For years, consumer VPN providers have boasted about how their services can make users more secure online. It makes perfect sense for any sort of cybersecurity product or service vendor to market themselves that way. The companies I work for communicate to prospective customers that their products and services can improve the security of individuals and businesses. But the effectiveness of any product is dependent on how it’s used and implemented. Antivirus software must be frequently updated. A SIEM won’t work well without good correlation rules. And so on, and so forth.
Enterprises often can deploy their own VPNs, and they do. If a VPN is entirely within your organization’s control, that’s the best possible option. I have to take a VPN provider’s word that they don’t log my traffic, but if I have my own VPN, I can keep my logs on my organization’s computers. But it’s not pragmatic for a consumer to deploy their own VPN, especially if they lack network security experience. Ideally all consumer internet traffic should be as well encrypted as an enterprise’s.
That’s where providers like NordVPN come to the rescue! NordVPN has client software that makes it easy to implement a VPN on your phones, tablets, and PCs, no computer geek knowledge necessary. But using NordVPN requires your trust. Your internet traffic will be routed through their infrastructure, and they have the keys to your encryption. You need to rely on them to protect those encryption keys. More on that later.
On October 19th, NordVPN’s marketing team sent a controversial tweet that has since been deleted. “Ain't no hacker can steal your online life. (If you use VPN). Stay safe!” Understandably, those of us in the information security community didn’t like the tweet very much. Even if we assume that NordVPN implements encryption well and they avoid logging as they claim, a VPN only encrypts your data in transit. It should protect against man-in-the-middle attacks. But if the website or other online service doesn’t secure your data in storage on their end effectively, your “online life” can be “stolen” from point B. Some of my colleagues describe VPN usage as simply transferring the risk to the provider. And if the provider is cyber attacked, your “online life” could be “stolen” from there.
Personally, I didn’t like how NordVPN reacted to the controversy. On October 20th, they tweeted:
“1/3 Yesterday, our marketing department got ahead of themselves and published an ad on Twitter that triggered the infosec community. The message stated the following: ‘Ain't no hacker can steal your online life. (If you use VPN). Stay safe.’
2/3 This isolated case of one third-party datacenter did not impact our other servers in any way – it is virtually impossible to do that. So a lot of assumptions in the TechCrunch article are inaccurate.
3/3 We’d be happy to explain the technical details for a more accurate picture of the issue.
Privacy and security have always been our priority, and we will take all necessary measures to prove it.”
Oh… Were you “triggered?!” Do the people who work in NordVPN marketing frequent 4chan? People with PTSD and eating disorders have triggers that they should avoid for the sake of their mental health. Considerate people will post trigger warnings on their content that people may need to beware of, such as descriptions of war zones, abuse, or weight loss dieting. Less considerate people think the word “triggered” is hilarious and synonymous with “you’re offended, ha!”
I doubt that NordVPN’s “ain't no hacker can steal your online life” tweet triggered anyone’s mental illness. Those of us in cybersecurity have genuine concerns about misinformation. A hacker can definitely “steal your online life,” even with a VPN. It’s very irresponsible to make consumers think that NordVPN is any sort of complete security solution. Even my well-hardened endpoints can be subject to cyber attack, and feeling invincible is dangerous indeed.
The marketing controversy came with very bad timing. On October 21st, it was reported that NordVPN was breached in March 2018. One of three private keys leaked, which were used to acquire NordVPN’s TLS certificate. There’s another command log that suggests that cyber attackers used another leaked key to access a private certificate authority that NordVPN used to issue digital certificates. It’s possible that cyber attackers have intercepted NordVPN traffic for well over a year. The breached TLS certificate was set to expire in October 2018, months after it was maliciously acquired.
The implications of the NordVPN breach are relevant to all VPN providers, and also to TLS certificate use in general, including when it comes to securing websites and web apps. A security consultant looked into the matter and said, "intercepting TLS traffic isn't as hard as they make it seem. There are tools to do it, and I was able to set up a web server using their TLS key with two lines of configuration. The attacker would need to be able to intercept the victim's traffic (such as through public wifi)."
It’s not only irresponsible to convince consumers that a commercial VPN provider can make it impossible for a cyber attacker to “steal your online life.” It’s also dangerous to assume that TLS implementations are automatically securing your internet traffic effectively. It doesn’t matter how strong a cipher is: if the public key infrastructure or machine identities are vulnerable, cryptography is rendered pointless. We must never rest on our laurels when it comes to securing our network traffic. To assume makes an “ass” out of “u” and “me?”
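The point about vulnerable machine identities, as an added example (not from the original article, NordVPN or Venafi): a small triage over a certificate inventory that finds every certificate sharing an exposed private key and how long a stolen key would have been accepted. Certificate names, key identifiers and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Cert:
    name: str
    key_id: str                       # public-key fingerprint (constructed placeholder)
    not_before: date
    not_after: date
    revoked_on: Optional[date] = None

def exposure_window(cert, leaked_on, today):
    """Period in which a holder of the stolen key could present this certificate
    and have it accepted, or None. Assumes clients honour revocation."""
    start = max(leaked_on, cert.not_before)
    end = min(today, cert.not_after, cert.revoked_on or date.max)
    return (start, end) if start <= end else None

def triage(inventory, exposed_key_ids, leaked_on, today):
    """Return (name, status, exposed_days) for every certificate on an exposed key."""
    findings = []
    for cert in inventory:
        if cert.key_id not in exposed_key_ids:
            continue                  # key not known to be exposed
        window = exposure_window(cert, leaked_on, today)
        if window is None:
            findings.append((cert.name, "expired-before-leak", 0))
            continue
        start, end = window
        # Still accepted today means the stolen key still works: replace key and cert.
        status = "rotate-now" if end == today else "exposure-ended"
        findings.append((cert.name, status, (end - start).days))
    return findings

# Constructed inventory and dates, for illustration only.
LEAKED_ON, TODAY = date(2021, 3, 1), date(2022, 10, 21)
EXPOSED = {"key-A", "key-B"}
INVENTORY = [
    Cert("vpn-gateway", "key-A", date(2020, 10, 15), date(2021, 10, 15)),
    # Renewal that reused the old key pair: the original expired, the exposure did not.
    Cert("vpn-gateway-renewed", "key-A", date(2021, 10, 10), date(2023, 10, 10)),
    Cert("api-endpoint", "key-B", date(2020, 6, 1), date(2022, 6, 1), date(2021, 4, 1)),
    Cert("legacy-portal", "key-A", date(2019, 1, 1), date(2020, 1, 1)),
    Cert("web-frontend", "key-C", date(2021, 1, 1), date(2023, 1, 1)),
]

if __name__ == "__main__":
    for name, status, days in triage(INVENTORY, EXPOSED, LEAKED_ON, TODAY):
        print(f"{name:22} {status:20} {days:4d} days")
```

The renewed certificate is the case to watch: an expiry date only ends the exposure if the replacement certificate is issued on a fresh key pair.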
Venafi’s Kevin Bocek understands the importance of securing TLS certificates and all other types of machine identities:
“VPN providers have grown rapidly because of the growing need for privacy. VPN cloud providers require TLS certificates that act as machine identities to authorize connection, encryption and establish trust between machines.
Machine identities are extremely valuable targets for cyber criminals and large enterprises often have tens of thousands of machine identities they need to protect.
These breaches will become more common in the future. It is imperative organizations have the agility to automatically replace every key and certificate that may have been exposed in breaches. Quickly replacing machine identities is the reliable way to ensure privacy and security in a world where businesses run and depend on the cloud.
This capability is especially critical in large enterprises that have tens of thousands of machine identities that must be protected against attackers.”
As someone who works for cybersecurity vendor marketing departments, I still understand that it’s important to spend more money and effort on securing security services than you spend on advertising. And it’s irresponsible to tell consumers that they’re invincible to cyber attack. Airbags and seatbelts can improve your odds of surviving a car accident, but you could still die in a collision.