Thursday, September 10, 2015

Modern Day VPN

I recently read a G+ posting about VPNs that made my skin crawl. It seems clear to me that the unapologetic entitlement crowd has taken and repurposed the RFC. Clearly VPNs have a wide variety of features; however, when it was initially conceived it was about linking private distributed networks. Then, with lower-cost crypto appliances, it became part of the remote worker's hardware inventory, and as it made its way into the mobile device stack it allowed workers to be mobile.

Let's be clear, it was not meant to (a) obfuscate local network traffic, (b) improve QOS, or (c) bypass regional service restrictions... although this is what each of the VPN service providers in the Google Play store would have you believe. (Clearly there is no money in the traditional VPN, and by using a VPN mom and dad won't see that you spend all your time on porn sites.)

And so there is no ambiguity... I did a whois on the top 4 VPN providers on Google Play.

  1. domain registered 2007
  2. domain registered 2013
  3. domain registered 2010
  4. domain registered 2011
I checked all of their websites... one is totally free. WHAT? How is that possible? Just the act of spinning up their website means that they have costs. If they offer a superior product then they have bandwidth costs too. Their upstream providers are not giving them resources for free. Clicking on their "learn more" button, they make the claim that companies pay them to recommend software to their users. But since they don't have any advertising, how are they actually doing that? The site is devoid of real facts and I'm left with the impression that they might actually be a man-in-the-middle and trojan horse wrapped in one.

To be fair the Google Play Store does host other VPN client apps and extensions which I consider more legitimate or traditional. Cisco, SonicWall, Citrix to name a few. These tools are meant to create a virtual network between your computer and the remote network and that's it. From that point forward one usually has to sign a "proper use" or employee manual document so that you're not using the company network to watch movies or download torrents.

Anyway, the big misconception... While you might be hiding your IP address, obfuscating your browsing history, tricking your ISP's QOS mechanisms... all of your data is now being consolidated by a different 3rd party. Therefore, whatever secrets you thought you had before are no more secure. If you go to a public FTP server and you are not using SFTP or FTPS then your password and content will be in the clear for everyone at the VPN provider to see.
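To make the last point concrete, here is an added example (not from the original post) that audits what the far end of a VPN tunnel can read from an FTP control channel sent through it: the tunnel only covers the hop to the provider, so plain FTP is readable there, while explicit FTPS (`AUTH TLS` accepted with a `234` reply) is not. The session transcripts, host name and credentials are constructed for the example.

```python
# Added example (not from the original post): an audit of what the far end of a
# VPN tunnel can read when plain FTP is sent through it. The tunnel protects only
# the hop to the provider; after decapsulation, an FTP control channel that never
# completed "AUTH TLS" (explicit FTPS) carries USER, PASS and file names as text.
# The sessions below are constructed; "C:" lines are client->server, "S:" server->client.

PLAIN_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS hunter2",
    "S: 230 Logged in",
    "C: RETR quarterly-report.xlsx",
]

FTPS_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: AUTH TLS",
    "S: 234 Proceed with negotiation",
    # In a real capture everything from here on is TLS ciphertext; the audit
    # treats it as protected.
    "C: USER alice",
    "C: PASS hunter2",
    "C: RETR quarterly-report.xlsx",
]

def audit_ftp_control(lines):
    """Return what an observer at the tunnel exit could read from one session."""
    tls = False               # set once the server accepts AUTH TLS with a 234 reply
    auth_pending = False      # client sent AUTH TLS, waiting for the server's verdict
    exposed_credentials = []  # (command, argument) pairs sent in the clear
    exposed_files = []        # file names from RETR/STOR sent in the clear
    for raw in lines:
        side, _, text = raw.partition(": ")
        if side == "S":
            if auth_pending and text.startswith("234"):
                tls = True
            auth_pending = False   # any other reply means TLS was refused
            continue
        cmd, _, arg = text.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            auth_pending = True
        elif tls:
            continue               # protected by TLS from here on
        elif cmd in ("USER", "PASS"):
            exposed_credentials.append((cmd, arg))
        elif cmd in ("RETR", "STOR"):
            exposed_files.append(arg)
    return {"tls": tls, "credentials": exposed_credentials, "files": exposed_files}

if __name__ == "__main__":
    for name, session in (("plain FTP", PLAIN_SESSION), ("explicit FTPS", FTPS_SESSION)):
        print(name, audit_ftp_control(session))
```

The same walk applies to any cleartext protocol inside the tunnel; the VPN changes who can read it, not whether it can be read.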
