For expats living in China, a solid VPN (virtual private network) is essential for coping with the country’s internet firewall. However, according to a recent Tech in Asia report, many VPNs have inadequate security and are not doing enough to protect your data.
Former Google information security engineer Marc Bevand has raised doubts about the security provided by VPNs. During a recent trip to China, Bevand discovered that the VPN he was using, ExpressVPN, was relying on a 1024-bit RSA certificate authority (CA) key [see update below], considered weak enough to allow third parties like the Chinese government to access user data. The report also noted that Astrill VPN uses a 1024-bit RSA key.
Calling the decision to rely on outdated encryption technology “irresponsible”, Bevand offered a rather scary hypothesis to explain why ExpressVPN and Astrill haven’t been shut down by the Chinese government:
One possible explanation could be that the Chinese government did factor the ExpressVPN root CA key and does spy on the network traffic of their users, but they prefer to not interfere with ExpressVPN in order to give their users a false sense of privacy. If China blocked the service, users would migrate to other more secure VPN services, and China would lose a SIGINT [i.e. intelligence information gathered from communications] ability.
In short, Bevand is suggesting that the Chinese government may not be blocking VPN use in China because it would rather listen in on your conversations. Now that’s scary.
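The practical question for a user is simple: how big is the RSA key behind the CA certificate that your OpenVPN client trusts? The check below is an added example written for this article; it is not code from Tech in Asia, Bevand or ExpressVPN. It assumes the provider's `.ovpn` config carries the CA certificate in an inline `<ca>...</ca>` block (the common layout), walks the DER structure of that certificate with the standard library only, and reports the modulus size. The sample certificates it reads are constructed in the block itself with placeholder moduli, not real keys, so that it runs offline.

```python
"""Added example: report the RSA key size of the CA certificate in an OpenVPN config.
Standard library only; sample certificates are constructed here with placeholder moduli."""
import base64
import re
import textwrap

RSA_OID_BODY = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID_BODY = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption


# ---- minimal DER encoder, used only to construct the sample certificate ----
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v: int) -> bytes:
    # one spare byte keeps the sign bit clear when the top bit of v is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def build_sample_cert(modulus_bits: int) -> str:
    """Constructed, unsigned X.509 certificate (PEM) with an RSA modulus of the given size."""
    n = (1 << (modulus_bits - 1)) | 1                  # placeholder modulus, NOT a real key
    rsa_pub = der(0x30, der_int(n) + der_int(65537))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID_BODY) + der(0x05, b""))
               + der(0x03, b"\x00" + rsa_pub))
    alg = der(0x30, der(0x06, SHA256_RSA_OID_BODY) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der_int(2))              # [0] version v3
               + der_int(1)                            # serialNumber
               + alg + der(0x30, b"")                   # signature alg, empty issuer
               + der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"260101000000Z"))
               + der(0x30, b"")                         # empty subject
               + spki)
    cert = der(0x30, tbs + alg + der(0x03, b"\x00" * 33))  # dummy signature
    b64 = base64.b64encode(cert).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


# ---- minimal DER reader: the part a defender actually needs ----
def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV beginning at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    nbytes = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    start = pos + 2 + nbytes
    return tag, start, start + length

def children(buf: bytes, start: int, end: int):
    """List the (tag, start, end) triples inside a constructed TLV."""
    out, pos = [], start
    while pos < end:
        tlv = read_tlv(buf, pos)
        out.append(tlv)
        pos = tlv[2]
    return out

def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def rsa_modulus_bits(pem: str) -> int:
    """Walk Certificate -> TBSCertificate -> SubjectPublicKeyInfo -> RSAPublicKey.n"""
    buf = pem_to_der(pem)
    _, cs, _ = read_tlv(buf, 0)                        # Certificate
    _, ts, te = read_tlv(buf, cs)                      # TBSCertificate
    fields = children(buf, ts, te)
    if fields[0][0] == 0xA0:                           # optional [0] version
        fields = fields[1:]
    _, ss, se = fields[5]   # serial, signature, issuer, validity, subject, then SPKI
    alg, bitstr = children(buf, ss, se)[:2]
    oid = children(buf, alg[1], alg[2])[0]
    if buf[oid[1]:oid[2]] != RSA_OID_BODY:
        raise ValueError("CA public key is not RSA")
    _, rs, _ = read_tlv(buf, bitstr[1] + 1)            # skip BIT STRING unused-bits byte
    _, ns, ne = read_tlv(buf, rs)                      # first INTEGER is the modulus n
    return int.from_bytes(buf[ns:ne], "big").bit_length()

def ca_from_ovpn(config: str) -> str:
    """Return the inline <ca>...</ca> certificate text from an OpenVPN client config."""
    m = re.search(r"<ca>(.*?)</ca>", config, re.S)
    if not m:
        raise ValueError("config has no inline <ca> block")
    return m.group(1)

def assess(bits: int) -> str:
    # 1024-bit RSA is treated as within reach of a well-resourced adversary;
    # 2048 is the usual floor today, and 4096 is what ExpressVPN moved to.
    return "WEAK" if bits < 2048 else "OK"


if __name__ == "__main__":
    for size in (1024, 4096):   # constructed configs, one weak and one strong CA
        cfg = "client\nremote vpn.example.invalid 1194\n<ca>\n" + build_sample_cert(size) + "</ca>\n"
        bits = rsa_modulus_bits(ca_from_ovpn(cfg))
        print(f"CA key: RSA {bits}-bit -> {assess(bits)}")
```

Point `ca_from_ovpn` at the contents of a real client config and the same walk applies; the only fields the check trusts are the ones it parses, and it refuses anything whose SubjectPublicKeyInfo is not `rsaEncryption` rather than guessing a size.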
UPDATED 12:35pm on February 18, 2016:
ExpressVPN has informed us that they have upgraded their OpenVPN CA certificate strength from 1024-bit to 4096-bit. David Lang, who is ExpressVPN's Communications Manager, had this to say about the upgrade:
As ExpressVPN is committed to maintaining the privacy and security of our users worldwide, I wanted to follow up on your post to make it clear we’ve taken this very seriously. This upgrade to 4096-bit makes ExpressVPN best in class for OpenVPN.
As we pointed out previously, this item was in our backlog to fix. We believe that no data was compromised, but we agree 100% that it needed to be addressed. To that effect, our team of engineers worked tirelessly to upgrade the CA key strength in record time.
I want to personally thank you for shedding light on this important issue, and for your commitment to safety, privacy, and security. These independent third-party checks and balances are essential for an open and free Internet. These are values we, too, share.