VPN and Security Friction

Troy Hunt spent some time over the weekend writing on the relative insecurity of the Internet and how VPNs reduce threats without obviating those threats entirely. The kicker is:

To be clear, using a VPN doesn’t magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there’s still the network segment between the VPN exit node and the site in question to contend with. It’s arguably the least risky segment of the network, but it’s still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won’t be perfect. And privacy wise, a VPN doesn’t remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I’ve always said I’d much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that’s been independently audited to that effect.

Something that security professionals are still not great at communicating—because we’re not asked to and because it’s harder for regular users to use the information—is that security is about adding friction that prevents adversaries from successfully exploiting whomever or whatever they’re targeting. Any such friction, however, can be overcome in the face of a sufficiently well-resourced attacker. But when you read most articles that talk about any given threat mitigation tool, what is apparent is that the problems faced are systemic; while individuals can undertake some efforts to increase friction, the crux of the problem is that individuals are operating in an almost inherently insecure environment.

Security is a community good and, as such, individuals can only do so much to protect themselves. What’s more, their individual efforts functionally represent a failing of the security community and reveal the need for group efforts to reduce the threats faced by individuals every day when they use the Internet or Internet-connected systems. Sure, some VPNs are a good thing to help individuals but, ideally, these are technologies to be discarded in some distant future after groups of actors have successfully worked to mitigate the threats that lurk all around us. Until then, though, adopting a trusted VPN can be a very good idea if you can afford the costs linked to them.


VPNs becoming more common amongst youth

The risks that onerous copyright laws pose for law enforcement are rarely considered, despite such laws (potentially) threatening national security operations. In Sweden, following efforts to dissuade file sharing, the population is increasingly moving to encrypted VPN connections to continue their sharing. From an article over at TorrentFreak,

according to new research from the Cybernorms research group at Sweden’s Lund University, an increasing proportion of the country’s population are taking measures to negate the effects of spying on their online activities.

The study reveals that 700,000 Swedes now make themselves anonymous online with paid VPN services such as The Pirate Bay’s iPredator.

What does this have to do with law enforcement? As the Swedish population moves to encrypted communications it limits authorities’ insights into the data traffic moving through Swedish networks. Consequently, the copyright lobby is (unintentionally) increasing the challenges of applying digital ‘wiretaps’ on Swedish citizens. While not something that the copyright lobbies are necessarily concerned with, these developments can be problematic for national security agencies.

I’m not advocating that communications should necessarily be easier for such agencies to investigate – far from it – but I do think that before aligning legislative efforts with copyright groups it is critical for legislators to think of the broader implications associated with ‘strong’ copyright laws. While such laws might dissuade some file sharing, are the benefits derived from limiting file sharing sufficient to justify disadvantaging national security and intelligence operations?