Send email Copy Email Address

Annabelle Theobald

No added cybersecurity through double VPN services

CISPA researcher Matthias Fassl on false security promises by VPN providers

"Improved security" and "absolute privacy" when surfing the net - for some time now, providers have been advertising their so-called double, multi-hop, cascade, or chain VPN services with these and other promises. These services route users' data traffic in encrypted form via multiple servers to the actual destination. "However, many of the alleged advantages of double- or multi-hop VPNs do not exist, or at least not to the extent suggested by the providers," says Matthias Fassl. The Viennese native researches in the area of usable security at CISPA and is annoyed by this deception of consumers. He explains what Double VPN has to offer and who can benefit from it.

The technology behind VPN (Virtual Private Network) was already developed in the 1990s. A VPN generally uses the connection paths on the Internet but forwards the transmitted data in encrypted form from the user's terminal device through a kind of tunnel to the VPN server and only from there in its original form to the actual destination. VPN is interesting for companies because it allows employees to securely access the local company network from home or on the road and use services otherwise only available locally. The same applies to private users, for example, if they want to access streaming services abroad from Germany that are blocked here. VPNs also offer another advantage: Web services no longer display the IP address of the user. Instead, the VPN server appears as the origin of the request. 

For some time now, VPN providers have been advertising so-called double VPNs, which route the data not only via one VPN server but via two. They advertise the services with slogans such as: "double encryption, double security." Matthias Fassl says: "That's not true as such. Double encryption offers only slightly more security - if at all. Single encryption is sufficient." In addition, double VPNs - or even triple or quadruple VPNs, with which the providers outbid each other - often promise more or even absolute anonymity. Even this promise is not tenable. "More hops from the same provider do not bring more anonymity."

The providers frequently name journalists and political activists as target groups for their services since they are particularly dependent on anonymity and data protection, depending on the explosiveness of their topics. However, these groups often have to deal with state actors and thus with strong attackers. They cannot be fooled with multiple VPNs, no matter how many servers from the same provider are interposed. Even with multiple forwarding, strong attackers can still connect the data packets coming in and going out of the VPN services and thus trace the data streams back to the users.

In addition, the VPN server appears as the point of origin of the data for all VPN connections - even in the simple variant - and the user's IP address remains invisible. "But the IP is by no means the only identity feature," explains Fassl. For example, so-called browser fingerprinting techniques can be used to read out the exact configuration of the browser. "Installed plug-ins, time zone, operating system, screen size, the selected language, and all kinds of other information make users unique and identifiable. Even the use of a VPN does not help."

According to Fassl, there is another problem when it comes to government tracking. In the end, VPN providers would have to log data on court order and pass it on to the authorities just like Internet providers. So it is just replacing one threat with another, Fassl says. Using the Tor browser is the only way to protect data from access by government authorities.

However, the doctoral student admits that double VPN services are not useless. Under certain circumstances, they can be used to circumvent Internet censorship in repressive states. Authoritarian regimes know all the tricks, of course, and often quickly cut off simple VPN connections to foreign servers. However, if VPN providers can find a way to route data internally from a local VPN server to a VPN server abroad, users can bypass state firewalls.  "So an increase in freedom is definitely possible through the services."

translated by Oliver Schedler