5 Most Secure VPN Services 2017 - BestVPN.com

Douglas Crawford

June 28, 2017

Although the subjects are often confused (and are related), internet privacy and internet security are different issues. This article focuses on secure Virtual Private Network (VPN) services that offer very high levels of technical security.

In practice this means:

  1. They use strong OpenVPN encryption.
  2. They use software that prevents any and all forms of IP leak.
  3. Their software has a kill switch feature.
  4. They don’t make any silly noob mistakes.

Great technical security provides robust protection against hackers accessing your online activity, be they criminals or working for your government.

What it will not do is prevent a powerful government, the police, or the mafia, from demanding that your VPN provider hand over any logs it keeps relating to your online activity. If such a scenario is part of your threat model, then be sure to also pick a good no logs VPN service for maximum privacy.

Best Secure VPN Services: Summary

Rank, company and price:

  1. ExpressVPN: $6.67 / month
  2. Windscribe: $7.50 / month
  3. AirVPN: $4.82 / month
  4. VPNArea: $4.92 / month
  5. NordVPN: $3.29 / month

Winner (Editor's Choice Award): ExpressVPN, 5/5

Pros:
  • 30-day money-back guarantee
  • No usage logs
  • Servers in 94 countries
  • Great customer service
  • P2P: yes
Cons:
  • Connection logs
  • A bit pricey

ExpressVPN’s focus on providing a great customer-focused experience has always impressed me. Central to this is 24/7 live chat support, a genuinely no-quibbles 30-day money-back guarantee, and easy-to-use apps for all major platforms.

OpenVPN Encryption
  Cipher: AES-256
  Data Auth: HMAC SHA-512
  Handshake: RSA-4096
  Forward Secrecy: ECDH
Logs & Legal
  Connection: minimal
  Traffic: None
  Country: BVI

ExpressVPN now matches this with truly excellent technical security. It uses the AES-256 cipher for OpenVPN, with an RSA-4096 handshake and SHA-512 keyed-hash message authentication code (HMAC). Perfect forward secrecy is provided courtesy of Elliptic Curve Diffie–Hellman (ECDH) key exchanges for the data channel encryption.

This is great. In addition, unlike most iOS apps, the ExpressVPN iOS app uses OpenVPN. Add in full Domain Name System (DNS) leak and Web Real-Time Communication (WebRTC) leak protection, along with a firewall-based kill switch, and it is clear that ExpressVPN offers exceptional VPN security.

Additional features: three simultaneous connections, “stealth” servers in Hong Kong, free Smart DNS, .onion web address.

2nd place: Windscribe, 4.6/5

Pros:
  • No logs
  • Double-hop
  • SSL tunnelling
  • Unlimited simultaneous connections
  • Limited free service (10GB)
Cons:
  • Limited customer support
  • New service (less established)
  • Based in Canada

When reviewing Canadian company Windscribe, we found that the encryption its service uses is among the best available anywhere, which has made something of a splash on the VPN scene.

OpenVPN Encryption
  Cipher: AES-256
  Data Auth: HMAC SHA-512
  Handshake: RSA-4096
  Forward Secrecy: yes
Logs & Legal
  Connection: minimal
  Traffic: None
  Country: Canada

OpenVPN uses AES-256 with an RSA-4096 handshake and SHA-512 authentication. Perfect forward secrecy (PFS) is used, and DNS and Internet Protocol version 6 (IPv6) leaks are blocked by the firewall in the custom client. This firewall also acts as a kill switch, and should prevent any WebRTC leaks.

Like NordVPN, our review of Windscribe found that it supports “double VPN” chaining. I am yet to be convinced about the security value of this, but others disagree. It certainly does no harm as an extra feature to have, if you want it.

3rd place: AirVPN, 4.3/5

Pros:
  • No logs at all
  • VPN through Tor
  • SSL and SSH tunneling
  • Accepts bitcoin
  • Peer-to-peer (P2P): yes
Cons:
  • Very techy
  • Customer support could be better

AirVPN is at the top of the game when it comes to fast, secure VPN technology, but its tech-heavy focus and rather brusque support manner alienate many would-be users.

OpenVPN Encryption
  Cipher: AES-256
  Data Auth: HMAC SHA1
  Handshake: RSA-4096
  Control Auth: HMAC SHA384
  Forward Secrecy: DHE-4096
Logs & Legal
  Connection: None
  Traffic: None
  Country: Italy

OpenVPN uses AES-256 with an RSA-4096 handshake, HMAC SHA1 data channel authentication, HMAC SHA384 control channel authentication, and DHE-4096 for perfect forward secrecy. It allows users to connect completely anonymously to its servers via the Tor network, and can hide OpenVPN communications inside a Secure Shell (SSH) or Secure Sockets Layer (SSL) tunnel.

The open source desktop client disables IPv6, and its “network lock” feature acts as a kill switch and prevents DNS leaks. WebRTC leaks are blocked by both the network lock function and at the server level. This protects users from WebRTC leaks, even when using the generic OpenVPN app. Furthermore, AirVPN runs its own bare metal servers.

Additional features: real-time user and server statistics, three-day free trial, three simultaneous connections.

4th place: VPNArea, 3.9/5

Pros:
  • No logs
  • Based in Bulgaria (no data retention)
  • Five simultaneous devices
  • Great customer service
  • P2P: ok
Cons:
  • Uses Virtual Private Server (VPS) instances

This friendly Bulgarian secure VPN provider uses AES-256 with an RSA-2048 handshake and SHA-256 data authentication for its OpenVPN connections. PFS keys are re-negotiated regularly during each session.

OpenVPN Encryption
  Cipher: AES-256
  Control Auth: HMAC SHA-512
  Handshake: RSA-2048
  Forward Secrecy: yes
Logs & Legal
  Connection: minimal
  Traffic: None
  Country: Bulgaria

VPNArea’s desktop client is a custom version of Viscosity. It offers DNS leak protection, disables IPv6, and provides a per-app kill switch.

The auto IP feature changes your IP every five minutes, which is interesting. VPNArea uses a mix of VPS instances and bare metal servers, but support assures me that whatever the circumstances, it maintains complete control over its servers.

5th place: NordVPN, 4.2/5

Pros:
  • No logs at all
  • Six simultaneous devices
  • Servers in 47 countries
  • 30-day money-back guarantee
  • OpenVPN encryption with PFS
Cons:
  • Issues with support

NordVPN is a no logs VPN provider based in Panama. This alone makes it one of the best VPN choices available for privacy fanatics, as it puts it comfortably outside the direct influence of both the NSA and copyright holders.

OpenVPN Encryption
  Cipher: AES-256
  Data Auth: HMAC SHA1
  Handshake: RSA-2048
  Forward Secrecy: DHE
Logs & Legal
  Connection: None
  Traffic: None
  Country: Panama

It backs up this privacy-friendly stance by using great encryption, and by accepting potentially anonymous payment in bitcoins. Although I have yet to be convinced of its utility, many also value NordVPN’s support for “double-hop” VPN chaining (which essentially routes traffic through two servers rather than one).

NordVPN uses the DHE-RSA-AES256-SHA encryption suite for its OpenVPN connections. This almost certainly means ordinary RSA-2048 key encryption and HMAC SHA1 authentication, which is just fine. Use of a Diffie-Hellman key exchange provides perfect forward secrecy.

It is worth noting that NordVPN’s iOS app also uses an impressive level of encryption: the Internet Key Exchange (IKE) phase 1 ciphers used to negotiate keys are AES-256-GCM for encryption, with SHA2-384 to ensure integrity, combined with PFS and 3072-bit Diffie-Hellman keys.

Unusually, NordVPN’s Mac OS X client uses IKEv2 with Cisco’s NGE (Next Generation Encryption) protocol, instead of OpenVPN. Please check out my Complete VPN Encryption Guide for the pros and cons of IKEv2. The NordVPN client has a per-app kill switch. This is undoubtedly handy, but is not as secure as a firewall-based one.

Additional features: P2P permitted, supports obfsproxy technology to defeat censorship, three-day free trial, dedicated IP available on request.


VPN Security Considerations

Encryption

The simplest analogy is that encryption is a lock. If you have the correct key, then the lock is easy to open. If someone does not have the correct key but wants to access the contents of a strong box (that is, your data) protected by that lock, then they can try to break the lock.

In the same way that the lock securing a bank vault is stronger than the one securing a suitcase, some encryption is stronger than other encryption. Please check out my Complete VPN Encryption Guide for a detailed but layman-friendly look at this subject.

VPN Protocols

A VPN protocol is the set of instructions (mechanism) used to negotiate a secure encrypted connection between two computers. A number of such VPN protocols are commonly supported by commercial VPN services.

Although there is some merit in the IKEv2 protocol, OpenVPN is the recommended VPN protocol under most circumstances.

It is fast, reliable, secure, and open source. It has no real downsides, per se, but to be truly secure it is important that it is implemented well. This means the use of strong encryption with perfect forward secrecy.

OpenVPN Encryption

When it comes to encryption, the devil is in the detail. It is common to see VPN providers say they use “ultra-strong 256-bit” Advanced Encryption Standard (AES) OpenVPN encryption. However, in reality this does not tell us very much.

AES-256 is indeed a strong cipher, but if other aspects of the encryption suite used are weak, then your data will not be secure.

  • Cipher – this protects your actual data. AES-256 is now the industry standard, and is recommended.
  • Handshake – this secures your connection to the VPN server. RSA-2048+ or ECDH-384+ are secure. Importantly, RSA-1024 and Diffie-Hellman handshakes are not.
  • Hash authentication – this creates a unique fingerprint, which is used to validate data and Transport Layer Security (TLS) certificates (that is, to check that the server you are connecting to really is the one you think you are connecting to). HMAC SHA-1 is absolutely fine, but HMAC SHA-2 (SHA-256, SHA-384, and SHA-512) and HMAC SHA-3 are better.
  • Perfect forward secrecy – this ensures that new encryption keys are created for each session. OpenVPN should not be considered secure unless PFS is implemented. This can be done either by including a Diffie-Hellman or ECDH key exchange in an RSA handshake, or a DH or ECDH handshake.

OpenVPN will negotiate ciphers between client and server at will. Unless very specific parameters are defined, OpenVPN may default to weak settings. All the providers listed above use strong settings.
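The four dimensions above can be checked mechanically against a client’s .ovpn file. The following Python script is an added example (not BestVPN.com’s audit tool, and not code from any of the providers reviewed): it parses the real OpenVPN directives that pin these settings (cipher / data-ciphers, auth, tls-cipher, tls-version-min, remote-cert-tls) and rates each dimension on the same traffic-light scale. The two sample configs and the vpn.example.invalid hostname are constructed for the example; the RSA key size of the handshake lives in the CA certificate rather than in these directives, so it is not rated here.

```python
"""Traffic-light audit of an OpenVPN client config: rates the directives behind the dimensions
tabulated above (cipher, data auth, control-channel suite, minimum TLS version). Added example."""
from typing import Dict, List, Tuple

GREEN, AMBER, RED = ORDER = ["green", "amber", "red"]
PFS_KX = ("TLS-ECDHE-", "TLS-DHE-")  # tls-cipher prefixes with an ephemeral key exchange
Opts = Dict[str, List[str]]

def parse_ovpn(text: str) -> Opts:
    """Directive -> args; last occurrence wins, inline <ca>...</ca> blocks are skipped."""
    opts: Opts = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment lines, per the OpenVPN man page
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            name, *args = line.split()
            opts[name] = args
    return opts

def rate_cipher(opts: Opts) -> Tuple[str, str]:
    pinned = opts.get("data-ciphers") or opts.get("ncp-ciphers") or opts.get("cipher")
    if not pinned:
        return AMBER, "no cipher pinned; the build's default is used"
    grades = [GREEN if n.startswith("AES-256") or n == "CHACHA20-POLY1305"
              else AMBER if n.startswith(("AES-128", "AES-192")) else RED  # BF-CBC, DES, none
              for n in pinned[0].upper().split(":")]
    return max(grades, key=ORDER.index), pinned[0]  # the worst member of a negotiable list

def rate_data_auth(opts: Opts) -> Tuple[str, str]:
    cipher = (opts.get("data-ciphers") or opts.get("cipher") or [""])[0].upper()
    if cipher and all(c.endswith(("GCM", "POLY1305")) for c in cipher.split(":")):
        return GREEN, "AEAD cipher: the cipher itself authenticates the data channel"
    auth = (opts.get("auth") or ["SHA1"])[0].upper()  # SHA1 is OpenVPN's default
    if auth in ("SHA256", "SHA384", "SHA512"):
        return GREEN, "HMAC " + auth
    return (AMBER if auth == "SHA1" else RED), "HMAC " + auth

def rate_control(opts: Opts) -> Tuple[str, str]:
    suites = opts.get("tls-cipher")
    if not suites:
        return AMBER, "tls-cipher not pinned; suite negotiated at connect time"
    names = suites[0].upper().split(":")
    for s in names:
        if not s.startswith(PFS_KX):
            return RED, s + " has no ephemeral key exchange (no forward secrecy)"
    macs = sorted({s.rsplit("-", 1)[-1] for s in names})
    return GREEN, "PFS via DHE/ECDHE, control auth " + "/".join(macs)

def audit(text: str) -> Dict[str, Tuple[str, str]]:
    opts = parse_ovpn(text)
    tls_min = opts.get("tls-version-min", ["unset"])[0]
    return {
        "cipher": rate_cipher(opts),
        "data_auth": rate_data_auth(opts),
        "control": rate_control(opts),
        "tls_min": (AMBER if tls_min == "unset" else GREEN if float(tls_min) >= 1.2 else RED,
                    "TLS " + tls_min),
        # Without remote-cert-tls the client accepts any CA-signed cert as the server.
        "server_check": ((GREEN, "remote-cert-tls server") if opts.get("remote-cert-tls") == ["server"]
                         else (RED, "remote-cert-tls server missing")),
    }

# Constructed sample configs: a weak one (with an inline <ca> block) and a hardened one.
WEAK = ("client\ndev tun\nremote vpn.example.invalid 1194\ncipher BF-CBC\nauth SHA1\n"
        "<ca>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n</ca>\n")
STRONG = ("client\ndev tun\nremote vpn.example.invalid 443\ncipher AES-256-GCM\nauth SHA512\n"
          "tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384\n"
          "tls-version-min 1.2\nremote-cert-tls server\n")
```

Calling audit(WEAK) and audit(STRONG) shows the two ratings side by side; an amber result means the setting is left to negotiation or to the build’s default, which is exactly the case the paragraph above warns about.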

All of our full VPN reviews now include a “traffic light” audit of the OpenVPN encryption used by that VPN provider. This is intended to clearly flag up weaknesses in the cipher suite in an easily digestible, at-a-glance format.

It is BestVPN.com’s hope that initiatives such as this will improve encryption standards across the VPN industry.

IP Leaks

Unbreakable encryption is one cornerstone of what makes a VPN service secure. The other is ensuring that the VPN is actually doing what it is supposed to – hiding your real IP address. If it is not, then you have an IP leak.

DNS and WebRTC leaks

To determine if you are suffering an IP leak, visit ipleak.net. If you are connected to a VPN and you can see your true IP address, or even just the name of your Internet Service Provider (ISP), anywhere on this page, then you have an IP leak.*

*An exception to this rule is that Private Use RFC IPs detected by WebRTC are local IPs only. They cannot be used to identify an individual, and so do not constitute an IP leak.

When testing the above VPN service I was connected to a Netherlands VPN server, but could see an IP address belonging to my UK ISP. This could be used to trace my real-life identity and constitutes a clear IP leak (an IPv4 DNS leak).

Please check out my Complete Guide to IP Leaks for a full discussion on why IP leaks happen. In that article I also talk about how to fix them. However, with a secure VPN service you shouldn’t need to! I will note that since writing that article, most good VPN services have now implemented WebRTC leak protection.

Kill Switch

VPN connections fail sometimes, usually for reasons far beyond your VPN provider’s control. There is no point in having a super-secure VPN connection, however, if your real IP address and any web traffic not already protected by HTTPS are exposed the second this happens!

Secure VPN services solve this problem by including a “VPN kill switch” (also called, somewhat more accurately, an “internet kill switch”) with their software.

The most secure way to build a VPN kill switch is using firewall rules that prevent any internet connections outside the VPN tunnel. Such rules also prevent DNS leaks.

A less secure way to build a VPN kill switch is for the software to detect that a VPN connection has been dropped and then disable the internet connection (or block or close specified programs). There can be a delay between the client detecting the VPN drop and it disabling the internet, during which time your real IP might be exposed.

Additionally, if the VPN client crashes, it will leave you without kill switch protection. This can be particularly nasty if the same crash also causes the VPN to disconnect! On the other hand, per-app kill switches are quite handy, and any kill switch is better than none.

Silly Mistakes

Never underestimate humans’ ability to mess up! VPN companies occasionally make elementary mistakes in their security setup. A classic example is sending your login details via plaintext email (it happens!).

Conclusion

Good VPN services provide top-notch security. However, many VPNs on the market do not. It is therefore important not to take claims of “military grade” encryption and suchlike at face value.

The devil really is in the detail. Fortunately, some VPN providers care a great deal about getting the details right. And when good technical security is combined with good privacy practices, then everyone wins!

Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

13 responses to “5 Most Secure VPN Services 2017”

  1. Hi Douglas & notsosafe,

    ExpressVPN is more secure (with better encryption?) than AirVPN? Do they offer unique OpenVPN certs/keys as well? Should I cancel/ditch AirVPN for ExpressVPN?

    notsosafe what VPN do you use?

    Thanks.

    1. Hi hmmmmm,

      ExpressVPN now offers slightly stronger encryption than AirVPN (stronger SHA hash authentication), although both are so strong that it really makes little difference. Be aware that ExpressVPN does keep some very minimal connection logs. With regard to shared OpenVPN certificates, I have changed my mind since I wrote these comments last September. A lengthy discussion with the guys at IVPN has convinced me that use of shared certs is not a problem, and is, in fact, better for privacy than unique certs. A summary of IVPN's argument can be found here. Please note, however, that pre-shared keys _are_ a problem when it comes to L2TP/IPsec.

  2. The user id is irrelevant, these companies will give one to anybody on this planet that throws money at them. It merely grants one access to the backbone, it’s what happens on that backbone, after they gain access.

    We came here to make people aware that these networks are not as secure as the public is led to believe. Their network designs are inferior and they know it. If a key is shared, the tunnels have glass walls to an experienced user/organization. We will point you in the direction of a secure (real) VPN provider and invite you to do your own research.

    Have a nice day!

  3. People are deluded into a false sense of security with these vpn providers.

    If the certificates are shared, that means all users have the same key to unlock each others’ sessions. They can eavesdrop on each other; they are on the same backbone. IP packets can be disassembled. Traffic can be monitored. There are many levels of intrusion. Their VPN tunnels have glass walls; it’s not secure, anybody can see inside. Does one not fathom that unscrupulous individuals/organizations will set up VPN accounts with these providers knowing this?

    You wouldn’t give a stranger a key to your house, so why would you give them a copy of your certificate. It defeats the entire purpose of encryption. A properly encrypted VPN has encrypted certificates at each end of the tunnel and those certificates are unique to only those two interfaces. Allowing anybody else a copy of that certificate, grants them access to that tunnel.

    The VPN providers all know this. Ask them, they’ll try to avoid your question.

    The more secure providers will issue your own unique certificate, those are the companies you want to deal with.

    People need to be aware of this!

    1. Hi notsosafe,

      So… let’s say that you and I are both customers of a VPN service that uses shared OpenVPN certs. I have my own login details for that service, and we are using the same cert to connect to it. How could I use this to compromise your account or internet connection (assuming that you use a strong password that I do not have access to)?

      I do agree that unique certs are preferable, but do not see how shared certs are the security nightmare that you describe.

  4. @Douglas Crawford, your site won’t allow me to reply to the original comment posted.

    I commend you for not burying the truth and letting the public be informed about the false sense of security when using VPNs.

    It’s not the fact that your own individual account is compromised, it can be anybody’s account. Because it’s a shared certificate, that means you are compromised if another user is. Can you rely on what others do with their login credentials?

    Also, https/ssl are compromised, so it wouldn’t be too difficult to get those credentials in the first place.

    It’s the reality of the systems they set up; many VPN providers are hiding this.

    You want to make sure the VPN provider you deal with, issues your OWN UNIQUE cert/keys right from the moment you login, then NOBODY else has it but you. Otherwise it defeats the purpose, it’s like leaving the key in the deadbolt of your house, anybody can get in, because you’ve shared it.

    1. Hi notsosafe,

      – I apologize for your problems using our website. I will pass on your issue to our tech team.
      – If unique certs are not used, then individual accounts are secured with a username and password. If an adversary does not have your username and password, then your account cannot be compromised just because the certificates are shared. In other words, use of shared certs does not compromise your login credentials or compromise HTTPS. It simply means that everyone connects to the VPN servers in the same way.
      – I agree that unique certificates and keys are more secure, but do not think that using shared certs compromises accounts in the way you describe. If someone steals one user’s login details then sure, they can connect to the service using the stolen account. I do not see how this gives them access to other users’ accounts, however.

  5. NordVPN is not secure; they use shared keys amongst all their users. The OpenVPN files are available online for anybody to download. The only requirement is for someone to intercept your login credentials, which can easily be done through a web interface, and then they have full access to your session.

    They should be providing unique certificates/keys locked to each user ID, and encrypting the login sessions to those certificates, which they do not do, they are all shared. When you start asking their tech support about this, they start becoming very evasive with their answers.

    Many of the other vpn providers are much the same way. So the reality is, you need to hunt down a vpn provider that guarantees you have your OWN unique certificates assigned to you ONLY, or you’re not as safe as you think you are, you can easily be eavesdropped on.

    1. Hi notsosafe,

      As you say, when pre-shared keys are used an adversary would still need to obtain your login credentials. I do not consider this as big an issue as you do, but it is an issue, and I will discuss it in my next update to this article. Off the top of my head, the only VPN provider to generate unique OpenVPN certs/keys for each customer is AirVPN (I’m sure some others do too).

  6. I truly enjoyed your article, very well written and informative. However, I don’t see the need for a VPN for anyone who’s using a smartphone, considering that for every application that you choose to use, you sign an agreement which basically gives away every constitutional right that you have to any kind of privacy. That being said, the information for anyone who might think they need it is out there and available. You can shut applications off, you can actually clear every bit of the data, but the minute the phone is turned off and comes back on there are programs that put everything right back. Every carrier backs up your information with or without your permission. Google, of course, we know that they have a copy of every single thing you do every minute of every day. The phone’s allowed to take pictures, it’s allowed to turn on and off the microphone, it’s allowed to read contacts, delete contacts, it’s allowed to retrieve messages, it’s allowed to make up its own email addresses, it is allowed to basically do anything that lives. So security is a thing of the past, privacy is a thing of the past. However, what I would like to know is: once your phone has been hacked (which I know that mine has, unfortunately, by someone I love, which doesn’t make it any easier), if I get a new SIM card and I request every archive there is and delete that, how do I protect any phone from having a spyware program installed on it? Is there any safety in setting up call forwarding from the original phone to a new one using a third-party number? How do I keep it from happening again? If you could help me with that I would greatly appreciate it. Thank you so much, and thank you for your article; however overly optimistic it may have been, I still enjoyed it. Sincerely, zemindar54

    1. Hi Janice,

      – Mobile apps do send back a lot of information directly to their makers. Using a VPN is still useful, however, if you access services using their web portals via your mobile phone’s browser (I recommend using Firefox because it is open source and has some great privacy add-ons).
      – If you get a new SIM card and perform a full factory reset on your phone, this should get rid of any malware on it.

  7. Can you access the site over HTTPS or by Tor? Yes is better.
    Does a Linux version exist? Yes is better.
    Can you choose your password? Yes is better.
    Is it on port 443? Yes is better.
    Does a trial or free version exist? Yes is better.
    Do you need to register for a free/trial version? No is better.
    Have you found reviews about your version? Yes is better.
    Does the name of the VPN provider appear when you go to checkip or testleak? No is better.
    Does it work with your usual apps like webmail, online streaming, Facebook etc.? Yes is better.

    1. Hi Ares,

      Security is a complex and multi-faceted thing, and your points are all valid. In this article, however, I have concentrated on technical aspects such as encryption.
