Tool to analyze VPN security, privacy aids in Consumer Reports review

VPNalyzer was used by Consumer Reports to measure the effectiveness of popular consumer VPN providers.

The VPNalyzer tool developed by CSE researchers to analyze the security and privacy of VPNs has been used in a new systematic review of popular VPN providers by Consumer Reports. With development led by Prof. Roya Ensafi and PhD candidate Reethika Ramesh, VPNalyzer aims to empower VPN users to test a number of security and privacy aspects of their provider.

VPNs (virtual private networks) have become popular with consumers for accessing region-restricted websites, protecting browsing activity on public Wi-Fi networks, and other matters of online privacy. A 2020 report by Security.org found that around 68% of US internet users were using a paid or free VPN service in 2019, either for personal use or as a work requirement.

Consumer Reports used the VPNalyzer tool to narrow down an initial list of providers up for evaluation. The tool was instrumental in narrowing the field from over 50 to just 16, using criteria such as evidence of manipulating users’ network traffic, ineffective kill switch implementation, and also good behavior such as the use of methods to prevent DNS leaks. Consumer Reports then investigated the narrowed down list of 16 VPNs further, by doing a comparative evaluation based on the Digital Standard.

“They used our data-driven methods, alongside Consumer Reports’ own testing rubrics, to come up with three VPN providers that top their list,” says Ramesh.

The VPNalyzer tool consists of a measurement test suite containing 15 measurements that test different aspects of service, misconfigurations, leakages, and security and privacy essentials.

The tool is one part of an ongoing project in Ensafi’s lab that aims to analyze the VPN ecosystem through crowdsourced empirical data, large-scale quantitative user studies, and qualitative studies surveying VPN providers. The team’s goal is to “advance the public interest, inform practical regulations and standards, enforce accountability, and empower consumers to find more trustworthy VPN products.”

Ensafi was named an inaugural Digital Lab Fellow by Consumer Reports in 2020 for her work on VPNalyzer, with support from the Alfred P. Sloan Foundation. 

Read Consumer Reports’ findings, determined in part with VPNalyzer, in the following articles:

And white paper:

VPNalyzer was developed by Ensafi, PhD candidate Reethika Ramesh, PhD student Diwen Xue, undergraduate researcher Anjali Vyas, and Leonid Evdokimov, a developer working with Ensafi’s lab. A paper detailing the VPNalyzer system will appear at the Network and Distributed System Security Symposium in February, 2022.