With the word “blockchain” entering ever-more-outlandish combinations, Blockchain VPN sounds rather tame – something you knew must exist but didn’t quite know where and how. Indeed, the where and how are not the simplest questions to answer, but that’s what we’re here for. So read on and learn the ins and outs of blockchain VPN.
What does blockchain have to do with VPN?
To begin to answer this, we first need to mention the most important criticisms of regular Virtual Private Networking.
Many will already know that the entire point of VPNs is to disassociate the user from his or her online activities – to grant freedom on the internet. The way this is done is through tunneling protocols (which encrypt your traffic as it travels from one digital point to another) and VPN servers (which create a wall for you to stand behind, changing your IP address in the eyes of the host server and changing the host server IP address in the eyes of your Internet Service Provider (ISP)).
As a result of this procedure, you are able to hide what you do online from your ISP and, therefore, also the government. More than that, you can choose which location you appear to be based in – just connect to a VPN server in the US and sites like Netflix will assume you’re a US-based user.
When VPNs work as advertised, they are an awesome tool. However, their very design raises issues regular users are unable to wave away.
Blockchain VPN service developers recognize these issues and are presenting a solution. They recognize that the main issue with regular VPN services is the VPN company, which is a central hub all user traffic goes through. That’s why every VPN has some statement about “logging” – storing data on user connections, activities, or identities. It’s also why VPN providers that have given user data to law enforcement agencies are so vilified.
The truth of the matter about logging is this: every single VPN service technically has the ability to store all the information it gets about users. And it can sell all that information to third parties if it so wishes. Of course, VPNs may do all they can to minimize their need for logging. For example, they can remove all of the limits VPN services typically impose on their users – bandwidth, data transfer, simultaneous connection limits. Without the need to enforce these restrictions, VPNs can technically do away with logging. One thing they can’t do? Remove their ability to log.
Blockchain VPNs try to render this concern moot. They remove the central hub that all user traffic must pass through and instead offer a decentralized network of volunteer nodes, kind of like Tor.
Differences between blockchain VPN and Tor
The basic premise behind Tor and P2P blockchain VPN is similar. When using the Tor network, the user’s traffic is sent through a series of volunteer relays – essentially, people who operate servers to pass traffic (not to sound flippant…) out of the goodness of their hearts. At each relay, the traffic is additionally encrypted, with only the last node being able to decrypt the traffic and send it on to the host server.
This is a good system, but one that has several weaknesses. The first of these weaknesses is that there aren’t many of these volunteer nodes – just as there isn’t much of volunteer-anything. This results in very poor speeds and makes it more or less impossible to engage in certain activities we love regular VPN services for. Torrenting, for example.
Perhaps more importantly, the low number of nodes creates a security issue. An attacker controlling a significant portion of the network may be able to trace traffic back to its source or decrypt it. That defeats the whole purpose of using a privacy-protection service in the first place.
In the best examples, Blockchain VPN takes more or less the same system but uses blockchain to introduce an economy into the network, allowing it to remain decentralized and anonymous at the same time. If some of these blockchain VPN developers are to be believed, this would also make the network a lot cheaper to use than a regular VPN – traffic would always be routed to the cheapest and fastest nodes on the network. The economic incentives would hopefully solve the network size issue and thus also the speed and security issues.
Nevertheless, there are concerns here as well.
Sounds good – what’s the problem?
Well, for one thing, unless the network actually grows to a good size, the same problems would (presumably) still apply as with Tor. Controlling a significant portion of the network may allow attackers to “get to the user.”
Another aspect is one that those following the story of Hola VPN will recognize. Hola is a notoriously shady VPN service, which has one interesting feature – it sells the user’s idle bandwidth to other users on the network. Basically, if you are running Hola and are not doing anything on your computer, the VPN will use your internet connection to route other people’s traffic.
Fair enough – if you want a VPN for free, you’ll only end up paying for it some other way. The issues start elsewhere. Specifically, Hola also has a parallel company called Luminati, which sells the idle bandwidth of Hola VPN users to businesses. One time, Luminati sold this bandwidth to someone who used it as they would a botnet – in a cyber attack. When something like this happens, the end nodes are culpable.
You can see where we’re going with this. If you’re the end node of some nasty traffic exchange on the blockchain VPN network, where does that leave you exactly?
There are, of course, other important questions to consider too. For example, it remains to be seen whether the speeds in such a network would be any good, let alone able to compete with the top-notch bare metal servers of regular VPN providers. Also, half of the P2P VPNs we looked at are not even multi-hop (which makes the exit node just as able to log data as VPN servers would be).
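To put numbers on the concern raised above (an attacker controlling a significant portion of the network, and single-hop networks leaving the exit node in a position to log) here is a small model, added as an illustration and not taken from the article or from any of the projects it discusses. The assumptions are ours: a circuit picks distinct relays uniformly at random, the adversary runs `bad` of `total` relays and correlates traffic across all of them, and the client is linked to its destination when the adversary holds both the relay that sees the client’s IP (the first hop) and the relay that sees the destination (the last hop). In a single-hop network those are the same relay, so a single compromised exit suffices.

```python
"""Odds that a colluding relay operator can link a client to its destination.

Added illustration, not code from the article or any named project.
Model assumptions (ours): relays are chosen uniformly without
replacement; the adversary controls `bad` of `total` relays and can
correlate traffic seen at any of them; linking succeeds when the
adversary holds both the entry relay (sees the client IP) and the exit
relay (sees the destination). For hops == 1 the single relay is both.
"""
import random
from fractions import Fraction


def link_probability(total: int, bad: int, hops: int) -> Fraction:
    """Exact probability that entry and exit relays are both adversarial.

    hops == 1: one relay sees both ends, so the probability is bad/total.
    hops >= 2: entry and exit are two distinct relays drawn without
    replacement, so it is bad/total * (bad-1)/(total-1). Middle relays do
    not matter in this model.
    """
    if not 0 <= bad <= total or hops < 1 or total < hops:
        raise ValueError("need 0 <= bad <= total, hops >= 1, total >= hops")
    if hops == 1:
        return Fraction(bad, total)
    if bad < 2:
        return Fraction(0)
    return Fraction(bad, total) * Fraction(bad - 1, total - 1)


def simulate(total: int, bad: int, hops: int, circuits: int, seed: int = 0) -> float:
    """Monte-Carlo estimate of the same event over `circuits` random circuits."""
    rng = random.Random(seed)
    relays = list(range(total))
    adversarial = set(range(bad))  # constructed: relay ids 0..bad-1 are adversarial
    linked = 0
    for _ in range(circuits):
        circuit = rng.sample(relays, hops)  # distinct relays, entry first, exit last
        if circuit[0] in adversarial and circuit[-1] in adversarial:
            linked += 1
    return linked / circuits


def compare(total: int, bad: int) -> dict:
    """Exact linking odds for single-hop and three-hop circuits on one network."""
    return {hops: link_probability(total, bad, hops) for hops in (1, 3)}


if __name__ == "__main__":
    # Same adversary (10 relays), small volunteer network versus a large one.
    for total in (50, 5000):
        odds = compare(total, bad=10)
        print(f"{total:5d} relays, 10 adversarial: "
              f"single-hop {float(odds[1]):.4f}, three-hop {float(odds[3]):.6f}")
    print("simulated single-hop, 50 relays:", simulate(50, 10, 1, 20000, seed=1))
```

Two things the table makes visible: a single-hop design exposes the user to any one adversarial exit, which is exactly the “exit node can log” point, while multi-hop drives the odds down roughly quadratically in the adversary’s share; and that share is what a small network cannot keep low. The model is deliberately optimistic for the defender (uniform relay selection, no bandwidth weighting, no timing attacks from partial views), so real odds are no better than these.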
Attempts to answer these and other concerns are to be found in the wild.
The blockchain VPN market, such as it is
At the moment, the blockchain VPN market does not look very impressive. There are a few noticeable names, but the services themselves are at various stages of development. There’s Privatix, the Mysterium Network, Orchid, and Lethean among others. Each of these seems to have advanced somewhat since we last checked a few months ago and all are set to deliver some sort of blockchain VPN product in the foreseeable future. Perhaps the only exception here is Orchid, whose website is still just a landing page (although its whitepaper seems the most compelling of them all).
Over the past couple of months, we’ve reached out to all these projects and asked them some of the same questions we raise in the previous section of this article. The only ones to comment in-depth were Lethean, for which we give them kudos. Regardless, we’ll look at each of the projects in turn and try to answer some questions.
In some senses, Orchid seems like the most serious project. The Delaware, US-based Orchid Labs combines a number of people with rather public records – people who can speak well and have a reputation to worry about. Most of the other P2P VPN projects have neither this PR asset nor the level of personal responsibility it creates.
The knowledge and experience of people at Orchid clearly show in their whitepaper. It demonstrates a lot of attention to detail and covers some of the commonly-cited concerns against the idea of a P2P Blockchain VPN.
Firstly, Orchid provides a solution for the danger of someone controlling a large part of the network. It does so by stopping attackers from operating a disproportional number of bandwidth sellers in relation to their share of the total computational power of the Orchid network.
This isn’t the only attack scenario Orchid presents solutions for. We won’t go into these – suffice to say they’ve done their homework.
Secondly, Orchid protects exit nodes from misuse of their bandwidth through the use of blacklists and whitelists. Basically, if you’re a bandwidth seller who resides in, say, Germany and would like to stop people from using your IP for torrenting – you can do so by blacklisting P2P traffic. This is certainly a solution, but we wonder whether the mess it creates on the marketplace will be too much for convenience. Or, for that matter, whether it’s enough.
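The blacklist/whitelist idea above amounts to an exit policy: a bandwidth seller declares which destinations and ports it will carry. The evaluator below is an added illustration, not Orchid’s code; its rule syntax (`accept`/`reject`, a `*` or IPv4 CIDR, a port, a port range or `*`, first match wins, default deny) is our own assumption, modelled on the familiar Tor exit-policy style rather than on any project’s actual format. The sample policy is constructed to match the article’s example of a seller who refuses P2P traffic.

```python
"""Exit-policy evaluator for a bandwidth-selling node.

Added illustration; not code from Orchid or any project in the article.
Rule format (our assumption): "<accept|reject> <*|IPv4 CIDR>:<port|lo-hi|*>".
Rules are checked in order, the first match decides, and a destination
matching no rule is rejected.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                                   # "accept" or "reject"
    network: Optional[ipaddress.IPv4Network]      # None means any destination
    port_lo: int
    port_hi: int


def parse_rule(text: str) -> Rule:
    """Parse one policy line; raises ValueError on anything malformed."""
    action, _, target = text.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError(f"bad action in rule: {text!r}")
    host, sep, ports = target.rpartition(":")
    if not sep:
        raise ValueError(f"rule needs host:port, got {text!r}")
    network = None if host == "*" else ipaddress.IPv4Network(host, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in rule: {text!r}")
    return Rule(action, network, lo, hi)


class ExitPolicy:
    def __init__(self, rules: List[str]):
        self.rules = [parse_rule(r) for r in rules]

    def allows(self, dst_ip: str, dst_port: int) -> bool:
        """True if the exit would carry a connection to dst_ip:dst_port."""
        addr = ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if rule.network is not None and addr not in rule.network:
                continue
            if not rule.port_lo <= dst_port <= rule.port_hi:
                continue
            return rule.action == "accept"
        return False  # default deny: nothing matched


# Constructed sample policy for a seller who wants no P2P traffic on its IP.
TORRENT_AVERSE_EXIT = [
    "reject *:6881-6999",   # conventional BitTorrent listening ports
    "reject 10.0.0.0/8:*",  # never relay into private address space
    "accept *:80",
    "accept *:443",
    "reject *:*",
]


def classify(policy_lines: List[str], flows) -> dict:
    """Map each (ip, port) flow to the policy decision."""
    policy = ExitPolicy(policy_lines)
    return {flow: policy.allows(*flow) for flow in flows}


if __name__ == "__main__":
    # Constructed destinations: documentation-range IP (RFC 5737), not a real host.
    sample = [("192.0.2.10", 443), ("192.0.2.10", 6881), ("10.1.2.3", 443), ("192.0.2.10", 25)]
    for flow, decision in classify(TORRENT_AVERSE_EXIT, sample).items():
        print(f"{flow[0]}:{flow[1]} -> {'accept' if decision else 'reject'}")
```

The policy is only as good as its ability to recognise the traffic it is meant to exclude: a BitTorrent client can listen on any port, and port 443 carries plenty that is not HTTPS, so a port-based policy lowers an exit’s exposure rather than removing it. That limitation is the practical substance of the question of whether such lists are enough.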
While the Orchid team seems confident that connection speeds on their network will be competitive, we remain skeptical. This is particularly true for Orchid, where connections are “multi-hopped,” meaning they pass through several relays before reaching the host server.
After some initial financial success (investors have paid over $36 mln for the right to buy coins during the public ICO), the project seems to have gone suspiciously quiet. The website is still just a landing page with a few nice logos and social links. The official Reddit has been inactive for months and the latest user comments asking for status updates remain unanswered. Orchid’s Twitter page is still actively posting, but the posts are mainly unrelated to Orchid (although we must admit – it’s a good source of interesting articles).
Is this a calm before the storm? Guess we’ll have to wait and see.
Unlike Orchid, Mysterium did an ICO before having an active product and raised almost $15 mln. Also unlike Orchid, Mysterium has been quite active with the updates and has been able to produce an Alpha version. Users can even run a test node on the network (if they have the technical expertise to do so) or try the VPN out.
The issue with the Mysterium Network is that it fails to address the speed problem, the various attack scenarios, or the vulnerability of exit nodes. On the Mysterium FAQ there is a question: “What if someone uses my node for illegal purposes?” The answer is a bit baffling:
“Then they will most probably be breaking the law. By installing our client software, the users undertook to use it only for legal purposes and avoid any criminal or illegal activities.”
Okay then, case closed?
The rest of the questions in the “Legal” section of the FAQ betray a worrying attitude, basically repeating that, if their understanding of the law is correct, things should be fine. Call us old-fashioned, but we’d prefer solutions over consolations.
It is our understanding that Mysterium also doesn’t offer multi-hop, which creates even bigger worries. Perhaps an individual node runner is a less visible target for those who want to get user data, but they are also less likely to have the means to resist if they do become a target.
The MYST token is not as appealing as it was at the time of the ICO, and we reckon there are good reasons for that.
Privatix is very similar to the Mysterium Network. It also has a product in its Alpha stage and has already held its public ICO (approx. $2.4 mln raised). The whitepaper is huge – 78 pages (!) – and they even translated it into 9 other languages.
Also like Mysterium, Privatix has done little to address the most pressing security matters. For example, their connections seem to be single-hop, raising the question of whether this is really any better security-wise than centralized solutions. And they also don’t provide a satisfactory solution for exit-node security.
As per the Privatix whitepaper:
“We will provide to all Agents a document stating that we as a company lease their network for our use and resell it. This document will contain the Agent’s node IP and hash in blockchain and the Agent will be able to download it from his dashboard.”
Firstly, that sounds a bit like logging. Secondly, it leaves open the question of whether this document would actually help users out of legal jeopardy. That would likely depend on the Agent’s country, the individual case, and so on. The people at Mysterium at least don’t pretend to know how the situation would play out in the wild.
As with any of these tools, there seems to be no reason why they would be able to offer a level of performance that could compete with top centralized VPN services.
Last, but not least, we have Lethean, who were kind enough to answer our questions in a detailed and honest manner. This project is different in some important ways, but similar in others.
Unlike the aforementioned P2P blockchain VPN services, Lethean does not operate on the Ethereum blockchain, and its coins are not ERC20 tokens. Citing the openness of the Ethereum ledger as a privacy issue, Lethean has elected to rely on a different algorithm, the CryptoNight protocol. According to Lethean, this “tumbles transactions being sent through a process called RingCT, which creates multiple inputs and outputs to hide the sender from an outside source.”
Lethean plans to offer an “Enhanced Privacy Mode,” which is essentially a multi-hop feature. Currently, Lethean is only available as a browser extension and only offers single-hop connections. This should change at some point in Q2 2019. Until then, the software suffers from the same privacy issue as Mysterium or Privatix.
As for exit node security against the misuse of their bandwidth, Lethean has the same answer as Mysterium or Privatix. On the one hand, exit nodes should take “precautions to ensure that the end users are following their local regulations.” On the other, “the wallet will store some data that will verify that the misuse of the exit node’s bandwidth was not done by the person hosting the exit node.”
Furthermore, according to Lethean, this “question is a concern for all VPN providers.” We disagree and will use this opportunity to raise a point that we’ve briefly touched upon already. In a practical sense, misuse of traffic is not nearly as big a concern for VPN providers because they can rely on a structure built to deal with legal issues. Often they operate under the guise of offshore shell companies. And even if they don’t, they have legal teams to handle law enforcement questions.
This also applies when discussing the user privacy question – users can trust a good VPN to stand between them and, for example, law enforcement (up to a point, of course). Meanwhile, in the case of P2P VPN services users must rely on individuals who have no responsibility to protect their identity.
Lastly, we’d like to highlight Lethean’s answer about performance:
“The speed of the VPN services is not related to the blockchain itself. The blockchain is the payment mechanism and is not the means by which the VPN or Browser Extension is tunneling traffic through the Internet. Once connected and payment is received, provided the node is of good quality, performance should be the same as any other VPN service.”
They are right, of course. However, our reason for claiming that P2P VPN can (almost) never be as fast as the best centralized VPN services is precisely the quality of the node. Put simply, the joint stock company was invented to fund expensive ventures – building trading posts along the trade route to India or building the necessary infrastructure to provide VPN users with fast connections.
Perhaps the argument could be that these nodes need not be run by private individuals. That’s probably true, but it only raises more questions – can these companies make a profit within such an infrastructure without resorting to shady practices? Would such companies, if successful, become more or less the same as current-day centralized VPN service providers?
Blockchain VPN – our conclusions
Having investigated the blockchain-based P2P VPN industry, we can say that its criticisms of regular VPNs are valid, but its solutions raise doubts. Even if the developers of these tools manage to solve the security issues (as Orchid seems to have done, at least on paper), there still remains the question of competitiveness.
Top players in the regular VPN industry offer users great performance and a rich package of features. We don’t see how private bandwidth sellers could ever compete with the speeds enjoyed by users of, for example, Astrill VPN.
We do see a niche where these tools could be useful – under-developed, censorship-heavy states. The reason is that nodes of a P2P network would, in theory, be more difficult for ISPs to block than VPN servers. Additionally, the fact that users would be paying only for the traffic they use, rather than a general subscription fee, could make the services more affordable. Privatix, for example, estimates that users of P2P VPN services would “pay less than $5-10 per year.”
However, if these VPNs only have niche-appeal and are not particularly profitable, the incentive system falls apart.
For the time being, we suggest choosing a regular VPN service. Just make sure you do your research before investing – our Best VPN Services list is a good place to start!
Ethan is a security researcher and digital privacy advocate. He spends his time unraveling various anonymity and security tools, plus contributing to open-source projects. Otherwise, he keeps a low profile by hiking or cycling around the countryside.