A recently reported vulnerability affecting virtual private network (VPN) services on unsecured networks is kind of a doozy … or kind of a nothingburger, depending on your point of view.
What’s really going on?
You already know not to trust public WiFi networks — at your coffee shop, hotel, or airport for example — to keep your internet transactions private and secure. The opportunity for a Man-in-the-Middle (MITM) attack is wide open when you use a network of unknown provenance. (MITM attacks allow someone to place themselves between your computer and any service you connect to, where they can potentially read all the traffic moving between the two.)
But VPNs are supposed to protect against that, wrapping all your traffic in secure, encrypted packages that only your destination can unwrap. Many of our clients use VPNs to access office file servers when working at home. Many other people use commercial VPNs to hide their true location or just to keep their data packages encrypted so they can feel safe working from the airport lounge.
But the “TunnelVision” security hole recently described by researchers shows how a MITM attack can give bad actors access to your traffic before it’s encrypted for VPN transit. Moreover, it doesn’t matter which VPN you use, the vulnerability has existed for at least 20 years, and there’s no technical fix available.
Best practices
There is a practical fix available, though, and that’s to follow the same advice we’ve been giving for years: don’t trust public WiFi, or really any network you don’t control, if the work you are doing over the internet needs to stay private.
So what should you do if you are away from home and need to transact internet business securely? Your best option is to use a wireless hotspot that you control — either by pairing your computer to your mobile phone, or through a separate hotspot device you have acquired from your mobile provider. (Of course, make sure that hotspot is password-protected, so someone else in the coffee shop can’t hijack your connection.)
Once connected to the internet via hotspot, you may still want to use a VPN to cloak your location, or need a VPN to access company assets. That’s fine: the VPN will protect your data exactly the way it’s supposed to, and as long as you control and can trust your initial network connection, you won’t have to worry about someone intercepting your internet traffic.
If you are a client and have any additional questions, please reach out to your Technical Account Manager.