
5 Most Secure VPN Services 2016

In this article on the most secure VPN services, I look at providers that offer the highest levels of technical security for their VPN products. This largely means VPNs that offer the best encryption, but it also includes factors such as DNS leak protection, whether there are any weaknesses in how users' passwords are transmitted on signup, and whether there is any protection against IP leakage via WebRTC.


Before starting, however, there are a couple of things worth noting. The first is that this list is by no means exhaustive. More and more secure VPN companies now offer high levels of encryption (at least on paper), and this article cannot cover them all.

Furthermore, getting security right is about far more than simply ticking features off a list, because as always, the devil is in the detail. It is how these features are implemented that really matters.

BestVPN can only recommend services with which we are familiar, and understanding these details takes time and information that often has to be prised out of providers. I have therefore concentrated on VPN industry leaders that have a reputation for being very secure.

The second thing to note is that in this article I am primarily looking at VPN providers' technical security, not, for example, their general attitude to privacy. If privacy, rather than security per se, is your primary concern, then be sure to check out 5 Best Logless VPNs.

Best Secure VPN Services Summary

Disclosure: compensated affiliate: click here for more information

Rank  Company     Score    Price            Link
1     NordVPN     10/10    $4.00 / month    Read Review | Visit Site
2     Windscribe  9.2/10   $7.50 / month    Read Review | Visit Site
3     AirVPN      8.6/10   $5.08 / month    Read Review | Visit Site
4     VPNArea     7.8/10   $4.92 / month    Read Review | Visit Site
5     LiquidVPN   7.4/10   $4.99 / month    Read Review | Visit Site
Editor's Choice Award

Winner

NordVPN

5/5

Best Secure VPN Services

Pros:
  • No logs
  • Based in Panama
  • Accepts Bitcoin payment
  • Tor over VPN
  • Two simultaneous connections

Cons:
  • Can be slow
  • Sends password in plaintext

This Panama-based secure VPN provider uses the DHE-RSA-AES256-SHA TLS cipher suite for its OpenVPN control channel. The suite name does not state key sizes, but it almost certainly means an ordinary RSA-2048 certificate and HMAC SHA1 authentication. In this suite RSA signs the handshake (authenticating the server), while the ephemeral Diffie-Hellman exchange produces the session key, which is what gives the connection Perfect Forward Secrecy. As noted later in this article, classic Diffie-Hellman has a weakness when short parameter groups are used; because RSA only handles authentication here, the strength of the session key still depends on the size of the DH group the server is configured with, which the suite name alone does not reveal, so it is worth confirming that it is at least 2048 bits.

It is also worth noting that NordVPN's iOS app uses an impressive level of encryption: the IKE (phase 1) ciphers used to negotiate keys are AES-256-GCM for encryption with SHA2-384 for integrity, combined with PFS (Perfect Forward Secrecy) using a 3072-bit Diffie-Hellman group. Unusually, NordVPN's upcoming Mac OS X client will use IKEv2 with Cisco's NGE (Next Generation Encryption) settings, instead of OpenVPN.

The NordVPN desktop client has a kill switch and prevents DNS leaks. WebRTC protection is not provided, however; a guide to disabling WebRTC is available, but you have to look for it. A bigger problem is that NordVPN sends your VPN password via plaintext email! This is easily fixed by changing your password in the website's account portal, but it is nevertheless a boo-boo in what is otherwise a very secure setup.

Additional features: Double encryption,  P2P: yes.

Get the most secure VPN now!

Visit NordVPN »

 30-Day Money Back Guarantee

2nd place

Windscribe

4.6/5

Windscribe

Pros:
  • No logs
  • Double-hop
  • SSL tunnelling
  • Unlimited simultaneous connections
  • Limited free service (10GB)

Cons:
  • Limited customer support
  • New service (less established)
  • Based in Canada

Based in Canada, Windscribe has made something of a splash on the VPN scene thanks to its high level of technical proficiency. The encryption it uses, for example, is among the best available anywhere: OpenVPN uses AES-256 with an RSA-4096 handshake and SHA512 authentication. Perfect Forward Secrecy is used, and DNS and IPv6 leaks are blocked by the firewall built into the custom client. This firewall also acts as a kill switch, and should prevent WebRTC leaks. Like NordVPN, Windscribe supports "double VPN" chaining. I am yet to be convinced of the security value of this, but others disagree, and it is a nice extra to have.

Visit Windscribe »


3rd place

AirVPN

4.3/5

AirVPN

Pros:
  • No logs at all
  • VPN through Tor
  • SSL & SSH tunneling
  • Accepts Bitcoin
  • P2P: yes

Cons:
  • Very techy
  • Customer support could be better

AirVPN is at the top of the game when it comes to secure VPN technology, but its tech-heavy focus and rather brusque support manner alienate many would-be users. OpenVPN uses AES-256 with an RSA-4096 handshake, HMAC SHA1 data-channel authentication (HMAC SHA384 for the control channel), and DHE-4096 Perfect Forward Secrecy. It allows users to connect to its servers anonymously via the Tor network, and can hide OpenVPN traffic inside an SSH or SSL tunnel.

The open source desktop client disables IPv6, and its "network lock" feature acts as a kill switch and prevents DNS leaks. WebRTC leaks are blocked both by "network lock" and at the server level, which means users are protected from WebRTC leaks even when using the generic OpenVPN app. AirVPN runs its own bare-metal servers.

Additional features: Real-time user and server statistics, VPN through SSL and SSH tunnels,  3-day free trial, three simultaneous connections.

Visit AirVPN »


4th place

VPNArea

3.9/5

VPNArea

Pros:
  • No logs
  • Based in Bulgaria (no data retention)
  • Five simultaneous devices
  • Great customer service
  • P2P: OK

Cons:
  • Uses VPS instances

This friendly Bulgarian secure VPN provider uses AES-256 with an RSA-2048 handshake and SHA256 data authentication for its OpenVPN connections. PFS keys are renegotiated regularly during each session. VPNArea's desktop client is a customised version of Viscosity, and offers DNS leak protection, disables IPv6, and provides a per-app kill switch. The auto-IP feature changes your IP address every five minutes, which is an interesting touch. VPNArea uses a mix of VPS instances and bare-metal servers, but support assures me that, whatever the circumstances, it maintains complete control over its servers.

Visit VPNArea »


5th place

LiquidVPN

3.7/5

LiquidVPN

Pros:
  • No usage logs
  • Stealth server
  • P2P: yes
  • Modulating (shared) IPs
  • Port forwarding

Cons:
  • Based in US
  • Connection logs
  • Uses VPS instances

Based in the US, LiquidVPN uses very strong OpenVPN encryption: AES-256 by default, with AES-128-CBC or Camellia-256-CBC as alternatives, RSA-4096 keys and SHA-2 authentication. Perfect Forward Secrecy is enabled through the use of DHE. LiquidVPN does primarily use VPS server instances, but its highly customisable Viscosity-based client blocks IPv6, DNS and WebRTC leaks using its "Liquid Lock" firewall. It also includes a per-app kill switch.

Visit LiquidVPN »


VPN Security considerations

Encryption

Cryptography is an insanely complex subject. When it comes to a secure VPN, however, there are relatively few terms you need in order to understand the core concepts involved, and they will give you a better idea of the level of security any given provider is offering.

VPN Protocol

The main VPN protocols are PPTP, L2TP/IPsec, OpenVPN, SSTP and IKE/IKEv2. A protocol is the set of rules used to negotiate a secure, encrypted connection between two computers; they are discussed in depth here.

OpenVPN is the industry standard secure VPN protocol, and for good reason. It is very secure, and can be used on almost all VPN-capable devices (with the notable exceptions of BlackBerry and Windows Mobile devices). I therefore recommend using OpenVPN wherever possible, and the rest of this article primarily concerns implementation of this protocol.

Custom iOS apps use the IKE or IKEv2 protocols in order to comply with Apple's developer guidelines, but the generic OpenVPN Connect app allows OpenVPN to be used on iOS instead.

Cipher

Your actual data is encrypted using a cipher. 256-bit AES has become the industry standard. This is good, as AES-256 is arguably the strongest cipher in widespread use (although AES-128 has a stronger key schedule). Some VPN providers still use OpenVPN's default Blowfish-128 (BF-CBC) cipher, a 64-bit-block cipher, which is pretty lame; the default should always be overridden.

Handshake

Also referred to (loosely) as key encryption or certificate encryption, the handshake is the TLS exchange at the start of an OpenVPN session in which the server is authenticated using its certificate and the session keys are agreed. The algorithms named here (RSA, DH, ECDH) are the signature and key-exchange algorithms used in that exchange.

RSA handshakes have been the basis of security on the internet for the last 20 years or so, although Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH) key exchanges are often used for OpenVPN instead (in practice RSA still signs the exchange, and DH or ECDH supplies the session key). Classic Diffie-Hellman has a known weakness when used with short or widely shared parameter groups, but this does not affect ECDH exchanges.

RSA key encryption

RSA-2048 key encryption is considered secure, although a case can be made for choosing even stronger 3072-bit or 4096-bit RSA encryption. RSA-2048 is now the minimum standard for commercial VPN providers.

SHA hash authentication

A Secure Hash Algorithm (SHA) is a cryptographic hash function used (among other things) to authenticate OpenVPN connections. SHA-1 is considered weak (its collision resistance is broken), and should therefore not be chosen to authenticate encrypted data. SHA-2 (SHA-256, SHA-384 or SHA-512) should be used instead, as OpenVPN does not support SHA-3.

OpenVPN, however, does use SHA1 by default for HMAC (Hash-based Message Authentication Code) authentication of the data channel. HMAC's security does not depend on the collision resistance of the underlying hash, so the collision attacks against SHA-1 do not translate into attacks on HMAC-SHA1. Use of HMAC SHA1 in OpenVPN is therefore not considered a weakness, although SHA-2 is preferable where the provider offers it.


Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) means that the keys for each OpenVPN session are derived from an ephemeral key exchange, so every session gets a new, unique key that is not derived from (and cannot be recovered from) the server's long-term private key.

If PFS is not used, the session keys are protected only by the server's long-term RSA key, so anyone who later obtains or breaks that key can decrypt every session they have recorded. OpenVPN is considered to be very secure (even against the NSA!), but only if Forward Secrecy is used.

Ephemeral DH and ECDH key exchanges are what provide PFS. In OpenVPN this is selected through the TLS cipher suite used for the control channel (suites whose names begin DHE- or ECDHE-), with periodic renegotiation (the reneg-sec directive) limiting how much traffic any one key protects.
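The settings discussed in the Cipher, Handshake, SHA and Perfect Forward Secrecy sections above all live in the OpenVPN profile a provider hands out, so the quickest way to check a provider's claims is to read its .ovpn file. The following is an added example, not code from BestVPN or from any provider: a small audit script that parses a profile and flags the weak or missing settings (default cipher, SHA1 HMAC, no pinned forward-secret TLS suite, no tls-auth, no server certificate check). The two profiles it runs against are constructed for illustration, with placeholder certificate and key bodies, and the "default" values assume older OpenVPN (2.3) behaviour, where a missing cipher or auth line means BF-CBC and SHA1.

```javascript
// Audit an OpenVPN client profile for the settings discussed above
// (data cipher, HMAC, handshake suite / PFS, certificate checks).
// Added example, not code from BestVPN or any provider. Both profiles
// below are constructed; the certificate and key bodies are placeholders.
// Assumption: older OpenVPN (2.3) defaults, i.e. BF-CBC and SHA1 when the
// cipher/auth directives are absent.

const WEAK_CIPHERS = new Set(['BF-CBC', 'DES-CBC', 'DES-EDE3-CBC', 'RC2-CBC', 'CAST5-CBC', 'NONE']);

// Parse directives ("cipher AES-256-GCM") and inline blocks ("<ca>...</ca>").
function parseProfile(text) {
  const directives = {};
  const inline = {};
  let block = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const open = line.match(/^<([a-z-]+)>$/);
    if (open) { block = open[1]; inline[block] = []; continue; }
    if (/^<\/[a-z-]+>$/.test(line)) { block = null; continue; }
    if (block) { inline[block].push(line); continue; }
    const [key, ...args] = line.split(/\s+/);
    (directives[key] = directives[key] || []).push(args);
  }
  return { directives, inline };
}

// Returns a list of findings; an empty list means the profile meets the bar.
function auditProfile(text) {
  const { directives: d, inline } = parseProfile(text);
  const first = (k) => (d[k] ? d[k][0] : null);
  const findings = [];

  // Data channel cipher. AEAD ciphers (GCM) authenticate the data themselves.
  const cipher = first('cipher') ? first('cipher')[0].toUpperCase() : 'BF-CBC (default)';
  if (!first('cipher') || WEAK_CIPHERS.has(cipher)) findings.push(`weak data cipher: ${cipher}`);
  const aead = /-GCM$/.test(cipher);

  // Data channel HMAC: default SHA1, prefer SHA-2 (the same digest is used by tls-auth).
  const auth = first('auth') ? first('auth')[0].toUpperCase() : 'SHA1 (default)';
  if (!aead && !/SHA-?(256|384|512)/.test(auth)) findings.push(`data HMAC is ${auth}; prefer SHA-2`);

  // Control channel: TLS 1.2 and a DHE/ECDHE suite give the handshake PFS.
  const tlsMin = first('tls-version-min');
  if (!tlsMin || parseFloat(tlsMin[0]) < 1.2) findings.push('tls-version-min unset or below 1.2');
  const tlsCipher = first('tls-cipher');
  if (!tlsCipher) {
    findings.push('tls-cipher not pinned; server may negotiate a non-PFS suite');
  } else if (!tlsCipher[0].split(':').every((s) => /^(TLS-)?(ECDHE|DHE)-/.test(s))) {
    findings.push(`tls-cipher ${tlsCipher[0]} includes a suite without forward secrecy`);
  }

  // tls-auth / tls-crypt: HMAC on control packets before the TLS handshake even starts.
  const hasKey = (k) => Boolean(first(k) || inline[k]);
  if (!hasKey('tls-auth') && !hasKey('tls-crypt')) findings.push('no tls-auth/tls-crypt key');

  // Without this the client accepts any certificate signed by the CA, including another client's.
  if (!first('remote-cert-tls')) findings.push('remote-cert-tls server missing');

  // reneg-sec 0 turns off the periodic rekey that limits how much traffic one key protects.
  const reneg = first('reneg-sec');
  if (reneg && parseInt(reneg[0], 10) === 0) findings.push('reneg-sec 0 disables rekeying');

  return findings;
}

// Constructed sample: a bare-bones profile relying on OpenVPN defaults.
const WEAK_PROFILE = `
client
dev tun
proto udp
remote vpn.example.net 1194
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: CA certificate omitted in this constructed sample)
-----END CERTIFICATE-----
</ca>
`;

// Constructed sample: the same profile with the settings this article looks for.
const HARDENED_PROFILE = `
client
dev tun
proto udp
remote vpn.example.net 443
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: CA certificate omitted in this constructed sample)
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(placeholder: static key omitted in this constructed sample)
-----END OpenVPN Static key V1-----
</tls-auth>
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak profile:', auditProfile(WEAK_PROFILE));
  console.log('hardened profile:', auditProfile(HARDENED_PROFILE));
}
```

The script cannot see the RSA key size or the DH group size, because those live in the CA certificate and the server's DH parameters rather than in the client profile; for the certificate, `openssl x509 -in ca.crt -noout -text` shows the public key length. Note that a suite such as DHE-RSA-AES256-SHA passes the forward-secrecy check but says nothing about the DH group size, which is exactly the gap flagged in the NordVPN review above.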

Dedicated or virtual servers?

Many VPN providers offer servers in locations all over the world. This can be very convenient for customers (and can count as a "feature"), but when it comes to security it raises the question: who operates those servers?

Many VPN companies simply rent VPS server space in order to run OpenVPN instances. Users' traffic is encrypted between the client and the server, so this is not as bad for security as it may sound at first. But the VPS provider controls the hypervisor and so can, in principle, read the instance's memory and disk (including the OpenVPN private keys), and it will keep its own metadata logs, although these are much more limited than those a VPN provider could keep itself.

That said, a VPN provider operating its own physical ("bare metal") servers is clearly more secure than virtual servers operated by a third-party VPS provider.

DNS leaks and IPv6 leaks

Please see my Complete Guide to IP Leaks for a full discussion on this subject. I think it sufficient to say here that a “secure” VPN service should protect its users against such problems when using its custom software.

WebRTC leaks

Again, I discuss this issue in great depth elsewhere. This is primarily a browser issue, and is easily fixed if you are aware of the problem. A few providers do manage to protect their clients against the WebRTC "bug" using either server-side firewalls or firewalls built into their custom VPN clients, but most don't.

Because it is a browser issue, I do not blame VPN providers for not fixing the problem, but they should at least clearly flag the issue to customers and provide instructions on how to fix it themselves.

DNS and WebRTC leaks

Providers who fail to do this are being highly irresponsible: they put VPN users at risk because their IP address is not hidden by the VPN when they think it is, which constitutes a major security failure.
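To see why WebRTC is a browser problem rather than a tunnel problem, it helps to look at what a web page can actually read. The following is an added example, not code from the article or from any provider: a page creates a throw-away peer connection and collects the ICE candidates the browser gathers, which carry the addresses of the machine's own interfaces plus the address a STUN server saw, regardless of the VPN route. The candidate lines are constructed samples in the standard "candidate:" format, the Google STUN address is an assumed example server, and the 10.8.0.x address is only assumed to be a typical OpenVPN tun range.

```javascript
// Show what a WebRTC IP leak actually exposes: a page creates a throw-away
// peer connection and reads the ICE candidates the browser gathers, which
// carry the machine's interface addresses (and the address a STUN server saw)
// regardless of the VPN tunnel. Added example, not from the article or any
// provider. The candidate lines are constructed samples in the standard
// ICE "candidate:" format; the STUN URL is a common public server, assumed.

const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];

// candidate:<foundation> <component> <proto> <priority> <ip> <port> typ <type> ...
function parseCandidate(line) {
  const m = line.match(/candidate:\S+\s+\d+\s+(udp|tcp)\s+\d+\s+(\S+)\s+\d+\s+typ\s+(\w+)/i);
  return m ? { proto: m[1].toLowerCase(), ip: m[2], type: m[3].toLowerCase() } : null;
}

function classifyAddress(ip) {
  if (ip.endsWith('.local')) return 'mdns';      // newer browsers hide host IPs behind mDNS names
  if (ip.includes(':')) return /^fe80:/i.test(ip) ? 'private' : 'ipv6';
  return PRIVATE_V4.some((re) => re.test(ip)) ? 'private' : 'public';
}

// Group the addresses found in a list of candidate lines.
// 'public' is what matters: with a working VPN the only public address should be
// the VPN exit, and a srflx candidate showing your ISP address is the leak.
function summarizeCandidates(lines) {
  const buckets = { private: new Set(), public: new Set(), ipv6: new Set(), mdns: new Set() };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c) buckets[classifyAddress(c.ip)].add(c.ip);
  }
  return Object.fromEntries(Object.entries(buckets).map(([k, v]) => [k, [...v].sort()]));
}

// Browser-only probe. Resolves to null outside a browser (e.g. under Node).
function probeWebRtc(stunUrl = 'stun:stun.l.google.com:19302', waitMs = 2000) {
  if (typeof RTCPeerConnection === 'undefined') return Promise.resolve(null);
  return new Promise((resolve) => {
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    pc.createDataChannel('probe');                       // needed so ICE gathering starts
    pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(() => { pc.close(); resolve(summarizeCandidates(lines)); }, waitMs);
  });
}

// Constructed sample of what a VPN user on a LAN might see gathered:
// the LAN address, the VPN tun address (10.8.0.x assumed as a typical OpenVPN
// range), an IPv6 address, and a server-reflexive address reported by STUN.
const SAMPLE_CANDIDATES = [
  'candidate:842163049 1 udp 1677729535 192.168.1.23 51234 typ host generation 0',
  'candidate:842163049 1 udp 1677729535 10.8.0.6 51234 typ host generation 0',
  'candidate:842163049 1 udp 1677729535 2001:db8::1 51234 typ host generation 0',
  'candidate:842163049 1 udp 1677729535 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234 generation 0',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarizeCandidates(SAMPLE_CANDIDATES));
}
```

Paste the block into a browser console and run `probeWebRtc().then(console.log)` while connected to the VPN: if the `public` bucket contains anything other than the VPN exit address, the browser is leaking around the tunnel. In Firefox, setting `media.peerconnection.enabled` to false in about:config disables WebRTC outright, which is the fix the article refers to.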

Other secure VPN issues

Security is hard, very hard, and it is very easy for even experts to make elementary mistakes. It is not unknown, for example, for VPN providers to send users' passwords via regular unencrypted email! Duh! I have flagged any such issues as I have encountered them.

Conclusion

Getting security right is hard, but some VPN providers are very good at it! The services listed above use excellent encryption, and are on the case when it comes to the technical side of keeping your VPN connection secure.


Published 2016-08-08
Douglas Crawford Written by Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

2 responses to "5 Most Secure VPN Services 2016"

  1. Can you access the site over HTTPS or via Tor? Yes is better.
     Does a Linux version exist? Yes is better.
     Can you choose your password? Yes is better.
     Is it on 443? Yes is better.
     Does a trial or free version exist? Yes is better.
     Do you need to register for a free/trial version? No is better.
     Have you found reviews of your version? Yes is better.
     Does the name of the VPN provider appear when you go to checkip or testleak? No is better.
     Does it work with your usual apps like webmail, online streaming, Facebook etc.? Yes is better.

    1. Hi Ares,

      Security is a complex and multi-faceted thing, and your points are all valid. In this article, however, I have concentrated on technical aspects such as encryption.
