We will try and answer all these questions in regard to NordVPN.
The Elephant in the Room
You may have heard that NordVPN was hacked in 2018. The news came out in October 2019, when hacker/web developer ‘undefined’ published a series of tweets on the matter. These tweets did not go unnoticed and both Ars Technica and CNET published stories on the hack.
So what exactly happened?
A lot of commercial VPN providers rent their servers from third-parties. This makes it easier for providers to deploy servers around the world and enhance their offering.
However, the downside is that the provider’s servers are not fully under their control. NordVPN is a provider that rents at least some of its servers.
In March of 2018, the data center that managed their Finland server installed remote management software on the server.
NordVPN was not aware this software had been installed. The attacker was able to compromise the server by exploiting a vulnerability in the remote management software.
The exploit enabled the attacker to obtain three TLS keys belonging to NordVPN. With these keys, the attacker could operate a fake NordVPN.com website or impersonate a NordVPN server using a man-in-the-middle attack.
NordVPN acknowledged the issue in October 2019. They claim they waited to audit all their other servers before making a statement on the matter.
When they did acknowledge it, they made it clear that the compromised keys had since expired, and that even if they had remained active, they could not be used to decrypt the traffic of their users.
So they got hacked because of their infrastructure model. But no user information was compromised.
Then Things, Apparently, Got Worse
Shortly after the Finland server hack story broke, Ars Technica reported that NordVPN user credentials had leaked. Indeed, in early November, the breach notification service Have I Been Pwned reported upwards of 10 lists of compromised NordVPN user credentials.
To the casual observer, this second story could make it look as if the Finland hack was actually worse than what was initially reported. But it turns out that all of the compromised passwords were very weak. And they were all obtained by using a technique called credential stuffing.
Credential stuffing is the name of an attack that takes the compromised credentials from one leak/site and uses them to break into user accounts from other services/sites which use the same username and password.
A VPN provider should always enforce strong passwords in their native apps. However, that being said, this credentials leak had nothing to do with the Finland server hack. And it was not the result of a breach at NordVPN.
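From the defender's side, credential stuffing leaves a recognizable trace in login logs: one source trying many different accounts, with most attempts failing. The sketch below is an added example, not code from NordVPN or the original article; the log format, thresholds, and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2019-11-01T10:00:01Z 198.51.100.7 alice@example.com FAIL
2019-11-01T10:00:02Z 198.51.100.7 bob@example.com FAIL
2019-11-01T10:00:03Z 198.51.100.7 carol@example.com OK
2019-11-01T10:00:04Z 198.51.100.7 dave@example.com FAIL
2019-11-01T10:00:05Z 198.51.100.7 erin@example.com FAIL
2019-11-01T10:02:10Z 203.0.113.20 frank@example.com FAIL
2019-11-01T10:02:25Z 203.0.113.20 frank@example.com FAIL
2019-11-01T10:02:40Z 203.0.113.20 frank@example.com OK
2019-11-01T10:05:00Z 192.0.2.44 grace@example.com OK
"""

def parse(log_text):
    """Yield (ip, user, ok) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        _, ip, user, result = parts
        yield ip, user.lower(), result == "OK"

def detect_stuffing(log_text, min_users=4, min_fail_ratio=0.6):
    """Flag source IPs that try many *different* accounts and mostly fail.

    Returns {ip: sorted accounts that logged in successfully from it}.
    Those accounts likely matched a reused password and are candidates
    for a forced reset. Thresholds are illustrative assumptions.
    """
    attempts = defaultdict(list)
    for ip, user, ok in parse(log_text):
        attempts[ip].append((user, ok))
    flagged = {}
    for ip, events in attempts.items():
        users = {u for u, _ in events}
        fails = sum(1 for _, ok in events if not ok)
        if len(users) >= min_users and fails / len(events) >= min_fail_ratio:
            flagged[ip] = sorted({u for u, ok in events if ok})
    return flagged

if __name__ == "__main__":
    for ip, hit in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; reset {hit}")
```

The single user who mistypes a password twice before succeeding (203.0.113.20 in the sample) is not flagged, because the signal is the number of distinct accounts tried, not the number of failures.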
Let’s now turn to the security features of the service itself. After that, we will discuss everything we looked at and answer the question: Is NordVPN safe?
“NordVPN guarantees a strict no-logs policy for NordVPN services, meaning that your activities using NordVPN Services are provided by automated technical process, are not monitored, recorded, logged, stored or passed to any third party. We do not store connection time stamps, session information, used bandwidth, traffic logs, IP addresses or other data. From the moment a NordVPN.com user turns on the NordVPN.com software, their Internet data becomes encrypted. Any online traffic coming from user’s device is no longer visible to ISP, third-party snoopers or cyber criminals. Further, NordVPN have a strict no logs policy when it comes to seeing user activity online: NordVPN is based in Panama, which does not require data storage.”
What does this tell us?
- No user activity logging
- No connection timestamps logging
- No session information logging
- No bandwidth consumption logging
- No connection IP address logging
This is what you would expect from a safe VPN service provider.
The no-logging policy is more important than jurisdiction with regard to the security of the service. However, it could be argued that VPN providers based in jurisdictions outside of the 14 Eyes nations are slightly safer. NordVPN is one such provider: it is based in Panama.
So those of you who would rather steer clear of the 14 Eyes Alliance can do so using NordVPN. Bear in mind that jurisdiction in itself is no guarantee of privacy and security.
We discuss the issue in-depth, in our 5, 9 & 14 Eyes: What Does It All Mean For VPN Users? article, if you would like more information on the subject.
They use industry-standard AES256 encryption. There are no known vulnerabilities or backdoors in this encryption scheme.
VPN Kill Switch
In the event that your VPN disconnects, for whatever reason, their native apps will automatically block all Internet traffic from your system. This ensures that if your connection drops, even while unattended, your traffic will not leak outside of the VPN tunnel.
DNS Leak Protection
They operate secure, no-logging DNS servers inside the tunnel. This means that your DNS requests are also protected by strong encryption and do not leak outside the VPN tunnel. They also explain on their website how you can test for DNS leaks yourself.
Onion Over VPN Servers
Once connected, these servers route your traffic through the Tor Anonymizing Network. Tor stands for The Onion Router. Tor encrypts and bounces your traffic over several different locations. From that last bounce, it then forwards your traffic to its ultimate destination.
This, coupled with a VPN makes it very difficult to identify and track your activities.
Bear in mind that Tor can significantly slow down your Internet connection. And certain activities (such as streaming) are not recommended over Tor. For more information, visit Tor's website.
A double VPN bounces your connection through two servers before going to its ultimate destination. This accomplishes something similar to Tor, but with only two bounces. Its impact on the speed of your Internet connection is much smaller.
CyberSec is a blocking service for ads and trackers. This certainly enhances your security. Ads and trackers can expose you to malware and viruses and compromise your system.
WebRTC is a popular communication protocol, included in most Web browsers. WebRTC is known to expose your real internal LAN IP address.
The tools included in NordVPN's native apps, such as CyberSec and Onion Over VPN Servers already help mitigate WebRTC leaks. But NordVPN goes a step further by providing guides on how to disable WebRTC in different browsers.
Your ISP can sometimes block or throttle P2P sharing. And it may be riskier in certain countries. This is why NordVPN offers dedicated servers for P2P sharing. As with all NordVPN servers, there are no bandwidth limits and no traffic logs.
So Is NordVPN Safe to Use?
I would answer: Yes. But it depends on your threat model.
If you are a dissident in an authoritarian country and your life could be threatened if your online activities end up in the wrong hands, I would recommend a VPN provider who does not rent its servers from third-parties.
As the NordVPN example demonstrates, if the server belongs to a third-party, it is not under the VPN provider’s control. They are not in a position to make security guarantees on that server.
The data center installed software on NordVPN’s Finland server without their knowledge and they got hacked. Mistakes happen, and every company will eventually make them (even if they are not disclosed).
But unless all their infrastructure is owned and controlled by them, it means others have access to it. And anything can happen - like getting hacked.
If, however, you are someone who lives in a non-authoritarian country and you use a VPN primarily to avoid corporate surveillance and to hide your online activities from your ISP, I think NordVPN is more than secure enough for you.
No-logging, strong encryption, VPN Kill Switch, DNS Leak Protection, CyberSec, Double VPN, Tor, and dedicated P2P servers will definitely keep you and your online activities safe and private.
Can you be tracked using NordVPN?
With all of the security features available, with the right configuration, it should be difficult to track your online activities. Enable CyberSec and use their Double VPN or Onion Over VPN servers and you should be pretty close to being "off the grid".
NordVPN does offer dedicated IP servers, for an extra fee. This can be useful if you want to host services from behind the VPN. But for privacy and anonymity, shared IPs are better. Shared IPs are the default.
Is NordVPN safe for torrenting?
Yes, NordVPN is safe for torrenting / P2P. They have dedicated servers for P2P file sharing. Again, enable CyberSec and use the Double VPN feature if you want extra security.
As above, use a shared IP address. The Kill Switch feature will make sure none of your data leaks if the VPN disconnects for whatever reason.
For more information on torrenting over NordVPN, take a look at our Does NordVPN Allow Torrenting / P2P? article.
Is NordVPN Safe?
By Marc Dahan
Last updated: April 4, 2020