Preshared keys

White offered a quick list of VPNs that have preshared keys posted online: GoldenFrog, GFwVPN, VPNReactor, UnblockVPN, IBVPN, Astril, PureVPN, PrivateInternetAccess, TorGuard, IPVanish, NordicVPN, and EarthVPN.

“If I know the preshared key for your VPN and I am somebody who has control of the Wi-Fi access point, and you’re using a preshared key with a VPN I know, then I can basically man-in-the-middle attack and decrypt everything you’re doing,” said White. “The security you get against that kind of attacker when the preshared key is known is not very strong.”

PPTP instead of IPSec, L2TP/IPSec, IKEV2, or OpenVPN

Some VPNs use the outdated PPTP VPN protocol, which is fundamentally insecure. Better options include IPSec (LibreSwan and StrongSwan, which are actively maintained), L2TP/IPSec, IKEv2, or OpenVPN.

Among these alternatives, IPsec can be set up without installing extra software, but some believe it was either compromised or intentionally weakened by the NSA. OpenVPN is more secure but can be more difficult to set up and requires third-party software. It also needs to be configured correctly.

Recent research by High-Tech Bridge found that 90 percent of SSL VPNs tested use insecure or outdated encryption. In total, 77 percent used the insecure SSLv3 (or even SSLv2) protocols, 76 percent used an untrusted SSL certificate (making it easier for remote attackers to perform man-in-the-middle attacks and intercept all data passing over the VPN connection), and a large chunk used insecure key lengths for RSA signatures, insecure SHA-1 signature. Believe it or not, 10 percent were still vulnerable to Heartbleed.

Data retention/logging

Some VPNs log information to be in compliance with data retention laws in their respective countries. And a lot of VPNs overall log information, such as when specific users connected, where they connected from, and even what connections they made. It’s not entirely easy to know whether to trust VPN claims that they do not log.

Even VPN providers that log less than others often do log usage data (including incoming connections, either by IP address or user name) and internal routing on the network they use for internal load balancing or server maintenance. This creates a record of user accounts or connections and outgoing IP addresses—which is quite a bit of information. Some logs are only held in volatile memory, but others are not, often due to retention laws in various countries. Ultimately, the information kept can be enough to de-anonymize VPN users if combined with usage data from that person’s computer or connection logs from another site.

Reading the terms of service closely may help you determine whether logs are maintained, what is retained, for how long it's retained, and perhaps even how such information would be used in which instance—but again, the claims are hard to verify. Folks thinking that VPNs will protect user identities in the case of criminal activity will be disappointed to learn that the US government actually has mutual legal assistance treaties with dozens of countries throughout the world.



Leakage

"From a technical point of view, I think the most underrated vulnerabilities are network leaks in the client-side VPN software,” said Campbell. Even after a user has connected to a VPN server, a few outgoing packets may not be using the VPN tunnel, which could compromise their privacy. “That could be life threatening. VPNs have been rightly criticized about this vulnerability by many in the security/anonymity community (e.g., https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf).”

Some VPNs do have settings that block insecure communications before they have a chance to activate, such as when you first sign onto a Wi-Fi hotspot or switch from one to another. Other providers allow users to set up firewall rules.

In June 2015, a group of researchers from Sapienza University in Rome and Queen Mary University in London tested 14 popular commercial VPN services and found that 10 of them leaked IP data, and all but one were vulnerable to IPv6 DNS hijacking attacks. The researchers did not comprehensively recheck VPNs to see if they deployed fixes, but they did run some ad hoc tests and found improvement. Again, though, it’s not easy to determine which VPNs that say they fixed this and other issues actually have.

“The advice that I would give people is that, if you’re worried about government monitoring, you should always use Tor, full stop,” said Dr. Gareth Tyson, a lecturer based at Queen Mary University of London and one of the authors of the study.

Again, this could prove to be an imperfect solution. While the Tor Browser may offer anonymity, censorship circumvention, and protection from monitoring and tracking, it’s not as speedy as using a VPN. Some ISPs unfortunately block Tor relays to boot.

Marketing hype

Hopefully, Ars readers can identify a majority of the online snake oil that exists. VPNs aren’t exempt, and many make claims that lack credibility (offering “100 percent online security,” for example).

“Take a really skeptical look at a service provider that makes claims of no logging, accepts Bitcoin, and makes any kind of grandiose claims about military grade or government-proof or NSA-proof encryption,” said White. Not only could VPNs have lax security, some may be honeypots run by nation-state actors. Conversely, VPNs that are very clear about their threat model and what they can and cannot protect against are likely more trustworthy.

Reading terms of service can sometimes provide a bit more clarity. For example, in 2015, the free version of the Israeli-based VPN Hola was caught selling users’ bandwidth to Luminati VPN network, and users who cloaked their IP addresses unwittingly became VPN exit nodes or endpoints (exposing their own IP address and associating it with other people’s traffic). Hola did not update its FAQ for clarity until 8chan message board operator Fredrick Brennan stated that Hola users’ computers were unwittingly used to attack his site.

What to look for

Given all the precautions and VPN footnotes above, is it feasible to find workable VPNs or at least reliable information about them? “Assertions from VPN service providers are absolutely caveat emptor, in the absence of public third-party audits,” White pointed out. “You’re getting Pinky-Promise-as-a-Service.”

That said, there are many positive signs to look for when evaluating a VPN beyond the basics: is the VPN using up-to-date protocols, what’s the reputation of the company and the people behind it (and their history or expertise), are terms of service easy to understand, what does the VPN protect against and what doesn’t it cover, and is the service honest about its disclosures?

Aside from these factors, Campbell recommends looking at any company activism, which he says is likely to demonstrate how much an organization cares about customer privacy. He also looks for a clear and unambiguous privacy policy rather than a boilerplate policy and for companies that have been in business for at least three years.

“There has been an explosion of cheap VPN providers over the last few years since the Snowden revelations,” Campbell warned. “Many of these new providers use laughable security practices. In many cases, they are Web hosting businesses that have decided to repurpose some of their servers, effectively becoming bandwidth resellers, but with no security experience.”

As a final precaution, Campbell also looks for VPNs that do not use third-party systems to capture sensitive customer data. “Any VPN service that respects their customers’ privacy will self-host all systems that interact with customers, such as third-party live chat scripts, support ticketing systems, blog comments, etc. Customers often submit very sensitive information in support requests without knowing that the VPN provider doesn't have exclusive control over the system,” he said.

DIY

Depending on your privacy needs, a pre-made solution may not currently exist. If that’s the case, technical users can roll their own VPNs. If a pre-made solution is more your speed, one option is running Streisand over a DigitalOcean VPS, Amazon Web Services, Vultur, OVH, or another reputable hosting provider. Created in the aftermath of Turkey blocking Twitter, Streisand's goal is to help users circumvent Internet restrictions.

“Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services,” the GitHub page reads.

Creator Joshua Lund told Ars that one of Streisand’s goals is to make the setup process as painless as possible. He envisions the open-source service growing into a ”centralized knowledge repository” where the best practices can be updated and automated by a watchful community.

“Streisand automates several difficult steps that can dramatically increase security,” Lund told Ars in an e-mail. “For example, Streisand's OpenVPN configuration enables TLS authentication (AKA an ‘HMAC firewall’), generates a custom set of Diffie-Hellman parameters, and enables a much stronger cipher and checksum algorithm (AES-256/SHA-256 instead of OpenVPN's antiquated default of Blowfish/SHA1). Many users will skip these optional and time-consuming enhancement steps if they are configuring OpenVPN by hand. In fact, most commercial VPN providers don't enable these features in their OpenVPN setup.”

Other benefits of Streisand include automatic security updates and an automated setup process that allows users to get a brand new server running in around 10 minutes. And when compared to commercial VPN providers, Streisand-deployed servers are far less likely to become targets of censorship efforts, DDoS attacks, or blocked access to streaming services.

Like VPNs at large, your mileage with Streisand may vary. And after surveying the state of such offerings in 2016, there may only be one truly universal rule: What to look for in a VPN depends on what you’re using it for in the first place. A user looking for local network security has different needs than someone using a VPN for geoshifting, for example, so these decisions can get complicated fast. But being aware of the limitations of VPNs in general and knowing what specific weaknesses and pitfalls to avoid can at least help you make a more informed complicated decision.

Yael Grauer (@yaelwrites) is an independent tech journalist based in Phoenix. She's written for WIRED, Slate, Forbes, and others. Her PGP key and other secure channels are available here: https://yaelwrites.com/contact/.