As cases of Internet censorship continue to grow globally, there has been a tremendous demand for VPN services over the last few months. In Belarus, citizens resorted to privacy apps when Internet services were disrupted to throttle the widespread protests after the disputed presidential election. On the other end of the spectrum, the impending ban on popular media platforms TikTok and WeChat in the United States has already seen a surge in the sales of VPN apps. A similar trend was seen in India, Hong Kong, and other regions which had imposed similar bans earlier.
Protesters in Belarus have been forced to resort to privacy apps
VPN apps employ various techniques to mask the user’s IP address and encrypt user data, letting users bypass restrictions and access online services and websites in a secure and private manner. Unfortunately, most of the VPN apps out there in the market today are centralized systems, plagued by unique issues of their own. Logging of user data, inadvertent VPN leaks, even selling off user data for the purpose of monetization – the list is significant and alarming. Add to that the risk of data hacks and server failures, which are banes of all centralized systems.
The year 2020 has seen a new trend – decentralized VPN applications, based on a peer-to-peer network of blockchain nodes. Such networks function without any central overseeing authority. Even if some of the nodes go down, the normal functioning of the VPN service doesn’t get affected. While projects have been working in the decentralized internet space from 2017, it’s only this year that we’re seeing their efforts bear fruit.
In this article, we look at a couple of decentralized VPN apps, and see how they compare against conventional centralized VPN services and other traditional privacy-safeguarding options like Tor and SSR.
NordVPN
NordVPN is one of the most popular names when it comes to centralized VPN services available in the market today. The app is available for iOS, Android, macOS, Windows, Android TV and Linux platforms, and can support upto 6 simultaneous connections. Operating 5,500+ servers in 58 countries (as of August, 2020), NordVPN employs military-grade 256-bit AES encryption with SHA384 authentication algorithm.
NordVPN offers a proprietary VPN protocol called NordLynx, which was launched in Q2, 2020. An extension of WireGuard, NordVPN claims that NordLynx is more efficient, simpler, easier to audit, and much faster than traditional choices like OpenVPN and IKEv2/IPsec, both of which are also offered by the app. WireGuard, however, assigns users with a static IP address, which requires storing user data on the VPN server.
A recent addition to NordVPN’s app is CyberSec, which blocks ads, malware, and phishing threats. NordVPN also offers the Onion over VPN feature, where user traffic is first routed through NordVPN's own network, then directed over the Onion network, and finally on to its actual destination. This feature makes it extremely difficult for anyone to trace any action back to the user, but it also slows the service down.
Users have to be careful about their choice of device, as some features that are available on the desktop app aren’t available in the mobile apps, and vice versa. For example, split tunneling, which allows users to disable the VPN for selected apps, is available in the Android app but not in the Windows app. On the other hand, the Windows version has an option for double VPN servers, but the Android app does not.
NordVPN has Kill switches built into the Windows, MacOS, and iOS apps. When enabled, the kill switch cuts off internet connection completely in case the VPN connection drops, preventing any leakage of unencrypted data onto the ISP’s network. The kill switch hasn’t been implemented in the Android version yet.
One distinct advantage that NordVPN provides over its centralized peers is that it maintains a strict policy of not logging user data. The company is based in Panama, where there are no legal data retention requirements. While many centralized VPN services boast of a ‘no logs’ rule, very few actually stick to it.
Inspite of all the security features, NordVPN still remains a centralized service with its inherent security concerns. In fact, NordVPN itself suffered a data hack back in 2018, when an attacker got root access to a Nord server in Finland because that data center had left its server management system insecure. What’s worse is that NordVPN admitted to this hack more than a year later! While NordVPN followed up the security breach with multiple security audits, the fact remains that centralized VPN service providers are always susceptible to such risks.
Tor
Tor is synonymous with browsing the Deep Web today. An acronym
for “The Onion Router”, Tor is an open-source protocol that lets users hide
their browsing data by wrapping it in multiple layers of encryption like an
onion. Windows, macOS and Linux users can connect to the Tor network using the Tor browser, while Android and iOS users can use the Orbot app and the Onion Browser respectively for the same.
for “The Onion Router”, Tor is an open-source protocol that lets users hide
their browsing data by wrapping it in multiple layers of encryption like an
onion. Windows, macOS and Linux users can connect to the Tor network using the Tor browser, while Android and iOS users can use the Orbot app and the Onion Browser respectively for the same.
It should be noted that while their purpose seems similar, Tor is not the same as VPN. In principle, VPNs emphasize privacy, and Tor emphasizes anonymity. While VPN can provide a high degree of privacy by hiding
the user’s IP address, the VPN provider can still see connection data and
traffic passing through its servers.
the user’s IP address, the VPN provider can still see connection data and
traffic passing through its servers.
The core technology of Tor’s onion routing was developed by the
US Naval Research Lab and DARPA in the 1990s. Tor was primarily designed as a means to access the open internet uncensored and anonymously. User data which enters the Tor network is encrypted and routed through at least 3 volunteer-operated servers (called ‘relays’), obscuring the originating IP address. Data is protected using AES-128 encryption and Curve25519 DH elliptic curve cryptography techniques.
US Naval Research Lab and DARPA in the 1990s. Tor was primarily designed as a means to access the open internet uncensored and anonymously. User data which enters the Tor network is encrypted and routed through at least 3 volunteer-operated servers (called ‘relays’), obscuring the originating IP address. Data is protected using AES-128 encryption and Curve25519 DH elliptic curve cryptography techniques.
Each relay decrypts a layer of encryption to reveal the next relay, and passes on the remaining encrypted data. The final relay (called “exit node”) decrypts the innermost layer of encryption, and sends the original
data to its destination. No node can know the whole path between the user device and the website that the user is accessing.
data to its destination. No node can know the whole path between the user device and the website that the user is accessing.
However, data enters and leaves the exit node unencrypted. Although the exit node can’t access the user’s IP address, it can still spy on user activity if an unsecured HTTP website is being accessed. This is a major drawback of Tor technology. Conversely, the volunteer running an exit node can also face prosecution if illegal data passes through this IP address, even though a completely random Tor user might be the culprit.
Another drawback of Tor is that it provides anonymity at the cost of speed. Since data is routed through and re-encrypted at 3 random nodes at least (located anywhere in the world), the network speed can be extremely poor. Streaming high quality content is painfully slow. Accessing torrent sites
through Tor is also advised against, as it can slow down the network completely, and the torrent traffic can expose the user’s IP address.
through Tor is also advised against, as it can slow down the network completely, and the torrent traffic can expose the user’s IP address.
Tor is a vital anti-censorship tool for Internet users who require the maximum anonymity possible, such as human right activists, whistleblowers, political dissenters, and so on. Unfortunately, repressive governments go to great lengths to counter this by blocking access to the Tor network itself, with varying degrees of success. Ironically, accessing the Tor network can raise suspicion and draw attention to the user – the ISP can well see that the user is connected to Tor!
Tachyon VPN
Tachyon Protocol has used a combination of blockchain technology and encryption techniques to create a decentralized VPN application. Tachyon’s macOS app was released in December, 2019, followed by the Android and iOS apps in March, 2020. The Windows app is scheduled to be launched later this year. Recently, Tachyon has launched Node Manager 2.0, a tool for global node providers to create and run nodes themselves, and join or manage the staking of Tachyon’s native token IPX.
Tachyon has created its own decentralized protocol to improve the ubiquitous TCP/IP protocol stack, and solve its underlying security and privacy issues. Unlike many other decentralized projects, Tachyon
has shunned the popular smart contract platform Ethereum and developed its application on VSYS’s blockchain. VSYS uses a PoS based consensus algorithm called Supernode Proof-of-Stake (SPoS), which enables faster transactions than PoW based blockchains. The VSYS and Tachyon teams have actually worked together for the development of
this app.
has shunned the popular smart contract platform Ethereum and developed its application on VSYS’s blockchain. VSYS uses a PoS based consensus algorithm called Supernode Proof-of-Stake (SPoS), which enables faster transactions than PoW based blockchains. The VSYS and Tachyon teams have actually worked together for the development of
this app.
The core of Tachyon’s architecture is the Tachyon Booster UDP (TBU), which replaces the Internet, Transport and Application layers of the TCP/IP model. TBU implements a decentralized peer-to-peer network based on PPPoIP, and uses UDP in the transport layer to improve transmission efficiency. In future, TBU is expected to employ real-time routing to choose the optimal connection and increase transmission speed further.
Tachyon Security Protocol (TSP) executes end to end ECDHE-ECDSA encryption to prevent VPN nodes from intercepting user traffic. A unique feature of Tachyon is the Protocol Simulation scheme, where TSP simulates standard communication protocols like HTTPS, SMTP and FTP. This disguises the Tachyon data and makes it look like a normal e-mail or file transfer, preventing firewalls from recognizing VPN traffic and even trying to intercept it. Furthermore, Tachyon Anti-Analysis (TAA) uses multipath routing to distribute VPN traffic through multiple nodes, and prevent single-point failures and attacks.
Since VSYS is a PoS blockchain, IPX holders can stake their tokens and earn staking rewards. Tachyon is also implementing a peer-to-peer bandwidth marketplace, where VPN users can purchase spare bandwidth from nodes
by making payments in IPX tokens. These nano-payments will be settled off-chain through a set of dedicated smart contracts, significantly reducing the transaction fees and settlement time.
by making payments in IPX tokens. These nano-payments will be settled off-chain through a set of dedicated smart contracts, significantly reducing the transaction fees and settlement time.
Tachyon’s vision of building a new protocol itself is extremely ambitious. There’s always risk associated with new techniques; in Tachyon’s case, even the underlying blockchain platform hasn’t undergone the rigorous testing that Ethereum has over the years. Developing smart contracts on VSYS would take more time comparatively, which can ultimately hamper Tachyon’s progress. Tachyon has done well to build up a user base of
1.5 million without any severe network issues, but there still remain
questions about scalability and robustness in the long run.
1.5 million without any severe network issues, but there still remain
questions about scalability and robustness in the long run.
Shadowsocks
Shadowsocks is an open-source encryption protocol project based on SOCKS5. It was first released in 2012 by a Chinese programmer under the pseudonym clowwindy, with the intention of bypassing the Great Firewall of China. On 2nd Aug, 2015, police authorities forced the programmer to take down the project. However, Shadowsocks has grown in stature
since then and multiple implementations of the protocol have been made
available over time.
since then and multiple implementations of the protocol have been made
available over time.
Shadowsocks focuses on circumventing traffic restrictions by utilizing HTTPS, disguising traffic so that it can move past the censorship measures in place. SOCKS is an Internet protocol that supervises the exchange of network packets between a client and a server through a proxy server. Due to its use of SOCKS5 proxies, Shadowsocks doesn’t send the entire user traffic through a single server; rather, the client software connects to a third party SOCKS5 proxy through which internet traffic is then directed, similar to the operation of a SSH tunnel.
Like VPN, Shadowsocks is also designed to fight internet censorship, but its fundamental working principle is quite different. Shadowsocks isn’t designed for privacy and anonymity. While VPN uses state-of-the-art encryption protocols to completely hide the traffic on its servers, Shadowsocks disguises data to make it look like HTTPS traffic, so that it can move around unrestricted. Shadowsocks doesn’t hide data, but just camouflages it.
Shadowsocks is light-weight and easy to setup. It works with multiple TCP connections, and can also proxy UDP traffic. The net result is much faster speeds compared to the alternatives available. Moreover, the user can selectively disguise traffic through Shadowsocks, making it possible to access restricted (geo-blocked) websites both inside and outside the user’s location.
Being an open-source project, there have been significant developments to Shadowsocks’ technology over the last couple of years. V2ray, the next-generation of Shadowsocks, integrates the vmess protocol, which provides users with several tunneling and obfuscation options, improving upon the performance of the traditional Shadowsocks protocol.
Inspite of all these features, there’s one major criticism against Shadowsocks – it does absolutely nothing to hide the user’s identity. Shadowsocks is useful only when the user wants to bypass internet censorship, without any fear of backlash from the authorities. Even its creator couldn’t evade police action, as Shadowsocks was never designed for this purpose. If the purpose is to keep one’s digital identity protected and browsing history private, then VPN should be the instrument of choice.
Orchid VPN
Orchid VPN is another decentralized VPN application, built on the Ethereum blockchain. It has been developed by Orchid Labs, which was founded in 2017. Orchid’s Android app was launched in December, 2019, and the iOS and macOS apps have been made available in July, 2020.
Orchid supports WireGuard, OpenVPN, and its own native Orchid VPN protocol.
Orchid supports WireGuard, OpenVPN, and its own native Orchid VPN protocol.
The Orchid application runs on top of the popular web standard WebRTC, which is commonly used to transmit audio and video from within a web browser. Orchid servers maintain registration information in a stake registry and provider directory. The stake registry enables the Orchid client to select random servers for users, and the provider directory allows server nodes to register metadata.
Orchid VPN gives users insight and control over the network connection of their device. Users can select single-hop or multi-hop onion routed circuits. A single-hop route is similar to a conventional VPN connection, creating a tunnel to route Internet traffic over a public network or the user’s ISP; a multi-hop configuration allows users to split their traffic into "hops" across multiple nodes, providers and protocols, providing greater privacy.
Orchid has set up a peer-to-peer marketplace, where VPN users can purchase bandwidth from providers on a packet-wise basis using Orchid’s native cryptocurrency OXT, which is an ERC-20 token. Such a scheme would normally require nano-payments at an exceptionally high rate, resulting in a colossal amount being spent by the users as gas fees on Ethereum’s blockchain. Orchid claims to have solved this problem by implementing a unique payment architecture, where users send nano-payments based on a probability function, balancing payments across multiple transactions and parties.
All traffic that goes through the Orchid network is encrypted at the protocol level, which serves as an additional layer of encryption. The final exit traffic is then decrypted by the exit node and sent to the destination. However, Orchid’s VPN service runs on existing Internet protocols. Not all traffic on the Internet is encrypted, and Orchid can’t fix that problem. The exit hop will send the user requests out onto the Internet, and cleartext information would be revealed to the Orchid node. Users should always use SSL/TLS security protocols for sensitive Internet connections, even on Orchid.
Orchid VPN also suffers from another vulnerability that affects centralized VPN services. Internet browsers run various sorts of “active content”, such as Javascript, Adobe Flash, ActiveX controls, VBScript and so on. These applications can store cookies, bypass proxy settings, and share information directly to other sites. It’s the user’s responsibility to disable these technologies in order to guarantee foolproof security in conjunction with using Orchid.
-----------------------------------------------------------------------------------------------------------