GUIDE

BestVPN glossary – a guide to VPN jargon

Ad blocker – software (usually a browser Add-on) that wholly or partially prevents advertisements from being displayed on web pages. Most ad blockers also help to prevent cross-website tracking and ad-based malware. Adblock Plus (ABP) is the most widely used Add-blocker, but uBlock Origin is fast gaining a dedicated following.

Adversary – any individual or organization that seeks to access your data, communications, or browsing habits (etc.) against your wishes. Who exactly your adversary (or more likely adversaries) is/are depends on your threat model, but popular candidates include criminal hackers, government surveillance originations (such as the NSA), and websites seeking to profile you for advertising purposes.

AES (Advanced Encryption Standard) – now considered the ‘gold standard’ of encryption ciphers by the VPN industry, 256-bit AES is used by the US government to secure sensitive communications. Despite concerns about AES being NIST certified, until OpenVPN supports non-NIST ciphers such as Twofish or Threefish, AES is probably the best encryption standard available for VPN users. See here for a more complete discussion.

Backdoor –  a mathematical weakness or a secret cryptograpic key deliberately built-in to encryption. Governments and law enforcement agencies around the world are pushing for tech companies to introduce these into their cryptography products, arguing that this in necessary in order to combat the use of encryption by terrorists and criminals. Just about everyone else argues that backdoors are a terrible idea, because to deliberately weaken encryption makes everyone unsafe, as a backdoor accessible to law enforcement is equally accessible to criminals. This is currently a very hotly contested debate.

Bitcoin (BTC or XBT) – a decentralized and open source virtual currency (cryptocurrency) that operates using peer-to peer technology (much as BitTorrent and Skype do). Like traditional money, Bitcoins can be traded for goods or services (such as VPN), and exchanged with other currencies. Unlike traditional currencies, however, there is no ‘middle man’ (such as a state controlled bank). Many VPN providers accept payment via Bitcoin as it introduces another layer of privacy between them and their customers (the provider will still know your IP addresses, but cannot learn your true name and contact details through the payment processing method). We have a series of articles that look at buying and using Bitcoin anonymously, starting here.

Bitcoin mixing – also known as Bitcoin laundering, Bitcoin tumbling, or Bitcoin washing, this breaks the link between you and your Bitcoins by mixing your funds with others so the trail back to you is confused. Depending on the exact method used, while Bitcoin mixing may not guarantee 100 percent anonymity in the face of a highly determined and powerful adversary (such as the NSA), it does provide a very high level of anonymity, and it would be a very arduous task for anybody (including the NSA) to link you with properly mixed coins. For more details see here.

Bitcoin wallet – a software program that stores and manages Bitcoins. Online, offline and mobile (plus hybrid) options are available. For more details see here.

BitTorrent – a peer-to-peer protocol that allows decentralized, distributed, and highly efficient sharing of files. The BitTorrent protocol has many legitimate uses (and potential uses), but has achieved notoriety for its popularity among copyright infringers. To download using BitTorrent you need a BitTorrent client (software) and small torrent file containing the information your client needs to download a desired file. Indexes of torrent files are available on torrent sites such as The Pirate Bay. You should be aware that because files are shared among all other current downloaders and uploaders, it is very easy to trace the IP address of downloaders. For this reason we strongly advise that anyone illegally downloading copyrighted content using the BitTorrent protocol protect themselves using a VPN service that permits P2P.

Block chain – a distributed database or public ledger that cannot be tampered with. Block chains are most closely associated with cryptocurrencies such as Bitcoin, where they are used to record and verify every transaction made using a whole or a fraction of that currency in order to prevent fraud and other irregularities. Other uses for the block chain are also being developed.

Browser Addon/Extension – most modern web browsers such as Google Chrome and Firefox allow you to download and install small programs that integrate with your browser to provide increased functionality. Here at BestVPN we are mainly concerned with extensions that improve users’ privacy and/or security, and have recommendations for Chrome and Firefox users.

Browser fingerprinting – a technology that uses various attributes of a browser to create a unique ‘fingerprint’ of website visitors, which is used to identify them and then track them as they further browse the internet. Browser fingerprinting is particularly pernicious because it is very difficult to block (in fact every Add-on used will to prevent other forms of tracking only serves to make a browser more unique, and thus more susceptible to fingerprinting.) A full debate on this subject can be found here.

Canvas fingerprinting – a special form of browser fingerprinting developed and used primarily (over 95 percent) by web analytics firm AddThis. It is a script that works by asking your browser to draw a hidden image, and uses tiny variations in how the image is drawn to generate a unique ID code, which can then be used to track you. Turning off JavaScript, using the NoScript browser add-on, or using the CanvasBlocker Firefox Add-on are all effective ways to block canvas fingerprinting. More information is available here.

Certificate Authority (CA) – when you visit an SSL secured website (https://), in addition to the connection being secured using SSL/TSL encryption, the website will present your browser with an SSL certificate showing that it (or more accurately ownership of the website’s public key) has been authenticated by a recognized Certificate Authority (CA). There are some 1200 such CAs in existence. If a browser is presented with a valid certificate then it will assume a website is genuine, initiate a secure connection, and display a locked padlock in its URL bar to alert users that it considers the website genuine and secure. For more information see here.

Cipher – a mathematical algorithm used to encrypt data. Modern ciphers use very complex algorithms, and even with the help of supercomputers are very difficult to crack (if not impossible to all practical purposes). VPN connections are usually secured using the PPTP, L2TP/IPSec, or OpeVPN ciphers, of which OpenVPN is by far the best. See here for a discussion on VPN ciphers.

Closed source software – Most software is written and developed by commercial companies. Understandably, these companies are keen not to have others stealing their hard work or trade secrets, so they hide the code away from prying eyes using encryption. This is all quite understandable, but when it comes to security it presents a major problem. If no-one can ‘see’ the details of what a program does, how can we know that it not doing something malicious? Basically we can’t, so we simply have to trust the company involved, which is something us paranoid security types are loath to do (with good reason). The alternative is open source software.

Connection logs (metadata logs) – a term BestVPN uses to refer to metadata records kept by some ‘no logs’ VPN providers. Exactly what is logged varies by provider, but typically includes details such as when you connected, how long for, how often, to who, etc. Providers usually justify this as necessary for dealing with technical issues and instances of abuse. In general we are not too bothered by this level log keeping, but the truly paranoid should be aware that, at least in theory, it could be used to identify an individual with known internet behavior through an ‘end to end timing attack’.  A more in-depth discussion on VPNs and log keeping can be found here.

Cookies (HTTP cookies) – small text files stored by your web browser, cookies have many legitimate uses (such as remembering login details or website preferences). Unfortunately, however, cookies have been widely abused by websites to track visitors (to the extent that the EU passed a largely ineffective ‘cookie law’ to limit their use.) The public has become more wise to the threat posed by cookies and taken steps to counter them, resulting in websites and advertisers increasingly turning to new tracking technologies such as browser fingerprinting, supercookies, web storage, and more.

Copyright trolls – legal firms known who specialize in monetizing the prosecution of piracy, seeking damages. A particularly pernicious tactic commonly employed is “speculative invoicing,” wherein individuals accused of copyright piracy are sent letters demanding a cash settlement in return for avoiding legal prosecution.

Cryptocurrency – a medium of exchange that uses cryptography to secure the transactions and to control the creation of new units. Bitcoin is the most famous example, but many alternative cryptocurrencies such as Dogecoin, Litecoin, and Dash (formerly Darkcoin) also exist (and are sometimes accepted as payment by VPN providers.)

Darkweb (also Dark net, Deep web etc.) – a parallel internet that includes all the websites not indexed by search engines. How big this Dark web is no-one really knows, although it has been famously estimated as 400 to 550 times larger than the commonly defined World Wide Web. Much of the so-called Darkweb simply comprises private websites (some of which have taken active measures to avoid being listed by search engines), IIRC chat forums, Usenet groups, and other perfectly legitimate web uses. There also exist publicly accessible ‘darkwebs’ – secure networks that can be accessed by the public, but which allow users a very high level of anonymity. The best known and most used of these are Tor hidden services and I2P. Traditionally (and notoriously) the preserve of pedophiles, terrorists, drug dealer, gangsters and other people and material that most right-headed internet users would want nothing to do with, increasing awareness of pervasive government surveillance (thank you Mr Snowden) and ever more draconian copyright enforcement measures are fueling a surge of public interest in an internet that is ‘off-grid’. See here for more information.

Data authentication – in order to verify encrypted data and connections (such as VPN), a cryptographic hash function is commonly used. By default OpenVPN uses SHA-1 although how secure this is has been thrown into doubt. Some VPN providers therefore offer more secure data authentication, such as SHA256, SHA512, or even SHA3. See VPN encryption terms explained (AES vs RSA vs SHA etc.) for a full discussion.

DD-WRT – open source firmware for routers that gives you a great deal of control over your router. You can setup DD-WRT so that all connected devices are routed through a VPN, can extend the WiFi range of the , set it up as a repeater, NAS hub, or print server, and more. DD-WRT can be “flashed” into your existing router (removing its factory-default firmware), or you can buy routers that have been pre-flashed,

DMCA notice – although technically this term refers to the Digital Millennium Copyright Act, which only has legal power in the United States, the term ‘DMCA notice’ is often used to refer to any copyright infringement alert sent to an ISP or content provider, regardless of jurisdiction. Content providers such as YouTube are usually pressured into removing any infringing material from their servers upon receiving such a notice, while ISPs are heavily lobbied to identify and impose sanctions on (alleged) infringing customers, and even to pass on customers’ details for independent legal action by the copyright holders. Because VPN users’ outward-facing IP is that of their provider’s VPN server rather than the IP owned and assigned to them by their ISP, DMCA notices are sent to their VPN provider instead of the ISP. Many VPN providers are ‘P2P friendly’ and protect customers from copyright holders, but some ban offenders, and will even pass on their details. Downloaders should therefore always check that their VPN provider permits P2P.

DNS (Domain Name System) – basically a database used to translate the easy-to-understand and remember web addresses (URLs) that we are familiar with, to their ‘true’ numerical IP addresses that computers can understand: for example translating the domain name www.bestvpn.com to its IP address of 198.41.187.186. Every internet connected device and every internet connection has a unique IP address (although these can change). DNS translation is usually performed by your ISP, but as the IP address of the server that performs this translation can be easily detected, in order to protect users’ privacy, all DNS requests made while connected to a VPN should be routed through the VPN tunnel and resolved by the VPN provider (instead of your ISP.)

DNS leak – if DNS requests are handled by your ISP rather than your VPN provider (when connected to a VPN), then you are suffering a DNS leak. These occur for a number of reasons, but the most  effective way to prevent them is to use a custom VPN client that features “DNS leak protection”. See A Complete Guide to IP Leaks for a full discussion.

DOM storage – see Web storage.

DRD (EU Data Retention Directive) – the EU adopted the extensive and highly controversial mass surveillance legislation, the mandatory Data Retention Directive in March 2006, requiring all ISPs and communications providers to keep data for at least 12 months. Over the next few years most (but not all) EU counties incorporated the DRD into their local legislation. In April 2014, however, the European Court of Justice (ECJ), the highest court in the EU, declared the EU-wide DRD invalid on human rights grounds. Despite this ruling, most EU counties have yet to abolish local implementation of the law (and the UK has gone so far as to strengthen it). See here for details on how the Directive was implement by each country, and how they have responded to the ECJ ruling.

Edward Snowden – former NSA contactor turned whistleblower, Edward Snowden absconded in 2013 with a huge trove of classified data that exposes the almost insane scale of US government spying operations on both its own citizens, and those of the rest of the world. Facing almost certain prison for the rest of his life (or worse) should he return home to United States, Snowden currently resides with his girlfriend in Moscow. All data collected by Snowden was handed over to journalists before he went public, and revelations contained in it are still being published by the press that have the power to shock. Snowden’s actions raised public consciousness about the extent to which our governments invade our privacy, has created a global debate about the role and ethics of government surveillance in society, and fuelled a huge rise in demand for products and services that enhance users’ privacy… such as VPN…

Encryption – encoding data using a mathematical algorithm (known as a cipher) in order to prevent unauthorized access to that data. Encryption is the one thing that prevents just anyone from being able to read (or track you through etc.) your digital data, and is the absolute cornerstone of all internet security. Strong encryption is very difficult to ‘crack’ without the correct ‘keys’, so who holds or can access these keys is a vital security issue. We discuss many issues relating to VPN encryption here.

Encryption key length – the crudest way of determining how long a cypher will take to break is the raw number of ones and zeros used in the cypher. Similarly, the crudest form of attack on a cypher is known as a brute force attack (or exhaustive key search), which involves trying every possible combination until the correct one is found. Ciphers used by VPN providers are invariably between 128-bits to 256-bits in key length (with higher levels used for handshake and data authentication).

End to end timing attack – a technique used to de-anonymise VPN and Tor users by correlating the time they were connected to the timing of otherwise anonymous behavior on the internet (see here for a great example of this in action). Users of VPN providers who keep connection (metadata) logs are theoretically vulnerable to such an attack, although use of shared IP addresses goes a long way towards countering this threat.

End-to-end (e2e) encryption – where data is encrypted by you on your own device and where you (and only you) hold the encryption keys (unless you choose to share them). Without these keys an adversary will find it extremely difficult to decrypt your data. Many services and products do not use e2e encryption, instead encrypting your data and holding the keys for you. This can be very convenient (allowing easy recovery of lost passwords, syncing across devices, etc.), but does mean that these third parties can be compelled to hand over your encryption keys. We therefore only consider products and services that use end-to-end encryption to be ‘secure’.

Etags – are a  ‘part of HTTP, the protocol for the World Wide Web whose purpose is to identify a specific resource at a URL, and track any changes made to it’ The method by which these resources are compared allows them to be used as fingerprints, as the server simply gives each browser a unique ETag, and when it connects again it can look the ETag up in its database. Etags are therefore sometimes used to by websites to uniquely identify and track visitors for advertising purposes.

Filesharing– downloading and uploading files via a P2P network such as BitTorrent, and often associated with copyright piracy.

Firefox – an open source web browser developed by the non-profit Mozilla Foundation. Although no longer as popular with the general public as Google Chrome, Firefox’s open source nature and abundant security enhancing Add-ons make it a top choice (and our recommendation) for security conscious web users. We do, however, recommend that Firefox users install various Add-ons, and tweak the browser’s advanced privacy settings (disabling WebRTC in particular,) to improve security further.

Five Eyes (FVFY): A spying alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States, and which Edward Snowden described as a ‘supra-national intelligence organization that doesn’t answer to the known laws of its own countries.’ Intelligence is freely shared between security organizations of member countries, a practice that is used to evade legal restrictions on spying on their own citizens.

Flash cookies – uses Adobe’s multimedia Flash plugin to hide cookies on your computer that cannot be accessed or controlled using your browser’s privacy controls (at least traditionally, most major browsers now include deletion of Flash cookies as part of their cookie management). One of the most notorious (and freaky!) kinds of Flash cookie is the ‘zombie cookie’, a piece of Flash code that will regenerate normal HTTP cookies whenever they are deleted from a browser’s cookie folder.

Gag order – a legally binding demand that prevents a company or individual from alerting others about something. For example, a gag order can be used to prevent a VPN provider from alerting customers that its service has been compromised in some way. Some service attempt to reassure customers that no gag order has been issued through the use of warrant canaries.

GCHQ (Government Communications Headquarters) – Britain’s version of the NSA. It’s Tempora program intercepts up around 60 percent of all internet data in the world by tapping into major fiber-optic cables (data which is then shared with the NSA), and it performs extensive blanket surveillance of UK citizens. Snowden famously described GCHQ as being ‘worse than the US.’

Geo-restrictions – limiting access to online services based on geographic location. For example, only US residents are permitted to access Hulu, and UK residents BBC iPlayer. Geo-restrictions are usually enforced so that copyright holders can make lucrative licensing deals with distributors around the world, at the expense of consumers.

Geo-spoofing – using a VPN, SmartDNS, or proxy to ‘spoof’ your geographic location. This allows you to bypass geo-restrictions and access content denied to you based on your real location.

Handshake – the negotiation process used by SSL/TLS to exchange and authenticate certificates, and to establish an encrypted connection. To ensure this process cannot be tampered with, OpenVPN can use either RSA encryption or Elliptical Curve Cryptography (ECC). It known that RSA-1024 has been cracked by the NSA back in 2010, and it is entirely possible that the NSA can crack stronger versions of it. It is, however, also widely rumored that ECC has been backdoored by the NSA. We therefore recommend using VPN services that offer the strongest RSA encryption possible (up to RSA-4096). See VPN encryption terms explained (AES vs RSA vs SHA etc.)

History stealing – exploits the way in which the Web is designed in order to allow a website to discover your past browsing history. The simplest method, which has been known about for a decade, relies on the fact that web links change color when you click on them (traditionally from blue to purple). When you connect to a website it can query your browser through a series of yes/no questions to which your browser will faithfully respond, allowing the attacker to discover which links have changed color, and therefore to track your browsing history. For more information see here.

HTTPS (HTTP over SSL, or HTTP Secure) – a protocol that uses SSL/TLS encryption to secure websites. It is used by banks, online retailers, and any website that needs to secure users’ communications, and is the fundamental backbone of all security on the internet. When you visit an HTTPS website, any outside observer can see that you have visited the website, but cannot see what you do on that website (for example the actual webpages you view on that website, or any details you enter into forms etc.) You can tell that a website is protected by HTTPS by looking for a closed padlock icon in your browser’s URL bar, and because the website address (URL) will begin with https://.

I2P (Invisible Internet Project) – a decentralized anonymizing network built using Java on similar principles to Tor hidden services, but which was designed from the ground up as a self-contained darkweb. As with Tor, users connect to each other using peer-to-peer encrypted tunnels, but there are some key technical differences, including the use of a distributed peer-to-peer directory model. The end result is that if using hidden services, I2P is both much faster than using Tor (it was designed with P2P downloading in mind), more secure, and more robust. It is however not at all user friendly, and has a high learning curve. For more information, see here.

IP address (Internet Protocol address) – Every device connected to the internet is assigned a unique numerical IP address (although these can be dynamically reassigned each time a device connects, or rotated on regular basis.) One of the most important things a VPN services does is to hide your true IP address (often just shorted to ‘IP’) from outside observers (remembering that the VPN provider itself will be able to see it).

IP leak – if for any reason a website or other internet service can see your true IP address or detect your ISP, then you have an IP leak. To determine if you are suffering an IP leak, visit ipleak.net.  Note that ipleak.net does not detect IPv6 leaks, so to test for these you should visit test-ipv6.com. There are a variety of reason why your IP might leak, which discuss in our Complete Guide to IP Leaks.

IPv4 (Internet Protocol version 4) – currently the default system used to define numerical IP address values (see the DNS entry). Unfortunately, thanks to the unprecedented rise in internet use over the last few years, IPv4 addresses are running out, as IPv4 only supports a maximum 32-bit internet address. This translates to 2^32 IP addresses available for assignment (about 4.29 billion total).

IPv6 ((Internet Protocol version 4) – while various mitigating strategies have been deployed to extend the shelf-life of IPv4, the real solution comes in the form of a new standard – IPv6. This utilizes 128-bit web addresses, thus expanding the maximum available web addresses to 2^128 (340,282,366,920,938,000,000,000,000,000,000,000,000!), which should keep us supplied for the foreseeable future. Unfortunately, adoption of IPv6 has been slow, mainly due to upgrade costs, backward capability concerns, and sheer laziness. Consequently, although all modern Operating Systems support IPv6, the vast majority of websites do not yet bother. For more details and the consequences this has for VPN users, see here.

ISP (Internet Service Provider) – the guys you pay to supply your internet connection. Unless your internet data is encrypted (by using VPN, for example), your ISP can see what you get up on the internet. In many counties (notably in Europe, despite a major court ruling against it last year) ISPs are required by law to retain customers’ metadata, and to hand it over to the authorities if requested. Most ISPs will also take action against users if they receive DMCA-style notices from copyright holders. In the US, for example, most ISPs have agreed to implement a ‘six strikes’ graduated response system for punishing repeat copyright offenders.

Kill switch – a feature built into some custom VPN clients that prevents either individual programs or your entire system from connecting to the internet when no VPN connection is present. This is important, as even the most stable VPN connection can ‘drop’ occasionally, and, if no kill switch is used, expose your internet activity to anyone watching. Note that we call such a feature a ‘kill switch’, but the term is not standardized, and may also be called ‘secure IP’, ‘internet block’, ‘network lock’, or something else. If your provider does not offer a client with a VPN kill switch, third party options are available, or you can build your own using custom firewall settings.

L2TP/IPsec – a VPN tunnelling protocol + encryption suite. Built into most internet enabled platforms, L2TP/IPsec has no major known vulnerabilities, and if properly implemented may still be secure. However, Edward Snowden’s revelations have strongly hinted at the standard being compromised by the NSA, and it may have been deliberately weakened during its design phase. More information is available here.

Logs – records kept, for example by an ISP or VPN provider. Some VPN providers keep extensive logs of customers’ internet activity, while some claim to keep none. Of those who claim to keep ‘no logs’, here at BestVPN we make a clear distinction between those who keep no logs of what users get up to the internet (i.e. no usage logs) but do keep some connection (metadata) logs, and those who claim to keep no logs at all. See this article for more details.

Metadata – information on when, where, to who, how long, etc., as opposed to actual content (e.g. of phone calls, emails, or web browsing history.) Governments and surveillance organizations are keen to downplay the significance of collecting ‘only’ metadata, but if it is so harmless, why are they so keen to obtain in by any means necessary? Metadata can in fact provide a vast amount highly personal information about our movements, who we know, how we know them, and so on. As NSA General Counsel Stewart Baker said, ‘metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.’

NSA (United States National Security Agency) – the organization responsible for global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes. Thanks to Edward Snowden we now know that the NSA also collects vast amounts of information on US citizens, and that the staggering power and scope of both its domestic and foreign intelligence gathering are on a scale that few imagined possible. Attempts to reign in this power following Snowden’s revelations have either failed or had little practical effect. The term ‘the NSA’ is sometimes used as a general catch-all phrase to indicate any hugely powerful government funded global adversary.

Open Source Software – an open access and collaborative development model where software code is made freely available for any developer to improve, use, or distribute as they wish. This is particularly important in reference to security related programs, as it means that ‘anyone’ can look at the code and audit it to ensure that it does not contain engineered weaknesses or backdoors, is not sneakily sending users’ details to the NSA, or doing some else similarly malicious. In practice, there are few people with the expertise, time, and inclination to audit often very complex code (usually for free), so the vast majority of open source code remains un-audited. Nevertheless, the fact that the code can be examined offers the best guarantee that it is ‘clean’ we have, and here at BestVPN we are extremely leery of recommending any software that is not open source (see also our entry for closed source software).

OpenVPN – the most commonly used VPN protocol used by commercial VPN providers, OpenVPN is open source, and, when backed by a strong encryption cypher (such as AES), is thought to be secure against even the NSA. Where possible we generally always recommend using OpenVPN. For a more detailed discussion on OpenVPN and other VPN protocols, see here.

P2P (Peer-to-peer) – a term often used almost interchangeably with ‘downloading’, ‘torrenting’, or filesharing’, and often associated with copyright piracy, a peer-to-peer network is a distributed and decentralized platform for sharing data (such as files) between users. The most famous application of P2P is the BitTorrent protocol. Because there is no central database, and files are shared among users, P2P networks are very resilient to attack.

Password manager – in our Ultimate Guide we suggest ways to pick memorable passwords that are more secure than the ones you are probably using right now, but the only practical solution to deploying genuinely strong passwords is to employ technology in the form of a ‘password manager’. These programs (and apps) generate strong passwords, encrypt them all, and hide them behind a single password (which should be memorable, but also as unique as you can choose.) Helpfully, they usually integrate into your browser and sync across your various devices (laptop, phone, tablet etc.), so the passwords are always readily accessible by you. Check out 5 Best Password Managers.

Password/passphrase – the single most important thing that anyone can do improve their online security is to improve the strength of their passwords. Although weak passwords (or not changing default passwords) are an absolute gift to criminals and any others who wish to access your data, their use is so common as to be almost laughable (‘123456’ and ‘password’ consistently remain the most commonly used passwords, while a list of 100 or so passwords are so popular that any hacker will simply type them in before first trying something else.) Strong passwords should include a mix of capital and non-capital letters, spaces, numbers, and symbols. Because remembering just one secure password is not easy, let alone a different one for each important website and service you use, we recommend using a password amanger.

Perfect Forward Secrecy (PFS, also referred to simply as Forwards Secrecy, since ‘perfect’ is regarded controversial in this context) – a way to improve the security of HTTPS connections by generating a new and unique (with no additional keys derived from it) private encryption key for each session. This is known as an ephemeral key because it quickly vanishes. It is a simple idea (even if the Diffie-Hellman exchange maths is complex), and means that each session with an HTTPS service has its own set of keys (i.e. no ‘master key’). Despite the fact that there is very little excuse for not using PFS, uptake has been slow, although post-Snowden the situation is improving somewhat. For more information see here.

PPTP – an old VPN protocol available as standard on just about every VPN capable platform and device, and thus easy to set up without the need to install additional software, PPTP remains a popular choice both for businesses and VPN providers. It is, however, widely known to be very insecure, and can be trivially cracked by the NSA. Perhaps even more worrying is that the NSA has (or is in the process of) almost certainly decrypted the vast amounts of older data it has stored, which was encrypted back when even security experts considered PPTP to be secure. PPTP will probably protect you against a casual hacker, but should only be used when no other option is available, and even then not for protecting sensitive data. See here for more details.

Pretty Good Privacy (PGP) – the best way to keep your private email private is to use PGP encryption. However, the concepts involved are complex and often confusing; a problem compounded by the fact that setting up PGP encrypted email is unintuitive and poorly explained in existing documentation. This has resulted in poor uptake of the protocol. Although it encrypts all contents and attachments, PGP also does not secure an email’s header (which contains a lot of metadata information).

Proxies – A proxy server is a computer that acts as an intermediary between your computer and the internet. Any traffic routed through a proxy server will appear to come from its IP address, not yours. Unlike VPN servers, proxy servers do not usually need to devote resources to encrypting all traffic that passes through them, and therefore can accept simultaneous connections from a great many more users (typically tens of thousands). A recent survey found that most public proxies are very unsafe, so if you must use a public proxy then only use ones that permit HTTPS, and try to stick with visiting only HTTPS secured websites. More details about the difference between proxies and VPN can be found here.

Root certificate – Certificate Authorities issue certificates based on a chain of trust, issuing multiple certificates in the form of a tree structure to less authoritative CAs. A root Certificate Authority is therefore the trust anchor upon which trust in all less authoritative CAs is based. A root certificate is used to authenticate a root Certificate Authority. Generally speaking, root certificates are distributed by OS developers such as Microsoft and Apple. Most third party apps and browsers (such as Chrome) use the system’s root certificates, but some developers use their own, most notably Mozilla (Firefox), Adobe, Opera, and Oracle, which are used by their products. For more information see here.

RSA encryption –  in order to securely negotiate a VPN connection, SSL (and therefore OpenVPN and SSTP) usually uses the RSA asymmetric public-key cryptosystem (asymmetric because a public key is used to encrypt the data, but a different private key is used to decrypt it.) RSA acts as an encryption and digital signature algorithm used to identify SSL/TLS certificates, and has been the basis for security on the internet for the last 20 years or so.As we know that RSA-1048 has been cracked by the NSA, for VPN we recommend using the strongest RSA key length possible (RSA-4096 is very good.) See VPN encryption terms explained (AES vs RSA vs SHA etc.) for more details.

RSA Security – a disgraced security company that should not be confused with (and is not related to) the RSA encryption standard. RSA Security, is the US firm behind the world’s most commonly used encryption toolkit, but which was caught with its pants down weakening its own products after being bribed to do so by the NSA.

Safe Harbor Framework – a voluntary set of rules agreed between the European Commission and the US Department of Commerce with the aim of ensuring that that US firms comply with EU data protection laws when handling EU citizen’s data. Wide-scale abuse of the provisions, however, culminating in a successful legal case brought against Facebook over use of EU citizens’ data means that the Framework is now effectively invalidated. What this means in practice for US companies that handle EU citizens’ data remains unclear at this time.

Shared IP addresses (shared IPs) – a common strategy (in fact now the default) used by VPN providers to increase customer’s privacy by assigning many customers the same IP address (which they share.) This makes it very difficult (but with enough effort not necessarily impossible) for both outside observers and the VPN provider to determine which user of a given IP is responsible for any given behavior on the internet.

Simultaneous connections – with 2 simultaneous connections you can connect both your laptop and your smart phone to a VPN service at the same without disconnecting one of them. With 3 you can also connect your tablet or let your sister protect her online activity using VPN at the same time (and so on). The more simultaneous connections a VPN allows, therefore, the better (5 being the most generous we have yet seen offered)!

SmartDNS – refers to commercial services that allow you to evade geo-restrictions by locating DNS servers in different counties. When a device is configured to connect to these it appears to be located in that country. How many countries are supported depends on the service, but almost all have servers in the United States and the UK thanks to the popularity of their online TV services (such as Hulu and BBC iPlayer). Because no encryption or other fancy stuff is involved, SmartDNS is much faster than VPN (so fewer buffering issues), but it provides none of the privacy and security benefits of VPN. If your only concern is to access geo-restricted media content from abroad, then SmartDNS may be a better option than VPN. If you are interested in finding out more, check out our sister-site SmartDNS.com.

Sotfware audit – this is when experts carefully examine a program’s code to determine if it is free of backdoors, deliberately engineered weaknesses’, or other similar security concerns. Open source (or source available) software is open for independent audit at any time, although in practice there are few people with the expertise, time, and inclination do actually do it, so the vast majority of open source code remains un-audited. Some companies (such as ProtonMail) have released products that are closed source, but which have been professionally audited by independent and respected experts. This introduces the tricky question of which can be trusted more – code that is closed but has been independently audited, or code that is open as is therefore available for anyone to audit, but hasn’t been…?

Source available – a limited form of open source software license that allows others to freely inspect code for backdoors and suchlike, but does not allow them to modify or distribute it. Many in the open source community consider this antithetical to the open source ethos, but from a security stand-point it makes no real difference.

SSL/TLS (Secure Socket Layer and Transport Layer Security) – TLS is the successor to SSL, but the terms are often used interchangeably. It is the cryptographic protocol used to secure HTTPS websites (https://), and an open source implementation of it, OpenSSL, is used extensively by OpenVPN. Despite occasional panics, SSL encryption is generally considered fairly secure, but concern is growing over the certificate system used authenticate connections.

SSL/TLS certificates – certificates used by SSL/TLS to verify that the website you connect to is the website you think you are connecting to. If a browser is presented a valid certificate then it will assume a website is genuine, initiate a secure connection, and display a locked padlock in its URL bar to alert users that it considers the website genuine and secure. SSL certs are issued by Certificate Authority (CA).

Supercookies – a catch-all term used to refer to bits code left on your computer that perform a similar function to cookies, but which are much more difficult to find and get rid of than regular cookies. The most common type of supercookie is the Flash cookie (also known as an LSO or Local Shared Object), although ETags and Web Storage also fall under the moniker. In 2009 a survey showed that more than half of all websites used Flash cookies. The reason that you may never have heard of supercookies, and reason they are so hard to find and get rid of, is that their deployment is deliberately sneaky, and designed to evade detection and deletion. This means that most people who think they have cleared their computers of tracking objects have likely not. More information on supercookies can be found here and here.

Targeted ads – lots of people want to sell you stuff, and one way that has proven very successful at doing this is to display ads to tailored to individual internet users that speak to their own personal interests tastes, hobbies, and needs. In order to deliver this kind of personalized advertising targeted directly at you!, advertisers need to learn as much about you as they can. To this end, the likes of Google and Facebook scan all your emails, messages, posts, Likes/+1’s, geolocation check-ins, and searches made, etc. in order to build up a scarily accurate picture of you (including your ‘personality type’, political views, sexual preferences, and most importantly all, of course, what you like to buy!). They and a host of smaller advertising and analytics companies also use a variety of deeply underhand technologies to uniquely identify you and track you across websites as you surf the internet.

Threat model – when considering how to protect your privacy and stay secure on the internet, it is useful to carefully consider exactly who or what you are most worried about. Not only is defending yourself against everything difficult to the point of being impossible, but any attempt to do so will likely seriously degrade the usability (and your enjoyment) of the internet. Identifying to yourself that being caught downloading an illicit copy of Game of Thrones is a bigger worry than being targeted by a crack NSA TAO team for personalised surveillance will not only leave you less stressed (and with a more useable internet), but likely also with more effective defences against the threats that matter to you. Of course, if your name is Edward Snowden, then TAO teams will be part of your threat model…

Tor – an anonymity network that provides free software designed to allow you to access the internet anonymously. Unlike VPN, where the VPN provider knows your real IP address and can see your internet traffic at the exit point (the VPN server), with Tor your signal is routed through a number of nodes, each of which is only aware of the IP addresses ‘in front’ of the node and ‘behind’ it. This means that at no point can anyone know the whole path between your computer and the website you are trying to connect with. Tor therefore allows for true anonymity while surfing the web, but does come with a number of important downsides. See this article for more details.

Tor hidden services – one of the biggest dangers of using the Tor anonymity network is Tor exit nodes – the last node in the chain of nodes that your data travels through, and which exits onto the web. Tor exit nodes can be run by any volunteer, and who can potentially monitor your internet activities. This not as bad it sounds, as thanks to the random path your data takes between nodes, the exit node cannot know who you are. However, a global adversary with unlimited resources (such as the NSA) could, in theory, take control of enough nodes to endanger the anonymity of Tor users. In order to counter this threat, Tor allows users to create ‘hidden’ websites (with the .onion suffix) that can only be accessed from within the Tor network (so there is no need to use a potentially untrustworthy exit node). Tor hidden services are often considered a ‘darkweb’ (and are the best known such darkweb.)

Two factor authentication (2FA) – something you know + something you have. One factor authentication requires a single step to verify your identity, such as knowing your username and password (something you know.) Two Factor Authentication provides an additional layer of protection against hackers by also requiring you to have something. For online services this is typically your phone (to which a text is sent), but FIDO USB keys are becoming more popular.

URL (Uniform Resource Locator) – the alphanumeric address of websites that humans use (e.g. www.bestvpn.com). All browsers have a URL address bar at the top, where if you enter the URL you will be taken to the named website. Computers do not understand the URL, per se, so a DNS translation service converts the URL into an numeric IP address that computers do understand.

USA Freedom Act – legislation designed to reign in NSA bulk collection of phone metadata, the USA Freedom Act languished last year after just about all the civil liberties groups who supported it dropped their support following major watering down of its provisions. The Act was resurrected following the Senate’s failure to renew the USA Patriot Act, and in its highly weakened form became law on 2 June 2015. Despite major problems that in practice made its provisions meaningless, passage of the Act was widely hailed as a victory for democracy and civil liberties. Although the FISA court initially responded by extending NSA collection of phone metadata for another 180 days, on 28 November 2015 this extension was allowed to expire, and (at least officially and under a very limited set of circumstances) mass collection of phone metadata has come to an end.

USA Patriot Act – a raft of security measures passed in the wake of 9/11, its controversial Section 215 is the primary legal foundation upon which the NSA’s mass surveillance of US citizen’s phone and internet data rests. It is a provision of the Act that was initially intended to expire (‘sunset’) on 31 December 2005, but was successively renewed (without any real opposition) to ensure the NSA continued to have a mandate for its activities. Ever since Edward Snowden revealed to the public the lack of oversight, the over-reach, and the sheer scope of the NSA’s spying operations, however, public concern over Section 215 grew, culminating in the legislation being allowed to expire on 31 May 2015 (amid a great deal of debate and opposition.)

Usage logs – our term for the collection and storage of details about what users actually get up to on the internet – as opposed to the collection of metadata (connection logs). Many VPN providers who claim to keep ‘no logs’ are in fact only referring to keeping no usage logs, and do keep various (often extensive) connection logs.

VPN (Virtual Private Network) – a privacy and security technology originally developed in order to allow remote workers to connect securely to corporate computer networks, it now more commonly refers commercial VPN services that allow you to access the internet with a high degree of privacy and security. It is this aspect of VPN that BestVPN is concerned with. In such a setup you subscribe to a VPN service and then connect your computer (including smart phone or tablet etc.) to a server run by your VPN provider using an encrypted connection. This secures all communications between your computer and the VPN server (so for example your ISP cannot see what you get up to on the internet), and means that anyone on the internet will see the IP address of the VPN server rather than your real IP address. As providers usually locate VPN servers in various locations around the world, VPN is also useful for evading censorship and for geo-spoofing your location.

VPN client – software that that connects your computer to a VPN service. Following convention we generally refer to such programs on desktop systems as ‘VPN clients’, and on mobile platforms as ‘VPN apps’ but they are the same thing (and the terns can be used interchangeably). As most internet enabled devices and operating systems have a client for PPTP and/or L2TP/IPSec built into them, we usually use the term to refer to third part clients, and in particular to OpenVPN clients. Generic open source Open VPN clients are available for all major platforms, but many VPN providers also offer custom clients that add extra features such as DNS leak protection and a VPN kill switch.

VPN server – see VPN.

VPN tunnel – the encrypted connection between your computer (or smart phone etc.) and a VPN server.

VPS (Virtual Private Server) – is more or less exactly what it sounds like – you rent some of the resources on a physical server run by a VPS company, which provides a closed environment that acts as if it was a complete physical remote server. You can install any operating system on a VPS (as long as the provider allows it), and basically treat the VPS as your own personal remote server. Importantly for us, you can use a VPS as a personal VPN server.

Warrant canary – a method used to alert people that a gag order has been served. This typically takes the form of a regularly updated statement that no gag order has been served. If the statement does not receive its regular update, then the warrant canary has been “tripped”, and readers should assume the worse. Warrant canaries work on the notion that a gag order can compel users to keep quiet, but cannot compel them not to simply act (i.e. update the warrant canary).  However, a) this notion has not been legally tested in most counties, and it is entirely possible that courts would find the use of a warrant canary in contempt of the gag order (in Australia warrant canaries have already been made illegal) , and b) failure to update warrant canaries is routinely ignored, making their existence completely pointless.

Web storage (also known as DOM storage) – a feature of HTML5 (the much vaunted replacement to Flash), wen storage allows websites to store information on your browser in a way analogous to cookies , but which is much more persistent, has a much greater storage capacity, and which cannot normally be monitored, read, or selectively removed from your web browser. Unlike regular HTTP cookies which contain 4 kB of data, web storage allows 5 MB per origin in Chrome, Firefox, and Opera, and 10 MB in Internet Explorer. Websites have a much greater level of control over web storage and, unlike cookies, web storage does not automatically expire after a certain length of time (i.e. it is permanent by default). For more details, and how to turn web storage off, see here.

WiFi hotspot – a public WiFi internet access point of the kind commonly found in cafes, hotels, and airports. Although very handy, WiFi hotspots are a godsend to criminal hackers who can set up fake ‘evil twin’ hotspots that look thing the real think, sniff out unencrypted internet traffic as it travels by radio wave between your computer and the hotspot, or hack the router itself. Because it encrypts the internet connection between your computer to the VPN server, using VPN protects your data when using a public hotspot. We therefore strongly recommend against using public WiFi hotspots unless also using VPN.

Zombie cookies -see Flash cookies

When discussing VPN issues it can be difficult to avoid jargon. We do try to explain terms as we go along, but here is our big jargon guide bit.ly/1Sr2bVQ.

When discussing VPN it can be difficult to avoid jargon, so here is our big guide to terms we use ‪#‎privacy ‪#‎security ‪#‎technology bit.ly/1Sr2bVQ.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

Related Coverage


Leave a Reply

Your email address will not be published. Required fields are marked *