VPN Security

Some security issues when using a VPN

VPN Anonymity

An insecure connection is still insecure: Although Riseup VPN will anonymize your location and protect you from surveillance from your ISP, once your data is securely routed through riseup.net it will go out on the internet as it normally would. Therefore, you should still use secure connections (TLS) when available (ie https over http, imaps over imap, etc).

Besides that, how anonymous is RiseupVPN? Each time you run RiseupVPN, a new certificate is created to authenticate to the service. We do not require a username/password registration for RiseupVPN, and we do not have any information that ties those short-lived certificates to each other, or to an individual. Additionally, our logs do not contain any IP addresses of any user, any browser fingerprint information (browser information, plugins installed, fonts installed, screen resolution, etc.), DNS requests, traffic flows, any metadata information, any personally identifying information of any kind, and more. The logs we do have are the bare minimum needed to make the service work. We don’t sell or share any of these logs. The logs that do exist are stored encrypted, and persist for no more than 5 days before being rotated out of existence.

If you are not using RiseupVPN, and are still using the deprecated Riseup Red VPN (if you are, then please switch to RiseupVPN!), then the answer primarily depends on what user information you have associated with your Riseup login. If you are concerned about your anonymity, we suggest you create a separate VPN account that you only use for the VPN. For this service, the only additional information logged that is different from RiseupVPN is the username that is registered. These logs are also stored encrypted and do not persist more than 5 days before being rotated out of existence.

Man-in-the-middle attacks

A Man-in-the-middle attack (or MiTM) is where the attacker is able to listen and/or modify your network traffic. Such an attack can be used to de-anonymize you, modify content, steal your passwords, or serve you viruses, trojans or other software designed to gain access to your computer.

Every internet connection is vulnerable to a MiTM attack because of the broken nature of how the internet works. By tricking the routing protocol used by the internet, any traffic is vulnerable to a MITM attack from anywhere in the world. Although this vulnerability has been known for years, researchers dramatically demonstrated such an attack at the hacker conference DEFCON in August of 2008.

Does a VPN help protect against MiTM?

Yes and no. Using a VPN will shut down many of the places where a MiTM attack might happen, but not all of them. Specifically, it will protect your traffic between your device and the VPN gateway, preventing your ISP (or most governments) from performing a MiTM attack targeted toward you.

However, once your traffic passes from the VPN gateway to its eventual destination, it becomes vulnerable to a MiTM attack. With a VPN, your traffic is then semi-anonymized, so it is much much more difficult to target any attack toward any particular person, but an indescriminate attack against all users of a particular website is still very possible.

For example, in January 2011 the Tunisian government, in fear of the popular upraising that would eventually topple the regime, was able to perform a MiTM attack on Facebook users connecting from withing Tunisia, capturing their login and passwords. In this case, a VPN would have pretected against so long as the VPN gateway was located outside the country of Tunisia.