VPN Security

Some security issues when using a VPN

VPN Anonymity

An insecure connection is still insecure: Although Riseup VPN will anonymize your location and protect you from surveillance from your ISP, once your data is securely routed through riseup.net it will go out on the internet as it normally would. Therefore, you should still use secure connections (TLS) when available (ie https over http, imaps over imap, etc).

Besides that, how anonymous is RiseupVPN? Each time you run RiseupVPN, a new certificate is created to authenticate to the service. We do not require a username/password registration for RiseupVPN, and we do not have any information that ties those short-lived certificates to each other, or to an individual. Additionally, our logs do not contain any IP addresses of any user, any browser fingerprint information (browser information, plugins installed, fonts installed, screen resolution, etc.), DNS requests, traffic flows, any metadata information, any personally identifying information of any kind, and more. The logs we do have are the bare minimum needed to make the service work. We don’t sell or share any of these logs. The logs that do exist are stored encrypted, and persist for no more than 5 days before being rotated out of existence.

Man-in-the-middle attacks

A Man-in-the-middle attack (or MiTM) is where the attacker is able to listen and/or modify your network traffic. Such an attack can be used to de-anonymize you, modify content, steal your passwords, or serve you viruses, trojans or other software designed to gain access to your computer.

Every internet connection is vulnerable to a MiTM attack because of the broken nature of how the internet works. By tricking the routing protocol used by the internet, any traffic is vulnerable to a MITM attack from anywhere in the world. Although this vulnerability has been known for years, researchers dramatically demonstrated such an attack at the hacker conference DEFCON in August of 2008.

Does a VPN help protect against MiTM?

Yes and no. Using a VPN will shut down many of the places where a MiTM attack might happen, but not all of them. Specifically, it will protect your traffic between your device and the VPN gateway, preventing your ISP (or most governments) from performing a MiTM attack targeted toward you.

However, once your traffic passes from the VPN gateway to its eventual destination, it becomes vulnerable to a MiTM attack. With a VPN, your traffic is then semi-anonymized, so it is much much more difficult to target any attack toward any particular person, but an indiscriminate attack against all users of a particular website is still very possible.

For example, in January 2011 the Tunisian government, in fear of the popular uprising that would eventually topple the regime, was able to perform a MiTM attack on Facebook users connecting from withing Tunisia, capturing their login and passwords. In this case, a VPN would have protected as long as the VPN gateway was located outside the country of Tunisia.

Limitaciones en el uso de RiserupVPN

El VPN de Riseup comparte algunas limitaciones comunes a todos los VPNs personales:

  • Una conexión no segura será todavía insegura: Aunque Riseup VPN conseguirá anonimizar tu ubicación y te protegerá de la vigilancia de tu ISP, una vez que tus datos son enviados de forma segura a través de riseup.net estos saldrán a Internet como lo harían normalmente. Esto significa que debes seguir utilizando TLS cuando esté disponible (es decir: https, imaps, etc).
  • Tu conexión podría ir más lenta: Riseup VPN redirige todo tu tráfico a través de una conexión cifrada a riseup.net antes de su viaje hacia la Internet normal. Este paso adicional puede ralentizar las cosas. Para minimizar este contratiempo, puedes elegir un servidor VPN cercano a donde vivas.