VPN, HTTPS, TLS walk into a bar... Is VPN useless?

Introduction


Disclaimer: I use the word "VPN" a lot in this article. In most cases I use it to mean "commercial VPN service/provider". Obviously the concept of a VPN itself is not useless; here we are talking about commercial VPN services such as NordVPN, ExpressVPN, etc. And I'm sorry for the AI banner if AI art triggers you as much as it triggers me.


Popular commercial VPN providers long ago launched a massive advertising campaign propagating the following notion: “Public WiFi is dangerous. Always use a VPN.”

Some people argue that this statement is not entirely true: modern security protocols such as HTTPS provide adequate security, so a VPN is not needed.

This raises the question of how helpful VPN services really are and whether they are worth subscribing to. In this post we will look at VPNs, the HTTPS protocol, TLS, and a bit of cryptography, and try to answer the question: “Should I use a VPN or not?”


Some claims from VPN providers

  1. A VPN prevents man-in-the-middle attacks.
  2. It prevents your ISP from spying on you.
  3. It adds security and blocks malicious sites.


Some arguments against VPN

These arguments are not strictly against VPNs, but rather doubt their usefulness in terms of security. The claim is that modern communication protocols provide enough security to prevent most of the attacks that VPNs claim to defend against. For example:

  • Man-in-the-middle - HTTPS uses TLS, which effectively prevents attackers from making sense of any information they intercept, rendering it useless to them. The claim is that it is safe to communicate over a public network using HTTPS.

  • Enhanced privacy - While your ISP indeed won’t track you, your VPN provider will. It’s basically trading six of one for half a dozen of the other.

Let’s investigate

What is VPN?

Firstly, let’s have a look at what VPN is.

According to Cisco

  • A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network.
  • The encrypted connection helps ensure that sensitive data is safely transmitted.
  • It prevents unauthorised people from eavesdropping on the traffic and allows the user to conduct work remotely.
  • VPN technology is widely used in corporate environments.

Essentially, a VPN is a secure encrypted tunnel between a device in one network and a VPN server in another network, running over an insecure network such as the Internet.

https://www.paloaltonetworks.com/cyberpedia/what-is-a-vpn-tunnel

What do commercial VPN services do?

The following image explains what commercial VPN services do.

https://www.avg.com/en/signal/what-is-a-vpn-and-why-should-you-use-one

In a nutshell, they create an encrypted tunnel between your device and one of their servers, which in turn becomes a proxy for all your Internet traffic. This way your ISP (and anyone who might intercept packets on their way to the proxy server) won’t be able to track your connections, as all your traffic will be encrypted and directed to the proxy server (the VPN server).

  • Does it hide your traffic from your ISP? Yes.
  • Does it protect against eavesdropping? Yes.
  • Does it enhance your privacy? Yes and no. Although most VPN providers will tell you that they don’t keep logs, this is generally not true, and they will release this information upon the first request from law enforcement.

I searched Google for "VPN releases logs":

https://hackread.com/purevpn-aided-fbi-track-cyberstalker-providing-logs/

https://www.welivesecurity.com/2020/07/20/seven-vpn-services-leaked-data-20million-users-report/

https://hackread.com/everything-you-need-to-know-about-vpn-tracking/


What happens without VPN?

Let’s look into a plain HTTPS connection

We will now go through a Wireshark capture of how an HTTPS connection is established. This is basically what an eavesdropper would see if they sniffed your traffic in McDonald’s.

My network topology looks like this:

Logical Network Topology

I typed google.co.uk into Firefox inside a Kali VM and could immediately see the following packets appear in Wireshark:

DNS request and response

We can see that there was a DNS request for the IP of www.google.co.uk from the Kali VM to the host (which was configured as the DNS server by VMware’s DHCP), followed by a response with the IP address of www.google.co.uk.

OK, so now Google’s IP address is known (216.58.204.67) and the browser does a three-way TCP handshake to establish a session.

TCP Handshake

Here we see the SYN, SYN-ACK, and ACK messages between our VM and Google, which means that the TCP session is now established.

Next we see the TLS handshake, where our VM negotiates the cipher and the TLS version in use and performs a key exchange with Google’s server.

TLS Handshake

Here is packet 30 (which contains the server hello message):

TLS Server Hello + HTTPS

We can see that it is part of the handshake, that it is a server hello message, and that the server asks to use TLS version 1.2.

But most importantly, we can already see that the server has started sending HTTPS (website contents) data. This is exactly what we were looking for! Let’s jump in and see what it contains:

HTTPS Application Data

And it contains ciphertext - data that we can’t make any sense of. In contrast, here is what a plain HTTP packet would look like:

HTTP (No encryption)
HTTP Application Data

And then we can follow the TCP session and see how the remaining encrypted data was transferred between Google’s server and my machine until the session was closed with a TCP FIN packet.

Full TCP session


Some additional details about TLS

TLS is a cryptographic protocol that provides end-to-end security of data sent between applications over the Internet.

What is important to understand is that the TLS handshake uses digital certificates and authenticates the communicating parties. Namely, the client is able to verify the server’s certificate against a Certificate Authority, effectively confirming that the client is indeed establishing a secure session with the legitimate server. It also provides integrity by using digital signatures.

What this means is that in most cases attackers would not be able to redirect you to their own servers using DNS poisoning, as they would not be able to present a legitimate digital certificate verifiable with a certificate authority (or they could present one, but then they wouldn’t be able to decrypt the communication, as they don’t have the legitimate server’s private key). Alternatively they could try to send you a self-signed certificate, and you will see this scary pop-up:

Self-signed certificate error

By the way, never proceed with the site when you see this message. I’m serious, don’t do it.

The simplest mistake (other than proceeding with the connection when seeing the scary pop-up) is using an old version of TLS, like 1.1 (or SSL, which is effectively a very old TLS), which is considered broken. Ideally 1.3 should be used, but 1.2 is still considered OK.
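As an added example (not from the original article), the following decodes a TLS record header and the Server Hello fields Wireshark labelled in packet 30, and rates the negotiated version with the rule just given. Both records are constructed by hand rather than taken from the capture, and the cipher suite value is an ordinary TLS 1.2 suite chosen for illustration.

```python
# Added example (not from the original article): decode a TLS record header and
# ServerHello the way Wireshark labelled packet 30, and rate the negotiated
# version with the article's rule (SSL/1.0/1.1 broken, 1.2 ok, 1.3 ideal).
# The two records below are constructed by hand, not taken from the capture.
import struct

CONTENT_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def classify_version(name):
    """Article's rule of thumb for the protocol version a connection ends up on."""
    return {"TLS 1.3": "ideal", "TLS 1.2": "ok"}.get(name, "broken")

def parse_tls_record(data):
    """Describe one TLS record: 5-byte header, then handshake fields or opaque ciphertext.

    Note: a TLS 1.3 ServerHello still carries 0x0303 in this legacy version field and
    signals 1.3 in the supported_versions extension, which this short parser skips."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    info = {"content_type": CONTENT_TYPES.get(ctype, "unknown"),
            "record_version": VERSIONS.get(rec_version, hex(rec_version))}
    if ctype == 0x16:                                   # Handshake: type(1) len(3) version(2) ...
        hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
        if 4 + hs_len > len(body):
            raise ValueError("handshake message shorter than declared length")
        info["handshake_type"] = HANDSHAKE_TYPES.get(hs_type, "other")
        if hs_type in HANDSHAKE_TYPES and len(body) >= 6:
            name = VERSIONS.get(struct.unpack("!H", body[4:6])[0], "unknown")
            info["version"], info["assessment"] = name, classify_version(name)
    elif ctype == 0x17:                                 # Application data: ciphertext, nothing readable
        info["ciphertext_bytes"] = length
    return info

# Constructed ServerHello: version 1.2, 32 zero random bytes, empty session id,
# cipher suite 0xC02F (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), null compression.
SERVER_HELLO = bytes.fromhex("16 03 03 00 2a 02 00 00 26 03 03") + bytes(32) + bytes.fromhex("00 c0 2f 00")
# Constructed application-data record carrying 16 bytes of (here zeroed) ciphertext.
APP_DATA = bytes.fromhex("17 03 03 00 10") + bytes(16)
```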


Interim conclusions

  • Is HTTPS traffic encrypted? Yes.
  • Are the communicating parties authenticated when using HTTPS? Yes.
  • Is communication integrity guaranteed with HTTPS? With TLS 1.2-1.3 and the use of digital signatures: yes.
  • Can an eavesdropper make sense of the HTTPS data you are receiving/sending? No.
  • With a correctly configured device, would I connect to my bank using HTTPS through open public WiFi without a VPN? Yes.


So, is VPN useless?

Short answer - no. But we aren’t here for short answers, right?

First let’s have a look at some of the points we missed when we looked at HTTPS communication.


DNS is a snitch

The Domain Name System (DNS) is the phonebook of the Internet. It resolves a domain name (”www.google.co.uk”) to an IP address (”216.58.204.67”), which identifies an individual node on the Internet (or any network, really). https://www.cloudflare.com/en-gb/learning/dns/what-is-dns/

When we looked at the Wireshark capture, we could see the DNS request and response:

DNS request and response is in plaintext

The interesting thing is that both the DNS request and the response are in plain text. It means that whatever website you want to visit, you first need to request its IP address, which most likely happens in plain text. Therefore, any eavesdropper (especially on WiFi, which really is a wireless hub) would be able to see exactly what websites you are visiting by reading your DNS queries.

There is a protocol called DNSSEC, which is effectively authenticated and encrypted DNS. It mitigates the points covered. However, right now it needs to be specifically enabled by network operators at their recursive resolvers and by domain name owners at their zones’ authoritative servers.

So most likely you won’t have it working by default on your devices, no matter how new they are.
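To make the plaintext point concrete, here is an added example (not from the original article) that decodes a DNS query and its response exactly as they sit in the UDP payload Wireshark showed. The bytes for www.google.co.uk and 216.58.204.67 are constructed by hand, not taken from the capture; no key is involved anywhere, which is the whole point.

```python
# Added example (not from the original article): decode the raw DNS messages that
# travel in the UDP payload, the way Wireshark does. Nothing here needs a key, which
# is why anyone on the same WiFi can read every name you look up. Sample bytes are constructed.
import socket
import struct

def read_name(data, offset):
    """Decode an RFC 1035 name: length-prefixed labels, following compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # 2-byte pointer into the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset

def parse_dns_message(payload):
    """Return header fields, the question, and any A-record answers of one DNS message."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", payload[:8])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = read_name(payload, 12)            # question follows the 12-byte header
    qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(ancount):
        _owner, offset = read_name(payload, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        rdata, offset = payload[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:                 # A record: IPv4 address in plaintext
            answers.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": {1: "A", 28: "AAAA"}.get(qtype, str(qtype)), "answers": answers}

# Constructed sample: the A query the VM sends for www.google.co.uk ...
QUESTION = b"\x03www\x06google\x02co\x02uk\x00" + struct.pack("!HH", 1, 1)
QUERY = struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0) + QUESTION
# ... and the response carrying 216.58.204.67 (owner name is a pointer to offset 12).
RESPONSE = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([216, 58, 204, 67]))
```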


Doesn’t the destination IP in the IP header already reveal what I’m communicating with?

TLS does not encrypt IP headers, so an eavesdropper would see which IP address you are sending IP packets to. But some IP addresses returned by DNS queries do not point to a website directly, but rather to a web server that might be hosting hundreds of them. Even in my example, the IP address that I received for www.google.co.uk was 216.58.204.67, which really leads to lhr25s13-in-f67.1e100[.]net:

nslookup

Although we know via nslookup that lhr25s13-in-f67.1e100[.]net belongs to Google, we still don’t know exactly what web pages it might be serving. It might be serving anything.

nslookup

However, DNS requests and responses conveniently shout in plaintext about every website you want to visit.


What do commercial VPNs really bring instead of the claimed additional security?

Firstly, as we have already established, a commercial VPN can hide your DNS queries and the destinations of your connections. But why is that so important?

There are a number of countries around the world that could oppress Internet users simply because they viewed some specific web content, which is not necessarily illegal.

VPNs, especially those headquartered in a neutral country, provide not additional but the only possible security in such cases (if we do not consider Tor, and especially if the mere use of a VPN is not illegal).

Also, as students living in student accommodation, it doesn’t feel comfortable to realise that any one of us could simply launch Wireshark and start observing which websites everyone visits.

Secondly, some web content in particular parts of the world is simply blocked.

Thirdly, some services have location restrictions, meaning that you can connect to them only from inside a specific country. That’s when a VPN with a list of available servers around the world comes in handy.

And last but not least: some VPN providers indeed embrace their role as a proxy and maintain a registry of known malicious domains, including those that were able to obtain a legitimate certificate signed by a recognised certificate authority. Although this can indeed protect you in some cases, I suppose it can also create the dangerous assumption that if the VPN lets you connect to a website then it’s definitely safe. As a rule of thumb, you should not rely on a VPN to tell you whether a website is malicious, but rather not go to suspicious domains in the first place.

Conclusion

We have seen that modern web protocols, such as HTTPS with TLS 1.2-1.3, provide sufficient security on their own, including:

  • Server authentication
  • Encryption
  • Session integrity

Additionally, we can say that if the device is correctly configured and the user follows security practices (such as not proceeding to websites when the browser asks you not to), it is safe to assume that using public WiFi is not dangerous. At least it is not as dangerous as popular VPN providers claim.

However, it is incorrect to deem commercial VPNs useless. A VPN provides a way to circumvent content restrictions, protects people in oppressive countries from being charged for visiting forbidden resources, and gives a way to obtain an IP address from inside a specific country when the need arises. Additionally, a VPN hides your DNS queries from curious eyes and can sometimes prevent you from accessing a known malicious domain.

To conclude, modern communication protocols are secure enough, and a VPN is not strictly required to be safe on public networks. However, a VPN provides a lot of other essential features and is therefore at least worth your attention.

More articles by Ilya Smut
