Anybody contemplating using a VPN server or Proxy services may want to read the following excellent write-up by ZHUREN on ISG, Living in China section, posts #1423 and 1426, on the pitfalls and dangers of doing so.
Please be very careful when using free (and to some degree even paid) proxies and VPNs. Here is why.
Please keep this in mind at all times:
EVERYTHING you send through a proxy and VPN is wide open to the party operating the proxy/VPN. EVERYTHING, meaning your passwords, userids, credit card numbers, any and all data you send via that link (short of encrypted traffic sent through an encrypted VPN or SSL connection…) is freely available to the party at the other end.
When you use a proxy or VPN, you need to know that you entrust your data to another party at the other side. This party has access to your most private secrets. Would you trust a perfect stranger?
Why do free proxies exist?
Setting up a proxy costs time and money. Have you ever contemplated why there are free ones? For several reasons:
1.) Per chance. Many proxy servers are created by mistake when someone sets up a new system. They are found by robots and included in lists. Suddenly, the traffic spikes, the administrator finds out, he fixes his mistake, the proxy is gone. This explains the short shelf life of many proxies.
2.) As a trap set up by criminals. The easiest way to collect private data is to set up a free proxy. People who use it have something to hide. People who set it up have a lot of interesting stuff to gain. Many free proxies are set up by hackers. While you use their proxy, they steal your information, get access to your computer, place Trojans or rootkits on your computer. From now on, your computer will operate as part of their botnet and do whatever else they want. Stolen credit cards, and “rental fees” to botnets easily compensate for the cost of the proxy. When or before the illicit nature of this proxy is discovered, it is shut down. This explains the short shelf life of many proxies.
3.) As a trap set up by law enforcement. Because proxies attract people who want to hide something, many proxies are set up by LE. Refer to #2 for the rest. There is no need to shut down these proxies. This explains why some of the longest living and best performing proxies are operated by governments or law enforcement agencies.
4.) As a service to society by do-gooders. But how do you know that #4 isn’t a #2 or #3? You don’t. These proxies tend to stay around for a while also, until the do-gooders are sick of doing good for free. A notable exception is the TOR network. It is a distributed, peer-to-peer network of volunteers. It uses encryption. It’s usually slow like molasses. Again, the encryption ends at the exit nodes of the network where it can be sniffed, recorded, analyzed. You never know.
Why do free VPNs exist?
Except for the inadvertent creation (VPNs need to be managed and administered,) the same applies to free VPNs. They are set up by criminals, law enforcement agencies who want to entrap criminals, and by do-gooders who want to provide a public service. As above: You never know. Keep in mind: The VPN traffic is encrypted (some traffic, especially via the PPTP protocol is easily breakable,) but it’s only encrypted as far as the VPN-provider’s server. Once there, the traffic is decrypted and passed on in the clear. On the provider’s server, the traffic can be viewed, stored, analyzed, traced back to the sender et al.
Who do you trust?
It is up to you to decide what the intentions are to provide a free proxy or VPN service. The old “if an offer sounds too good to be true” adage applies. I trust a free proxy or VPN service as much as I trust anyone who offers me any free service: I don’t.
Paid proxies or VPNs
Note that in theory (and some praxis) the same as above applies to paid proxies and paid VPNs. Just because you pay them doesn’t make your information more secure. The fact that they are a commercial enterprise simply raises your trust level. They invest time and money to get you as a customer, and they will lose all customers if they abuse your data. Which doesn’t assure you that they won’t cheat you. A paid proxy or VPN simply raises the likelihood that it is legit. If I were really insidious, then I would operate a low cost, high performance, paid VPN service. I would have all my customers’ credit cards, and therefore addresses, identities, SSN#s, credit ratings. I would know what they access all day and would even make some money to cover the cost. Can’t help you with that conundrum.
Proxy or VPN?
If you pay, use someone you deem as reliable, stay away from the too good to be true offers, and pay for a VPN instead of a proxy. A VPN encrypts all traffic from and to your machine without additional fuss. Proxies are headache-inducing, they need a lot of fiddling on your part and often they plainly don’t work. If you pay, pay for a VPN.
Other uses of a VPN
If you use a hotspot in an airport or Starbucks, if you use an internet connection in a hotel or any other public place, and if you value your data, ALWAYS use a VPN. If you don’t, the data you send is available to anyone on that network. Wifi connections to public hotspots are unencrypted and can be sniffed by anyone who knows how. The easiest way to get high value data is to camp out with a laptop in the first class lounge of an airport (keeps out the riffraff …) If you are using a hotel connection, assume that your data is being logged. Wifi in public hotspots and hotel networks can be fertile grounds to harvest high value data.
Paranoia dept. 1
When you sign up for any encrypted service, the initial sign-up stage is usually in the clear. Userids, passwords, keys etc. often get sent via email. Renewal notices and transactions are often sent via email. Can be easily intercepted. Be careful. You might be buying a complicated security system while giving the key to someone you want to lock out.
Paranoia dept. 2
The identity and addresses of VPNs and proxies are no secret. The IP numbers of the providers and ports to be used can be and are being blocked. More insidiously, they can be spoofed. You think you are connecting to your VPN provider, but instead you go through someone else’s computer. To set this up takes considerable effort and energy. It is unlikely. But not impossible. “Someone else’s” identity is left as an exercise to the reader.
Most trusted solution
The person you can trust the most is yourself. The safest VPN is the one you have set up yourself. If you know how to, you can set up a small server back home. Preferably via TCP port 443, which makes your traffic look like regular https traffic. If you don’t know what I’m talking about, then you probably can’t set up that system anyway. An (expensive) alternative is to rent a private or virtual private server elsewhere and set up the endpoint there. In both cases, the identity of the VPN server can be tracked down, so don’t use it for doing something you should not. You still need to be able to trust the ISP, the administrator of the datacenter on the other end, or the person who has the keys to your basement. There is no such thing as perfect security.
Firewall it!
Often forgotten: If you use a VPN, it bypasses all routers and firewalls on your premises. Your home or office router usually provides a level of safety. With a VPN connection to the Internet, that level of safety is removed, and you are wide open to attacks. Don’t get lulled into a false feeling of safety, just because you use an encrypted connection. The other end isn’t encrypted, and your computer is as vulnerable as if you connect it straight to the internet via a cable modem or ADSL connection without an intervening router. If you use a VPN, ALWAYS use a personal firewall such as Zonealarm etc. and set the security level to high.
Other uses for a VPN
If you travel a lot, it probably happened to you many times: You ordered something with your credit card. The charge was denied. You call the card company and incur expensive long distance charges on your mobile. Turns out your card is good. Or sometimes, turns out your card was just blocked because of a possible security breach. What happened? Ignorant of the fact that people travel, the webshop on the other side used a geo-location of the IP-address where you are at. The IP says you are in Timbuktu, whereas your address is in Hicksville, USA. The charge is denied. Or worse, reported to your credit card company, which blocks your card until you call them and tell them that you are on vacation in Timbuktu. With a VPN that has its endpoint in the USA, this hassle is usually avoided. If the VPN server sits in Los Angeles, they think you are in Los Angeles. It usually works. The charge goes through. Americans are allowed to travel freely in America, but never abroad. Very paranoid shopping sites have a list of VPN servers and all alarm bells ring when you use them. Then they want you to send a copy of your credit card and your driver’s license and your firstborn’s birth certificate to someone in Bangalore. What a mess.
Last words
The only halfway reliable security is end-to-end encryption. If your website supports it (this one does not) use the HTTPS protocol instead of HTTP. To try, use https://www.yoursite.com instead of http://www.yoursite.com. For email, always use secure (SSL) connections for sending and receiving. Some ISPs, hotels, hotspots etc. block the ports of these protocols. Be very wary if they do. Use your VPN. If they won’t let you use your VPN, move.
Hope that helps.
My write-up is based on an understanding of the business and the technology. Whether one should be paranoid or not is up to the user. As far as UltraVPN is concerned, it is fair to question the motives of its operator. We don’t know who runs UltraVPN. All we are told is that “UltraVPN servers are run by Lynanda.” Doesn’t mean a thing. My servers are run by datacenters in various parts of the world. However, I control them. And who’s Lynanda anyway? The only thing noteworthy about them I found was that they invented a piece of software that blocks Skype. Thanks a lot. Not the best reference for someone who supposedly protects your privacy. Or not.
Bandwidth ain’t free, hardware ain’t free. Operating a high performance VPN service for gadzillions of users needs a serious investment into hardware and bandwidth. Why they do it isn’t clear at all.
If you go to https://www.Lynanda.fr and to https://www.ultravpn.fr, your browser will throw a security certificate error, saying that the security certificate is bogus. This is common with amateur sites that don’t want to afford the $100 or so a decent certificate costs, but it is highly questionable for a company you entrust with all your data. And by the way, UltraVPN.fr is registered through an OVH company which prides itself in providing "Certificats SSL" amongst other products. They could have provided the registrant LYNANDA COMPUTING SERVICES (well, at least the website is registered to Lynanda...) with a decent certificate. I don't know what kind of certificate they use for UltraVPN, but if they can't come up with a real one for their own sites, I fear the worst. As explained here, non-bogus certificates issued by a trustworthy certificate authority are at the heart of a trustworthy OpenVPN service. (Also see "Paranoia 2" in my previous writeup. Your OpenVPN client can check for a valid certificate or certificate revocation to avoid these man-in-the-middle attacks.)
The Swedish Pirate Party, which has an ideological motive to protect privacy, runs a well-known VPN called Relakks, (note the working certificate,) but even their VPN isn’t free, it costs EUR 45 a year. At least they have a halfway decent data privacy policy.
UltraVPN’s data privacy policy is notable by its absence. All they say is “No connection or traffic logs are kept.” With that “policy,” they could keep all data (except for the logs), or give the logs straight to the Deuxieme Bureau, or do whatever they please, except for keeping the logs.
They don’t need any logs. Most traffic in Europe already is logged. As for most in Europe, there is even an EU directive. UltraVPN doesn’t have to log anything, their ISP is REQUIRED to do that as per EU regulation 2006/24/EC. As you correctly write, China is not alone. Just a bit hamfisted. France has an especially bad history of privacy. Until 1999, all encryption in France was against the law. After 1999, only weak encryption was allowed. It needed EU regulations to make encryption legal in France. In Germany, the government now can legally put a Trojan on your computer (and I’m not referring to the rubbers.) Many countries are surrounding themselves with their very own firewalls. Of course, they are there to protect the citizenry from kiddie porn. Yeah, sure.
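Added example, not part of the original posts: the write-up notes that an OpenVPN client can check the server certificate and its revocation status, and this small audit shows which client directives turn those checks on. The directives are standard OpenVPN options; the two sample configs, host name and file names are constructed placeholders.

```python
# Constructed sample client configs; host and file names are placeholders.
WEAK = """client
remote vpn.example.net 1194
ca ca.crt
"""
HARDENED = """client
remote vpn.example.net 1194
ca ca.crt
remote-cert-tls server
verify-x509-name vpn.example.net name
crl-verify crl.pem
"""

# (directive, required argument or None, what is lost without it)
CHECKS = [
    ("ca", None, "server certificate cannot be validated at all"),
    ("remote-cert-tls", "server", "any cert from the CA, even a client's, can pose as the server"),
    ("verify-x509-name", None, "server certificate name is not pinned"),
    ("crl-verify", None, "revoked certificates are still accepted"),
]

def parse(text):
    """Map directive -> args; skips comments and the bodies of inline <ca>-style blocks."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            directives[line.strip("<>")] = []
            in_block = True
        elif not in_block:
            name, *args = line.split()
            directives[name] = args
    return directives

def audit(text):
    """Return (directive, consequence) for each certificate check the config lacks."""
    found = parse(text)
    return [(name, why) for name, want, why in CHECKS
            if name not in found or (want and want not in found[name])]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "all certificate checks present")
```

A config that only sets `ca` still accepts any certificate that CA has signed, which is why the audit flags the weak sample three times.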