According to research published today by Paul Bischoff, privacy advocate for Comparitech.com, most top VPN applications can leak data during day-to-day use, despite their claims to the contrary. VPNs are used to improve users’ security and privacy by offering a safe, encrypted connection over a less secure internet network, but even ones that claim to use leak protection and kill switches were found to be leaky.
A handful of the top VPNs were tested using the ExpressVPN Leak Testing Tools, which are now freely available from GitHub. Some key findings from the research include:
• Slightly more leaks were detected on Mac VPNs, but Windows VPNs showed more leaks of the highest severity
• VPN apps struggle with WebRTC IPv6 leaks, some of which are severe, but do not affect the majority of users because most people still have no IPv6 connectivity
• Many VPNs leak DNS and IP traffic when a disruption occurs, such as a change in the network configuration
Comparitech.com is hoping that the findings will raise the standards in the VPN marketplace and encourages VPN providers to use the tool to run their own tests and fix these issues.
“While people are increasingly using the internet in all aspects of their lives, they are also, as a result of the ongoing publicity, becoming more aware of the risks to their privacy. People have reasonably assumed that the use of a VPN was offering some degree of protection to their online privacy; however, this research has shown that there are significant potential weaknesses in a number of the tools that we use and as a result, they are not as well protected as they believe. Users, rightly or wrongly, trust products that are designed to help them protect their information and when these are shown to have weaknesses, the impact can be significant.”
Kylie Wilhoit, senior security researcher at DomainTools:
“VPNs are used every day to access bank accounts from coffee shops, circumvent government censorship, and to access work networks. Most users think they are secure when using a VPN, since they are designed to obfuscate a user’s tracks online. However, this research proves that not only are there information leaks, but they are also, in many cases, severe. Many of the most popular VPN providers have critical information leakages when the network interface operating the VPN changes state (for instance, dropping because of server maintenance). This is potentially damaging to thousands of users of some of the largest VPN service providers.
Remember, VPN software is just that…Software. If you’re not careful with your VPN selection, you may be inadvertently opening yourself up to risk.”
“With cyberattacks and hacks, government surveillance, and big data mining all on the rise, internet users are relying on VPNs to protect their privacy and security. But is their VPN really protecting them? Our internal research suggests that most VPN providers are falling short. That’s why we’ve released the ExpressVPN Leak Testing Tools—to empower users to evaluate providers and assess their own risks, as well as to help the entire VPN industry raise its privacy and security standards.”