That VPN may not be as secure as you think


If you’re a VPN subscriber and have ever wondered just how secure the supposedly encrypted pipe that you’re using through the internet is — and whether the anonymity promise made by the VPN provider is indeed protecting your privacy — well, your hunches may be correct. It turns out several of these connections are not secure.

Academics say they’ve discovered a whopping 13 programming errors in 61 separate VPN systems tested recently. The configuration bungles “allowed Internet traffic to travel outside the encrypted connection,” the researchers say.

The independent research group, made up of computer scientists from UC San Diego, UC Berkeley, University of Illinois at Chicago, and Spain’s Madrid Institute of Advanced Studies (IMDEA) with International Computer Science Institute, writes in a piece this month in The Conversation, some of which is redistributed by Homeland Security Newswire, that six of 200 VPN services also scandalously monitored user traffic. That’s more serious than unintended leaks, the team explains — users trust providers not to snoop. The point of a VPN is to be private and not get monitored. VPN users range from companies protecting commercial secrets on public Wi-Fi to dissidents.

Some botches are actually “defeating the purpose of using a VPN and leaving the user’s online activity exposed to outside spies and observers,” the researchers say.

Other problems the team discovered include that some VPNs allegedly lie about their server locations. “We found some VPNs that claim to have large numbers of diverse Internet connections really only have a few servers clustered in a couple of countries,” the researchers wrote. They say they found at least six VPNs faking routings through certain countries when they were actually going through others. That possibly creates legal issues for the user, depending on local laws.

Other trouble areas included privacy policies. Fifty of the 200 VPN providers that were tested had no privacy policies published on their websites at all, the group says.