Encryption & data protection (all you need to know)
Explore how different types of VPNs use encryption to protect your data and privacy
Encryption on the public web has been a huge advancement for personal data security. However, with the rise of AI-powered data tracking technologies, encryption is not itself a sufficient protection for user privacy. A lot of personal information is being obtained by harvesting and analyzing the metadata around our encrypted traffic: browsing habits, communication patterns, desires, and even our political leanings.
This is why a Virtual Private Network (VPN), if chosen wisely, can be a crucial privacy tool. A VPN built for privacy not only adds encryption layers around our data, but also hides our IP addresses and traffic patterns. When shopping for a VPN for privacy, it is important to know that there are fundamentally different types of VPNs to choose from, some of which may do more harm than good.
The large majority of VPNs on the market use private and centralized server(s). When it comes to data breaches or mass surveillance, these services pose too many risks regardless of any encryption they might add. Privacy networks like Tor provide multi-layered encryption through a decentralized network, but with noticeable latency and tracking vulnerabilities. Now there are decentralized VPNs (dVPNs) which can provide robust privacy protections with less latency.
Nym will walk you through how encryption works on all of these VPN choices so you can understand the level of data security and privacy they provide.
Internet encryption today
Encryption itself is ancient, but strong computer encryption spent most of the twentieth century as a military and intelligence technology. Despite government and state intelligence efforts to restrict it during the Crypto Wars of the 1990s, by the early 2000s strong encryption had become a widespread, public internet resource. Today most of our data and traffic online is encrypted by default.
What is encryption?
Encryption is the process of transforming your data so that it is readable only by those with the necessary encryption and decryption key(s) to access it. Encryption is performed with the use of mathematical algorithms which turn your data from cleartext to a ciphertext, from original to coded. For the ins-and-outs of this process, check out Nym’s comprehensive guide to how encryption works.
Many different algorithms are in use to encrypt data, whether at rest on a device or in transit online: long-standing ones such as AES and RSA, and more modern ones such as elliptic-curve cryptography (ECC) and ChaCha20-Poly1305. They fall into three general categories: symmetric (the same key encrypts and decrypts, as with AES and ChaCha20), asymmetric (a public key and a matching private key, as with RSA and ECC), or hybrid, where an asymmetric exchange establishes a symmetric session key. TLS and every VPN protocol are hybrids of this kind.
Key length sets an upper bound on how hard a key is to guess, but it only counts if the algorithm has no known shortcut, which is why symmetric keys are typically 128 or 256 bits while RSA keys are 2048 bits or longer. No practical break of these standards is known today. Quantum computing is changing what future standards will need to be: Grover's algorithm would roughly halve the effective strength of symmetric keys, which is why 256-bit keys are preferred, and Shor's algorithm would break RSA and ECC outright, which is why post-quantum replacements are being standardized.
What does end-to-end encryption mean?
End-to-end encryption means that data is encrypted on the sender's device and can only be decrypted at its final destination. It stays encrypted at every intermediary stop along the way, such as a proxy or VPN server, which can see that traffic is passing but not what it says.
Default web encryption
Most web traffic is now encrypted by default with HTTPS, which is ordinary HTTP carried inside a TLS session (TLS is the successor to SSL, and the two names are often used together). Your browser and the web server negotiate the session automatically; you can see it in an address beginning with https://, and most browsers also show a lock icon next to the address. SSL was created by Netscape in the mid-1990s to protect online purchases and banking, and HTTPS is now a cornerstone of the public web.
Keep in mind two failure cases. A site served over plain HTTP sends your data in the clear from end to end. A site with an invalid TLS certificate is different: if you click through the browser's warning, the connection is still encrypted but no longer authenticated, so anyone in the path can impersonate the server and read the traffic. In either case a VPN only protects the first leg, from your device to the VPN server; between the VPN server and the destination the data is exposed.
VPN encryption
In light of the widespread privacy threats affecting everyone globally, using a VPN is highly recommended. A VPN adds its own encryption layer on top of an HTTPS connection and, more importantly, hides your IP address and the route your traffic takes. This makes traffic analysis, digital profiling, and mass surveillance harder. A true dVPN goes further: because no single operator sees the whole route, a breach of one provider's metadata records or client database does not by itself reveal who connected to what.
How does a VPN work?
A VPN is a kind of proxy for all of your internet traffic. The VPN's server (or servers) acts as an intermediary between you and the public web, so a web service you connect to sees the connection arriving from the VPN's public IP address rather than your own. This is an important privacy tool given how extensively our everyday activities online are tracked and our personal data exploited. But a VPN does more than substitute an address: it also wraps your traffic in one or more additional layers of encryption.
VPN tunneling
Data encryption is a core component of VPN services. A reliable VPN encrypts your data on your device before it ever leaves, creating a secure tunnel between your device and the VPN server. Anyone intercepting the traffic en route to the VPN sees only ciphertext.
Keep in mind that VPNs are primarily routing networks: they provide one or several servers that route our traffic before it accesses the public web. To add encryption to the equation, VPNs use special protocols to facilitate encrypted user traffic through their networks.
Encrypted communication protocols for VPNs
Encrypting data transfers between multiple parties online is a multi-step process. This work is done by VPN protocols, usually WireGuard or OpenVPN. They take care of all the necessary steps: a secure key exchange, authentication of the peers (X.509 certificates in OpenVPN, static public keys in WireGuard), and authenticated encryption of the data stream. Read up on Nym's comparison of WireGuard and OpenVPN.
Encryption with traditional VPNs
Being a “VPN” is by no means a sufficient indicator for privacy protection. The architecture of a VPN service provider makes all the difference: how many servers are used, who controls them, what data is stored and where, and how centralized is the network overall?
What are traditional VPNs?
Most VPN providers on the market run single-server (or one-hop) infrastructures: your data is routed through one company server before reaching the public web. That server is a physical resource that the provider either owns and operates or rents from a third party who does. Either way, the provider controls it and can potentially see and record what traffic goes in and out. No matter how trustworthy the company, a centralized server is a privacy hazard.
There are nonetheless important differences between these mainstream VPNs. Some providers claim to be dedicated to user privacy: they may have “no-logs” policies, or run RAM-only servers that hold everything in memory so that a reboot wipes it rather than writing it to disk. But whether or not a provider claims to abide by a “zero-logs” policy, its servers remain potential repositories of metadata about user traffic, even if kept only for operational purposes. Given the prevalence of data breaches and hacking, this asks the client for trust that cannot be verified.
Other providers offering free VPN services are the complete opposite of privacy-oriented: through their single servers, they deliberately keep user traffic records in order to sell them to third-party data brokers. In the absence of client revenue, user data is the revenue. There is also the risk that they will not encrypt user data at all.
Single-server VPN encryption
With a single-server VPN, your data is encrypted once by the VPN itself, in the tunnel between your device and its server. The cipher depends on the provider's protocol. OpenVPN authenticates the peers with a TLS handshake and then encrypts the data channel with a symmetric cipher such as AES-GCM; WireGuard uses a Noise handshake over static public keys and encrypts the data with ChaCha20-Poly1305.
Once your data reaches the VPN server, this layer of encryption is removed before the data is sent on to its destination on the public web. Note that no VPN, single-server or otherwise, provides end-to-end encryption by itself. Your data is only end-to-end encrypted if it was already encrypted (for instance by HTTPS) before it entered the VPN tunnel. In the unlikely case that it was not, your traffic is cleartext, in the open, between the VPN server and the public web.
Encryption with dVPNs
Given the privacy risks posed by the centralized and targetable servers of traditional VPNs, new decentralized models for VPN services have been developed in recent years.
What is a dVPN?
To be truly decentralized, a dVPN must be (1) multi-hop by default and (2) by design incapable of keeping centralized logs of user traffic data. By contrast, a single-server VPN has the power to keep either full traffic logs (as free VPNs tend to) or operational metadata logs (as privacy-focused VPNs may).
With a true dVPN, user traffic is routed through multiple servers which are independently operated and ideally unlinkable. There is no central authority which can have access to the full route of user traffic. A single operator or node may be able to keep logs of what traffic passes through their server, but this will only be a partial picture of the full route.
So when a VPN provider claims to offer a double VPN feature for “advanced privacy,” this is unlikely to be truly decentralized since one company controls the multiple servers being used. Similarly, if an individual sets up many globally dispersed servers for multi-hop routing, it will not be truly decentralized if that operator controls all servers. Being tracked while using a VPN is still possible due to centralized data records.
General dVPN encryption
As a multi-hop service, a dVPN should apply several stages of encryption rather than the single step of a traditional VPN. With NymVPN's 2-hop dVPN mode, this involves the following stages:
- Before sending, the client establishes a separate key with node 1 (the entry) and node 2 (the exit) of the circuit
- On the user's device the data is encrypted twice, first with node 2's key and then with node 1's key, so that each key corresponds to one layer around the cleartext
- The two-layer package is tunneled to node 1
- Node 1 removes the outer layer with its key, which reveals node 2 as the next recipient but not the destination or the data
- Node 2 removes the inner layer with its key, revealing the destination, and forwards the package there *
- * One layer of end-to-end SSL/TLS encryption should remain on this final leg of the trip, so that the exit node (node 2) never has access to your cleartext data.
With multi-hop routing, latency and connection issues can be a real problem for users. To address this, NymVPN's 2-hop dVPN mode is powered by WireGuard, the fastest VPN protocol in wide use.
Onion encryption
The Tor network is not technically a VPN, but its decentralized routing and encryption procedure is very similar to that of a dVPN. Many users thus turn to Tor for similar privacy and anonymity needs.
What is Tor?
Tor is a decentralized, 3-hop network, most commonly accessed through the Tor Browser (any application can also use a local Tor client as a SOCKS proxy). The network is run by volunteers who offer their servers to route and anonymize the traffic of clients. With its onion encryption protocol, user traffic is routed through three nodes, an entry guard, a middle relay, and finally an exit node, before being sent to its destination on the web. Like VPNs, Tor hides the user's IP address and complicates traffic analysis. However, it has also become the target of network-specific attacks, such as correlating traffic timing at the entry and the exit.
Tor’s onion encryption
Tor employs a multi-layered encryption scheme dubbed “onion” encryption. The Tor client first builds a circuit of three relays (nodes) through which your data will be routed, negotiating a separate session key with each of them in turn. Your data is then encrypted in three layers like an onion, each layer under the key shared with one relay in the circuit, with the entry guard's layer outermost.
When a cell arrives at a relay, the relay uses its session key to remove the outermost layer, which reveals only where to send the cell next. This continues until the exit node removes the final layer, revealing the (hopefully) HTTPS-encrypted data and its destination on the web. With SSL/TLS in place, user traffic stays end-to-end encrypted all the way through Tor; without it, the exit node can read it.
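The wrap-and-peel mechanism is the same for NymVPN's 2-hop mode described earlier and for Tor's three-layer onion here, so one added example in Go covers both (written for this page; it is not code from Nym or the Tor Project). It assumes a simplified design: one ephemeral X25519 key per packet, a SHA-256 key derivation in place of a labelled HKDF, and AES-256-GCM for every layer (Tor and NymVPN use their own ciphers and key agreement). The node names, keys and the sample payload are constructed. Each hop recovers its key from the packet header, strips its own layer, and learns only the next address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// node is one hop: its address plus a long-term X25519 key pair (constructed for the example).
type node struct {
	name string
	priv *ecdh.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newNode(name string) *node {
	return &node{name: name, priv: must(ecdh.X25519().GenerateKey(rand.Reader))}
}

// aeadFor turns an X25519 shared secret into AES-256-GCM (simplified KDF; real protocols use HKDF with labels).
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(append([]byte("hop-key:"), shared...))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// A layer's plaintext is len(next)||next||rest: a hop that strips its layer learns only where to forward the rest.
func encodeAddr(a string) []byte { return append([]byte{byte(len(a))}, a...) }

func decodeAddr(b []byte) (string, []byte, error) {
	if len(b) == 0 || len(b) < 1+int(b[0]) {
		return "", nil, fmt.Errorf("malformed address")
	}
	n := int(b[0])
	return string(b[1 : 1+n]), b[1+n:], nil
}

// wrap builds the onion with one ephemeral X25519 key, adding layers from the exit hop inward so the
// entry hop's layer is outermost. It returns the header (ephemeral public key) and nonce||ciphertext.
func wrap(route []*node, dest string, payload []byte) (hdr, body []byte) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	body = append(encodeAddr(dest), payload...)
	for i := len(route) - 1; i >= 0; i-- {
		g := aeadFor(must(eph.ECDH(route[i].priv.PublicKey())))
		nonce := make([]byte, g.NonceSize())
		must(rand.Read(nonce))
		body = g.Seal(nonce, nonce, body, nil)
		if i > 0 {
			body = append(encodeAddr(route[i].name), body...)
		}
	}
	return eph.PublicKey().Bytes(), body
}

// peel is one hop's work: recompute the shared key from the header, strip its own layer, return next address + rest.
func (n *node) peel(hdr, body []byte) (string, []byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(hdr)
	if err != nil {
		return "", nil, err
	}
	shared, err := n.priv.ECDH(ephPub)
	if err != nil {
		return "", nil, err
	}
	g := aeadFor(shared)
	if len(body) < g.NonceSize() {
		return "", nil, fmt.Errorf("%s: short body", n.name)
	}
	pt, err := g.Open(nil, body[:g.NonceSize()], body[g.NonceSize():], nil)
	if err != nil {
		return "", nil, fmt.Errorf("%s: cannot open layer: %w", n.name, err)
	}
	return decodeAddr(pt)
}

// traverse runs the packet through every hop and returns what the exit sees: destination and payload.
func traverse(route []*node, hdr, body []byte) (next string, rest []byte, err error) {
	rest = body
	for _, n := range route {
		if next, rest, err = n.peel(hdr, rest); err != nil {
			return "", nil, err
		}
	}
	return next, rest, nil
}

func main() {
	route := []*node{newNode("entry"), newNode("middle"), newNode("exit")}
	hdr, body := wrap(route, "example.com:443", []byte("constructed sample payload"))
	dest, out, err := traverse(route, hdr, body)
	fmt.Printf("exit sees %s %q (err=%v)\n", dest, out, err)
}
```

Two things the example makes visible. First, the AEAD tag on each layer means a hop that is handed a packet it holds no key for, or a packet modified in transit, fails closed rather than forwarding garbage. Second, the same ephemeral public key travels in the header through every hop, so an observer who sees the header at hop 1 and again at hop 3 can tell it is the same packet; Sphinx, discussed below, closes that gap by blinding the group element at every hop.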
Mixnet encryption
What is a mixnet?
Nym’s novel mixnet (short for mix network) is a decentralized network and routing protocol. Like Tor, it uses multi-layered encryption to protect user data in transit. The Nym mixnet is composed of independently owned and operated providers who are incentivized to maintain quality network service. Like a true dVPN, the Nym mixnet has no central network authority or point of failure.
The Nym mixnet also provides a number of robust privacy mechanisms:
- Multi-hop routing: it uses a 5-hop route, three mixnodes plus an entry and an exit gateway guarding access to the network. Unlike Tor, which keeps a circuit open for a whole session, the mixnet selects a fresh set of three mixnodes at random for every packet the user sends. This architecture is currently unparalleled in the protection it can provide against traffic analysis, profiling, and surveillance.
- Mixing: the name “mixnet” comes from the way user data is broken into encrypted packets of identical size and shuffled together with other users' traffic as it passes through each mixnode. Because every packet looks the same and leaves in a different order than it arrived, an outside observer cannot tell which output packet corresponds to which input.
- Timing obfuscation: Mixnodes delay the transmission of packets to make sophisticated traffic analysis based on transmission and decryption time more difficult.
- Cover traffic: In order to block efforts at data tracking, the mixnet also introduces dummy data packets into network circulation, adding volume and cover traffic to the network of mixed client communications. This technique, much like hiding in a crowd, obscures client communication patterns and protects against individual profiling.
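An added simulation in Go of the three mechanisms just listed (example code written for this page, not Nym's implementation): messages cut into fixed-size packets, a continuous-time mix that holds each packet for an exponentially distributed delay, and a constant-rate sender that fills idle slots with cover packets. The 64-byte packet size, the rates, the delay and the message are constructed values; a real mix draws its delays from a cryptographic source and uses much larger packets.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/rand" // simulation only; a real mix draws delays from a cryptographic source
	"sort"
)

// packetSize is constructed for the example. The point is that every packet on
// the wire has the same length regardless of the message behind it.
const packetSize = 64

// fragment splits a message into fixed-size packets: a 2-byte length prefix,
// up to packetSize-2 bytes of data, and zero padding to fill the rest.
func fragment(msg []byte) [][]byte {
	const room = packetSize - 2
	var pkts [][]byte
	for off := 0; off == 0 || off < len(msg); off += room {
		end := off + room
		if end > len(msg) {
			end = len(msg)
		}
		p := make([]byte, packetSize)
		binary.BigEndian.PutUint16(p, uint16(end-off))
		copy(p[2:], msg[off:end])
		pkts = append(pkts, p)
	}
	return pkts
}

// reassemble reverses fragment. It rejects a length prefix that points past
// the packet, so a malformed packet cannot make it read out of bounds.
func reassemble(pkts [][]byte) ([]byte, error) {
	var out []byte
	for i, p := range pkts {
		if len(p) != packetSize {
			return nil, fmt.Errorf("packet %d: size %d, want %d", i, len(p), packetSize)
		}
		n := int(binary.BigEndian.Uint16(p))
		if n > packetSize-2 {
			return nil, fmt.Errorf("packet %d: length %d exceeds payload room", i, n)
		}
		out = append(out, p[2:2+n]...)
	}
	return out, nil
}

// packet is what the simulation tracks: who sent it ("cover" for a dummy),
// when it reached the mixnode, and when the mixnode released it (seconds).
type packet struct {
	id      string
	arrival float64
	depart  float64
}

// mix is a continuous-time (Poisson) mix: each packet is held for an
// independent, exponentially distributed delay, so the departure order no
// longer follows the arrival order and timing cannot pair inputs to outputs.
func mix(in []packet, meanDelay float64, seed int64) []packet {
	rng := rand.New(rand.NewSource(seed)) // seeded so a run is repeatable
	out := append([]packet(nil), in...)
	for i := range out {
		out[i].depart = out[i].arrival + rng.ExpFloat64()*meanDelay
	}
	sort.Slice(out, func(a, b int) bool { return out[a].depart < out[b].depart })
	return out
}

// withCover models a client that sends exactly one packet per slot, slots
// being 1/rate seconds apart: a queued real packet if one is due, otherwise a
// dummy. On the wire the stream looks the same whether the user is active or not.
func withCover(queued []packet, rate float64, slots int) []packet {
	out := make([]packet, 0, slots)
	next := 0
	for i := 0; i < slots; i++ {
		t := float64(i) / rate
		if next < len(queued) && queued[next].arrival <= t {
			p := queued[next]
			p.arrival = t
			out = append(out, p)
			next++
		} else {
			out = append(out, packet{id: "cover", arrival: t})
		}
	}
	return out
}

func main() {
	msg := []byte("constructed message: long enough that it does not fit in a single 62-byte payload")
	var queued []packet
	for i := range fragment(msg) {
		queued = append(queued, packet{id: fmt.Sprintf("msg-%d", i), arrival: 0.1 * float64(i)})
	}
	for _, p := range mix(withCover(queued, 10, 10), 0.25, 42) { // 10 pkt/s, mean 250 ms hold
		fmt.Printf("%-6s in=%.2fs out=%.2fs\n", p.id, p.arrival, p.depart)
	}
}
```

Run it and the output column shows real and cover packets interleaved in an order unrelated to their arrival; an observer on the link sees ten identical-looking packets per second whether the user sent two or none. The length check in reassemble is the kind of detail that matters in a real receiver: a hostile packet with an oversized prefix must be dropped, not read past its end.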
Encryption with Nym mixnet
The Nym mixnet is powered by the Sphinx packet format, which is designed specifically for mix routing. A Sphinx packet has two parts: a payload (your data, which should itself already be encrypted end to end) and a fixed-size header carrying the routing information for each hop, together with a group element (an elliptic-curve point) from which each node derives its own key. The packet is wrapped in one encryption layer per hop of the route.
What makes Sphinx particularly effective is its per-hop key derivation. A node combines its private key with the group element in the header to compute a shared secret (a Diffie-Hellman key exchange with the sender), uses it to strip one layer and read its own routing instructions, then blinds the group element before forwarding so that the next hop sees a different value. Every hop repeats this. No node can read your data, see your IP address together with your destination, or learn the full route: each node knows only the previous and the next hop, so no single node can correlate your IP with your online activities.
Sphinx also allows for quicker computation time in generating shared keys, expediting what would otherwise be a sluggishly slow multi-hop routing process. Along with other supplemental security measures, this makes traffic analysis exceedingly difficult, even against hypothetical adversaries who might have a view of the whole network.
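To make the header mechanism concrete, here is an added Go example (not Nym's Sphinx implementation) of the per-hop Diffie-Hellman and blinding step described above. It assumes X25519 as the group, SHA-256 as a stand-in for Sphinx's hash-to-scalar, and three mixnodes with constructed static keys; it leaves out the header's routing fields, integrity tags and payload. The client derives every hop's shared secret from a single ephemeral secret, and each hop derives the same secret from the element it receives, then blinds it before forwarding, so the element seen at each hop is different.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var curve = ecdh.X25519()

// mul returns scalar*point on Curve25519 through the ECDH API. X25519 clamps the scalar on
// every call, and client and hop both go through this function, so both sides agree.
func mul(scalar, point []byte) []byte {
	k, err := curve.NewPrivateKey(scalar)
	if err != nil {
		panic(err)
	}
	p, err := curve.NewPublicKey(point)
	if err != nil {
		panic(err)
	}
	out, err := k.ECDH(p)
	if err != nil {
		panic(err)
	}
	return out
}

// blind derives the blinding factor b_i = H(alpha_i, s_i). Only the sender and
// hop i know s_i, so only they can compute b_i. Simplified hash-to-scalar.
func blind(alpha, shared []byte) []byte {
	h := sha256.Sum256(append(append([]byte("sphinx-blind:"), alpha...), shared...))
	return h[:]
}

// clientSide is the sender's computation. From one ephemeral secret x it gets,
// for each hop i, the element alpha_i that hop will see and the shared secret
// s_i = x * b_0 * ... * b_{i-1} * Y_i, multiplying in one factor at a time.
func clientSide(x []byte, hopPubs [][]byte) (alphas, secrets [][]byte) {
	priv, err := curve.NewPrivateKey(x)
	if err != nil {
		panic(err)
	}
	alpha := priv.PublicKey().Bytes() // alpha_0 = x*G goes on the wire
	var blinds [][]byte
	for _, y := range hopPubs {
		p := y
		for _, b := range blinds {
			p = mul(b, p)
		}
		s := mul(x, p)
		alphas, secrets = append(alphas, alpha), append(secrets, s)
		b := blind(alpha, s)
		blinds = append(blinds, b)
		alpha = mul(b, alpha) // alpha_{i+1} = b_i * alpha_i
	}
	return alphas, secrets
}

// hopSide is one node's computation on the element it receives: derive the shared secret with
// its static private key, then blind the element before forwarding so the next hop sees a new value.
func hopSide(nodePriv *ecdh.PrivateKey, alpha []byte) (shared, next []byte) {
	shared = mul(nodePriv.Bytes(), alpha)
	return shared, mul(blind(alpha, shared), alpha)
}

// runCircuit plays the header element through every hop; returns what each hop saw and derived.
func runCircuit(nodes []*ecdh.PrivateKey, alpha0 []byte) (seen, secrets [][]byte) {
	alpha := alpha0
	for _, n := range nodes {
		seen = append(seen, alpha)
		var s []byte
		s, alpha = hopSide(n, alpha)
		secrets = append(secrets, s)
	}
	return seen, secrets
}

// genNodes makes n mixnodes with constructed static X25519 keys.
func genNodes(n int) (privs []*ecdh.PrivateKey, pubs [][]byte) {
	for i := 0; i < n; i++ {
		k, err := curve.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		privs, pubs = append(privs, k), append(pubs, k.PublicKey().Bytes())
	}
	return privs, pubs
}

func main() {
	nodes, pubs := genNodes(3)
	x := make([]byte, 32)
	rand.Read(x) // ephemeral per-packet secret
	alphas, want := clientSide(x, pubs)
	seen, got := runCircuit(nodes, alphas[0])
	for i := range nodes {
		fmt.Printf("hop %d: secrets agree=%v element=%x...\n", i, bytes.Equal(want[i], got[i]), seen[i][:4])
	}
}
```

The property to notice is that every hop ends up with the secret the client computed for it, yet the 32-byte element printed at each hop is different, so a watcher comparing headers at two points in the route has nothing to match on. The sender pays for this with one extra scalar multiplication per earlier hop, which is the cost Sphinx keeps small enough for per-packet routing.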
Conclusion
VPN encryption is not simply an excessive step in addition to HTTPS encryption provided by most web services. It is essential to obscure the route of your traffic and to mask your IP address so that you cannot be easily tracked. But ensuring genuine online anonymity also requires choosing the best VPN for privacy. Given the risks posed by centralized VPN services, the proper choice for everyone should be a dVPN.
dVPNs can have problems, however, one of which is latency. The more hops on a route, the slower it can be and the more connection issues can arise. With this in mind, NymVPN has been designed to give users a choice for how much protection they need online, when, and for what kinds of traffic:
- You can select between a 2-hop dVPN mode powered by WireGuard, the fastest encryption protocol available,
- Or an unparalleled 5-hop mixnet mode for highly sensitive traffic (like private email apps or crypto transactions)
Get NymVPN to try the world’s first VPN built on mixnet technology and help us fight for a more private internet.