
5 Most Secure VPN Services 2016

In this article on the most secure VPN services, I look at VPN providers that offer the highest levels of technical security for their VPN products. This largely means VPNs that offer the best encryption, but it also covers factors such as DNS leak protection, whether there are any weaknesses in how users’ passwords are transmitted on signup, and whether any protection is offered against IP leakage through WebRTC.


Before starting, however, there are a couple of things worth noting. The first is that this list is by no means exhaustive. More and more VPN companies now offer high levels of encryption (at least on paper), and this article cannot cover them all.

Furthermore, getting security right is about far more than simply ticking features off a list, because as always, the devil is in the detail. It is how these features are implemented that really matters.

BestVPN.com can only recommend secure VPN services with which we are familiar, and understanding these details takes time and information that often has to be prised out of providers. I have therefore concentrated on VPN industry leaders that have a reputation for being very secure.

The second thing to note is that in this article I am primarily looking at VPN providers’ technical security – not, for example, their general attitude to privacy. If privacy, rather than security per se, is your primary concern, then be sure to check out 5 Best Logless VPNs.

Best Secure VPN Services Summary

Disclosure: compensated affiliate.

Rank  Company     Score   Price
1     NordVPN     10/10   $5.75 / month
2     Windscribe  9.2/10  $7.50 / month
3     AirVPN      8.6/10  $4.82 / month
4     VPNArea     7.8/10  $4.92 / month
5     LiquidVPN   7.4/10  $4.99 / month
Best Secure VPN Services

1st place (Editor's Choice Award winner)

NordVPN

5/5

Pros:
  • No logs
  • Based in Panama
  • Accepts Bitcoin payment
  • Tor over VPN
  • Two simultaneous connections

Cons:
  • Can be slow
  • Sends password in plaintext

This Panama-based secure VPN provider uses the DHE-RSA-AES256-SHA cipher suite for its OpenVPN connections. Although this almost certainly means ordinary RSA-2048 key encryption and HMAC SHA1 authentication, the use of an ephemeral Diffie-Hellman key exchange allows Perfect Forward Secrecy to be deployed. As noted later in this article, there are issues with DHE, but this is not a problem here as security is primarily handled using RSA.

It is also worth noting that NordVPN’s iOS app uses an impressive level of encryption: the IKE (phase 1) ciphers used to negotiate keys are AES-256-GCM for encryption and SHA2-384 for integrity, combined with PFS (Perfect Forward Secrecy) and 3072-bit Diffie-Hellman keys. Unusually, NordVPN’s upcoming Mac OSX client will use IKEv2 with Cisco’s NGE (Next Generation Encryption) settings, instead of OpenVPN.

The NordVPN desktop client has a kill switch and prevents DNS leaks. WebRTC protection is not provided, however; a guide to disabling WebRTC is available, but you have to look for it. A bigger problem is that NordVPN sends your VPN password via plaintext email! This is easily fixed by changing your password in the website’s account portal, but it is nevertheless a boo-boo in what is otherwise a very secure setup.

Additional features: Double encryption, P2P: yes, 30-day money-back guarantee.

2nd place

Windscribe

4.6/5


Pros:
  • No logs
  • Double-hop
  • SSL tunnelling
  • Unlimited simultaneous connections
  • Limited free service (10GB)

Cons:
  • Limited customer support
  • New service (less established)
  • Based in Canada

Based in Canada, Windscribe has made something of a splash on the VPN scene thanks to its high level of technical proficiency. The encryption it uses, for example, is among the best available anywhere: OpenVPN uses AES-256 with an RSA-4096 handshake and SHA512 authentication. Perfect Forward Secrecy is used, and DNS and IPv6 leaks are blocked by the firewall in the custom client. This firewall also acts as a kill switch, and should prevent any WebRTC leaks. Like NordVPN, Windscribe supports “double VPN” chaining. I am yet to be convinced of the security value of this, but others disagree, and it is a nice extra to have.

3rd place

AirVPN

4.3/5


Pros:
  • No logs at all
  • VPN through Tor
  • SSL & SSH tunneling
  • Accepts Bitcoin
  • P2P: yes

Cons:
  • Very techy
  • Customer support could be better

AirVPN is at the top of the game when it comes to secure VPN technology, but its tech-heavy focus and rather brusque support manner alienate many would-be users. OpenVPN uses AES-256 with an RSA-4096 handshake, HMAC SHA1 data authentication (HMAC SHA384 for the control channel), and DHE-4096 Perfect Forward Secrecy. It allows users to connect completely anonymously to its servers via the Tor network, and can hide OpenVPN traffic inside an SSH or SSL tunnel.

The open source desktop client disables IPv6, and its “network lock” feature acts as a kill switch and prevents DNS leaks. WebRTC leaks are blocked both by “network lock” and at the server level, which means that users are protected from WebRTC leaks even when using the generic OpenVPN app. AirVPN runs its own bare metal servers.

Additional features: Real-time user and server statistics, VPN through SSL and SSH tunnels, 3-day free trial, three simultaneous connections.

4th place

VPNArea

3.9/5


Pros:
  • No logs
  • Based in Bulgaria (no data retention)
  • Five simultaneous devices
  • Great customer service
  • P2P: ok

Cons:
  • Uses VPS instances

This friendly Bulgarian secure VPN provider uses AES-256 with an RSA-2048 handshake and SHA256 data authentication for its OpenVPN connections. PFS keys are re-negotiated regularly during each session. VPNArea’s desktop client is a custom version of Viscosity, and offers DNS leak protection, disables IPv6, and provides a per-app kill switch. The auto IP feature changes your IP every 5 minutes, which is interesting. VPNArea uses a mix of VPS instances and bare metal servers, but support assures me that whatever the circumstances, it maintains complete control over its servers.

5th place

LiquidVPN

3.7/5


Pros:
  • No usage logs
  • Stealth server
  • P2P: yes
  • Modulating (shared) IPs
  • Port forwarding

Cons:
  • Based in US

Based in the US, LiquidVPN uses very strong OpenVPN encryption: AES-256 by default, with AES-128-CBC or Camellia-256-CBC as alternatives, RSA-4096 keys and SHA2 authentication. Perfect Forward Secrecy is enabled through the use of DHE. Its highly customizable Viscosity-based client blocks IPv6, DNS, and WebRTC leaks using its “Liquid Lock” firewall, and also includes a per-app kill switch.

VPN Security considerations

Encryption

Cryptography is an insanely complex subject. With regard to secure VPNs, however, a relatively small number of terms will help you understand the core concepts involved, and give you a better idea of the level of security that any given provider is offering.

VPN Protocol

The main VPN protocols are PPTP, L2TP/IPSec, OpenVPN, SSTP, and IKE/IKEv2. These are the sets of instructions used to negotiate a secure encrypted connection between two computers, and they are discussed in depth in a separate article.

OpenVPN is the industry standard secure VPN protocol, and for good reason. It is very secure, and can be used on almost all VPN-capable devices (with the notable exception of Blackberry and Windows Mobile devices). I therefore recommend using OpenVPN wherever possible, and the rest of this article primarily concerns implementation of this protocol.

Custom iOS apps use the IKE or IKEv2 protocols in order to comply with Apple’s developer guidelines. But the generic OpenVPN Connect app allows OpenVPN to be deployed on iOS instead.

Cipher

Your actual data is encrypted using a cipher. 256-bit AES has become the industry standard. This is great, as AES-256 is arguably the strongest cipher known to mankind (although AES-128 has a stronger key schedule). Some VPN providers do still use OpenVPN’s default Blowfish-128 cipher, but this is pretty lame.

Handshake

Also referred to as key encryption or certificate encryption, the handshake is the public-key encryption and digital-signature step used to verify TLS/SSL certificates.

RSA handshakes have been the basis for security on the internet for the last 20 years or so, although Diffie-Hellman and Elliptic Curve Diffie-Hellman (ECDH) key exchanges are sometimes used for OpenVPN instead. Diffie-Hellman exchanges, however, have a major weakness, but this does not affect ECDH exchanges.
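The choices just described are all encoded in the cipher-suite names that providers publish (for example the DHE-RSA-AES256-SHA quoted for NordVPN above). The following parser is an added example, not code from this article or any provider: it splits OpenSSL-style suite names into key exchange, signature algorithm, bulk cipher and hash, and flags the points this section cares about (no forward secrecy with static RSA key exchange, a SHA-1 hash, CBC rather than AEAD). The sample suite names are constructed for illustration.

```python
"""Parse OpenSSL-style TLS cipher-suite names of the kind VPN providers publish."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample suites; the first is the one the article quotes for NordVPN.
SAMPLE_SUITES = [
    "DHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "AES256-SHA",                 # static RSA key exchange: no forward secrecy
    "DHE-RSA-CAMELLIA256-SHA",
    "ECDHE-RSA-CHACHA20-POLY1305",
]


@dataclass
class SuiteInfo:
    name: str
    key_exchange: str      # "DHE", "ECDHE", or "RSA" (pre-master secret encrypted to the server key)
    auth: str              # who signs the handshake: "RSA" or "ECDSA"
    cipher: str            # bulk cipher, e.g. "AES256" or "AES256-GCM"
    digest: str            # "SHA" means SHA-1; the HMAC for CBC suites, the PRF for AEAD suites
    forward_secrecy: bool
    aead: bool
    warnings: List[str] = field(default_factory=list)


def parse_suite(name: str) -> SuiteInfo:
    parts = name.upper().split("-")
    # Ephemeral key exchange is spelled out in the name; otherwise the server's
    # RSA key encrypts the pre-master secret directly, which gives no PFS.
    if parts[0] in ("DHE", "ECDHE"):
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:
        kx, auth, rest = "RSA", "RSA", parts
    if rest[-1] == "POLY1305":
        # ChaCha20-Poly1305 suites omit the PRF suffix in OpenSSL naming (it is SHA-256).
        cipher, digest = "-".join(rest), "SHA256"
    else:
        cipher, digest = "-".join(rest[:-1]), rest[-1]
    aead = "GCM" in cipher or "POLY1305" in cipher
    info = SuiteInfo(name, kx, auth, cipher, digest, kx != "RSA", aead)
    if not info.forward_secrecy:
        info.warnings.append("static RSA key exchange: no Perfect Forward Secrecy")
    if digest == "SHA":
        info.warnings.append("SHA-1 hash (tolerable as HMAC-SHA1 in OpenVPN, see text)")
    if not aead:
        info.warnings.append("CBC mode: data integrity rests entirely on the HMAC")
    if kx == "DHE":
        info.warnings.append("finite-field DHE: strength depends on the server's DH group size")
    return info


def audit(suites: List[str]) -> Dict[str, List[str]]:
    """Map each suite name to its warnings; an empty list means nothing was flagged."""
    return {s: parse_suite(s).warnings for s in suites}


if __name__ == "__main__":
    for suite, warns in audit(SAMPLE_SUITES).items():
        print(f"{suite:32} {'OK' if not warns else '; '.join(warns)}")
```

Run it against the suites a provider advertises and the warnings list tells you at a glance which of the handshake, cipher and hash properties discussed in this section the suite actually delivers.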

RSA key encryption

RSA-2048 key encryption is considered secure, although a case can be made for choosing even stronger 3072-bit or 4096-bit RSA encryption. RSA-2048 is now the minimum standard for commercial VPN providers.

SHA hash authentication

A Secure Hash Algorithm (SHA) is a cryptographic hash function used (among other things) to authenticate OpenVPN connections. SHA1 is broken, and should therefore never be used to simply authenticate encrypted data. SHA-2 (up to SHA-384) should be used for this instead, as OpenVPN does not support SHA3.

OpenVPN, however, does use SHA1 for HMAC (Hash Message Authentication Code) authentication. HMAC SHA1 is much less vulnerable to collision attacks than a standard SHA1 hash: an attacker would first need to break the HMAC construction to reach the underlying hash before even attempting collisions on it. Use of HMAC SHA1 in OpenVPN is therefore not considered a weakness.
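To make the HMAC point concrete, here is an added example (not OpenVPN code) that builds HMAC-SHA1 from its RFC 2104 definition and uses it to authenticate constructed packets. The secret key enters the hash twice, so a forger needs the key, not just a SHA-1 collision, to produce a valid tag; a flipped ciphertext bit or a different key is rejected. The packet layout (body followed by a 20-byte tag) and the key are constructed for the demo and are not OpenVPN's on-the-wire format.

```python
"""HMAC-SHA1 from the RFC 2104 definition, used to authenticate constructed packets."""
import hashlib
import hmac

BLOCK_SIZE = 64   # SHA-1 works on 64-byte blocks; HMAC pads the key to this length
TAG_LEN = 20      # SHA-1 digest length


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)) with H = SHA-1."""
    if len(key) > BLOCK_SIZE:             # over-long keys are hashed down first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()


def tag_packet(key: bytes, body: bytes) -> bytes:
    """Constructed packet format: body || tag."""
    return body + hmac_sha1(key, body)


def verify_packet(key: bytes, packet: bytes) -> bool:
    """Recompute the tag over the body and compare in constant time."""
    if len(packet) < TAG_LEN:
        return False
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(hmac_sha1(key, body), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built construction against Python's hmac module."""
    return hmac_sha1(key, message) == hmac.new(key, message, hashlib.sha1).digest()


def demo() -> dict:
    key = b"constructed-demo-hmac-key"            # constructed; a real key is random
    good = tag_packet(key, b"ciphertext-bytes-of-one-constructed-packet")
    tampered = bytearray(good)
    tampered[0] ^= 0x01                           # flip one bit of the ciphertext
    return {
        "genuine_accepted": verify_packet(key, good),
        "tampered_rejected": not verify_packet(key, bytes(tampered)),
        "wrong_key_rejected": not verify_packet(b"some-other-key", good),
        "matches_stdlib": matches_stdlib(key, b"any message")
                          and matches_stdlib(b"k" * 100, b"long-key case"),
    }


if __name__ == "__main__":
    print(demo())
```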


Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) is a system whereby a new and unique private encryption key (from which no further keys are derived) is generated for each OpenVPN session. That is, each new OpenVPN session uses an ephemeral key exchange.

If PFS is not used, then the same key is used each time you connect to the VPN server, which makes the connection much easier to hack. OpenVPN is considered to be very secure (even against the NSA!), but only if Forward Secrecy is used.

One advantage of both DH and ECDH key exchanges is that they provide PFS, so it does not need to be implemented separately in OpenVPN.
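The difference between an ephemeral and a reused key exchange is easiest to see in code. This added example (not OpenVPN's handshake) runs a Diffie-Hellman agreement in two modes: the server either draws a fresh exponent per session (DHE, which is what gives PFS) or reuses one long-lived exponent (static DH). A passive eavesdropper records only the two public values; the example then shows that a server secret leaked later recovers every recorded static-DH session key but none of the DHE ones. The group (2^127 - 1 with generator 5) is a toy chosen for speed, far too small for real use, and the RSA signature that OpenVPN puts over the server's DH value is not modelled.

```python
"""Ephemeral (DHE) versus static Diffie-Hellman: what Perfect Forward Secrecy buys."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

P = 2**127 - 1   # toy modulus: prime, but nowhere near a real 2048-bit+ DH group
G = 5            # toy generator


def _random_exponent() -> int:
    return secrets.randbelow(P - 3) + 2


def _session_key(shared_secret: int) -> bytes:
    # Real handshakes run the shared secret through a KDF; SHA-256 stands in here.
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def handshake(server_exponent: Optional[int] = None) -> Tuple[bytes, Dict[str, int]]:
    """One client/server key agreement.

    server_exponent=None -> the server draws a fresh exponent (DHE, PFS).
    server_exponent=b    -> the server reuses a long-lived exponent (static DH).
    Returns (session_key, transcript); the transcript is all a passive
    eavesdropper sees on the wire: the two public values.
    """
    a = _random_exponent()                                  # client is always ephemeral
    b = server_exponent if server_exponent is not None else _random_exponent()
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    client_key = _session_key(pow(pub_b, a, P))
    server_key = _session_key(pow(pub_a, b, P))
    assert client_key == server_key                         # agreement without sending the secret
    return client_key, {"A": pub_a, "B": pub_b}


def recover_from_leaked_exponent(transcript: Dict[str, int], leaked_exponent: int) -> bytes:
    """What an attacker with a recorded transcript and a later-leaked server exponent computes.

    For static DH this is the genuine session key. For DHE the per-session exponent
    was discarded after the handshake, so whatever leaks later is unrelated to it.
    """
    return _session_key(pow(transcript["A"], leaked_exponent, P))


def compare_modes() -> Dict[str, bool]:
    static_b = _random_exponent()                 # the server's long-lived static secret
    k_static, t_static = handshake(static_b)
    k_dhe1, t_dhe1 = handshake()
    k_dhe2, _ = handshake()
    return {
        # static DH: one leaked secret retroactively exposes every recorded session
        "static_session_recovered": recover_from_leaked_exponent(t_static, static_b) == k_static,
        # DHE: each session has an unrelated key, and a leaked long-lived value does not help
        "dhe_sessions_differ": k_dhe1 != k_dhe2,
        "dhe_session_recovered": recover_from_leaked_exponent(t_dhe1, static_b) == k_dhe1,
    }


if __name__ == "__main__":
    print(compare_modes())
```

The last flag comes out False only because the DHE exponent never existed anywhere an attacker could later obtain it; that, rather than any difference in the arithmetic, is the whole of the PFS guarantee.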

Dedicated or virtual servers?

Many VPN providers offer servers in locations all over the world. This can be very convenient for customers (and can count as a “feature”). But when it comes to security, it raises the question: who operates those servers?

Many VPN companies simply rent VPS server space in order to run OpenVPN instances. Users’ data is fully encrypted at all times, so this is not as bad for security as it may sound at first. VPS providers will keep metadata logs, but these are much more limited than those that can be kept by VPN providers themselves.

That said, a VPN provider operating its own physical (“bare metal”) servers is clearly more secure than virtual servers operated by a third-party VPS provider.

DNS leaks and IPv6 leaks

Please see my Complete Guide to IP Leaks for a full discussion on this subject. I think it sufficient to say here that a “secure” VPN service should protect its users against such problems when using its custom software.

WebRTC leaks

Again, I discuss this issue in great depth elsewhere. It is primarily a browser issue, and is easily fixed if you are aware of the problem. A few providers do manage to protect their clients against the WebRTC “bug” using either server-side firewalls or firewalls built into their custom VPN clients, but most don’t.

Because it is a browser issue, I do not blame VPN providers for not fixing the problem, but they should at least clearly flag the issue up to customers, and provide instructions on how they can fix the problem themselves.

DNS and WebRTC leaks

Providers who fail to do this are being highly irresponsible: they put VPN users at risk, because users’ IP addresses are not hidden by the VPN when they think they are, and that constitutes a major security failure.
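Pulling the encryption and leak points together, here is an added example of an OpenVPN server configuration fragment; it is not any provider's real configuration. The first block shows the weak, largely default choices the text warns against; the second shows the hardened equivalents: a SHA-2 HMAC instead of SHA1, an RSA-4096 certificate, a 4096-bit DH group and ECDHE/DHE-only TLS suites for Perfect Forward Secrecy, and the pushed DNS settings that keep Windows clients' DNS inside the tunnel. Directive names are real OpenVPN 2.3/2.4 directives; the file names and the 10.8.0.1 resolver address are placeholders.

```conf
##### Weak: the OpenVPN 2.3 defaults the article warns against #####
cipher BF-CBC             # Blowfish-128, the old default ("pretty lame")
auth SHA1                 # default HMAC digest
dh dh1024.pem             # 1024-bit DH group: too small for a DHE handshake today
# no tls-cipher line: static-RSA suites (no PFS) are also accepted
# no tls-version-min line: TLS 1.0 handshakes are still allowed
# nothing pushed for DNS: Windows clients may resolve names outside the tunnel

##### Hardened server.conf fragment #####
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt           # certificate on an RSA-4096 key (RSA-2048 is the minimum)
key server.key
dh dh4096.pem             # generate with: openssl dhparam -out dh4096.pem 4096
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC        # data-channel cipher (AES-256-GCM is available from OpenVPN 2.4)
auth SHA512               # data-channel HMAC on SHA-2, not SHA-1
tls-auth ta.key 0         # extra HMAC on control-channel packets; clients use direction 1
reneg-sec 3600            # re-key hourly so one session key covers limited traffic
push "redirect-gateway def1 bypass-dhcp"   # route all client traffic through the tunnel
push "dhcp-option DNS 10.8.0.1"            # resolver reachable only inside the tunnel (placeholder)
push "block-outside-dns"                   # Windows clients: block DNS that bypasses the tunnel
```

The tls-cipher line is what actually enforces PFS: with only ECDHE and DHE suites listed, a client cannot negotiate a static-RSA handshake at all, and the per-session keys are the ephemeral ones described in the Perfect Forward Secrecy section.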

Other secure VPN issues

Security is hard, very hard, and it is very easy for even experts to make elementary mistakes. It is not unknown, for example, for VPN providers to send users’ passwords via regular unencrypted email! Duh! I have flagged up any such issues as I have encountered them.

Conclusion

Getting security right is hard, but some VPN providers are very good at it! The secure VPN services listed above use excellent encryption, and they are on the case when it comes to the technical side of keeping your VPN connection safe.


Douglas Crawford: I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living.

11 responses to “5 Most Secure VPN Services 2016”

  1. The user id is irrelevant, these companies will give one to anybody on this planet that throws money at them. It merely grants one access to the backbone, it’s what happens on that backbone, after they gain access.

    We came here to make people aware that these networks are not as secure as the public is led to believe. Their network designs are inferior and they know it. If a key is shared, the tunnels have glass walls to an experienced user/organization. We will point you in the direction of a secure (real) VPN provider and invite you to do your own research.

    Have a nice day!

  2. People are deluded into a false sense of security with these vpn providers.

    If the certificates are shared, that means all users have the same key to unlock each others’ sessions. They can eavesdrop on each other, they are on the same backbone. IP packets can be disassembled. Traffic can be monitored. There are many levels of intrusion. Their VPN tunnels have glass walls, it’s not secure, anybody can see inside. Does one not fathom, that unscrupulous individuals/organizations will setup vpn accounts with these providers knowing this?

    You wouldn’t give a stranger a key to your house, so why would you give them a copy of your certificate. It defeats the entire purpose of encryption. A properly encrypted VPN has encrypted certificates at each end of the tunnel and those certificates are unique to only those two interfaces. Allowing anybody else a copy of that certificate, grants them access to that tunnel.

    The VPN providers all know this. Ask them, they’ll try to avoid your question.

    The more secure providers will issue your own unique certificate, those are the companies you want to deal with.

    People need to be aware of this!

    1. Hi notsosafe,

      So… let’s say that you and I are both customers of a VPN service that uses shared OpenVPN certs. I have my own login details for that service, and we are using the same cert to connect to it. How could I use this to compromise your account or internet connection (assuming that you use a strong password that I do not have access to)?

      I do agree that unique certs are preferable, but do not see how shared certs are the security nightmare that you describe.

  3. @Douglas Crawford, your site won’t allow me to reply to the original comment posted.

    I commend you for not burying the truth and letting the public be informed about the false sense of security when using vpn’s.

    It’s not the fact that your own individual account is compromised, it can be anybody’s account. Because it’s a shared certificate, that means you are compromised if another user is. Can you rely on what others do with their login credentials?

    Also, https/ssl are compromised, so it wouldn’t be too difficult to get those credentials in the first place.

    It’s the reality of the systems they setup, many vpn providers are hiding this.

    You want to make sure the VPN provider you deal with, issues your OWN UNIQUE cert/keys right from the moment you login, then NOBODY else has it but you. Otherwise it defeats the purpose, it’s like leaving the key in the deadbolt of your house, anybody can get in, because you’ve shared it.

    1. Hi notsosafe,

      – I apologize for your problems using our website. I will pass on your issue to our tech team.
      – If unique certs are not used, then individual accounts are secured with a username and password. If an adversary does not have your username and password, then your account cannot be compromised just because the certificates are shared. In other words, use of shared certs does not compromise your login credentials or compromise HTTPS. It simply means that everyone connects to the VPN servers in the same way.
      – I agree that unique certificates and keys are more secure, but I do not think that using shared certs compromises accounts in the way you describe. If someone steals one user’s login details then sure, they can connect to the service using the stolen account. I do not see how this gives them access to other users’ accounts, however.

  4. NordVPN is not secure, they use shared keys amongst all their users. The Openvpn files are available online for anybody to download. The only requirement is for someone to intercept your login credentials, which can easily be done through a web interface and then they have full access to your session.

    They should be providing unique certificates/keys locked to each user ID, and encrypting the login sessions to those certificates, which they do not do, they are all shared. When you start asking their tech support about this, they start becoming very evasive with their answers.

    Many of the other vpn providers are much the same way. So the reality is, you need to hunt down a vpn provider that guarantees you have your OWN unique certificates assigned to you ONLY, or you’re not as safe as you think you are, you can easily be eavesdropped on.

    1. Hi notsosafe,

      As you say, when pre-shared keys are used an adversary would still need to obtain your login credentials. I do not consider this as big an issue as you do, but it is an issue, and I will discuss it in my next update to this article. Off the top of my head, the only VPN provider to generate unique OpenVPN certs/keys for each customer is AirVPN (I’m sure some others do too).

  5. I truly enjoyed your article, very well written and informative. However, I don’t see the need for a VPN for anyone who’s using a smartphone, considering that for every application you choose to use, you sign an agreement which basically gives away every constitutional right that you have to any kind of privacy. That being said, the information for anyone who might think they need it is out there and available. You can shut applications off, you can actually clear every bit of the data, but the minute the phone is turned off and comes back on there are programs that put everything right back. Every carrier backs up your information with or without your permission. Google, of course, we know that they have a copy of every single thing you do every minute of every day. The phone’s allowed to take pictures, it’s allowed to turn on and off the microphone, it’s allowed to read contacts, delete contacts, it’s allowed to retrieve messages, it’s allowed to make up its own email addresses, it is allowed to basically do anything that lives. So security is a thing of the past, privacy is a thing of the past. However, what I would like to know is: once your phone has been hacked, which I know that mine has, unfortunately by someone I love, which doesn’t make it any easier, but if I get a new SIM card and I request every archive there is and delete that, how do I protect any phone from having a spyware program installed on it? Is there any safety in setting up call forwarding from the original phone to a new one using a third-party number? How do I keep it from happening again? If you could help me with that I would greatly appreciate it. Thank you so much, and thank you for your article; however overly optimistic it may have been, I still enjoyed it. Sincerely, zemindar54

    1. Hi Janice,

      – Mobile apps do send back a lot of information directly to their makers. Using a VPN is still useful, however, if you access services using their web portals via your mobile phone’s browser (I recommend using Firefox because it is open source and has some great privacy add-ons).
      – If you get a new SIM card and perform a full factory reset on your phone, this should get rid of any malware on it.

  6. Can you access the site over HTTPS or by Tor? Yes is better.
    Does a Linux version exist? Yes is better.
    Can you choose your password? Yes is better.
    Is it on 443? Yes is better.
    Does a trial or free version exist? Yes is better.
    Do you need to register for a free/trial version? No is better.
    Have you found reviews about your version? Yes is better.
    Does the name of the VPN provider appear when you go to checkip or testleak? No is better.
    Does it work with your usual apps like webmail, online streaming, Facebook etc.? Yes is better.

    1. Hi Ares,

      Security is a complex and multi-faceted thing, and your points are all valid. In this article, however, I have concentrated on technical aspects such as encryption.
