The Truth About VPNs and the Rise of Quantum Decryption
During Risk Assessments, and working with clients, I routinely run into situations where users think everything they are doing on their laptop is confidential because they are using a VPN. After some discussion, it often turns out that they are using a browser-based VPN. That is a big problem.
Browser-based VPNs, worse than nothing?
Lots of people talk about the poor encryption and encapsulation protocols used in browser-based VPNs (SSL-TLS), but that is not my primary concern. Those protocols might have their weaknesses, but at least it’s something.
I see users (and, shockingly, IT personnel) running into issues. They think once they connect with a browser-based VPN, all applications, other browsers and the operating system traffic is going through this VPN. It is not. When users and IT think they have protection, and they are acting as if they do, this opens up a very serious gap.
If browser-based VPNs have poor encryption protocols, poor traffic encapsulation, and can only protect the browser application use, why are they so popular? The answer is easy. No, really, it's because they are easy. They don't require IT to install and manage a client VPN application, and they require very little user knowledge or (gasp) interaction. Hybrid SSL/TLS products (Network Extender from Check Point is an example) can add a few Band-Aids, but in the end you still have an SSL/TLS product.
If you have been ignoring quantum computers and the eventual impact on VPNs, you might already be in trouble.
When I speak with some network engineers about their VPN plans and quantum computing, the common response is that once quantum computers reach commercial usefulness, they will migrate to "something else."
The problem with this plan is that the time to prepare for quantum decryption is today, or for some, perhaps even yesterday. One of the most sought after killer applications of quantum computers is those that decrypt files, drives and recordings that we can't get into today because of lost passwords or ciphers. Hey, did I say “recording?” Yes, saved recordings of encrypted VOIP traffic and VPN traffic.
The second big misconception I see as a big issue is network engineers thinking quantum computing is a problem to be solved years from now when actually we are already exposing data right now. Anyone recording VPN traffic now will be able to play that traffic back through quantum decryption a few years from now and get potentially useful dialog, plans, recipes, research, tech, documents, PII, other ciphers and, well, the imagination is the limit.
Any recorded user data that actually managed to get into an SSL/TLS VPN will likely be able to be decrypted in real-time or faster, then AI will pull out anything of “interest.” Traffic that was captured going through a “real VPN” using ciphers that are not quantum resistant will take longer but still astonishingly fast.
Assuming your organization deployed SSL/TLS VPNs to mitigate exposure of sensitive information, NOW is the time to start planning a migration to other solutions. If your organization deployed VPNs to just check a checkbox on an audit form or required framework, then this article is not likely much use to you for now.
If you have a client-based VPN or site-to-site VPN, your preparations should be much easier. You will need to find out what quantum-resistant protocols your VPN product supports and what, if any, traffic overhead they will cause when you implement them. Better yet, you might consider changing to a new architecture such as a private fiber network.
If after all of this you are still in the “wait and see” club, well that might be OK. After all, we don't know when or even if commercially useful quantum computers will be available. Don't you want to know the current forecasts, though?
I had to rewrite this article four times now. Every time I thought I had a good draft, a new announcement came out that pushed the date for the quantum revolution closer.
Useful quantum computers are expected to be here in just a few years
- IBM has announced the invention of a new qubit error correction algorithm that will bring their quantum computers to market in 2029, and a more affordable version in 2033.
- PsiQuantum expects to have a commercial quantum computer this year, but I don't think many of us are holding our breath for this one. It uses photonic qubits, which might prove difficult to use.
- A new quantum algorithm has been pre-published in a new paper that says 2048 bit RSA cryptosystems will be far easier to decrypt than previously thought. This means that even “small” quantum computers will be viable decryption systems.
- New algorithmic processes are being created and tested that continue to shorten the likely time frame and quantum computer requirements needed to do significant decryption work.
I hope that I have made a convincing argument that the time to begin deploying Post-Quantum Cryptography (PQC) technology is now. If I have made you think we are on the brink of a security apocalypse, that was not my intent and I don't think it is true.
Quantum hype is everywhere, and most of it is vaporware or worse. One of the best and largest security companies in the world has named its flagship firewalls and software products "Quantum" but it is all marketing—not a single qubit or entangled particle in any of it. Rumor has it, they got into trouble when the US military thought they were importing (real) quantum technology.
Human factor security issues (like those at the start of this article) are still and will remain the largest and most poorly addressed security gap for the foreseeable future. If your IT department is badgering your employees with relentless phishing tests and your users are still using work passwords on their social media accounts, you have worse issues to deal with.
If it's your job to make sure what goes “across the wires” stays in the organization, then start reconfiguring for algorithms like AES-256, ChaCha20, and FPE-FFX. This should begin with a Risk Assessment to ensure you are applying appropriate mitigation to risks and not leaving gaps.
Recommended Continued Reading:
AI did not generate this article.
In fact, this article was drafted on a 1982 Apple LISA computer, which introduced the most profound advancement in personal computer history…
No part of this material may be used or reproduced in any manner for the purpose of training artificial intelligence.
