October 23, 2019

NordVPN, a VPN service provider, got hacked some time in 2018. In their official response, they say that only one server was affected due to an insecure remote management system left on the machine by the datacenter provider. Private keys got leaked (bad), some other VPN providers were also breached (bad) but that's not what I want to write about (good) because there are better places to read about it.

NordVPN: Ain't no hacker can steal your online life. (If you use VPN). keksec: This one isn't our work, it's just been floating around mostly unnoticed. Plus a link to some private keys and more.

Tweet by keksec announcing the incident to a wider audience

I don't use any VPN (Virtual Private Network) for security. I don't even use any VPN for anonymity. The VPN providers can't guarantee one anyway, a VPN provider is just another Internet Service Provider. Having researched some “VPNs”, I can safely say that the VPN landscape has turned into a VPN minefield with pseudonymous companies leading the market, with some browser extensions redirecting to spam sites, while others don't even encrypt the traffic.

Instead, I push sites to move to HTTPS and implement things like HSTS (HTTP Strict Transport Security), which tells the browser to automatically upgrade requests to https:// even when you click an http:// link or don't type https:// in the address bar (because why would you), so everyone gets better security. I push services to move to encrypted protocols and not even offer unencrypted versions: I like what Gmail does, for example, and I hate when major local email providers offer plaintext email protocols (though at least they now say these are not recommended). I don't buy anything from sites that don't do HTTPS.
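To make the HSTS mechanism concrete, here is an added example (written for this page, not code from the original post or from any browser) of what a browser does with a Strict-Transport-Security header: it parses the directives, remembers the policy only when it arrived over HTTPS, and later rewrites http:// navigations to https:// before any request leaves the machine, including subdomains when includeSubDomains was set. All host names, header values and timestamps below are constructed for the demo.

```python
"""Minimal model of browser-side HSTS handling (added example, not from the post)."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed in-memory cache: host -> (expiry as seconds since the epoch, include_subdomains)
HSTS_CACHE = {}


def parse_sts_header(value):
    """Parse e.g. 'max-age=31536000; includeSubDomains; preload'.

    Returns (max_age, include_subdomains), or None when the header is unusable
    (missing or non-numeric max-age), in which case a browser ignores it.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # 'preload' only asks to be shipped in the browsers' built-in list;
        # it changes nothing at runtime, so it is ignored here.
    if max_age is None:
        return None
    return max_age, include_subdomains


def remember_sts(host, header_value, secure, now=None):
    """Store (or, for max-age=0, forget) the policy a host just sent.

    A browser only honours the header when it was received over HTTPS;
    over plain HTTP an attacker on the path could have injected it.
    """
    if not secure:
        return False
    now = time.time() if now is None else now
    parsed = parse_sts_header(header_value)
    if parsed is None:
        return False
    max_age, include_subdomains = parsed
    host = host.lower()
    if max_age == 0:
        HSTS_CACHE.pop(host, None)  # the host is opting out of HSTS
    else:
        HSTS_CACHE[host] = (now + max_age, include_subdomains)
    return True


def upgrade_url(url, now=None):
    """Return the URL the browser will actually fetch for a navigation."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    host = parts.hostname.lower()
    labels = host.split(".")
    # Walk from the exact host up through its parent domains; a parent's
    # entry applies to this host only if it was stored with includeSubDomains.
    for i in range(len(labels)):
        entry = HSTS_CACHE.get(".".join(labels[i:]))
        if entry is None:
            continue
        expiry, include_subdomains = entry
        if expiry <= now:
            continue  # expired policy, a browser would evict it
        if i == 0 or include_subdomains:
            # Port 80 maps to the https default (443); any other port is kept.
            netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url


if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock value
    remember_sts("example.com", "max-age=3600; includeSubDomains", secure=True, now=t0)
    print(upgrade_url("http://www.example.com/login", now=t0))   # upgraded to https
    print(upgrade_url("http://example.com/", now=t0 + 3601))     # policy expired, stays http
```

The two cases that bite in practice are visible in the code: the policy is only as durable as max-age (an expired entry silently falls back to http://), and a header received over plain HTTP is ignored, which is why the first visit to a site is still unprotected unless the site is on the preload list.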

However, I use a VPN provider to bypass stupid geo restrictions, to check location-based pricing, to allow me to google for weird stuff without the rest of the devices on the same network getting CAPTCHA'd because of unusual bot-like queries. But I don't use a VPN for staying safe online.

For some increased browsing security, install the EFF's HTTPS Everywhere extension to auto-upgrade more sites to HTTPS. But you don't need a VPN-as-a-service to stay safe even when on public networks like the Internet. (For the sake of completeness, I'm talking about consumer VPN providers, not some enterprise Cisco and whatnots.)

I did recommend using a VPN provider a few years ago, but I no longer do. The web (and the Internet in general) has moved on and more and more sites are using HTTPS now 🎉 This is the progress we have made over the last 3 years:

Percentage of pages loaded by Firefox over HTTPS (source, similar data from Chrome):

    Date          USA users   Japan users   All users
    Nov 2, 2016   57.76291%   24.53105%     48.55465%
    Oct 8, 2019   89.36207%   80.20807%     79.97562%

Of course, you can build your own VPN server using Algo or Streisand and be your own provider but for me, it would be yet another separate machine to secure, and I'll rather bug others to secure theirs 😜

Your own VPN server might not be the best solution for you either, because then your traffic won't be coming from you but from your server (and only from your server, and only your traffic, see the problem?). Of course it all depends on what you do and need. But for staying safe online, for security and anonymity, don't use a VPN provider. For anonymity, use Tor Browser, but staying anonymous is not an easy task long-term, so maybe don't get yourself in a situation that requires it, ok?

Michal Špaček

I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.
