Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Alexei Balaganski. He is Lead Analyst with KuppingerCole. Hi, Alexei, good to see you.
Hello Matthias, it's great to be here again.
Great to have you. We have October 2022 and that means we are in Cyber Security Awareness Month. So we want to talk about topics that are closer to the end user, which are more practical and have a direct impact on what you can do to improve your security posture when you're listening to that podcast. As a start, when you're currently surfing the web, when you're on YouTube, when you're, yeah, looking at your favorite sites and you have advertisements enabled and you don't have an ad blocker, you get really bombarded with ads regarding VPNs to protect your security, your privacy, your data. Alexei, is this something that you consider to be valid? Is this something where you think people should take care of that and should have a VPN?
First of all, you're absolutely right. It seems like VPNs are now everywhere, with like probably every second video on YouTube has a built-in integration to a VPN service. And apparently we are led to believe that basically VPNs would solve any of your security problems online. I believe personally and not without some reasoning, which we explain today, that these ads are misleading at best. So, yes, we should probably explain just quickly what a VPN actually means from a technical perspective. So, VPN stands for Virtual Private Network. By modern standards, it’s a really ancient networking technology which existed for decades already. And the original purpose of a VPN was to establish a connection between two remote networks. Basically, if you have a central office of your company and you have a branch office somewhere in a different city, but you want your workers to be able to work as if they are in the same office, you would need a VPN. Obviously, it's virtual private network. It's a secure tunnel which is established over the Internet and it will send all your traffic through the secure tunnel, which would from somebody communicating to you appear that you are located somewhere else, like in your company's central office. For enterprise users, VPN was basically the most dreadful part of the daily user experience. If they are traveling for work, if they are staying in the hotel, or I have to work from a train or a coffee shop, they would have to launch a special client and then go through a tedious procedure of logging in, probably using some kind of security key or smartcard, to validate the identity, and then finally accessing their work documents, for example. This experience for most or at least for many users in the enterprise market is already in the past because especially in the recent years, much more modern solutions, Zero Trust Networks Acess solutions, for example, are increasingly replacing those old school VPN. So, obviously, the companies which are making their living from selling VPN products are now looking for alternative markets, and apparently they have found enough, let’s say, gullible end users who are ready to pay quite a substantial sum of money, because usually you would buy a VPN subscription for like three years in advance to somehow improve their home security. Does it really work? Let's just go through the promises one by one.
Okay. When you start with this promise, the situation that I currently encounter very regularly is that I'm in a hotel or on a train station where I use a public Wi-Fi, or even a Wi-Fi where I have a shared credential available, where they give me the key to enter the Wi-Fi. And then I'm really not sure what happens with my traffic during transfer. As long as it is https and it's a website, I can assume that this is encrypted, but on a protocol level, but everything else is not protected. So I would assume having a VPN that encrypts all my traffic through the hotel network or through the train station network is a good thing, isn't it?
So, yes, let's just start with talking about the security promise of a VPN. So a VPN provider will tell you about tunneling your last mile traffic, let’s call it like that, through their infrastructure would make you more secure. Well, I mean, technically, this is true, they will make your last mile connection slightly more secure. Yes, if you are still using an unencrypted public Wi-Fi in an airport or in a hotel - yes, theoretically, your traffic is potentially exposed to someone on the same wireless network. And they could sniff your traffic and steal some data from your network packets, basically. The problem is that nowadays everything is now using TLS. So, yes, you mentioned https in the browser. If you have that lock icon on any browser type, you have all on, then basically your traffic is already encrypted. There is absolutely no need to encrypt it once again through a VPN tunnel. But even if it's not, even for whatever reason you are connecting to a completely unprotected resource. To be honest, I just cannot think of any modern internet resource you would actually connect unprotected because anything now is encrypted, because TLS is very cheap, remote desktop sessions, remote channels, some fat clients which connect to an API endpoint. They're all encrypted now. But let's say you want to access your home FTP server which is completely unprotected. So yes, a VPN would protect you on that last mile from the hacker lurking in an airport nearby. But the rest of your connection would still be unencrypted. There are still so many other opportunities to intercept it after it leaves the other end of the VPN tunnel. So unless you have a VPN tunnel established directly to your home network, for example, then you are still unprotected. So yes, I mean, technically they are not lying to you outright. They are just kind of overselling their security promise massively.
Okay, then next stop, privacy. Many of these VPN providers come with the promise that they protect your privacy during surfing, by hiding your location, and maybe more. What is it what VPNs can add to increasing your privacy?
Yeah, that's actually a very interesting proposal. And again, I believe it's not just misleading, it can be potentially even dangerous. I mean, usually the claim is basically that your Internet provider, like for me, for example, it's Vodafone Germany, that they will be monitoring my connection from my home Internet and they will know what I'm doing, like which sites I am visiting, which products I'm buying online and stuff like that. And of course, if I install a VPN client, then my provider would not know that anymore. Well, you have to clearly understand that, Yes, your traffic, your last mile traffic again, will be hidden from your Internet provider and then it will be that the VPN provider will be able to sniff all your traffic and see all your online behavior. Why would I trust to some shady company which is based somewhere in an offshore country any more than I would trust to a German company, which is supposedly governed by a much higher privacy standard? So, again, technically, they are not telling a lie. They're just kind of replacing one point of potential trust abuse, if you will, with a different one where you have you in less control. So if anything relying on a VPN to protect your identity, to ensure your anonymity online, is potentially very dangerous, especially if you're talking about some countries where this is still considered a crime, North Korea, maybe parts of China or Iran or whatever. If you are involved in any kind of political dissent or even just something which you don't want anyone else to know about, a VPN is a really flimsy and unsafe method of protecting your anonymity. You should rather consider first of all, I don't know if we should even go into such potentially criminal details, but you should probably try to use a burner form or use some communication tool which is end to end encrypted, like the Signal messenger or even Telegram or WhatsApp. I mean, probably WhatsApp alone is better for your privacy than a VPN, even though it is owned by Facebook and we all know what Facebook does for privacy.
But I would assume that there are still some good use cases where a VPN can support in changing the origin of a data package to hide my location as a user, I think of journalists hiding their actual position, and you've mentioned that, if you are in a state where there's no full freedom of speech and no full freedom of expression. Is this not a scenario where that could make sense? I'm not talking about watching a different country’s TV streaming service. I'm really trying to think of scenarios where you want to hide where you are.
Again, for most end users, hiding where they really are is more of a convenience feature. Yes, if I want to watch, I don’t know, some British TV shows which I cannot access from Germany. Yeah, I would probably rely on a VPN to basically trick, let's say BBC into thinking that I'm located in the UK. But again, this has absolutely nothing to do with privacy or security and this is purely a convenience feature. And by the way, this feature is really easy for the actual content provider to identify and prevent you from accessing in anyway. Because if you are using a really popular VPN service with thousands, even millions of other users, you are still accessing that through a very well known IP address. And it's up to Netflix or BBC or any other content provider to just block that IP address from accessing their resources completely. And this is known to have happened in the past and will probably happen even more in the future because of course those content providers are not interested in piracy and stuff like that. So again, this is a convenience feature and not a very reliable one, but this is absolutely not a privacy feature. It's extremely easy to circumvent and it's extremely easy to steal or be able to identify you as the user through all those nefarious tracking features companies nowadays employ to identify you. They don't even have to know that you are Matthias Reinwarth, but they will still have enough evidence on you basically to use some big data analytics, maybe at least identify your real world location. And if you are planning something really illegal, a VPN will not help you in any way.
Right. So we've talked about security. We talked about privacy. Is there anything where you consider a VPN being useful to be employed in communication?
Again, as I mentioned, the only really useful method of using the VPN nowadays, is just convenience. What if I want to know what my website looks from a different country? What if I want to watch a geo blocked TV show, which is a, let's call it quote unquote “testing tool” or a convenience unlocker for an end user. This isn't really the only valid reason to buy a VPN nowadays. But again, even that reason is already at least partially illegal in some countries around the world, hopefully not in Germany or in the U.S., but again in countries like Russia or China, just having VPN subscription can be a problem.
Okay, so what would be the alternatives? Alternatives would be to make sure that every website that you're visiting, every service that you use is configured to be using built-in encryption to protect you from ground up?
Absolutely. Well, first of all, obviously, you have to know that anything you access online is secure. Again, in the browser, you just have to look for the lock icon, which is pretty easy to spot for any user. For some other applications, you just have to do a little bit of research. Like if you want to use a new instant messenger or a video service or anything else, well, there is no other way but to read through the terms of service and so on and understand that, yes, this is actually secure, this is actually encrypted. Again, for some really well known services, it's already common knowledge like we do know that Zoom, for example, uses end-to-end encryption, or Telegram or Signal Messenger. And we also know that WhatsApp is only partially secured that way, so it's up to you to decide whether you want security more than you need convenience. And that’s about the security part of it. And of course, you have to understand that if you are using a third party security tool, you are still relying on that third party security tool provider. You still have to trust them. You have to think about it like, do you want to trust some company from, you know, like a small Caribbean country with shady legal practices or would you rather trust a large, well-established communication provider from Germany or your home country?
Okay, great. Thank you very much, Alexei, for giving your opinion and your position on the use of these security tools and maybe, quote, unquote, security tools and privacy tools, and I hope this was useful also to the audience for deciding where to spend money on and where to invest some work, when it comes to securing your own security and privacy. And I think that was really helpful. So hopefully security or cybersecurity awareness has been improved by this. Thank you very much, Alexei, again for being my guest today for this Cybersecurity Awareness Month episode, and I'm looking forward to having you very soon again here in my podcast.
Thank you Matthias, and by the way, as a final take away. Remember Zero Trust, your motto on the Internet, whether you are an employee of an enterprise or just a home user, should be trust no one. Don't even trust us. Do your own research. Follow your commonsense and stay safe. Thank you.
Great. Thank you very much, Alexei. I'm looking forward to talking to you. Bye bye.
Bye.
