We have already talked about VPNs; in this article we deal with security protocols. The protocols are the cryptic acronyms, such as PPTP, L2TP, SSTP, IKEv2 and OpenVPN, that every service advertises, and they are what determines how secure a service really is.
Structurally, VPN connections are not complicated: they are built on a client, tunnel, server structure. The client routes the user's traffic into the tunnel; the tunnel carries that data securely to the destination server. The destination server may sit on a private corporate network or on the public Internet. With this arrangement, all Internet traffic generated by the client appears to come from the server's IP address. This is why VPNs are used to get around territorial blocks (every serious service has servers in most regions of the world) and to hide your IP address (and, to that extent, your identity).
Here is a quick index of our study:
What are security protocols?
Such a connection has only two weak points: the tunnel and the destination server. The security of the destination server depends on the provider; the best ones do not record connection metadata, sessions or exchanged data (they have strict no-logs policies).
So the only remaining weak point is the tunnel, and this is where security protocols come in: they are what guarantees that data travels from the client to the server without anyone in between being able to read or tamper with it.
So if a service encrypts traffic with a reliable protocol and keeps no logs, the security and anonymity of its users is, as far as the network path is concerned, practically assured.
The most used VPN security protocols
In this section we look at how each protocol works, with its strengths and weaknesses:
PPTP
It is still today the most widely used VPN protocol, although it is also the least secure. Its name stands for Point-to-Point Tunneling Protocol. The protocol was developed by a consortium led by Microsoft and published as RFC 2637 in 1999; because of its many known vulnerabilities (in particular, its MS-CHAPv2 authentication can be broken by brute-forcing a single 56-bit DES key), the same company has advised against using it since 2012. PPTP uses at most 128-bit encryption keys (MPPE, built on RC4); it is so widespread because it is compatible with practically every operating system and a large number of devices (many routers included). It is no longer advisable to use PPTP for anything that requires even a minimum of security.
SSTP
The heir to PPTP, SSTP (Secure Socket Tunneling Protocol), was developed by Microsoft and launched with Windows Vista Service Pack 1; it is also available for systems other than Windows. It is fast, practical to use and, to date, has no known protocol-level vulnerabilities. SSTP encapsulates the tunnel in SSL/TLS over TCP port 443, so it passes through NAT and firewalls without trouble; note that SSL 3.0, which the original specification allowed, is itself obsolete (POODLE), so implementations should negotiate TLS 1.2 or later. Part of the community doubts the complete reliability of SSTP because Microsoft, according to reports, has a history of contacts with the NSA and may have included backdoors; no such backdoor has ever been demonstrated.
This protocol is therefore fine for anyone who is not engaged in international espionage. In general, if you want a higher degree of security, look at OpenVPN.
L2TP / IPsec
Its name stands for Layer 2 Tunneling Protocol; it is only a tunneling protocol, often used by VPN services. On its own, L2TP provides no encryption and no data protection, which is why it is paired with IPsec. IPsec supports keys up to 256 bits (AES-256). The double encapsulation means L2TP/IPsec is not the fastest protocol, but it has wide compatibility and is easy to set up. Like every IPsec-based setup it needs UDP 500 and UDP 4500 (NAT traversal) plus ESP (IP protocol 50) to get through, so a firewall can block it trivially.
No major vulnerabilities are known for this protocol, but the Snowden documents confirmed the suspicions of many security experts: IPsec may have been targeted and weakened by the NSA. In any case, L2TP/IPsec is a reasonably secure protocol and is recommended for everyone, unless you are a spy, an international criminal or a political activist in a country at risk such as China.
IKEv2
Internet Key Exchange version 2 (IKEv2) was developed jointly by Microsoft and Cisco and launched with Windows 7. It is not a separate tunnel protocol but the key-exchange component of IPsec, the successor of IKEv1: IKEv2 authenticates the peers and negotiates the keys, and the traffic is then carried by IPsec (ESP). Having been co-developed by Microsoft, it is natively supported by all its recent systems and is also available on Apple's systems, on Linux (for example via strongSwan) and on BlackBerry devices. Many clients of well-known VPN services use it as the default: it is considered safe, since no vulnerabilities are known and no backdoor rumors circulate, and users appreciate its ease of configuration and its ability to reconnect automatically (MOBIKE, RFC 4555, lets a session survive a change of network, for instance from Wi-Fi to mobile data).
The only real flaws of IKEv2 are that the server side is harder to implement and that it uses fixed ports: IKE on UDP 500, NAT traversal on UDP 4500, and the data in ESP (IP protocol 50), all of which are easy to block.
OpenVPN
Finally, the safest protocol: OpenVPN is open source, so it is harder for the NSA to insert a backdoor without anyone noticing. OpenVPN uses SSL/TLS for its control channel (modern versions should be configured for TLS 1.2 or later; SSLv3 is obsolete) and the OpenSSL library (mbedTLS is also supported) for encryption. The library supports several valid algorithms: Camellia, 3DES, AES, Blowfish and CAST-128. VPN services mostly use AES with a 128-bit key (a small number use Blowfish; note that Blowfish, 3DES and CAST-128 are 64-bit block ciphers and are a poor choice for a long-lived tunnel since the SWEET32 attack). AES is considered, to date, secure enough to be used by the governments of several states, including the USA. As for transport, OpenVPN is usually configured to exchange data over UDP (port 1194 by default), but it can route traffic on any port and over TCP, for example TCP 443 where it looks like HTTPS, making it the hardest protocol to block.
OpenVPN requires a dedicated client that is not natively present on most systems, and configuring an OpenVPN client is not at all trivial; for this reason many services offer their own preconfigured clients for the various platforms. According to the documents leaked by Snowden, it is the only one of these protocols that the NSA had not managed to compromise.
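As an added example (not code from the article or from the OpenVPN project), the following Python script audits an OpenVPN client profile for the settings discussed above: a 64-bit block cipher such as Blowfish on the data channel, a weak HMAC, a missing TLS version floor, a missing server-certificate role check, an unprotected TLS control channel, and the easily filtered default port. The directive names are real OpenVPN options; the two sample profiles and the host name vpn.example.invalid are constructed for illustration.

```python
"""Lint an OpenVPN client profile (.ovpn) for weak or missing settings.

Added example, not code from the OpenVPN project. The directive names are
real OpenVPN options (cipher, data-ciphers, auth, tls-version-min,
remote-cert-tls, tls-auth, tls-crypt, remote); both profiles below are
constructed samples, not real provider files.
"""
import re

# Constructed legacy profile: Blowfish data channel, MD5 HMAC, no TLS
# floor, no server-role check, default port.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth MD5
"""

# Constructed hardened profile: AEAD ciphers, SHA-256 HMAC, TLS 1.2 floor,
# server-role check, tls-crypt on the control channel, TCP 443 (looks like HTTPS).
HARDENED_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.invalid 443
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
tls-crypt ta.key
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""

# 64-bit block ciphers (Blowfish, 3DES, CAST-128), DES, and "none".
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
                "CAST5-CBC", "RC2-CBC", "NONE"}
WEAK_AUTH = {"MD5", "NONE"}


def parse_profile(text):
    """Return [(directive, [args])], skipping comments and the bodies of
    inline <ca>...</ca>-style blocks (kept as a directive with no args)."""
    entries, closing = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if closing:                        # inside an inline block
            closing = None if line == closing else closing
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            entries.append((m.group(1), []))
            closing = "</" + m.group(1) + ">"
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def audit_profile(text):
    """Return a list of (code, message) findings; empty means all checks pass."""
    opts = {}
    for directive, args in parse_profile(text):
        opts.setdefault(directive, []).append(args)
    findings = []
    # Data channel: an explicit AEAD list is best; a bare "cipher" with a
    # 64-bit block cipher, or no cipher at all, is what old clients fall back
    # to (BF-CBC was the historical default).
    if "data-ciphers" in opts:
        ciphers = opts["data-ciphers"][0][0].upper().split(":")
    elif "cipher" in opts:
        ciphers = [opts["cipher"][0][0].upper()]
    else:
        ciphers = ["BF-CBC"]
    bad = sorted(set(ciphers) & WEAK_CIPHERS)
    if bad:
        findings.append(("WEAK_CIPHER", f"weak data cipher {bad}; set "
                         "'data-ciphers AES-256-GCM:AES-128-GCM'"))
    # HMAC for the control channel and for non-AEAD data ciphers.
    auth = opts.get("auth", [["SHA1"]])[0][0].upper()
    if auth in WEAK_AUTH:
        findings.append(("WEAK_AUTH", f"auth {auth}; use 'auth SHA256'"))
    # TLS floor: without it the client may accept TLS 1.0.
    floor = opts.get("tls-version-min", [["1.0"]])[0][0]
    if float(floor) < 1.2:
        findings.append(("TLS_MIN", f"tls-version-min {floor}; require 1.2"))
    # Without this, any client cert from the same CA could pose as the server.
    if "remote-cert-tls" not in opts:
        findings.append(("REMOTE_CERT_TLS", "add 'remote-cert-tls server'"))
    # tls-auth/tls-crypt shield the TLS handshake from probing and DoS.
    if not opts.keys() & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append(("CONTROL_CHANNEL", "add 'tls-crypt ta.key' or tls-auth"))
    # The default port is trivial to filter; OpenVPN can use any port.
    for args in opts.get("remote", []):
        port = args[1] if len(args) > 1 else "1194"
        if port == "1194":
            findings.append(("PORT", f"{args[0]} on default port 1194; "
                             "consider TCP 443 on filtered networks"))
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(profile) or "OK")
```

Running it prints six findings for the legacy profile and OK for the hardened one. The check on `cipher` is deliberately conservative: an OpenVPN 2.4+ client with `cipher BF-CBC` may still negotiate AES-GCM with the server, but a profile should state `data-ciphers` explicitly rather than rely on that negotiation.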
Here is a quick summary: when available, always prefer OpenVPN, IKEv2 or SSTP. If at all possible, avoid PPTP, which is by now an obsolete and insecure solution.
All security protocols are useful only on trustworthy VPN services. Free VPN services (see: Free VPN) rarely let you choose the protocol, and it would be a joke anyway, because they often fund themselves by selling their users' browsing data.