Understanding VPNs: Common VPN terms and what they mean
Advanced Encryption Standard. A symmetric encryption standard also known as Rijndael, after its inventors Joan Daemen and Vincent Rijmen. A well audited and understood standard used to encrypt data of all kinds in many different applications. It became widely used after gaining the trust of the U.S. government in 2002.
You are anonymous if it is not possible to identify you within a group. Anonymity only exists within groups, and the larger the group, the more valuable your anonymity is. For example, as part of the Tor network you can only be identified as ‘a Tor user.’ The more Tor users there are, the less meaningful this identification becomes. See also: Pseudonymity.
Any encryption protocol in which the participants create a key pair, consisting of a public and private part. The private key is usually created randomly, and the public key derived through a function. Public keys are required for communication and can be safely handed out, while private keys usually never leave the owner’s device.
A payment method secured by cryptography rather than institutions. Generally not controlled by anybody, Bitcoin allows for more anonymous payments than other electronic options.
A classified program by the U.S. National Security Agency and used to decrypt every communication channel. VPN services and protocols are targeted by Bullrun.
Certificate Authority. When relating to VPNs, this usually refers to a file that identifies which key is considered the authority, or whether a connection to a Server is authentic. The Certificate Authority consists of a public and private key. The public key is given to each user (or included in the Software). The private key is one of the most secured files in a VPN company.
The suppression of speech by powerful individuals or institutions. On the internet, censorship is usually deployed through DNS poisoning, DDoS attacks, and Deep Packet Inspection. However, the threat of physical violence is the biggest censorship enforcer, making anonymity a highly desired feature of online speech.
Referring to the algorithm that’s used to encrypt the connection between the client and the server. Popular ciphers include Blowfish, Twofish, and AES.
Computing power that is not dedicated to a single organization, but rather shared and provided as a utility. It’s increasingly common to host sensitive information in the cloud, rather than an intranet behind a firewall, which drastically changes the security models of the internet.
The amount of data that can be transmitted in a certain amount of time. Usually measured in kilobit or megabit per second.
The study of communications secured by mathematics.
The part of the internet that exists on pseudonymity networks like Tor and I2P. The dark web can only be accessed with special software that typically hides the identity and location of its participants.
An overlay network that shields users from each other by routing traffic randomly around the world. The darknet allows for hidden services like those on the Tor and I2P networks. Often used interchangeably with Dark Web.
The policy or law under which a company retains data of its users. In most jurisdictions Internet Service Providers (ISPs) are required to store information such as browsing history for a few months.
A Linux-based operating system or firmware for routers. Typically open source; routers running this type of software can be more easily modified for things like VPN connections. Many VPN providers offer software for DD-WRT routers.
A hosting service in which the physical machine works exclusively for a single customer. See also: VPS.
Deep packet inspection
A technique that looks at each transferred data packet to check for malicious content or undesired recipients. This can be done for surveillance, but also for censorship and man-in-the-middle attacks.
The part of the internet that is not indexed by search engines. The Deep Web includes private forums and social networking sites that give control over privacy settings and chat services. Not to be confused with Dark Web.
Diffie–Hellman key exchange
Allows two parties to negotiate a shared secret (such as an encryption key) over an insecure channel, without having to meet in person. Diffie–Hellman is used by VPN Protocols and HTTPS alike. The Diffie–Hellman key exchange is a type of handshake.
Under certain circumstances, a misconfigured VPN connection can lead a user to identify themselves to the sites they visit inadvertently.
The proposed Data Retention and Investigatory Powers Act 2014 required ISPs to keep records of their customers’ internet activity and make it available to law enforcement without judicial oversight. Succeeded by the Snoopers’ Charter (Investigatory Powers Act 2016).
A former employee of U.S. intelligence, in 2013 Snowden released information that proved the United States and its allies were guilty of grave violations of privacy.
The process of encoding information so that only authorized people can access it. Usually achieved through mathematics, secret numbers, and primes.
The key that allows someone to encrypt or decrypt information. Often just a large number that is either created randomly or negotiated in a key exchange.
Encryption key length
The size of the Encryption Key, usually expressed in bits. Common key lengths in symmetric systems like AES are 128, 256, and 512 bits. In asymmetric systems like RSA, keys are usually 1024 to 4096 bits long.
Any encryption system in which data can only be accessed at the end-points, e.g. nobody but the sender and recipient can access it.
The dominant standard network connection cable. Infamously dropped by Apple. Such a network is called a LAN.
The fingerprint of data is its unique identifier, commonly derived through a Hash Function. Fingerprints are used to authenticate encrypted channels or to verify the integrity of data.
A system that monitors inbound and outbound packets between networks and devices. Firewalls come as both software or hardware and are commonly used to protect infrastructure, but can also be used to restrict access and censor content. See also Great Firewall.
An intelligence alliance that traces back to World War II. The United States, the United Kingdom, Australia, New Zealand, and Canada are members. Documents released by Edward Snowden show that Five Eyes intelligence agencies have been systematically spying on each other’s citizens. The information is then shared amongst the group, which circumvents restrictions that disallow a state from surveilling its own citizens.
Given by a court to an individual or organization to forbid them from talking about something, e.g. an ongoing investigation or trial. Gag orders are commonly used to conceal companies that are ordered to spy on their customers in Five Eyes countries. A possible defense is a warrant canary.
Self-imposed mechanisms by companies that restrict access to their service in certain locations, often through IP addresses or GPS coordinates.
See also Great Firewall.
Golden Shield (Chinese: 金盾工程) is the name of the systems used to monitor and control the internet in China. Golden Shield has also been used to attack foreign platforms to impose China’s censorship practices. The Great Firewall is a part of the Golden Shield.
The Great Firewall of China, often abbreviated GFW (Chinese: 防火长城), is a sophisticated system used by the government of China to restrict access to foreign media and protect its intranet from attacks. The GFW is part of the Golden Shield.
A function that condenses a file or text into a number of fixed length. While the information in the document is lost, the number serves as a unique identifier of the file. Hashes are used to identify encryption keys and software. Because they cannot be reversed (decrypted), hash functions are also called one-way encryption.
See Domain Name.
A service similar to a VPN Service. But HTTP proxies will reroute only your browsing traffic.
Technology that secures your connection to a website with end-to-end encryption. HTTPS needs to be enabled by the website administrator and is quickly becoming a minimum standard for security on the web. Check for an HTTPS connection by looking for a lock symbol in your address bar.
Invisible Internet Project. An anonymity network similar to Tor. Hidden services on the I2P network end with .i2p.
An intranet is a private network that interacts little with the open internet. Intranets were popular among large corporations for managing proprietary data, but they have increasingly been replaced with Cloud infrastructure.
The unique identifier of a device in a network. A device might be identified within its LAN to the router, and the router identified to the internet. In this case, the router has two IP Addresses, one facing the internet, another facing the LAN. The router performs NAT between the two networks.
When anonymity software fails to route traffic properly, some data might go around the tunnel and reach a service directly, thus revealing the true IP.
Internet Service Provider. The company that connects a home, office, or datacenter to the internet. This service is usually heavily licensed, and ISPs are subject to laws that require them to monitor and censor their users.
Before encrypted channels can be established, there must be an exchanging of keys. Asymmetric encryption systems exchange and verify public keys. Symmetric encryption systems use processes like the Diffie–Hellman key exchange.
A feature of popular VPN Software that ensures no data can leave the device after a VPN Connection has been interrupted or terminated.
Kilobit / Megabit / Gigabit
Common units for measuring internet speeds, e.g. Gigabit per second (Gb/s or Gbps). 8 Gigabit/s is equal to 1 Gigabyte/s.
Kilobyte / Megabyte / Gigabyte
Common units for measuring file sizes, e.g. 1 Megabyte. On a connection with a speed of 1 Mb/s (1 Megabit per second), it will take 8 seconds to download one Megabyte.
A file maintained by a server that records activity. While no server can function without logs, it is considered problematic to maintain logs of user activity, such as web browsing. Other logs providers keep may concern how much data a client consumes or which platform they use.
Data about data. In the context of a letter, metadata would describe any characteristic visible without opening the envelope, such as recipient, sender, weight, date, and size. All data, even encrypted data, reveals something about itself by its metadata.
Network Address Translation. Translates between the IP addresses of a private network, such as an intranet, and those of a public network, such as the internet. A router commonly performs Network Address Translation, and so does a VPN Service.
An alternative name of the Tor network, named after its layered privacy. .onion (dot onion) is also the ending of Tor URLs, which are not registered, but generated like an encryption key.
Open Secure Shell. A set of tools used to secure communications between devices. Frequently used as a VPN Protocol.
The most commonly trusted VPN protocol among commercial VPN providers. OpenVPN uses technology similar to HTTPS connections, making it the most potent method to circumvent censorship as its traffic looks similar to regular web traffic.
Peer-to-peer software is any software in which users directly communicate with each other, rather than through commercial servers. Bittorrent and Bitcoin are the most popular P2P software tools, while Tor can also be regarded as P2P software. Many networks do not allow P2P traffic due to concerns about illegal file sharing.
While systems like radio simply stream data, computers on the internet, using the IPv4 and IPv6 protocols, split data into packets which are reassembled on the other side of the communication.
Perfect forward secrecy
Any encryption system in which previous communication channels do not become compromised if a key is leaked. With OpenVPN and HTTPS, for example, each session has its own encryption key, obtained from a Diffie–Hellman key exchange.
The time, usually measured in milliseconds, that it takes for a server to respond. Low ping times usually correspond to higher speeds, but not necessarily.
Point-to-point Tunneling Protocol. An older protocol that doesn’t offer security or privacy features such as encryption. Still in use today by users who require high connection speeds and low ping time.
Any computer that reroutes traffic, either as infrastructure or to implement or circumvent monitoring or censorship. Technically routers, VPN Services, the Great Firewall, and darknets are all proxy services, though the term is primarily used for HTTP proxies.
Pseudonymity means you are only identifiable through a pseudonym or alter-ego. Certain actions can be uniquely attributed to this pseudonym, but your “real” identity cannot be tracked back to it.
A router is a device that forwards data between computer networks. Most commonly used to connect a LAN or WLAN to the open internet. If the firmware of a router supports VPN protocols, such as DD-WRT, a router can be configured to connect a LAN to a VPN service.
Named after its designers Ron Rivest, Adi Shamir, and Leonard Adleman, RSA is an asymmetrical encryption standard, developed in 1977 and still in common use today.
A legal principle that limits the liability that another law creates. While copyright infringement is a civil or criminal offense, safe harbor statutes limit the liability of Internet Service Providers, Data Center Operators, or VPN Services.
Secure Hashing Algorithm. SHA-1 is a hash function that is used less and less due to inherent weaknesses. SHA-2 (which includes SHA-256 and SHA-512) is commonly used to identify files and cryptographic keys.
Terminology used by VPN Services to define how many devices are permitted to connect to the service at the same time by a single user.
Successor of DRIPA. Officially called the Investigatory Powers Act, it went into effect on December 31, 2016, and forces ISPs in the United Kingdom to collect and hand over customer user data to law enforcement.
A network switch is a device that forwards packets between network participants.
Any encryption protocol in which participants negotiate or create a single key to encrypt and decrypt information.
Top Level Domain. Often the identifier of a country, but increasingly arbitrary. Examples: .com, .uk (United Kingdom), .jp (Japan), .name.
The Onion Router is the most popular distributed anonymity network. Traffic is routed and encrypted through multiple HTTP proxies run by volunteers to hide the origin and destination of the traffic.
A secure and encrypted connection between your computer and a privacy network, such as a VPN or darknet.
Uniform Resource Locator. Consists of the protocol (e.g. HTTP), the domain name (e.g. www.example.com) and the file name (e.g. index.html). Example: http://www.example.com.
Voice over IP. A protocol that allows users to send real-time phone conversations over the internet. It has become very common even for traditional telecoms to route phone calls over VoIP.
see VPN Client
The VPN client connects to the VPN Server to establish a secure connection with the internet. VPN clients are controlled by the user and usually installed on a phone, tablet, computer, router, or server.
A VPN service offers one or more VPN servers for its customers to connect to. Usually, the service is provided for a fee or bundled together with another product. Some companies also provide a VPN service to their employees.
A gag order can force someone to be silent, but it cannot force them to lie. Some companies therefore employ warrant canaries to subtly let their customers know about a gag order. The warrant canary might read “we do not spy on our customers” and is renewed regularly. Once the message is no longer renewed, the company is likely under a gag order.
Wired Equivalent Privacy. Deprecated standard to secure Wi-Fi networks. Trivial to hack.
Wi-Fi connects devices via radio signals to a network, typically through a router. These radio signals can easily be intercepted by anyone, which is why it’s important to use Wi-Fi Encryption or a VPN.
Wireless Local Area Network. See Wi-Fi.
Wi-Fi Protected Access 2. Successor of Wi-Fi Protected Access, it’s the current recommended standard to encrypt radio signals of Wi-Fi networks from surveillance. WPA2 is also used to limit access to a Wi-Fi network through the use of a password.