Using the Internet in China has always been a bit of a struggle, simply because the government is very restrictive regarding which content residents can access. To counter this problem, many Chinese Internet users have signed up for VPN services to bypass the Great Firewall. But as it turns out, even those services are not free from government surveillance, as the encryption they use is relatively weak.
Chinese VPN Providers Use Weak Encryption
One of the main reasons people use VPN providers is because these services will encrypt all Internet traffic. Doing so will keep all of the information gathered during a browsing session safe from prying eyes. Furthermore, governments, such as the Chinese officials, are unable to block Internet pages from being accessed when using such a VPN service.
However, as it turns out, several Chinese VPN providers are not using proper encryption, resulting in government officials being able to access user data in the end. What makes things even worse is how the popular commercial VPN providers are using this weaker form of encryption. Needless to say, this is a great cause for concern, especially in China.
ExpressVPN and Astrill – both of which are quite popular VPN providers in China – are using a 1024-bit RSA key to encrypt all connections. While this may sound like a proper security measure to people who are not as tech-savvy, this form of encryption can be bypassed without much trouble. That is, as far as the Chinese government goes at least.
[Update April 2017: It appears that Astrill and some other usually recommended VPNs are not functioning anymore in China due to continuous service disruption. The Chinese government has been cracking down on VPNs in the last couple of months. Before making a choice you should read the Anonymster Best VPN for China Guide in order to avoid getting a VPN which is blacklisted.]
By using less-than-optimal encryption, both VPN providers are wide open to having government officials snoop around whenever data is collected. While there is no real evidence documenting this to be the case, hardly anyone would be surprised if the Chinese government was, in fact, accessing data collected by both ExpressVPN and Astrill.
It goes without saying that using weak encryption to protect customer data from snooping is irresponsible, to say the least. But there is another worry about both of these VPN services, as the Chinese government could block access to both platforms if it wanted to. Even though both ExpressVPN and Astrill are offering a way for consumers to bypass the Great Firewall, their servers can still be accessed by residents without a problem. Whether or not this is a ploy to give VPN users a false sense of privacy remains to be seen, though.
Bitcoin Employs Proper Security Measures
Explaining how VPN encryption works is quite similar to how Bitcoin works at its core. The RSA key associated with the VPN connection encryption operates similarly to a lock. But instead of using just one key, there is a hidden layer that requires a signature. It is this signature that provides the actual encryption of data.
In the Bitcoin world, this signature is called a “private key”, which ensures only the owner of the Bitcoin address can send funds. RSA keys work in the same way, but by employing very weak 1024-bit encryption, anyone with enough dedicated computational power will be able to crack the code. Bitcoin, on the other hand, uses far stronger encryption, making it impossible for anybody to snoop on people’s transactions and balances.
Other than a private key, there is also a public key. Combining both keys will grant access to the data – or Bitcoin wallet – and take complete control. By deriving the factors of that public key, hackers – or government officials – would be able to “guess” the private key. Strong encryption is needed to prevent this from happening, and 2048-bit RSA should be the minimum requirement. To put this into perspective, Bitcoin moved away from RSA encryption and switched to ECDSA several years ago.
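The relationship described above – the private key is recoverable by anyone who can factor the public modulus, which is why the modulus size sets the security level – can be shown concretely. The following is an added example written for this article, not code from the VPN providers or from Bitcoin. It uses constructed toy primes (six digits each) so that the factoring step finishes instantly; a real 1024-bit modulus cannot be factored by trial division, and the 2048-bit policy threshold is taken from the text above rather than from any provider's configuration.

```python
import math

# Policy threshold from the article: 2048-bit RSA as the minimum requirement.
MIN_RSA_BITS = 2048


def generate_toy_rsa(p, q, e=65537):
    """Textbook RSA key generation from two primes.

    Returns (public_key, private_key) as ((n, e), (n, d)).
    The primes are constructed toy values here; real keys use ~1024-bit primes.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Factor n = p * q by brute force. Cost grows as sqrt(n), i.e. it doubles
    for every two extra bits of modulus; this is only feasible for toy sizes."""
    for candidate in range(2, math.isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no non-trivial factor found")


def recover_private_key(public_key):
    """Shows the point made in the article: the private exponent d follows
    directly from the factors of the public modulus n."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    phi = (p - 1) * (q - 1)
    return (n, pow(e, -1, phi))


def assess_rsa_modulus(n):
    """Defender-side check: report the modulus size and whether it meets
    the 2048-bit minimum. Returns (bits, verdict)."""
    bits = n.bit_length()
    return bits, ("weak" if bits < MIN_RSA_BITS else "acceptable")


if __name__ == "__main__":
    # Constructed toy primes; both are prime and small enough to factor quickly.
    public_key, private_key = generate_toy_rsa(1000003, 1000033)
    message = 123456789
    ciphertext = rsa_encrypt(public_key, message)
    print("round trip ok:", rsa_decrypt(private_key, ciphertext) == message)

    recovered = recover_private_key(public_key)
    print("private key recovered from public modulus:", recovered == private_key)
    print("modulus assessment:", assess_rsa_modulus(public_key[0]))
    print("2048-bit modulus assessment:", assess_rsa_modulus(1 << 2047))
```

The `assess_rsa_modulus` check is the part a practitioner would apply to a real deployment: the modulus size of a server's certificate is visible in the `Public-Key: (... bit)` line of `openssl x509 -noout -text`, and anything below 2048 bits should be treated as a finding regardless of who is assumed to be listening.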
In the end, various companies around the world can learn plenty from the Bitcoin ecosystem, especially where encryption is concerned. Switching from RSA to ECDSA would be a good move for these VPN providers as it would prevent government officials from accessing user logs. Bitcoin is on top of its game when it comes to security and encryption, whereas more traditional technology services and companies are not as secure as they should be.
Source: Tech In Asia