What's in a VPN?

-- By EdenEsemuede - 01 Feb 2024

Introduction

"What is a VPN?"

When the average consumer inputs this Google search, the first thing that pops up is not the Google dictionary result. Instead, an article written by NordVPN? appears, rife with claims about data privacy and purchase links. Rather than empowering people with the tools to take control of their own privacy, companies like Nord, Express, and Surfshark jump to charge consumers high prices for significantly less privacy than they could get on their own. This essay argues that commercially available VPNs are not true VPNs, and offers alternatives to truly secure browsing. Defining VPN: Commercial vs Actual.

Commercial v. Actual

First, this essay will define a VPN, differentiating it from the definition proffered by commercial entities.

Commercial

The commercial understanding of a VPN is as follows: A VPN, also known as a virtual private network, is a tool that creates a secure connection between two networks. Illustrations liken a VPN to a secure underground tunnel between your computer and the websites you want to reach, keeping your information more secret than it would be if it traveled through the open-air, aboveground internet. These monthly subscription services keep your data totally secure, and allow you to watch Netflix shows in different countries.

Indeed, for a student doing a semester abroad and wanting to keep up with their favorite US show releases, a commercial VPN might seem like a harmless, functional purchase. However, in terms of privacy, commercial VPNs are extremely lacking. An explanation of why becomes apparent once you understand what an actual VPN could be.

Actual

A better explanation starts with an understanding of software networks through the OSI conceptual framework. You can liken each layer to an onion, touching and interacting with the layers directly above and below itself.

Layer 1, the physical, is about the electrical and physical parts of data connection. This includes the layout of pins, voltages, line impedance, cable specifications, signal timing, hubs, repeaters, network adapters, host bus adapters, and more.” In other words, it’s all the physical aspects of the device. If you’re troubleshooting something on this level, you might ask questions such as, ‘Is any of my copper wiring frayed?’ or ‘Is the computer plugged in?’.

Layer 2 is the data link layer. This is where pieces of data get transferred between physically connected devices. Data is divided into small segments called packets, then held within frames as it is transferred from one device to another. It is transferred over a bridge, which connects two network segments. Ethernet Cables operate at this level.

Layer 3 is the Network Layer. Once a device sends frames, Layer 3 decides how to organize them, figuring out what path each frame needs to take to be received on the other side. You can find IP addresses and routers on this layer.

Layer 4 is the Transport Layer. This layer coordinates data transfer between systems. Unlike Layer 3, the application programmer can interact with Layer 4 directly. It also makes up for any deficiencies on lower layers. As such, you’ll find many additional firewalls on this layer for user protection.

Layer 5 is the Session layer. This controls the dialogue between two parties and allows for ongoing communication. It also handles session identification, so only designated parties can get access to the information during that session. This is important for synchronization of data transfer. If you want to send a file between two machines, this layer sets up checkpoints where, in case part of one system fails or shuts down, the data can keep resending from that checkpoint rather than restarting. This makes information transfer more synchronous and better.

Layer 6 is the Presentation layer. It operates in human language, formatting data before it gets presented to the final level. It translates, compresses and encrypts data.

Finally, Layer 7 is the Application layer, the things everyone interacts with online. HTTPS runs at this outermost layer.

With all of the layers of the network, it might surprise you to learn that commercial VPNs only work to protect things on the 7th layer. Rather than forming secure tunnels between you and your data, you simply form a pathway between yourself and the VPN. Then, if it is your only protection, the VPN can proceed to comb through all of your information at will. It is no different than having Google ‘encrypt’ your data for you, which is already what happens when you see the little padlock in the corner of your screen. Despite its claims to maintain your privacy, nothing in a commercial VPN’s terms of service stops the VPN company itself from doing all of the things a consumer is worried some anomalous ‘bad guy’ might do. In fact, VPNs have done this in the past. Previously known as Crossrider, Kape Technologies, (ExpressVPN? ’s parent company) was involved in the ad-injection technology business. These ads can be malicious, so rather than securing your data, a commercial VPN has free reign to harm your system at will for short-term profits.

Alternatives

As implied by the name ‘Virtual Private Network, an effective VPN should operate on Layer 3, the Network Layer.

This can be done through a Secured Shell Protocol (SSH). SSH is a login protocol that connects remote computers via an encrypted connection. Basically, it is a special program that can securely connect two remote computers through a router. Unlike commercial VPNs, this secret tunnel is run and designed by you. Secure Shell protocols are secure, fast, low power, portable, and because they are separate from your core firmware, simple to upgrade.

Another alternative is OPENVPN. It costs nothing for personal use and allows you to form secure connections like you would by setting up a SSN.

Conclusion

Commercial VPNs may not be what they seem, but that doesn’t mean that privacy-concerned individuals are out of options for protecting their online browsing information. Through using a SSH, or at the very least OPENVPN, consumers can protect their online privacy.

Sources

1. https://d1wqtxts1xzle7.cloudfront.net/37556683/THE_OSI_MODEL_OVERVIEW_ON_THE_SEVEN_LAYERS-607-libre.pdf?1430932201=&response-content-disposition=inline%3B+filename%3DTHE_OSI_MODEL_OVERVIEW_ON_THE_SEVEN_LAYE.pdf&Expires=1706821410&Signature=Up8wvORFaDCDNFtDTyn3nKGKtXIrQno3RNzry3B8lYaOi6H705mSsRsB4knjEtE8Eixj1A3Imv8mxQJ1NT~6fcdw1qCL~I6diA9vk9PMl9lMqMMRxv5aL5nvLjjk9PH70k7hbTxTq~fKmWalwqjnoZqD4OfA2iVKWXzkqOPFy19ivIaVBBQrgR22wNVBL7h3O0ZcINO3uPufFDx~IqfVvUZhaTYuaauwMrB5b3KTK6sq7vNJQ2cVkNE6hzEPs8WJj2EzjsFnHcWPT-ZtxVJxofPLhr3chOMntKwCjlItRu0qsOyILl6KMQeO-1wl3O04YpRGNYrj0cj4CUj5UBA8yA__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA

2. https://www.extrahop.com/company/blog/2019/understanding-the-osi-model-and-osi-layers-in-2024-extrahop/#:~:text=Rather%2C%20it's%20a%20simple%20mnemonic,%2C%20data%20link%2C%20and%20physical.

3. https://www.cloudflare.com/learning/network-layer/what-is-a-packet/

4. https://security.googleblog.com/2015/05/new-research-ad-injection-economy.html

5. https://hide-ip-proxy.com/what-is-ssh-proxy/#what-is-the-ssh-protocol

6. J. D. d. Hoz, J. Saldana, J. Fernández-Navajas, J. Ruiz-Mas, R. G. Rodríguez and F. d. J. M. Luna, "SSH as an Alternative to TLS in IoT? Environments using HTTP," 2018 Global Internet of Things Summit (GIoTS? ), Bilbao, Spain, 2018, pp. 1-6, doi: 10.1109/GIOTS.2018.8534545. keywords: {Security;Internet of Things;Software;Protocols;Servers;Hardware;Linux;SSH;IoT;TLS;HTTP;HTTP/2},

7. https://openvpn.net/access-server/pricing/