Proton VPN Blog
https://protonvpn.com/blog/

What is perfect forward secrecy?
https://protonvpn.com/blog/perfect-forward-secrecy/
Tue, 31 Oct 2023 11:46:43 +0000

The post What is perfect forward secrecy? appeared first on Proton VPN Blog.

Perfect forward secrecy (PFS) is a cryptographic feature of internet communication protocols that ensures even if a session is compromised, past and future sessions remain secure. It achieves this by using a new and unique private encryption key for each session. 

PFS is sometimes known simply as forward secrecy by those uncomfortable with the idea that any cryptographic feature might be “perfect”. It can also be more descriptively referred to as using ephemeral encryption keys.

Public-key cryptography

For two computers to securely communicate with each other, they must exchange encryption keys. This creates the problem of how to securely communicate the encryption keys, but this was solved in the 1970s with the development of public-key cryptography (also known as asymmetric cryptography).

With public-key cryptography, the encryption software program generates two keys — a public key and a private key. Together, these are known as a key pair. Data is encrypted with the public key, and can only be decrypted using its matching private key.

This solves the problem of how to send data securely over the internet: You make your public key widely available to anyone who wants it. They encrypt data they wish to send to you with your public key, and only you can decrypt it with your matching private key.

In practice, asymmetric cryptography is very slow compared to more conventional symmetric key cryptography (where the same key is used to encrypt and decrypt the data), and so is mainly used to transfer encryption keys (which are small). The data itself is encrypted using symmetric encryption.

Asymmetric cryptography is at the heart of the TLS key exchange used to secure your connection to HTTPS websites. Without it, you wouldn’t be able to perform online banking, securely pay for stuff on the internet, or enter personal information into an online form.


[Figure: The TLS handshake without PFS]

Asymmetric cryptography is also used to establish a secure VPN connection between your device and a VPN server. Like HTTPS, the OpenVPN VPN protocol uses TLS for this. As its name suggests, the Internet Key Exchange (IKE) part of the IPsec/IKEv2 encryption suite handles this for IKEv2 connections. 

The problem

This is all great, but there’s a problem. If the same key pair is reused many times and the long-term encryption key (such as the private key of a server) becomes compromised in some way, then an adversary will be able to decrypt all communications that were encrypted using that key pair. All VPN sessions, for example. 

This private encryption key therefore becomes a “master key” that can be used to unlock all communications with a server or company.

How perfect forward secrecy solves this problem

The solution is (at least in principle) quite simple — don’t reuse the same key pair for each session. When developers use perfect forward secrecy, the program generates a new and unique key pair for each session. In fact, it’s even possible to regenerate keys within a session (for example, after a specified period of time). When PFS is used, there is no “master key”.

[Figure: The TLS handshake with PFS]

This means that even if a session is compromised in some way, only that session is compromised. Past and future sessions remain secure. Each and every session must be individually compromised, which is a highly arduous and impractical task against modern encryption schemes.

Perfect forward secrecy explained

Although the idea behind PFS is simple, the math required to achieve it is highly complex. All modern key agreement protocols capable of PFS use a version of Ephemeral Diffie–Hellman (DHE) or ephemeral Elliptic Curve Diffie-Hellman (ECDH) to generate new keys for each session.

The Diffie-Hellman key exchange is not without controversy. Its re-use of a limited set of prime numbers makes it vulnerable to being cracked by a powerful adversary (for example, the NSA). This means that a static (non-ephemeral) Diffie-Hellman key exchange isn’t very secure, but it’s fine when ephemeral keys are used (DHE). 

ECDH is a newer form of cryptography that uses the properties of a particular type of algebraic curve to encrypt a connection, instead of a large prime number. The different math used allows ECDH to be more secure at any given key length, which makes it much more practical to implement securely.
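The difference between a reused key pair and per-session keys, as a toy model added here (not code from the original article): it uses X25519, the Curve25519 ECDH function, written out in plain Python for illustration rather than production use. The names `handshake`, `recover_with_leaked_key` and `demo` are hypothetical, all keys are random sample values, and the long-term key's role of authenticating the handshake under PFS is assumed and not modelled.

```python
import hashlib
import os

P = 2**255 - 19                     # field prime of Curve25519
BASE = (9).to_bytes(32, "little")   # standard base point u = 9


def x25519(k, u):
    """X25519 scalar multiplication (RFC 7748). Not constant-time: demo only."""
    s = bytearray(k)
    s[0] &= 248                     # clamp the scalar as the RFC requires
    s[31] &= 127
    s[31] |= 64
    k_int = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):  # Montgomery ladder, one step per bit
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def kdf(shared, client_pub, server_pub):
    """Derive a session key from the DH output and both public values."""
    return hashlib.sha256(b"pfs-demo" + shared + client_pub + server_pub).digest()


def handshake(server_priv):
    """Run one session. Returns (transcript, session_key); the transcript is
    only the public values that a passive eavesdropper could record."""
    client_priv = os.urandom(32)                 # client key is always fresh
    client_pub = x25519(client_priv, BASE)
    server_pub = x25519(server_priv, BASE)
    key = kdf(x25519(client_priv, server_pub), client_pub, server_pub)
    return (client_pub, server_pub), key


def recover_with_leaked_key(leaked_priv, transcript):
    """What a recorded transcript yields once a server private key leaks."""
    client_pub, server_pub = transcript
    return kdf(x25519(leaked_priv, client_pub), client_pub, server_pub)


def demo():
    long_term = os.urandom(32)                   # the server's long-term key

    # Without PFS: the long-term key is reused in every key exchange.
    static = [handshake(long_term) for _ in range(3)]

    # With PFS: a fresh server key per session, discarded afterwards.
    eph_keys = [os.urandom(32) for _ in range(3)]
    ephemeral = [handshake(k) for k in eph_keys]

    def broken(leaked, sessions):
        return sum(recover_with_leaked_key(leaked, t) == k for t, k in sessions)

    return (
        broken(long_term, static),       # long-term key leaks, no PFS
        broken(long_term, ephemeral),    # long-term key leaks, PFS
        broken(eph_keys[0], ephemeral),  # one ephemeral key leaks, PFS
    )


if __name__ == "__main__":
    print("sessions exposed (static, PFS, PFS with one session key leaked):", demo())
```

With the reused key, one leak exposes every recorded session; with per-session keys, the leaked long-term key exposes none, and a leaked session key exposes only its own session.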

The current state of perfect forward secrecy

Until 10 years ago, there was a pervading complacency across the technology industry about the need to secure TLS and other internet connections with PFS. 

However, the release of documents by Edward Snowden in 2013 exposed the breathtaking scale, scope, and sophistication of the NSA and GCHQ’s mass surveillance programs. One of the most shocking revelations was that the NSA adopted a “collect it all” policy — storing vast amounts of encrypted communication data that it could not currently access, but which it hoped to be able to mass-decrypt and access at some future point in time.

This was followed just a year later by the discovery of the Heartbleed bug, which could be used to compromise almost all HTTPS connections in the world. Although the bug has now been fixed, fixing it was hugely expensive, and multiple major data breaches occurred before any fix was implemented.

In both cases, the use of perfect forward secrecy would have severely mitigated the amount of damage done. Companies across the globe have since scrambled to implement forward secrecy on their servers to secure the privacy and security of their users.

Final thoughts

Perfect forward secrecy is an essential component of any secure communications over the internet. Thankfully, its use is now routine. 

Proton VPN uses perfect forward secrecy to secure all connections to our VPN servers. For example, the cipher suite used by our apps for OpenVPN includes a DHE key exchange, while WireGuard (and Stealth) uses ECDH with the Curve25519 elliptic curve.

To try out a VPN service that uses only the strongest VPN protocols, with strong encryption settings, and perfect forward secrecy, you can download Proton VPN for free.

What is a zero-day exploit and why are they dangerous?
https://protonvpn.com/blog/zero-day-exploit/
Fri, 20 Oct 2023 15:39:42 +0000

The post What is a zero-day exploit and why are they dangerous? appeared first on Proton VPN Blog.

A zero-day is a software vulnerability or security flaw in a computer system that its developers or vendors are unaware of. The term zero-day (also known as 0-day) refers to the fact that, since the developer or vendor is unaware of the vulnerability, they have zero days available to mitigate against it. 

A zero-day exploit (or attack) is a cyberattack that takes advantage of a zero-day to compromise a computer system. As with any cyberattack, they can be used to compromise systems, steal data, or execute malicious code without any prior warning or protection in place. 

Why does software have security vulnerabilities?

No software is perfect. Even relatively simple apps and programs consist of many thousands of lines of highly complex code, and many popular software suites consist of tens of millions of lines of code.

No developer, no matter how expert and security-focused they are, can guarantee that no mistakes have been made in their code, or can fully predict the security implications of their program’s interactions with the host operating system, with other apps installed locally on the same computer, with backend APIs and other cloud-based infrastructure, and more.

This means all but the simplest software has multiple vulnerabilities and weaknesses that can potentially be abused to compromise the software itself, the system it runs on, or even all systems connected to it over a network.

To address this problem, developers routinely check their code for bugs and other issues that might be a security risk. They then write new code to fix or mitigate against the issues they discover, and release these fixes to the public as security updates or patches.

Unfortunately, developers and other legitimate security researchers aren’t the only people who scour software code with the aim of uncovering vulnerabilities. When a hacker discovers a vulnerability in a program before its developers do, it’s called a zero-day.

What is a zero-day exploit?

A zero-day exploit is malicious code written to leverage a zero-day vulnerability. The exploit can then be used to perform a cyberattack. Zero-day exploits are particularly dangerous because the developer is simply unaware of the vulnerability, and therefore has no opportunity to write a patch or otherwise mitigate against the issue.

This often means that the only defenses against a zero-day exploit are routine security measures such as intrusion detection systems, behavior-based anomaly detection, and network monitoring.

Developers often first become aware of zero-days when they are actually exploited — that is, when they are used to attack a system or organization running the affected software. However, it is entirely possible for zero-days to be repeatedly exploited by many cybercriminals over long periods of time before developers even realize their software is under attack (the Pegasus zero-day discussed later in this article is a good example of this).

Who uses zero-day exploits?

Cybercriminals

Criminal hackers routinely use zero-day exploits to steal data or implant malware (such as keyloggers or ransomware) on target systems.

Many hackers who research and discover zero-days don’t exploit the zero-days themselves. Instead, they sell them on the dark web, where there is a thriving market for zero-days. This can be highly lucrative for the discoverers of zero-days, while being less risky than performing the actual criminal attacks themselves.

It’s not uncommon for hackers to offer software developers the first chance to buy zero-days for their own software, and some “white hat” hackers will even voluntarily disclose zero-days to developers without asking for compensation.

Cyber warfare

State-level actors particularly value zero-days that can be exploited to target networks and systems relating to national infrastructure and national security. They often hoard such knowledge as powerful weapons in their cyber warfare arsenals. 

Corporate espionage

Commercial companies sometimes use zero-day exploits to steal information or otherwise gain an edge over their competitors.

Government agencies

It has been widely documented that government agencies such as the United States’ National Security Agency (NSA) and the UK’s GCHQ use zero-day exploits to gain backdoor access to domestic companies. Companies that provide communications or internet access and infrastructure hardware that allow for mass surveillance are particular targets.

How to prevent zero-day exploits

Since zero-day attacks exploit vulnerabilities that are unknown to the developers of the software you use, there’s no reliable way to prevent them. However, there are steps you can take to enhance your personal cybersecurity, reduce the risk of falling victim to such attacks, and mitigate against the damage these attacks can cause.

1. Keep your software updated

Regularly update your operating system, web browsers, and software applications to ensure you have the latest security patches. Zero-days are often exploited in outdated software, and when a zero-day is discovered and developers patch it, you’ll be protected against it. 

2. Use a reputable anti-malware program

Install and maintain a trusted antivirus or anti-malware app on your computer, and keep it up to date. This can help detect and block known malware and suspicious files. Software capable of performing heuristic analysis is particularly useful against zero-days and other unknown threats (such as virus variants in the wild).

3. Use a firewall

Firewalls allow you to monitor and control network traffic as it enters and exits your computer. Enabling your computer’s built-in firewall or using a third-party firewall can help block unauthorized access to your system.

4. Use strong, unique passwords

Create strong, unique passwords for your online accounts and avoid using the same password across multiple sites. A good password manager, such as Proton Pass, can generate and store complex passwords securely, remembering them so you don’t need to. 

5. Enable two-factor authentication (2FA)

Whenever possible, enable two-factor authentication for your online accounts. This provides an extra layer of security by requiring a second authentication method, such as a one-time code from a mobile app or a text message. Proton Pass has a built-in two-factor authenticator.


6. Be cautious with email links

Zero-day attacks can often begin with phishing emails. Be skeptical of unsolicited emails and links in emails, especially if they come from unknown sources. Don’t click on suspicious links or download attachments from untrusted senders. 

7. Regularly back up your important data

Regularly back up your important data to an external drive or cloud storage. This can protect your files in case of a ransomware attack or other data loss.

8. Regularly review your app permissions

On your mobile devices, review the permissions you give to the apps you install. Ensure your apps only have access to the data and features they truly need.

9. Disable features and services that you don’t need

Any code running on your device can be exploited, so features, apps, and services that you don’t use are an unnecessary security risk and are often targeted by hackers. For example, a zero-day in Apple’s iMessage app allowed the Israeli NSO Group to hack into at least one Bahraini activist’s iPhone.

Notable zero-day exploits

The Zero Day Initiative recorded a single vulnerability in 2005. By 2016, this had risen to 700 vulnerabilities, and as of November 2023, the organization recorded over 1,550 zero-day vulnerabilities.

Some of the most infamous zero-day exploits include:

EternalBlue

A powerful zero-day exploit developed by the US National Security Agency (NSA) sometime around 2011, EternalBlue exploits a vulnerability in Windows’ Server Message Block (SMB) protocol, allowing attackers to run code on target computers. 

The NSA knew about this Windows vulnerability for around five years, and allegedly only warned Microsoft about the exploit once EternalBlue had fallen into the wrong hands. Microsoft released a patch for the vulnerability, but many Windows users don’t update their systems. 

Since escaping the NSA, the EternalBlue exploit has been used in many high-profile cyberattacks, notably being used by hackers to spread the notorious WannaCry ransomware in 2016.

Stuxnet

In 2010, a self-replicating computer worm caused the gas centrifuge motors at a number of nuclear facilities around the world to self-destruct without triggering the alerts and safeguards that should be in place. 

Although never conclusively proved, it is widely speculated that Stuxnet was developed by Israel, working in collaboration with the United States, to impede Iran’s nuclear program at its Natanz nuclear facilities. However, once “in the wild”, Stuxnet infected numerous nuclear facilities around the world. 

Yahoo! data breach

Yahoo! has been the victim of a number of high-profile data breaches in recent years, but the first of these, which occurred in August 2013 as a result of a zero-day attack, is notable for its sheer scale.

Now considered the largest known breach of its kind, in 2016 Yahoo! revealed that some three billion of its user accounts containing sensitive information, including passwords and unencrypted security questions and answers, were compromised.

Verizon was in the process of acquiring Yahoo! when the news broke, resulting in about $350 million being wiped from the purchase price. A zero-day exploit in Yahoo!’s code caused the breach.

Pegasus

A spyware tool developed by the Israeli company NSO Group, Pegasus has been used to target journalists, activists, and politicians around the world. Pegasus exploits zero-day vulnerabilities in iOS and some Android devices to gain access to sensitive data, including passwords, contact lists, calendar events, text messages, and live voice calls.

Pegasus has been targeted at numerous politicians and human rights activists around the world, including the Egyptian prime minister, French President Emmanuel Macron and 14 of his ministers, and political opponents of Hungarian Prime Minister Viktor Orbán.

Final thoughts

Zero-day exploits are often devastating because it’s all but impossible to prevent or effectively mitigate against something you don’t even know exists. However, individuals, companies, and software developers can minimize the risk and respond effectively to security breaches by being vigilant, staying informed, and following best practices.

What is a dedicated IP address and how can it help your business?
https://protonvpn.com/blog/dedicated-ip-address/
Fri, 06 Oct 2023 11:22:22 +0000

The post What is a dedicated IP address and how can it help your business? appeared first on Proton VPN Blog.

A dedicated IP address is a fixed or static internet protocol (IP) address that’s guaranteed not to change for as long as you lease it.

An IP address is a number that uniquely identifies every device that connects directly to the internet (where devices connect to the internet via a router/modem, for example, the IP address is that of the router).


Most ISPs dynamically assign IP addresses, issuing new ones as required. In practice, IP addresses issued by ISPs don’t change very often, but they can change at any time. 

Although not a major problem for most domestic customers, this can be very inconvenient for businesses who operate resources that must be accessible from the internet — such as corporate VPN intranets and database servers. Users of these resources need to know the IP addresses on which these resources can be accessed.

Some ISPs offer dedicated (also known as static) IP addresses to business customers. These provide companies with one or more fixed IP addresses that are guaranteed to be the same for as long as they maintain the lease.

How datacenters and VPNs handle IP addresses

Datacenters house banks of servers and then rent use of these servers to mainly business customers. To make these servers accessible to their customers from the internet, datacenters lease dedicated IP addresses from their ISPs.

To offer their services in many countries, commercial VPN services rent server space from third-party datacenters. (In Proton VPN’s case, we only ever use bare-metal servers that we have complete control over, and use full-disk encryption so that only our own engineers can access their contents).

Most VPN services (including Proton VPN) use shared IP addresses, which means that often hundreds of customers at a time connect to the same IP address. If the VPN service uses bare-metal servers (as it should), this will be the IP address of the server itself.

Shared IP addresses are great for privacy, as it makes it harder to identify an individual who is connected to that IP address. Unfortunately, it’s not so good for businesses who want the privacy and security advantages a VPN can provide for their organization, but who also need their company resources to be available from the internet.

To address this problem, some VPN services offer dedicated IP addresses. Like the dedicated IP addresses offered by ISPs and datacenters, these don’t change for as long as you lease them and allow you to access company resources from the internet.

Benefits of a dedicated IP address

There are numerous benefits for businesses that lease one or more dedicated IP addresses:

Secure remote access to your business servers

With a dedicated IP address, you can ensure that only authorized staff can access your company servers and resources. Anyone trying to access your servers must be connected to a special VPN server dedicated solely to your business and available only to your organization members.

This is particularly useful if your company employs remote workers, as it allows them to securely access company resources while working from home. 

Segmented access to your online resources

Traditional dedicated IP addresses allow you to access resources that your company hosts on its own servers or on server space rented from a datacenter. 

An advantage of using dedicated IP addresses from a VPN service such as Proton VPN is that you can use dedicated IP addresses to restrict access to third-party online resources such as cloud storage services, online communication and collaboration platforms, CRMs, HR management tools, and more.

Further, the flexible nature of VPN-based dedicated IP addresses allows you to provide granular segmented access to your company’s online resources. That is, you can restrict access to resources based on dedicated IP addresses that only certain staff members can access.

For example, you might run a company that leases three VPN-based dedicated IP addresses. All staff members can use server #1 to access commonly used company resources such as your CRM and collaboration platforms. Only some staff members can use server #2, which provides need-to-know access to specific company resources, and only senior staff members can access server #3, allowing them to see staff management tools and other sensitive resources. 
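The three-server arrangement above, sketched as the allowlist check a self-hosted resource might run (an added example, not Proton VPN code). The addresses are constructed values from documentation ranges, and the resource names, `TRUSTED_PROXIES` subnet and function names are assumptions. The sketch also handles the case where the resource sits behind a reverse proxy, so the source address has to be taken from `X-Forwarded-For` without trusting values a client can set itself.

```python
import ipaddress
from typing import Optional

# Constructed sample data: one dedicated IP per VPN server in the example.
SERVER_1 = ipaddress.ip_address("203.0.113.10")   # all staff
SERVER_2 = ipaddress.ip_address("203.0.113.20")   # need-to-know staff
SERVER_3 = ipaddress.ip_address("203.0.113.30")   # senior staff

# Hypothetical resources mapped to the dedicated IPs allowed to reach them.
POLICY = {
    "crm": {SERVER_1},
    "project-archive": {SERVER_2},
    "hr-admin": {SERVER_3},
}

# Assumed subnet of our own reverse proxies; only these may supply the header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer: str, x_forwarded_for: Optional[str] = None):
    """Return the address to authorize, or None if it cannot be determined.

    The socket peer address is authoritative. X-Forwarded-For is consulted
    only when the peer is one of our proxies, and is read right to left so
    that entries prepended by the client are never reached.
    """
    addr = ipaddress.ip_address(peer)
    if x_forwarded_for is None or not _is_trusted_proxy(addr):
        return addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                      # malformed header: fail closed
        if not _is_trusted_proxy(hop_addr):
            return hop_addr
    return None


def is_allowed(resource: str, peer: str, x_forwarded_for: Optional[str] = None) -> bool:
    """Default-deny check of a request's source against the resource policy."""
    allowed = POLICY.get(resource)
    if allowed is None:
        return False                         # unknown resource: deny
    addr = client_ip(peer, x_forwarded_for)
    return addr is not None and addr in allowed


if __name__ == "__main__":
    print(is_allowed("crm", "203.0.113.10"))                        # staff via server #1
    print(is_allowed("hr-admin", "198.51.100.7", "203.0.113.30"))   # header from untrusted peer
```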

Pain-free access to online services

If you use a VPN service to protect the privacy of your staff members, the use of shared IP addresses can make using online services such as banks, AWS, and GitHub difficult because they will continually serve up CAPTCHAs or use other means to verify your identity.

This is because shared IP addresses can be abused by other customers. Dedicated IPs solve this problem, since your IP address isn’t shared with anyone else.

Emails are less likely to be sent to the spam folder

Another problem with using shared IP addresses is that there’s always the possibility other users will abuse the VPN service to send spam emails.

When email services like Gmail detect the abuse, they often simply blocklist the IP address the spam emails were sent from so that they get sent directly to their users’ spam folders. 

Alternatively, the email service may employ additional checks to ensure emails from the shared IP are legitimate before allowing them to find their way into users’ inboxes. This can dramatically slow down the delivery of emails.

With a dedicated IP address, you can be sure none of this will happen. Only emails belonging to your company will be sent using your dedicated IP address, so there’s little danger of it being flagged as suspicious or spam. This means it will be delivered promptly and directly to your partners’ and customers’ inboxes.

Helps to defeat censorship

If your company or organization is based in an authoritarian country, restrictions on your access to the free and open internet can damage your business. In such situations, it’s common for businesses to use VPN services to evade the restrictions, but this often simply leads governments to block IP addresses belonging to VPN services.

A dedicated IP address that is unique to your business is unlikely to be blocked in this way, allowing your staff to have the unrestricted access to the internet that their jobs demand, and for the outside world to do business with your company. 

Final thoughts — Proton VPN for Business

Proton VPN is trusted by journalists, activists, and ordinary people around the world to protect their privacy and defeat censorship. With our new Proton VPN for Business initiative, you can also protect your business using our service.

With Proton VPN for Business, you can lease VPN-based dedicated IP addresses that provide much greater flexibility than traditional corporate VPN intranet solutions. In addition to allowing remote workers to securely access your company’s resources, these allow you to secure access to the online platforms your company relies on, and to segment access to resources on a need-to-know basis.

What is IKEv2?
https://protonvpn.com/blog/ikev2/
Fri, 29 Sep 2023 09:52:44 +0000

The post What is IKEv2? appeared first on Proton VPN Blog.

IKEv2 is a VPN protocol used to secure VPN connections. Part of the IPSec protocol suite, it is sometimes (and strictly speaking, more correctly) referred to as IKEv2/IPSec.

A VPN protocol is a set of instructions or rules that determine how the connection between your device and the VPN server is made.


The protocol determines how secure and fast a connection is. OpenVPN and WireGuard are alternative VPN protocols that we now use exclusively on official Proton VPN apps (plus Stealth, which is based on WireGuard). However, you can still set up Proton VPN using IKEv2 on third-party VPN clients.


IKEv2 is the VPN protocol officially supported on all Apple devices (Mac computers, iPhones, and iPads), but the way that Apple implements VPN connections is badly flawed.

What is IPSec?

Internet Protocol Security (IPSec) is a flexible protocol suite that provides a framework for securing VPN connections. Crucially, it:

  • Sets up the key exchange between your device and the VPN server. 
  • Provides authentication to verify the source of data packets and ensure they haven’t been tampered with during transit.
  • Encrypts and decrypts data sent over the VPN connection.

As a framework rather than a complete solution itself, IPSec supports multiple protocols and encryption standards to perform these functions.

What is IKEv2?

IKEv2 is the second iteration of the Internet Key Exchange (IKE) protocol. Originally developed by Microsoft and Cisco as part of the IPSec suite, there are now many open-source versions of the protocol.

IKE is used to set up a security association (SA) for IPSec when connecting your device and the VPN server. That is, it’s responsible for negotiating a set of mutually agreed-upon keys and algorithms to be used by both parties. 

IKE is built on the Oakley protocol and Internet Security Association and Key Management Protocol (ISAKMP). It uses X.509 certificates for authentication and a Diffie-Hellman exchange (DHE) to secure the key exchange.

When IPSec is used with IKEv1, it’s often referred to simply as IPSec. IKEv2 was released in 2005 and improves on IKEv1 in several key ways, including using less bandwidth and being able to detect if a connection is still active. If it isn’t, IKEv2 can quickly re-establish a dropped connection.

Another improvement is its support for the Mobility and Multihoming (MOBIKE) protocol, which allows IKEv2 to switch networks easily. For example, when moving between hotspots or between home WiFi and mobile connections.

IKEv2 is also more resistant to denial of service (DoS) attacks than IKEv1, is more efficient in terms of the number of cryptographic mechanisms it uses, and can easily traverse through NAT firewalls.

Is IKEv2/IPSec secure?

The consensus among cryptographic experts is that IKEv2/IPSec is a secure VPN protocol. 

In 2013, John Gilmore, a technology specialist and founding member of the Electronic Frontier Foundation, published a white paper outlining how IPSec was deliberately weakened during its design phase. Additionally, revelations obtained by Edward Snowden about the US National Security Agency (NSA)’s Bullrun program cast further doubt on the security of IPSec. 

[Image: Slide obtained by Edward Snowden showing that GCHQ has unspecified capabilities against IPSec]

However, IPSec has no known weaknesses when implemented with IKEv2 (Apple’s implementation of IKEv2 is problematic, but the problem lies with Apple, not IKEv2/IPSec itself).  

Can I use IKEv2 with Proton VPN?

Proton VPN no longer supports IKEv2 in our official apps, but the protocol remains supported on our servers. This means you can configure third-party apps to use IKEv2 with Proton VPN.

Final thoughts — IKEv2 vs. OpenVPN and WireGuard

Although IKEv2 is considered secure, OpenVPN is considered even more secure and can be run over TCP for increased censorship resistance. WireGuard is considered to be as secure as OpenVPN, but is also much faster. Under Proton VPN’s implementation, it can also run over TCP.

So while there is nothing wrong with IKEv2, there is also little reason to use it over OpenVPN or (especially) WireGuard these days. 

IKEv2 continues to be widely supported because it’s the VPN protocol officially supported on Apple devices. But as we’ve already mentioned, Apple’s implementation of IKEv2 is best avoided.

Is Amazon Alexa spying on you?
https://protonvpn.com/blog/alexa-spying/
Tue, 26 Sep 2023 15:47:34 +0000

The post Is Amazon Alexa spying on you? appeared first on Proton VPN Blog.

“Amazon and third parties (including advertising and tracking services) collect smart speaker interaction data. We find that Amazon processes voice data to infer user interests and uses it to serve targeted ads on-platform (Echo devices) as well as off-platform (web). Smart speaker interaction leads to as much as 30X higher ad bids from advertisers. Finally, we find that Amazon’s and skills’ operational practices are often not clearly disclosed in their privacy policies.”

Thus concludes a recent, damning study of the privacy of the Amazon smart speaker ecosystem from the University of Washington, University of California, and Northeastern University. So, to answer the question posed in our headline: yes, your Amazon Alexa is spying on you. With an estimated 35% of adults (some 91 million people) now owning a smart speaker in the United States alone, this is alarming.

This is a view strongly held by the US Federal Trade Commission, which in May 2023 imposed a $25 million fine on Amazon over privacy violations involving its Alexa voice assistant (and its doorbell camera, Ring). 

What is Alexa?

Amazon Alexa is a virtual assistant technology you can control using voice commands. Alexa is built into many Amazon devices but is best known for its use in the Amazon Echo, Amazon Dot, and Amazon Studio smart speakers, where you can instruct it to play music, create to-do lists, control other smart devices around the home, provide live news, weather, and traffic reports, and much more.

Alexa is also built into third-party hardware, such as smart TVs and sound bars. 

What’s supposed to happen when you use Alexa?

According to Amazon, Alexa devices are always listening but only start recording when you say the wake word (by default, “Alexa”) or press a button on the Alexa device. This behavior can be customized, but blocking vocal activation undermines the purpose of having an Alexa device in the first place. 

When Alexa hears its wake word, it sends the audio “snippet” containing the wake word to Amazon, where it undergoes a cloud-based wake word verification process designed to ensure the wake word was actually spoken.

If the wake word is verified, Alexa will record everything it hears for the next few seconds and send this recording to Amazon’s cloud computers, where it’s processed and (hopefully) triggers the correct response.  

Alexa devices are supposed to give visual cues so that you can always tell whether they’re actively listening to your conversation. For example, an Amazon Echo will show a circular blue light after it hears its wake word and is actively listening.

Alexa collects personal information

Amazon makes no secret of the fact that it links every interaction you have with your Alexa to your Amazon account and uses them to profile you for targeted advertising. In some ways, this is no different from tracking your web browsing history using cookies and recording your purchase and search history on the Amazon website.

However, thanks to its highly versatile nature (answering your obscure questions, playing your favorite radio shows and podcasts, curating your music tastes, managing your smart devices, and so on), Alexa provides Amazon with a much more detailed and intimate picture of your life than it could ever hope to gain through your shopping history.

In fact, the nature of information gained from your interactions with Alexa devices is so valuable that (as the research paper quoted earlier reports) advertisers will pay Amazon up to 30 times more for it than for information gathered by more traditional means. 

By default, Amazon keeps your recordings forever. However, you can delete them entirely via your device’s privacy settings or limit how long Amazon keeps them before they’re deleted. (At least in theory — see the FTC case against Amazon, discussed below). 

What actually happens when you use Alexa

Alexa listens to more than it should

A 2019 study by researchers from Northeastern University and the Imperial College of London found that smart speakers (including Alexa devices) misheard their wake words and accidentally activated up to 19 times a day.

Around half of these accidental activations resulted in recordings longer than six seconds. Echo Dot 2nd Generation devices were among the worst offenders, with activation times of 20-43 seconds.

Amazon employees listen to your voice recordings

Bloomberg reported (also in 2019) that Amazon employs a team of thousands of people worldwide to listen to Alexa voice recordings, transcribe them, and feed them back into the Alexa algorithm. 

Amazon claims this is to improve Alexa’s AI and natural language recognition capabilities and that “employees do not have direct access to information that can identify the person or account”.

However, this statement is clearly disingenuous. A screenshot obtained by Bloomberg showed that while employees don’t have direct access to a user’s full name and address, the transcription is associated with an account number, the user’s first name, and their device’s serial number.

Not only are employees expected to transcribe accidental interactions with Alexa, but they can often hear background conversations, which include private details like names and banking information. When this happens, guidelines stipulate that they click a “critical data” box and move on. 

Amazon has defended the practice, saying anyone can opt out of having their voice recordings analyzed by humans via their account settings. But even if you opt out, your recordings may be analyzed by hand by a person with access to your account details as part of Amazon’s regular review process. 

Alexa makes mistakes

In 2018, Alexa recorded a private conversation without the wake word even being uttered and sent that recording to a random contact on the Alexa owner’s contact list. In the same year, it also mistakenly sent 1,700 Alexa voice recordings to another user.

Amazon shares a lot of Alexa data with third parties

Alexa skills are small free apps that can add functionalities to your Alexa device, and by allowing some 200,000 skills from third-party developers onto the Amazon Marketplace, Alexa’s usefulness has greatly expanded. 

However, this usefulness comes at a steep price. Amazon does impose strict privacy restrictions on the data these third-party “skills” are allowed to access. For example, they can’t collect highly sensitive information such as your social security number or bank account details. They must also ask for permission to access certain pieces of personal information, such as your email address, phone number, or location. 

The 2022 research paper confirms previous research that thousands of third-party skills developers abuse Amazon’s privacy policies and actively collect voice data stored on Alexa devices, using it to deliver targeted advertising. They also share this data (and other Alexa interactions) directly with other third parties, with no oversight or control from either Alexa users or Amazon itself.

Many third-party skills don’t publish any privacy policy whatsoever, and even when they do, they don’t adhere to it.

Amazon doesn’t always delete your data when it says it does

The crux of the recent (2023) FTC settlement with Amazon over Alexa is that Amazon failed to delete active child accounts, some voice recordings, and geolocation information after it was asked to do so by users and parents. 

“Amazon prominently and repeatedly assured its users, including parents, that they could delete voice recordings collected from its Alexa voice assistant and geolocation information collected by the Alexa app. The company, however, failed to follow through on these promises when it kept some of this information for years and used the data it unlawfully retained to help improve its Alexa algorithm.”

According to the FTC, Amazon has thus fallen foul of the Children’s Online Privacy Protection Act (COPPA). (At the time of writing, the FTC’s settlement with Amazon must still be approved by a federal court.)

Final thoughts

Amazon Alexa devices are undoubtedly amazing pieces of technology that can bring a level of convenience into our lives that would have been the stuff of science fiction only a few years ago.  

But this convenience comes at a price — your privacy. Even if you take Amazon at its word, Alexa knows an awful lot about you. Amazon uses this information to profile you and target you with ever more personalized ads, or it sells this information to unknown third parties that you never consented to share your data with. As noted earlier in this article, information obtained through Alexa is up to thirty times more valuable than data gained in more traditional ways.

But as the recent FTC ruling shows, you can’t always trust Amazon. It also has little or no control and oversight over third-party skills that actively abuse your privacy. 

So what can you do if you care about privacy but can’t do without the convenience of smart speakers? Of the big players in the commercial virtual assistant space — Amazon Alexa, Google Assistant, and Apple’s Siri — Apple offers the greatest privacy. Although Apple doesn’t allow you to delete past Siri recordings, it doesn’t tie recordings to your account, and it doesn’t allow third-party integrations. 

For those who prefer open-source options and don’t mind making some compromises to improve their privacy, Mycroft is a free open-source natural language voice assistant designed to run on Linux-based devices. DIY enthusiasts can install Mycroft on a Raspberry Pi, or even flash an Amazon Echo’s firmware to replace Alexa with Mycroft! If you’re less technically-minded, you can purchase the Mycroft Mark II smart display off-the-shelf (but please be aware that Mycroft AI, as a company, will soon be shutting down).

What is a VPN kill switch and when should you use one? https://protonvpn.com/blog/vpn-kill-switch/ Fri, 15 Sep 2023 15:42:30 +0000

A kill switch is a security feature that protects your privacy. It ensures that you don’t connect to the internet thinking you’re protected by a VPN when you aren’t. 

When you use a virtual private network (VPN), your device connects to a VPN server run by a VPN service such as Proton VPN. The connection between your device and the VPN server is encrypted.

This means your internet service provider (ISP) can’t see what you do on the internet (only that you’ve connected to a VPN server), and anyone on the internet (such as websites and P2P peers) can’t see your real IP address (only that of the VPN server).

However, if your VPN connection fails for any reason, your ISP will be able to see any connections you make on the internet, and websites, P2P peers, and anyone else you’re connected to on the internet will be able to identify you through your unique internet protocol (IP) address.

A kill switch (if implemented correctly) prevents this. If you disconnect from a VPN server unexpectedly, a kill switch blocks all external network traffic to and from your device until either the VPN connection is reestablished or you disable the kill switch. 

How does a kill switch work?

There are basically two kinds of kill switches:

Reactive kill switches

A reactive kill switch monitors your device’s internet connection to ensure it is connected to a VPN server. If it detects that it isn’t, the kill switch closes down your internet connection. Reactive kill switches are not well regarded by security professionals for two main reasons:

1. There is an inevitable delay between the VPN connection dropping, the kill switch detecting the drop, and then terminating your internet connection. This delay might be only milliseconds, but that’s enough time for your real IP address to be exposed to the internet.

2. Reactive kill switches are usually not good at detecting connections that your operating system might make outside the VPN interface. They might, for example, monitor your IPv4 connection to ensure the VPN connection is active, while being completely unaware that your device is connecting to a server via IPv6, and thus exposing its IPv6 address.

Fortunately, these limitations mean that reactive kill switches are rarely used these days.

System-level kill switches

A system-level kill switch uses firewall rules and other platform-specific mechanisms to ensure that no traffic can enter or exit your device outside the VPN interface.

On Windows, most VPN kill switches use the Windows Filtering Platform, while Android 8.0+ features a built-in Always-On VPN & Kill Switch setting. macOS and iOS devices have their own mechanisms, but these are flawed. We’ll discuss this later in this article. 

Properly configured, a system-level kill switch makes it impossible to connect to the internet without an active VPN connection. Since no connections can enter or leave your device outside its VPN interface, if the VPN interface isn’t active, then no connections are possible.

System-level kill switches are passive, and therefore much more reliable than reactive kill switches. There is no need to detect if a VPN connection is working, so no need to close the internet connection. If the VPN connection isn’t active, then no internet connection is possible. 

The engineering required to build a good system-level kill switch also ensures that IPv6 leaks and DNS leaks are impossible when the VPN is active, and that nothing is leaked during the connection process or when switching between VPN servers.

Platforms

As noted above, system-level kill switches are built using platform-specific mechanisms. This means VPN services must develop separate kill switch solutions for each platform they support. The result is that some VPN services advertise that they offer a kill switch, but the feature is only available on some platforms.

Proton VPN offers a full system-level kill switch on all platforms that we support — Windows, macOS, iOS/iPadOS, Linux, Linux CLI (and, of course, Android). 

Kill switch modes

Usually, a kill switch only engages when you start a VPN connection, and is disabled when you manually disconnect the VPN or shut down your device. When the VPN is disconnected, you can access the internet as normal. 

It is also possible to run a kill switch so that all internet activity is disabled unless the VPN connection is active. This way of running a kill switch can be less convenient (you can’t simply turn the VPN off without additional steps required to access the internet). However, it ensures that you never accidentally connect to the internet without the VPN enabled.

This is especially effective when you boot up a device, as it prevents apps that load before the VPN client (for example, a torrent client) from establishing an internet connection before the VPN tunnel is created. 

At Proton VPN, we call this kill switch mode a permanent kill switch, which is available on our Windows and Linux apps. 
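
The difference between the two designs, and between the normal and permanent modes, can be made concrete with a small model. The following is an added example, not Proton VPN's code and not how any real kill switch is implemented: it touches no firewall, and every address, timing, interface name, and function name in it is a constructed assumption.

```python
"""Toy model: which packets escape the VPN under each kill switch design."""
from dataclasses import dataclass

# All values below are constructed for this model.
VPN_SERVER = "198.51.100.7"   # documentation-range address standing in for the VPN server
VPN_START_MS = 100            # the user connects the VPN 100 ms after boot
VPN_DROP_MS = 1050            # the tunnel fails unexpectedly
POLL_MS = 200                 # assumed polling interval of the reactive monitor


@dataclass(frozen=True)
class Packet:
    t_ms: int     # time the packet is sent
    family: str   # "ipv4" or "ipv6"
    dst: str      # destination address


def tunnel_up(t_ms):
    return VPN_START_MS <= t_ms < VPN_DROP_MS


def egress_iface(pkt):
    """Interface the OS routes the packet to.

    Assumption: the tunnel carries IPv4 only, so IPv6 always leaves via wlan0.
    Packets addressed to the VPN server itself are the encrypted tunnel carrier
    and always use the physical interface.
    """
    if tunnel_up(pkt.t_ms) and pkt.family == "ipv4" and pkt.dst != VPN_SERVER:
        return "tun0"
    return "wlan0"


def reactive_blocks(pkt):
    """Reactive design: polls the IPv4 tunnel, cuts the link once a poll sees it down."""
    detected_at = -(-VPN_DROP_MS // POLL_MS) * POLL_MS  # first poll tick at or after the drop
    return pkt.t_ms >= detected_at


def system_level_blocks(pkt, permanent=False):
    """System-level design: static default-deny rules, nothing has to notice the drop."""
    engaged = permanent or pkt.t_ms >= VPN_START_MS
    if not engaged:
        return False                  # normal mode before the VPN is started
    if egress_iface(pkt) == "tun0":
        return False                  # traffic inside the tunnel is allowed
    return pkt.dst != VPN_SERVER      # outside it, only the tunnel's own packets pass


def exposed(packets, blocks):
    """Send times of packets that reach the internet outside the tunnel."""
    return [p.t_ms for p in packets
            if egress_iface(p) == "wlan0" and p.dst != VPN_SERVER and not blocks(p)]


# Constructed traffic for one boot-to-failure timeline.
TRAFFIC = [
    Packet(20, "ipv4", "203.0.113.50"),    # app that starts before the VPN client
    Packet(200, "ipv4", "203.0.113.10"),   # normal browsing, inside the tunnel
    Packet(500, "ipv6", "2001:db8::10"),   # IPv6 connection while the tunnel is up
    Packet(1000, "ipv4", "203.0.113.10"),
    Packet(1060, "ipv4", "203.0.113.10"),  # tunnel has just dropped
    Packet(1100, "ipv4", VPN_SERVER),      # VPN client trying to reconnect
    Packet(1120, "ipv4", "203.0.113.10"),
    Packet(1180, "ipv4", "203.0.113.10"),
    Packet(1250, "ipv4", "203.0.113.10"),
    Packet(1300, "ipv6", "2001:db8::10"),
]


def compare():
    return {
        "reactive": exposed(TRAFFIC, reactive_blocks),
        "system-level": exposed(TRAFFIC, system_level_blocks),
        "system-level, permanent": exposed(
            TRAFFIC, lambda p: system_level_blocks(p, permanent=True)),
    }


if __name__ == "__main__":
    for design, times in compare().items():
        print(f"{design:24s} exposed packets at t(ms) = {times}")
```

In this model the reactive design exposes the IPv6 packet it never watched and every packet sent between the drop and the next poll, the system-level design in normal mode exposes only the packet sent before the VPN was started, and the permanent mode exposes nothing while still letting the reconnect attempt through.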

Who needs a kill switch?

A kill switch helps to ensure you never access the internet thinking that you’re protected with a VPN when you aren’t. As such, a kill switch is an invaluable privacy and security tool for activists, journalists, and anyone who uses a VPN to stay private on the internet.

It’s worth noting that when simply surfing the web, your real IP address usually only becomes exposed when you actively click on a link or type in a URL. However, this is not true for P2P downloaders, who often leave their active connections to P2P peers unattended for long periods of time. This makes using a kill switch particularly important for torrenters.

A note on kill switches and Apple

A number of vulnerabilities have been discovered in how Apple implements VPN connections on its macOS, iOS, and iPadOS platforms. This includes routing traffic from Apple apps directly to Apple, regardless of whether a kill switch is enabled. 

This problem affects all VPN services, although Proton VPN has introduced a number of measures to mitigate it.

Final thoughts

A kill switch ensures that if a VPN connection fails, your real IP address isn’t exposed to websites you visit, and the websites you visit aren’t exposed to your ISP. If privacy is even a small part of why you use a VPN, you should enable a kill switch. 

Guest networks – What they are, why you need one, and how to set them up https://protonvpn.com/blog/guest-networks/ Tue, 12 Sep 2023 08:40:55 +0000

A guest network is a separate WiFi network within your home or office network designed specifically for your guests or customers to use. 

Although run from the same router (which may also be your modem), a guest network operates as an entirely separate WiFi network, providing guests with internet access without giving them access to your main WiFi network or the devices connected to it. 

Guest networks offer several security, privacy, and network management benefits, which we’ll discuss in this article. 

What is a guest network?

A guest network is a WiFi network you run alongside your regular WiFi network. It has a completely different WiFi network name (SSID) and password and is (as the name suggests) intended for use by temporary guests.

Guest networks can be useful in your home but are invaluable for many businesses. Any public venue that offers guests WiFi access, such as a café, restaurant, bar, or hotel, will want guests using a different WiFi network than the one its staff uses to ensure staff members have sufficient bandwidth to perform their jobs. 

Similarly, an office may want to allow visitors to access the internet but not company resources such as printers, NAS drives, or confidential files shared among employees. 

Reasons to set up a guest network

There are many reasons to set up a guest network in a business or home environment.

1. Make guest access easy

Setting up a guest network allows you to set an easy-to-remember password for your guests and customers, while securing your “real” home or business network with a secure password. 

For the ultimate convenience, you could even offer a guest network with no password at all. This means neighbors and passers-by would be able to access your network without restrictions, but it might make sense under certain circumstances, for example, if you run a hotel in the countryside with few neighbors.

2. Protect shared resources on your network 

If you share folders, NAS drives, or printers across your home or office network, these will be accessible to anyone connected to your network. Creating a guest network allows you to safely provide guests and customers with internet access while reserving access to confidential resources to your own family or employees.  

Although you’re very unlikely to be hacked or be infected by malware simply from someone connecting to your WiFi, malware can easily spread (unintentionally or otherwise) through infected files that are shared across a network.

3. Manage guests’ internet access 

If you run a café or hotel, you probably don’t want guests using your WiFi to download copyrighted content, access inappropriate or illegal content, or take up your precious bandwidth to stream Netflix shows. 

On more sophisticated guest networks, you can restrict access to certain content, limit how long guests can connect to the internet, and turn the guest network off when you don’t want guests using it. You can also specify how much bandwidth is available to the guest network to ensure users of either the main network or the guest network have sufficient bandwidth.

4. Hide your real WiFi network from hackers

Once you’ve set up a guest network for visitors, you can hide your primary network’s SSID so that only people who already know it exists can access it. This isn’t a foolproof solution, but it will help protect you from more casual hackers who want access to your router.

5. Secure your network from IoT devices

Although the situation is improving, internet of things devices, such as smart speakers, Ring doorbells, smart security cameras, smart baby monitors, and smart fridges, are notoriously insecure and vulnerable to hackers.

A guest network allows you to segment access to the internet for your IoT devices, connecting them to a separate network from your main network. This won’t prevent the individual IoT devices from being hacked, but it can deter intruders from exploiting weaknesses in your IoT devices to access your primary network. 

6. VPN access  

A creative way to use guest networks is to set up a VPN connection on your router for just the guest network.  

This allows for a kind of split tunneling effect, where devices that connect to the guest network benefit from the VPN while devices on your main network don’t. 

How to set up a guest network

Most modern routers support creating a guest network, although the details will vary by manufacturer and model. 

Routers designed for home networks typically provide only limited control over guest networks, but commercial routers often allow you to filter content, restrict bandwidth, and otherwise manage your guest network in granular detail. 

If your router doesn’t offer guest networks or provides too limited control for your liking, you could flash your router with more capable firmware, such as DD-WRT or OpenWRT.

Another option is to plug a secondary router into your primary router and use it for your guest network. 

How to set up a guest network on a router

This guide uses a typical modern consumer router — the TP Link AX5400 Wi-Fi 6. Setting up a guest WiFi network is similar on most routers, but details will vary.

1. Log in to your router’s admin page. Typically, you can do this by entering the address 192.168.1.1 or 192.168.1.0 into your browser’s URL bar. Modern routers can often also be administered using a mobile app.

Many manufacturers print the router’s default admin password on a sticker attached to the router itself. Consult your router’s manual for additional details on how to log in to the admin panel.  

2. Locate your router’s guest network settings. These are typically found under the WiFi or Wireless tab.

3. Enable the guest network on whatever WiFi channels you wish, and give it a name. The 2.4 GHz channel is the slowest option, but it has the greatest range. 5 GHz and the new 6 GHz bands are much faster but have less range.

On most modern routers, you can select a smart connect option that will automatically connect users to the best channel for their needs.

4. Select a password. Since this is not your primary network, it’s usually best to have a simple password that guests can quickly remember and enter. You can even leave the password field blank to create a truly open network. 

Regardless of whether you set a password, you should always set a WiFi encryption scheme to prevent hackers from snooping on your guests’ unencrypted data.

There is no reason to use anything less than WPA2/WPA3 to secure your WiFi. 

5 (optional). As a security measure, you can hide the SSID of your primary network so that visitors will only see your guest network when they scan for WiFi connections.

Save your settings when you’re done. 

Final thoughts

If anyone other than your close family uses your WiFi, it’s a good idea to set up a guest network for them. This is especially true for businesses. Amongst other things, guest networks prevent visitors from accessing confidential resources and hogging all your bandwidth.

Can someone see my internet history if we use the same WiFi? https://protonvpn.com/blog/internet-history-wifi/ Fri, 01 Sep 2023 12:23:05 +0000

Before WiFi, you had to connect your internet-capable device to a router via an Ethernet cable. The router then connected to a modem, which connected your device to the internet. Routers and modems are so often housed in the same device that the term “router” usually refers to a combined router and modem.

These cables have been largely replaced by WiFi, a family of protocols that allow you to connect to a router wirelessly over certain radio frequencies (the 2.4 GHz, 5 GHz, and now 6 GHz bands). When you connect to a router over WiFi, it’s still useful to think of your connection as being like a wired Ethernet connection — discrete and completely separate from the connections of everyone else who is connecting to the router… until all connections converge on the router.

This means that ordinary users who share the same WiFi cannot see what anyone else is doing on that WiFi network. However, whoever controls the router can see a great deal.

What can a WiFi owner see?

Anyone with direct access to a router — usually its owner (or manager in commercial or educational contexts), but potentially also a hacker who has managed to compromise the router in some way — can see and log:

  • Your entire browsing history while connected to the router
  • How long you spend on each website
  • The exact time you connect to a website
  • The total time you are online
  • Your device’s MAC address

The widespread adoption of HTTPS over the last few years means that a WiFi owner can see which websites you visit, but can’t see what individual pages you browse or any sensitive data you enter on that website — such as web forms and payment details.

However, in (thankfully now rare) cases where HTTPS isn’t used, a WiFi owner can see everything you do on a website. 

The WiFi owner can also see the MAC addresses of all devices connected to the router, which they could potentially use to physically track you as you move between WiFi networks.

Can WiFi owners see my search history?

Search engines such as Google, Bing, and DuckDuckGo are secured with HTTPS, so while a WiFi owner can see that you’ve visited the search engine, they can’t see what you searched for once there.

But (and this is a big but), as soon as you actually click on a link that takes you away from the search engine (like a website that’s listed in the search results), the WiFi owner can see that you’ve visited that site.

Can public WiFi owners see my internet history?

Yes, and many sell this data to advertising and analytics companies, who use it to target you with ever more personalized ads. The reason you’re often required to sign in to “free” public WiFi networks using your email address and other personal details is so that your browsing can be tied to your real identity. 

You’re also likely to be required to agree to an opaquely long terms and conditions contract that allows the WiFi provider to do what it wants with your personal browsing data. This practice is especially common with commercial public WiFi providers who supply their third-party WiFi services to other businesses. 

Even when businesses don’t log or exploit your browsing history, they’ll often monitor and filter the websites you visit in real time so they can block access to illegal or inappropriate content.  

Can parents see my internet history? 

Yes, and it’s common practice to market routers with parental controls that allow parents to monitor their children’s browsing histories and block access to content they deem inappropriate for them to see. 

These logs and filters can usually be configured per device (based on the device’s IP address or MAC address), allowing parents, for example, to target different children with different levels of logging and filtering based on their age. 

Can my office, school, or college see my internet history?

Yes, and many organizations will use filters that actively flag and identify users who try to access content that is illegal, immoral, or which may otherwise be of concern. For example, many schools and universities will alert administrators if a student attempts to access websites relating to suicide or drug use. 

Can a WiFi owner see what sites I visit on my phone?

If your device connects to the internet via WiFi, then yes. A phone in this context is no different from any other device.

However, with a phone, you can connect to the internet using your phone’s mobile (cellular) data connection, bypassing the need to use a WiFi network. Please be aware, though, that your mobile provider will be able to see your browsing history instead.

What can WiFi hackers see?

On almost all modern private WiFi networks, data traveling between your device and the router will be encrypted using the WPA (WiFi Protected Access), WPA2, or the new WPA3 wireless security protocols. These will prevent hackers from using packet sniffing tools to intercept your data as it is transmitted between your device and the router.

In theory, this is also true for public WiFi networks. But these can sometimes be misconfigured, use the old (and insecure) WEP (Wired Equivalent Privacy) wireless security protocol, or even not use any wireless security at all.

In these cases, a WiFi hacker might be able to intercept your data. However, the widespread use of HTTPS means that your data (what you actually do on a website) will probably be encrypted anyway and cannot be accessed by a hacker.

Similarly, if a hacker controls the router you connect to (either by hacking a public WiFi router or by tricking you into connecting to an evil twin hotspot), HTTPS will prevent them from being able to access your data. In this case, the hacker will be able to see your browsing history while connected to the router, but this is of little interest to most hackers.

Although once a problem, the widespread adoption of HTTPS means modern criminal hackers rarely target WiFi networks.

How to protect your internet history when using WiFi

A virtual private network (VPN) encrypts all your data (including DNS queries) between your device and a VPN server run by a VPN service such as Proton VPN.

This prevents WiFi owners, hackers, internet service providers (ISPs), mobile internet providers, or anyone else sitting between your device and the VPN server from being able to access your data (in the unlikely event it’s not protected by HTTPS) or your browsing history.

Of course, if your parents see that you only connect to a single IP address (that of the VPN server) for hours at a time, they might ask some questions.

Proton VPN is an independently audited no-logs VPN service based in Switzerland, which has some of the strongest privacy laws in the world. 

Final thoughts

While other users on the same WiFi can’t see your internet history, the WiFi owner (or whoever has access to the WiFi router) can. However, it’s easy to protect your privacy from WiFi owners (and their ISPs) — just use a VPN!

Why use a VPN for business? https://protonvpn.com/blog/why-use-vpn-business/ Wed, 23 Aug 2023 11:03:50 +0000

These days, virtual private networks (VPNs) are most commonly associated with commercial consumer-facing VPN services, such as Proton VPN, that allow individuals to bypass censorship, access the internet privately, and “spoof” their geographic location. 

However, VPNs were originally developed to let remote workers securely access corporate intranets as though they were physically connected to their office’s local area network (LAN). 

This setup has become less common as businesses shift to more flexible cloud services and online tools. Instead, business VPNs have evolved into services that offer dedicated IP addresses.

Many businesses also find it very useful to provide individual VPN subscriptions to their staff to ensure they can access the internet privately. In this article, we’ll explore why many businesses use VPNs.

There are basically two ways a business can use a VPN:

These uses are by no means exclusive. Your business can protect staff members’ privacy with bulk VPN subscriptions and provide secure access to company resources via dedicated IPs. 

The advantages of bulk VPN subscriptions

Bulk VPN subscriptions for businesses work exactly like the individual VPN plans you can buy from commercial VPN services. This allows staff who are remote, hybrid, or traveling to securely connect to any VPN server located anywhere in the world. 

How a VPN works

Providing staff with VPN subscriptions gives them all the usual privacy benefits of using a VPN. A VPN’s ability to bypass censorship and access the internet using different countries’ IP addresses can be particularly beneficial in a business context, especially if you have an office or staff in a country that restricts internet access.

Bypass censorship

Staff located in countries that restrict internet access can use a VPN to access the free and open internet. This is useful because it allows employees to bypass biased local narratives and understand how situations are viewed by the international community. 

In places such as China, Russia, and Belarus, access to external news sources such as the New York Times or The Guardian is blocked. This can severely restrict staff in PR or other roles that require access to news sources outside their country to do their jobs properly.

A VPN allows staff to bypass censorship blocks and access news sources as if they were in the news sources’ country of origin.  

Bypass geo-restrictions

VPNs allow businesses to overcome geographical restrictions to access region-specific content and services. With a VPN, staff can connect to servers located in different countries, making it appear that they’re accessing the internet from those locations. 

This can be useful for market research, competitor analysis, and accessing localized business resources.

The advantages of dedicated IP addresses

A dedicated IP address is an IP address that only your organization can use. This means:

  1. The IP address will always be available to your business
  2. You don’t share it with anyone else

How dedicated IP addresses work

Learn more about dedicated IP addresses

Because the IP address belongs exclusively to your business, it offers several important and unique benefits.

Secure remote access to company resources

Dedicated VPN IP addresses allow you to restrict who can access company resources, files, and applications from remote locations. They act as secure gateways so that only authorized personnel you supply with the correct IP address can access your company’s resources. 

Whether working from home, traveling, or on-site at a client’s office, your staff can establish a VPN connection to your corporate network, effectively extending your company’s private network to their device.

This enables seamless access to internal systems and promotes productivity without sacrificing security.

Segmented access to company resources

Dedicated IP addresses also give you the flexibility to decide who can access which company resources. Employees and contractors can be given access to different VPN servers that have different IP addresses, allowing you to provide granular access to content and apps based on their roles within your organization. 

Improved collaboration

This segmented access to company resources can be used to facilitate secure collaboration between business partners, clients, and remote teams. By setting up one or more dedicated IP addresses, you can grant controlled access to network resources, ensuring secure data sharing and collaboration while maintaining privacy and security standards.

Added protection against cyberattacks

A dedicated IP address adds a layer of defense against denial-of-service (DoS) attacks by obscuring the actual IP addresses of your company’s resources.

Data privacy compliance

Many businesses must protect customer information to comply with data privacy regulations, and the thresholds they have to meet can be affected by their size, industry, and the country (or countries) they operate in. Examples include the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the USA. 

Dedicated IPs can assist a business in meeting (or even exceeding) these requirements by securely restricting access to data to those authorized to access it.

Final thoughts

Here are some specific examples of how businesses use VPNs:

  • A financial services company that uses a VPN to allow customers to securely access their personal information online.
  • A law firm that uses a VPN to allow its lawyers to securely access client files from anywhere in the world.
  • A retail company that uses a VPN to allow its employees to access the company’s inventory system from home.
  • A marketing company that uses a VPN to localize consumer product research.

Proton for Business plans allow you to protect your staff’s privacy with bulk VPN subscriptions and reserve dedicated IP addresses that you can use as doors to securely access your business’s resources and data.

In addition to the benefits of using a secure no-logs VPN, Proton for Business plans provide your company access to Proton Mail, our world-famous secure email service, plus end-to-end encrypted cloud storage and calendars.   

Introducing Proton VPN for Business https://protonvpn.com/blog/vpn-for-business/ Mon, 21 Aug 2023 13:00:40 +0000

Today, we’re happy to announce the official launch of Proton VPN for Business. Since 2016, Proton has been progressively bringing our privacy and security services to enterprises. Today, over 50,000 organizations around the world trust Proton to secure their business, representing over 10% of Proton’s annual turnover.

Ever since we launched Proton VPN, we’ve received inquiries from businesses. While we haven’t publicized it in the past, we’ve been providing VPN services for business use since 2019. In recent years, the demand for Proton VPN from businesses has increased exponentially, and today there are thousands of business users, ranging from startups to Fortune 500 companies to major governmental and non-governmental organizations. As a result, we’re formally rolling out a Proton VPN for Business offering today.

What is Proton VPN for Business?

A VPN has long been an essential business security tool, and today, practically all organizations, large and small, use some type of VPN. The shift to remote work and the need for compliance have increased the work of keeping business networks secure. Instead of simply protecting your office network, your team must now figure out how to provide secure access to employees worldwide and segment access to various company resources. No matter how big your organization is, Proton VPN can help give your team fast, easy access to internal resources while keeping attackers and fraudsters out.

While Proton VPN for Business leverages some of the technology in our world-renowned consumer VPN offering, it’s fundamentally a different product with additional capabilities. Proton VPN for Business is designed to support small and large organizations and has the administrative tools required to manage thousands of users and devices across complex businesses.

Protect employees out in the field

Some international organizations have team members in the field, working in countries with hostile internet conditions where resources are routinely blocked and connections actively monitored. In such situations, a VPN becomes an essential personal security tool, enabling secure connectivity to the outside world.

Segment access with private gateways

Proton VPN for Business also provides private gateway capabilities via dedicated servers and IP addresses. Each private gateway is only accessible to specifically authorized members and groups within your organization, making it easy for businesses to limit and segment access. You can limit access to resources based on the gateway, ensuring people can only access the resources they need to do their job. You can choose to have the servers and IP addresses that form your private gateway in any of the over 65 locations that Proton VPN operates in today, providing low latency access from anywhere on the globe.

Private gateways also make it easy to segment and control access to sensitive resources, allowing you to meet the requirements for security certifications such as ISO 27001, SOC2, and more.

No hardware, easy to manage

Unlike existing corporate VPN services, Proton VPN for Business requires no dedicated hardware or installation. We can instantly configure private gateways and other services, and you can rapidly scale your service up or down as needed. Proton VPN for Business is also a fully managed service, so you won’t need in-house experts to manage your corporate VPN. Instead, you benefit from Proton’s highly redundant infrastructure and our experience operating one of the world’s largest VPN services.

More than just a VPN

Proton VPN also provides capabilities that make it more than just a VPN service — it’s an all-around network security tool. For instance, our NetShield Ad-blocker feature blocks malware and helps prevent malicious internet sites from infecting your team’s devices. It can also block ads, trackers, and other categories of unwanted online activity.

Proton VPN applications have built-in protections against man-in-the-middle attacks for operations over hostile networks. Proton VPN apps will proactively warn you if such an attempt is detected and refuse connections to a malicious server.

Proton VPN offers security you can trust – and verify

The VPN you choose for your business will be the front door for your remote, hybrid, and traveling employees. This means you need a VPN whose security you can trust.

Proton VPN offers several advantages over standard business VPNs:

Open source and publicly audited

Proton was founded by scientists who met at CERN, and we’re guided by the principles of transparency and peer review. As scientists, we don’t accept any claims we can’t verify ourselves, and we wouldn’t expect you to either. That’s why Proton VPN is open source, and our code is open to inspection. Our security claims are more than just claims — they’re facts you can verify for yourself.

We also publish audits conducted by independent security experts for all our services and no-logs policy, giving you access to an independent assessment.

A Swiss-based VPN

Switzerland is home to some of the strongest data privacy laws in the world. As our headquarters is in Geneva, this means your usage of Proton VPN is also subject to these strong legal protections. Switzerland’s foreign policy of neutrality, strong rule of law, and advanced infrastructure mean we’ll always be able to provide our service to your organization.

Unparalleled track record in security

As one of the most widely used VPNs in the world, Proton VPN has a long track record of defending against hostile threats. Our high-impact work has been chronicled on the front page of The New York Times, and we also assist high-profile organizations such as Novaya Gazeta (winner of the 2021 Nobel Peace Prize). The UN has also recommended Proton services as a secure way to deliver sensitive information.

Advanced features to help you get your work done

With VPN Accelerator, Stealth protocol, and Alternative Routing, you can be sure that your VPN connection always works fast, no matter where you’re located, and even if the network is hostile.

Get started with Proton VPN for Business

We’re excited to bring a new level of protection and access to businesses of all sizes with our new Proton VPN for Business plans:

  • Proton VPN Essentials — Safely access the internet from anywhere with basic monitoring and organization management.
  • Proton VPN Business — Get all advanced security features, including private gateways with dedicated servers and IPs, easy access segmentation, and more advanced organization management.

As before, we will continue to provide a Proton VPN Enterprise offering, which provides customized solutions to meet the exact needs of your organization. A full comparison, plus the contact details for our enterprise team, can be found on our new Proton VPN for Business pricing page.

In the months and years to come, we look forward to expanding the features and functionality of Proton VPN for Business based on your feedback. To learn more about Proton VPN for Business, you can get in touch with us directly using the form below.
