As cases of Internet censorship continue to grow globally, there has been a tremendous demand for VPN services over the last few months. In Belarus, citizens resorted to privacy apps when Internet services were disrupted to throttle the widespread protests after the disputed presidential election. On the other end of the spectrum, the impending ban on the popular media platforms TikTok and WeChat in the United States has already seen a surge in the sales of VPN apps. A similar trend was seen in India, Hong Kong, and other regions which had imposed similar bans earlier.

(Image caption: Protesters in Belarus have been forced to resort to privacy apps)

VPN apps employ various techniques to mask the user's IP address and encrypt user data, letting users bypass restrictions and access online services and websites in a secure and private manner. Unfortunately, most of the VPN apps in the market today are centralized systems, plagued by issues of their own. Logging of user data, inadvertent VPN leaks, even selling off user data for the purpose of monetization – the list is significant and alarming. Add to that the risk of data hacks and server failures, which are the banes of all centralized systems.

The year 2020 has seen a new trend – decentralized VPN applications, based on a peer-to-peer network of blockchain nodes. Such networks function without any central overseeing authority. Even if some of the nodes go down, the normal functioning of the VPN service isn't affected. While projects have been working in the decentralized internet space since 2017, it's only this year that we're seeing their efforts bear fruit.

In this article, we look at a couple of decentralized VPN apps, and see how they compare against conventional centralized VPN services and other traditional privacy-safeguarding options like Tor and SSR.

NordVPN

NordVPN is one of the most popular names when it comes to centralized VPN services available in the market today. The app is available for iOS, Android, macOS, Windows, Android TV, and Linux platforms, and can support up to 6 simultaneous connections. Operating 5,500+ servers in 58 countries (as of August, 2020), NordVPN employs military-grade 256-bit AES encryption with the SHA-384 authentication algorithm.

NordVPN offers a proprietary VPN protocol called NordLynx, which was launched in Q2 2020. An extension of WireGuard, NordLynx is claimed by NordVPN to be more efficient, simpler, easier to audit, and much faster than traditional choices like OpenVPN and IKEv2/IPsec, both of which are also offered by the app. WireGuard, however, assigns users a static IP address, which requires storing user data on the VPN server.

A recent addition to NordVPN's app is CyberSec, which blocks ads, malware, and phishing threats. NordVPN also offers the Onion over VPN feature, where user traffic is first routed through NordVPN's own network, then directed over the Onion network, and finally on to its actual destination. This feature makes it extremely difficult for anyone to trace any action back to the user, but it also slows the service down.

Users have to be careful about their choice of device, as some features that are available on the desktop app aren't available in the mobile apps, and vice versa. For example, split tunneling, which allows users to disable the VPN for selected apps, is available in the Android app but not in the Windows app. On the other hand, the Windows version has an option for double VPN servers, but the Android app does not.

NordVPN has kill switches built into the Windows, macOS, and iOS apps. When enabled, the kill switch cuts off the internet connection completely in case the VPN connection drops, preventing any leakage of unencrypted data onto the ISP's network. The kill switch hasn't been implemented in the Android version yet.
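To make the kill switch requirement concrete, here is a small added example (not NordVPN's code). It classifies flow records leaving a host and flags every packet that left the physical interface outside the tunnel, which is exactly what a kill switch has to drop, whether the tunnel is up or has just gone down. The interface names, the VPN endpoint 203.0.113.10 on UDP 51820 (a TEST-NET address and WireGuard's default port), the LAN ranges and the sample capture are all constructed for this example.

```python
"""What a VPN kill switch has to enforce, run over constructed flow records.

Added illustration, not NordVPN's implementation. Interface names, the VPN
endpoint 203.0.113.10:51820 (TEST-NET-3 address, WireGuard's default port),
the LAN ranges and the sample flows are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TUNNEL_IFACE = "tun0"        # traffic here is already inside the VPN tunnel
PHYS_IFACE = "wlan0"         # the ISP-facing interface
VPN_SERVER = ip_address("203.0.113.10")
VPN_PORT = 51820
LAN_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet left on
    dst: str     # destination IP address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


def classify(flow: Flow) -> str:
    """'tunnelled', 'vpn-control', 'lan' or 'leak'; the kill switch must drop leaks."""
    if flow.iface == TUNNEL_IFACE:
        return "tunnelled"
    dst = ip_address(flow.dst)
    if dst == VPN_SERVER and flow.dport == VPN_PORT and flow.proto == "udp":
        return "vpn-control"   # the encrypted tunnel itself must be allowed out
    if any(dst in net for net in LAN_NETS):
        return "lan"           # local printers/NAS; commonly permitted by policy
    return "leak"              # anything else left the host outside the tunnel


def kill_switch_allows(flow: Flow) -> bool:
    """Policy a kill switch enforces regardless of tunnel state: only tunnel
    traffic, the VPN endpoint and (optionally) the LAN may leave the host."""
    return classify(flow) != "leak"


def audit(flows):
    """Summarise a capture: counts per class plus the leaked flows themselves."""
    counts = {}
    leaks = []
    for f in flows:
        kind = classify(f)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "leak":
            leaks.append(f)
    return counts, leaks


# Constructed sample capture: tunnel up for the first flows, then it drops and
# the OS silently falls back to wlan0 because no kill switch is active.
SAMPLE_FLOWS = [
    Flow("tun0", "198.51.100.80", 443, "tcp"),     # web traffic inside the tunnel
    Flow("wlan0", "203.0.113.10", 51820, "udp"),   # the tunnel's own packets
    Flow("wlan0", "192.168.1.20", 9100, "tcp"),    # LAN printer
    Flow("wlan0", "198.51.100.53", 53, "udp"),     # DNS to ISP resolver: classic DNS leak
    Flow("wlan0", "198.51.100.80", 443, "tcp"),    # tunnel dropped, traffic went out in the clear
]

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_FLOWS)
    print(counts)
    for f in leaks:
        print("LEAK:", f)
```

The DNS flow is worth singling out: it can occur even while the tunnel is up, when the operating system keeps using the ISP's resolver, so a kill switch that only reacts to the tunnel going down will not catch it; the policy above blocks it because it judges each packet by where it leaves, not by whether the VPN is connected.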
One distinct advantage that NordVPN provides over its centralized peers is that it maintains a strict policy of not logging user data. The company is based in Panama, where there are no legal data retention requirements. While many centralized VPN services boast of a 'no logs' rule, very few actually stick to it.

In spite of all the security features, NordVPN still remains a centralized service with its inherent security concerns. In fact, NordVPN itself suffered a data hack back in 2018, when an attacker got root access to a Nord server in Finland because that data center had left its server management system insecure. What's worse is that NordVPN admitted to this hack more than a year later! While NordVPN followed up the security breach with multiple security audits, the fact remains that centralized VPN service providers are always susceptible to such risks.

Tor

Tor is synonymous with browsing the Deep Web today. An acronym for "The Onion Router", Tor is an open-source protocol that lets users hide their browsing data by wrapping it in multiple layers of encryption, like an onion. Windows, macOS and Linux users can connect to the Tor network using the Tor browser, while Android and iOS users can use the Orbot app and the Onion Browser respectively.

It should be noted that while their purposes seem similar, Tor is not the same as a VPN. In principle, VPNs emphasize privacy, and Tor emphasizes anonymity. While a VPN can provide a high degree of privacy by hiding the user's IP address, the VPN provider can still see connection data and traffic passing through its servers.

The core technology of Tor's onion routing was developed by the US Naval Research Lab and DARPA in the 1990s. Tor was primarily designed as a means to access the open internet uncensored and anonymously. User data which enters the Tor network is encrypted and routed through at least 3 volunteer-operated servers (called 'relays'), obscuring the originating IP address. Data is protected using AES-128 encryption and Curve25519 DH elliptic curve cryptography techniques.

Each relay decrypts a layer of encryption to reveal the next relay, and passes on the remaining encrypted data. The final relay (called the "exit node") decrypts the innermost layer of encryption, and sends the original data to its destination. No node can know the whole path between the user's device and the website that the user is accessing. However, data enters and leaves the exit node unencrypted. Although the exit node can't access the user's IP address, it can still spy on user activity if an unsecured HTTP website is being accessed. This is a major drawback of Tor technology. Conversely, the volunteer running an exit node can also face prosecution if illegal data passes through this IP address, even though a completely random Tor user might be the culprit.

Another drawback of Tor is that it provides anonymity at the cost of speed. Since data is routed through and re-encrypted at no fewer than 3 random nodes (located anywhere in the world), the network speed can be extremely poor. Streaming high quality content is painfully slow. Accessing torrent sites through Tor is also advised against, as it can slow down the network completely, and the torrent traffic can expose the user's IP address.

Tor is a vital anti-censorship tool for Internet users who require the maximum anonymity possible, such as human rights activists, whistleblowers, political dissenters, and so on. Unfortunately, repressive governments go to great lengths to counter this by blocking access to the Tor network itself, with varying degrees of success. Ironically, accessing the Tor network can raise suspicion and draw attention to the user – the ISP can well see that the user is connected to Tor!

Tachyon Protocol

Tachyon VPN has used a combination of blockchain technology and encryption techniques to create a decentralized VPN application.
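The layer-by-layer process described above, as an added walk-through that is not Tor's code: a toy XOR keystream cipher (HMAC-SHA256 blocks) stands in for the AES-128 circuit encryption Tor uses, and the per-relay keys are simply generated locally where Tor would negotiate them with Curve25519 handshakes. The relay names, the "DEST" marker and the sample HTTP request are constructed. The run shows that each relay learns only the next hop, that the exit relay sees an HTTP request in the clear, and that an end-to-end layer (standing in here for TLS) keeps the payload opaque to the exit, which is the mitigation for the drawback the paragraph describes.

```python
"""Layered (onion) encryption walk-through: an added illustration, not Tor's code.

The toy stream cipher below (XOR with HMAC-SHA256 keystream blocks) stands in
for the AES-128-CTR that Tor uses on circuits; the per-relay keys are generated
here with os.urandom where Tor would negotiate them with Curve25519 handshakes.
Relay names, the "DEST" marker and the sample HTTP request are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN = 8
HOP_FIELD = 16  # fixed-width "next hop" field inside every layer


def new_key() -> bytes:
    return os.urandom(32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with keystream blocks HMAC(key, nonce || counter). Symmetric."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def add_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Wrap inner data in one layer that only the holder of key can peel."""
    nonce = os.urandom(NONCE_LEN)
    header = next_hop.encode().ljust(HOP_FIELD, b"\0")
    return nonce + keystream_xor(key, nonce, header + inner)


def peel_layer(key: bytes, cell: bytes):
    """A relay removes its own layer: it learns the next hop and the remaining blob."""
    nonce, body = cell[:NONCE_LEN], cell[NONCE_LEN:]
    plain = keystream_xor(key, nonce, body)
    return plain[:HOP_FIELD].rstrip(b"\0").decode(), plain[HOP_FIELD:]


def build_onion(payload: bytes, circuit) -> bytes:
    """circuit = [(relay_name, key_shared_with_client), ...], guard first.
    Layers are applied innermost (exit) first, so the guard's layer is outermost."""
    cell, next_hop = payload, "DEST"
    for name, key in reversed(circuit):
        cell = add_layer(key, next_hop, cell)
        next_hop = name
    return cell


def traverse(cell: bytes, circuit):
    """Simulate the relays in order; return what each one learns and forwards."""
    seen = []
    for name, key in circuit:
        next_hop, cell = peel_layer(key, cell)
        seen.append({"relay": name, "next_hop": next_hop, "forwards": cell})
    return seen


def seal_end_to_end(key: bytes, payload: bytes) -> bytes:
    """Stand-in for TLS between client and destination: the exit cannot read it."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, payload)


def open_end_to_end(key: bytes, sealed: bytes) -> bytes:
    return keystream_xor(key, sealed[:NONCE_LEN], sealed[NONCE_LEN:])


def new_circuit():
    """Three relays with fresh client-shared keys, guard first, exit last."""
    return [(name, new_key()) for name in ("guard", "middle", "exit")]


if __name__ == "__main__":
    circuit = new_circuit()
    request = b"GET /login?user=alice HTTP/1.1\r\nHost: example.test\r\n\r\n"
    for hop in traverse(build_onion(request, circuit), circuit):
        print(f"{hop['relay']:>6} -> {hop['next_hop']:<6} forwards {hop['forwards'][:24]!r}...")
```

Reading the output: the guard knows who sent the cell but forwards an opaque blob, the middle relay knows neither end, and the exit forwards the HTTP request as written, including the query string. Wrapping the request with seal_end_to_end first leaves the exit with ciphertext, which is what TLS achieves on a real circuit.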
Tachyon's macOS app was released in December, 2019, followed by the Android and iOS apps in March, 2020. The Windows app is scheduled to be launched later this year. Recently, Tachyon has launched Node Manager 2.0, a tool for global node providers to create and run nodes themselves, and join or manage the staking of Tachyon's native token IPX.

Tachyon has created its own decentralized protocol to improve the ubiquitous TCP/IP protocol stack, and solve its underlying security and privacy issues. Unlike many other decentralized projects, Tachyon has shunned the popular smart contract platform Ethereum and developed its application on VSYS's blockchain. VSYS uses a PoS based consensus algorithm called Supernode Proof-of-Stake (SPoS), which enables faster transactions than PoW based blockchains. The VSYS and Tachyon teams have actually worked together on the development of this app.

The core of Tachyon's architecture is the Tachyon Booster UDP (TBU), which replaces the Internet, Transport and Application layers of the TCP/IP model. TBU implements a decentralized peer-to-peer network based on PPPoIP, and uses UDP in the transport layer to improve transmission efficiency. In future, TBU is expected to employ real-time routing to choose the optimal connection and increase transmission speed further.

Tachyon Security Protocol (TSP) executes end-to-end ECDHE-ECDSA encryption to prevent VPN nodes from intercepting user traffic. A unique feature of Tachyon is the Protocol Simulation scheme, where TSP simulates standard communication protocols like HTTPS, SMTP and FTP. This disguises the Tachyon data and makes it look like a normal e-mail or file transfer, preventing firewalls from recognizing VPN traffic and even trying to intercept it. Furthermore, Tachyon Anti-Analysis (TAA) uses multipath routing to distribute VPN traffic through multiple nodes, and prevent single-point failures and attacks.

Since VSYS is a PoS blockchain, IPX holders can stake their tokens and earn staking rewards. Tachyon is also implementing a peer-to-peer bandwidth marketplace, where VPN users can purchase spare bandwidth from nodes by making payments in IPX tokens. These nano-payments will be settled off-chain through a set of dedicated smart contracts, significantly reducing the transaction fees and settlement time.

Tachyon's vision of building a new protocol itself is extremely ambitious. There's always risk associated with new techniques; in Tachyon's case, even the underlying blockchain platform hasn't undergone the rigorous testing that Ethereum has over the years. Developing smart contracts on VSYS would take comparatively more time, which can ultimately hamper Tachyon's progress. Tachyon has done well to build up a user base of 1.5 million without any severe network issues, but there still remain questions about scalability and robustness in the long run.

Shadowsocks

Shadowsocks is an open-source encryption protocol project based on SOCKS5. It was first released in 2012 by a Chinese programmer under the pseudonym clowwindy, with the intention of bypassing the Great Firewall of China. On 2nd Aug, 2015, police authorities forced the programmer to take down the project. However, Shadowsocks has grown in stature since then and multiple implementations of the protocol have been made available over time.

Shadowsocks focuses on circumventing traffic restrictions by utilizing HTTPS, disguising traffic so that it can move past the censorship measures in place. SOCKS is an Internet protocol that supervises the exchange of network packets between a client and a server through a proxy server. Due to its use of SOCKS5 proxies, Shadowsocks doesn't send the entire user traffic through a single server; rather, the client software connects to a third party SOCKS5 proxy through which internet traffic is then directed, similar to the operation of an SSH tunnel.
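What a SOCKS5 proxy actually handles, as an added example that is not code from the Shadowsocks project: a parser for the SOCKS5 CONNECT request of RFC 1928 and for the address header that Shadowsocks carries at the start of its encrypted stream (the same ATYP/address/port fields, without the version, command and reserved bytes). The sample byte strings and the client address in the log line are constructed. The point it makes is the one the article comes to later: whatever cipher protects the wire, the proxy must decode this header to know where to connect, so the operator of the proxy can pair each client with its destinations.

```python
"""Parser for the SOCKS5 CONNECT request (RFC 1928) and for the address header
Shadowsocks carries inside its encrypted stream.

Added example, not code from the Shadowsocks project; the sample byte strings
and the client address are constructed. The proxy has to decode this header to
know where to connect, so whoever runs it sees (client, destination) pairs.
"""
import ipaddress

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def _need(buf: bytes, end: int) -> None:
    """Refuse to read past the buffer instead of silently mis-parsing."""
    if len(buf) < end:
        raise ValueError(f"truncated: need {end} bytes, have {len(buf)}")


def parse_address(buf: bytes, pos: int = 0):
    """Decode [ATYP][DST.ADDR][DST.PORT] at pos; return (host, port, next_pos)."""
    _need(buf, pos + 1)
    atyp = buf[pos]
    pos += 1
    if atyp == ATYP_IPV4:
        _need(buf, pos + 4)
        host = str(ipaddress.IPv4Address(buf[pos:pos + 4]))
        pos += 4
    elif atyp == ATYP_DOMAIN:                 # one length byte, then the name
        _need(buf, pos + 1)
        n = buf[pos]
        pos += 1
        _need(buf, pos + n)
        host = buf[pos:pos + n].decode("ascii")
        pos += n
    elif atyp == ATYP_IPV6:
        _need(buf, pos + 16)
        host = str(ipaddress.IPv6Address(buf[pos:pos + 16]))
        pos += 16
    else:
        raise ValueError(f"unknown address type 0x{atyp:02x}")
    _need(buf, pos + 2)
    port = int.from_bytes(buf[pos:pos + 2], "big")   # network byte order
    return host, port, pos + 2


def parse_socks5_request(buf: bytes):
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT as sent to a plain SOCKS5 proxy."""
    _need(buf, 3)
    ver, cmd, rsv = buf[0], buf[1], buf[2]
    if ver != SOCKS_VERSION:
        raise ValueError(f"not SOCKS5 (version {ver})")
    if cmd not in CMD_NAMES:
        raise ValueError(f"unknown command 0x{cmd:02x}")
    if rsv != 0:
        raise ValueError("reserved byte must be zero")
    host, port, _ = parse_address(buf, 3)
    return {"cmd": CMD_NAMES[cmd], "host": host, "port": port}


def parse_shadowsocks_header(plaintext: bytes):
    """Shadowsocks drops VER/CMD/RSV: once decrypted, the stream starts with the
    address header and the application payload follows immediately."""
    host, port, pos = parse_address(plaintext, 0)
    return {"host": host, "port": port, "payload": plaintext[pos:]}


def proxy_log_line(client_ip: str, host: str, port: int) -> str:
    """What the proxy operator is in a position to record for every connection."""
    return f"{client_ip} -> {host}:{port}"


# Constructed samples.
SOCKS_CONNECT_DOMAIN = b"\x05\x01\x00\x03\x0cexample.test\x01\xbb"     # example.test:443
SOCKS_CONNECT_IPV4 = b"\x05\x01\x00\x01\xc0\x00\x02\x01\x00\x50"        # 192.0.2.1:80
SS_DECRYPTED = b"\x03\x0cexample.test\x01\xbb" + b"GET / HTTP/1.1\r\n"  # header + payload

if __name__ == "__main__":
    req = parse_socks5_request(SOCKS_CONNECT_DOMAIN)
    print(proxy_log_line("198.51.100.7", req["host"], req["port"]))
    print(parse_shadowsocks_header(SS_DECRYPTED))
```

The bounds checks matter on a server that accepts these bytes from anyone: a length byte larger than the remaining buffer, or an unknown address type, is rejected with an error rather than guessed at.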
Like a VPN, Shadowsocks is also designed to fight internet censorship, but its fundamental working principle is quite different. Shadowsocks isn't designed for privacy and anonymity. While a VPN uses state-of-the-art encryption protocols to completely hide the traffic on its servers, Shadowsocks disguises data to make it look like HTTPS traffic, so that it can move around unrestricted. Shadowsocks doesn't hide data, but just camouflages it.

Shadowsocks is light-weight and easy to set up. It works with multiple TCP connections, and can also proxy UDP traffic. The net result is much faster speeds compared to the alternatives available. Moreover, the user can selectively route traffic through Shadowsocks, making it possible to access restricted (geo-blocked) websites both inside and outside the user's location.

Being an open-source project, there have been significant developments in Shadowsocks' technology over the last couple of years. V2Ray, the next generation of Shadowsocks, integrates the VMess protocol, which provides users with several tunneling and obfuscation options, improving upon the performance of the traditional Shadowsocks protocol.

In spite of all these features, there's one major criticism against Shadowsocks – it does absolutely nothing to hide the user's identity. Shadowsocks is useful only when the user wants to bypass internet censorship, without any fear of backlash from the authorities. Even its creator couldn't evade police action, as Shadowsocks was never designed for this purpose. If the purpose is to keep one's digital identity protected and browsing history private, then a VPN should be the instrument of choice.

Orchid VPN

Orchid VPN is another decentralized VPN application, built on the Ethereum blockchain. It has been developed by Orchid Labs, which was founded in 2017. Orchid's Android app was launched in December, 2019, and the iOS and macOS apps have been made available in July, 2020. Orchid supports WireGuard, OpenVPN, and its own native Orchid VPN protocol.

The Orchid application runs on top of the popular web standard WebRTC, which is commonly used to transmit audio and video from within a web browser. Orchid servers maintain registration information in a stake registry and provider directory. The stake registry enables the Orchid client to select random servers for users, and the provider directory allows server nodes to register metadata.

Orchid VPN gives users insight and control over the network connection of their device. Users can select single-hop or multi-hop onion routed circuits. A single-hop route is similar to a conventional VPN connection, creating a tunnel to route Internet traffic over a public network or the user's ISP; a multi-hop configuration allows users to split their traffic into "hops" across multiple nodes, providers and protocols, providing greater privacy.

Orchid has set up a peer-to-peer marketplace, where VPN users can purchase bandwidth from providers on a packet-wise basis using Orchid's native cryptocurrency OXT, which is an ERC-20 token. Such a scheme would normally require nano-payments at an exceptionally high rate, resulting in a colossal amount being spent by the users as gas fees on Ethereum's blockchain. Orchid claims to have solved this problem by implementing a unique payment architecture, where users send nano-payments based on a probability function, balancing payments across multiple transactions and parties.

All traffic that goes through the Orchid network is encrypted at the protocol level, which serves as an additional layer of encryption. The final exit traffic is then decrypted by the exit node and sent to the destination. However, Orchid's VPN service runs on existing Internet protocols. Not all traffic on the Internet is encrypted, and Orchid can't fix that problem. The exit hop will send the user requests out onto the Internet, and cleartext information would be revealed to the Orchid node.
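Returning to the probabilistic payment scheme described a paragraph earlier, here is an added model of the lottery-ticket idea behind it; it is not Orchid's contract or client code. Each ticket carries a face value and a win probability, so its expected value is the tiny per-packet price, but only winning tickets ever need an on-chain transaction. The win rule used here (the hash of a random value from each side compared against a threshold, so that neither party can rig the outcome alone), the amounts and the seed are constructed for this example.

```python
"""Probabilistic nano-payments: an added model of the lottery-ticket idea the
article describes for Orchid, not Orchid's contract or client code. The
win-or-lose rule (hash of two random values compared to a threshold) and all
amounts are constructed for this example.
"""
import hashlib
import random
from dataclasses import dataclass

TWO_256 = 2 ** 256


@dataclass(frozen=True)
class Ticket:
    face_value: int      # amount settled on-chain if the ticket wins
    win_prob: float      # probability that it wins
    client_rand: bytes   # chosen by the payer
    server_rand: bytes   # chosen by the payee and committed to before the ticket is issued

    def expected_value(self) -> float:
        """Each ticket is worth face_value * win_prob on average; that is the
        per-packet price the provider is really being paid."""
        return self.face_value * self.win_prob

    def wins(self) -> bool:
        """Neither side controls the outcome alone: the hash of both random
        values decides. Only winning tickets are ever submitted on-chain."""
        h = int.from_bytes(hashlib.sha256(self.client_rand + self.server_rand).digest(), "big")
        return h < int(self.win_prob * TWO_256)


def simulate(n_tickets: int, face_value: int, win_prob: float, seed: int = 0) -> dict:
    """Issue n_tickets and compare what happens with and without the scheme."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    winners = 0
    for _ in range(n_tickets):
        t = Ticket(face_value, win_prob,
                   rng.getrandbits(128).to_bytes(16, "big"),
                   rng.getrandbits(128).to_bytes(16, "big"))
        winners += t.wins()
    expected = n_tickets * face_value * win_prob
    return {
        "tickets_issued": n_tickets,
        "onchain_txs_with_scheme": winners,        # one per winning ticket
        "onchain_txs_without_scheme": n_tickets,   # one per packet if each were paid directly
        "expected_payout": expected,
        "actual_payout": winners * face_value,
        "payout_error": (winners * face_value - expected) / expected,
    }


if __name__ == "__main__":
    r = simulate(n_tickets=100_000, face_value=1_000_000, win_prob=0.001, seed=1)
    for k, v in r.items():
        print(f"{k:>28}: {v}")
```

With a win probability of one in a thousand, a hundred thousand packets produce on the order of a hundred on-chain settlements instead of a hundred thousand, while the provider's total income stays close to the expected amount. The residual error in the payout is the variance the article alludes to when it speaks of balancing payments across many transactions and parties: it shrinks as the number of tickets grows, which is why the scheme suits a steady stream of tiny payments rather than a single large one.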
Users should always use SSL/TLS security protocols for sensitive Internet connections, even on Orchid.

Orchid VPN also suffers from another vulnerability that affects centralized VPN services. Internet browsers run various sorts of "active content", such as JavaScript, Adobe Flash, ActiveX controls, VBScript and so on. These applications can store cookies, bypass proxy settings, and share information directly with other sites. It's the user's responsibility to disable these technologies in order to guarantee foolproof security in conjunction with using Orchid.

-----------------------------------------------------------------------------------------------------------

PS – Although the author is a fan of decentralized technologies, he doesn't have any vested interest in Tachyon or Orchid. As for the other options, the author has tried using Tor once, and has been severely frustrated at the sluggishness!