Secure Socket Layer (SSL) is a security protocol that is most commonly used to establish an encrypted link between a web server and a browser. This encrypted link ensures that all data communicated between a web server and a browser remains secure and private. In addition, SSL certificates help prevent man in the middle (MitM) attacks by ensuring users connect to the correct server.
When it comes to Virtual Private Networks, SSL cryptography is used to provide a securely encrypted tunnel between VPN clients and VPN servers. This, rather unsurprisingly, is why they are commonly referred to as SSL VPNs.
SSL vs TLS
Prior to 2015, all VPNs used Secure Socket Layer encryption. Since then, VPNs have adopted SSL's successor the Transport Layer Security protocol (TLS). TLS is used to encrypt all data packets traveling between an internet connected device and an SSL VPN server.
An SSL VPN does this by providing end-to-end encryption (E2EE) between the VPN client and the VPN server. As is the case with the encrypted link between a server and a browser, TLS encryption ensures that all data passed from a VPN subscriber’s device to a VPN server is private and secure.
The advantage of SSL/TLS is that third parties are unable to intercept or “sniff” the encrypted data. This stops ISPs, governments, employers, local network administrators and cybercriminals from being able to perform “packet sniffing” to access what the traffic contains. It also protects against man in the middle (MitM) attacks.
Transport Layer Security (TLS) - the latest standard
Despite often being referred to as SSL VPNs, Secure Socket Layer encryption has largely been replaced by a more secure protocol TLS. This is due to the fact that, over the years, a number of vulnerabilities (POODLE, DROWN) were found in the SSL protocol.
This ultimately led to SSL protocols (SSL 2.0 and 3.0) being deprecated by the Internet Engineering Task Force (IETF). It is for this reason that SSL VPNs (secure ones) now implement TLS. SSL can no longer be trusted to ensure data security and privacy.
TLS successfully stops eavesdropping and tampering by ensuring data integrity between the VPN client software and the VPN server.
Enterprise use
Businesses often use SSL VPN technology to permit secure remote-access VPN connections from a web browser. This enables employees working remotely to securely access corporate resources and computer systems from home or while traveling.
The E2EE provided by an enterprise SSL/TLS VPN secures the employee’s remote internet session. This keeps all enterprise data secure from malicious interception and corporate espionage.
Consumer VPN use
Consumer VPNs provide a service to individuals who wish to secure their personal data online. Commercial VPNs also permit people to conceal their real IP address - in order to pretend to be in a choice of remote locations around the globe. This is called geo-spoofing.
A VPN protects its user’s data privacy by stopping all third parties from being able to snoop on their traffic. This kind of VPN is used by hundreds of thousands of people around the world to stop ISPs, governments, landlords, universities - and any other local network administrator - from tracking them online.
One thing worth bearing in mind is that unlike an enterprise SSL VPN, a consumer VPN does not provide E2EE. This is because the VPN provider unencrypts the data before passing it along to its final destination (the internet).
SSL cryptography is an important part of the market-leading VPN protocol currently used by commercial VPN providers. This type of VPN encryption is called OpenVPN.
OpenVPN encryption protocol
OpenVPN is an open source VPN protocol developed by the OpenVPN project since 2001. OpenVPN is an SSL VPN that uses SSL/TLS for key exchange. It relies extensively on the OpenSSL library , as well as the TLS protocol.
OpenVPN encryption can be considered secure because it implements secure TLS for key exchange (on the control channel). In addition, OpenVPN can be executed with additional security and control features.
OpenVPN has been the subject of two independent audits - meaning that it can be trusted (as long as it is implemented to the latest approved standards).
Why OpenVPN?
The advantage of OpenVPN is that it is extremely adaptable; allowing for portability across multiple platforms and processor architectures. In addition, it is easy to configure and is compatible with both NAT and dynamic addresses.
What’s more, OpenVPN can be configured to work using the Transmission Control Protocol (TCP), or User Datagram Protocol (UDP).
Why SSL/TLS?
The TLS handshake on the control channel protects the data channel by detecting alterations and ensuring data confidentiality is in place. OpenVPN UDP and TCP are both subject to vulnerabilities on the transport layer without the TLS encryption. This is why the SSL/TLS handshake is such an integral component of the protocol.
Basically, SSL does 3 things:
1. It makes sure you are connecting to the VPN server you think you are connecting to (certs).
2. It performs an encrypted key exchange to make a secure connection (RSA)
3. It sheaths all data in an encrypted tunnel
Why is OpenVPN secure if SSL is out of date?
OpenVPN contains an open-source implementation of the SSL and TLS protocols, which allows OpenVPN to make use of all the ciphers available in the OpenSSL package. Secure OpenVPN uses TLS on the control channel, not the deprecated SSL protocols. In addition, OpenVPN authenticates packets using HMAC for additional security.
In other words, OpenVPN isn’t necessarily secure by default. Rather, it is an extremely versatile VPN protocol that can be implemented in one of any number of ways - many of which will not necessarily be secure.
It is for this reason that at ProPrivacy.com, we regularly test and review VPNs - looking closely at how the OpenVPN protocol is implemented by each provider. Our minimum standards for OpenVPN implementation are:
AES-128-CBC cipher, RSA 2048 handshake, with HMAC SHA1 for authorization.
In addition, to be truly secure, we recommend that OpenVPN encryption should be implemented with an ephemeral key exchange or “Perfect Forward Secrecy” (PFS). Our minimum standards for PFS is Diffie Hellman Key exchange (DHE).
For a full guide on VPN encryption please click here.
For more details on how SSL certs and https work check out our guide here.
Title image credit: Funtap/Shutterstock.com
Image credits: Profit_Image/Shutterstock.com, Bakhtiar Zein/Shutterstock.com, WEB-DESIGN/Shutterstock.com