Deep Dive — Some VPN Nuance
On last week’s Chit Chat Across the Pond segment, Allison & Adam had a great discussion on VPNs, and the main thrust of the conversation was superb. But there were two threads left dangling a little, and one point I want to quibble with.
But nonetheless, the TL;DR is that I agree that for most people, most of the time, a VPN is not necessary!
The biggest danger VPNs are designed to protect us from is eavesdropping by some kind of adversary with the ability to see our network traffic. This means we need to discuss an important piece of recently evolved terminology before we get stuck in — AiTM is the updated term for what was previously referred to as MiTM. It stands for Adversary-in-the-Middle (replacing Man-in-the-Middle), and it has two advantages. Firstly, it reflects today’s reality that in 2025 the adversary is as likely to be an automation or an artificial intelligence as it is to be a human, and secondly, it removes some needless gendering.
Some Vital Context
VPNs are low-level networking constructs, so to understand what they do, we need to have a basic understanding of how our local networks (LANs) and the internet at large work. All the computer networks we use in our regular lives are built using the same technology stack: they are all TCP/IP networks. Without a nuanced understanding we become completely reliant on crude analogies, and all analogies break down when you dive into the weeds, leading to misconceptions and false assumptions!
The 4-Layer TCP/IP Network Stack
Networking is complicated and difficult, so attacking the problem all in one go would be a near-impossible task. So, the designers of the internet didn’t choose to go that route. Instead, they adopted a layered approach, with each Layer having responsibility for a different subset of the problem. The layers are strictly ordered, with each layer relying on the functionality of the layer directly below, and offering functionality to the layer directly above.
We have different addressing schemes and protocols at each Layer.
Finally, all data on TCP/IP networks travels in little pieces, called packets, and each packet makes its own way across the internet. Streams of data are broken apart, transmitted as separate little chunks, and re-assembled on the other end.
Let’s explore the layers:
- Layer 1 is responsible for getting individual packets from one device on a single network (LAN) to another device on the same network. The primary protocol on this layer is Ethernet, and Ethernet packets are addressed using MAC addresses. We use two flavours of Ethernet — one that runs over copper cables, and one that flies through the air, and we know them as wired Ethernet and WiFi.
- Layer 2 is responsible for getting individual packets from one internet-connected device to any other internet-connected device, moving from network to network through routers. It’s up to the routers to figure out the route each packet should take so it moves towards its destination. The most important protocol in this Layer is the Internet Protocol, or IP. There are two versions of the IP protocol in use today, IPv4 & IPv6, and IP packets move from one IPv4 address to another IPv4 address, or from one IPv6 address to another IPv6 Address.
- Layer 3 is responsible for moving data streams between IP addresses, and it does so using two primary protocols, the Transmission Control Protocol, or TCP, and the User Datagram Protocol, or UDP. TCP and UDP connections flow from one IP address + port number to another IP address + port number.
- Layer 4 is the application Layer. This is where both the low-level applications that make the internet work and the high-level applications we use live. In terms of low-level protocols, the two most notable ones are DNS for resolving domain names and NTP for synchronising clocks. In terms of user-facing ones, the list is nearly endless, ranging from fully open protocols for email, the web, and file sharing like SMTP, POP, IMAP, HTTP, and SSH, to proprietary ones like those powering Windows domains and all our popular messaging platforms.
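To make the four layers concrete, here is an added example in Python (not code from the post) that builds an Ethernet frame carrying an IPv4 packet, carrying a UDP datagram, carrying an application payload, and then peels it apart layer by layer using the post’s numbering. The MAC addresses, IP addresses and ports are constructed sample values.

```python
import socket
import struct

# Constructed sample values (locally-administered MAC addresses; none of
# these come from the post).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_checksum(header):
    """Standard one's-complement checksum used by the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Wrap an application payload in UDP (layer 3), then IPv4 (layer 2),
    then Ethernet (layer 1), exactly the nesting the post describes."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     64, PROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # Fill in the header checksum (bytes 10-11) now that the rest is known.
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def dissect(frame):
    """Peel the layers off in order: each layer's header tells us what the
    next layer is, and each layer has its own addressing scheme."""
    layers = {}
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers["layer1_ethernet"] = {"src_mac": mac_str(src_mac),
                                 "dst_mac": mac_str(dst_mac)}
    if ethertype != ETHERTYPE_IPV4:
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # header length in bytes
    proto = ip[9]
    layers["layer2_ip"] = {
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        # A valid header checksums to zero when the stored checksum is included.
        "header_checksum_ok": ip_checksum(ip[:ihl]) == 0,
    }
    if proto != PROTO_UDP:
        return layers
    udp = ip[ihl:]
    src_port, dst_port, length = struct.unpack("!HHH", udp[:6])
    layers["layer3_udp"] = {"src_port": src_port, "dst_port": dst_port}
    layers["layer4_payload"] = udp[8:length]
    return layers


if __name__ == "__main__":
    # A DNS-sized payload going to port 53 on the LAN's router.
    frame = build_frame("192.168.1.10", "192.168.1.1", 51000, 53, b"\x12\x34" + b"\x00" * 10)
    for layer, info in dissect(frame).items():
        print(layer, info)
```

Note that an observer who can see this frame on the wire gets every one of these fields for free; a VPN changes nothing about layer 1 and only changes what the layer 2 destination and the layer 4 payload look like for the packets it routes through the tunnel.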
VPNs are Layer 4 Applications that Use Virtual Layer 2 Network Cards for Data Input & Output
When you connect to a VPN, a new virtual network interface appears on your computer. Instead of that network card being connected to an Ethernet cable or a wifi card, it’s connected to a VPN app. The VPN app transforms the network traffic that enters its virtual network card into a data stream that it encrypts and then forwards to a VPN server using a layer 4 protocol like WireGuard or OpenVPN. The VPN server decrypts the data stream, translates it back into regular IP packets, and puts those packets back onto the internet using its virtual network card.
In effect, IP packets enter a virtual network card, get translated to encrypted data, get sent across the internet as if they were a Zoom call or a YouTube video, and then get transformed back into regular IP packets. Once the IP packets are transformed into a data stream and then encrypted, they are just collections of 1s and 0s, in the same way that the audio waves captured by the electromagnets in a mic are not really sound waves anymore once they have been converted into 1s and 0s, incorporated into a podcast, and broadcast around the world over HTTP. The data stream is just a data stream, and it moves across the internet using an appropriate layer 4 protocol just like all our pictures, sounds, and videos do.
The Importance of Routing
For each packet originating from every app on your computer, the OS has to decide which network card it should use to send that packet. Or, to use the jargon, which network card it should route the packet to. Yes, your computer has its own little internal Layer 2 router provided by your OS. It’s up to your VPN app to configure your computer’s little internal router to send some packets directly to the physical network cards, and some to the virtual network card created by the VPN app.
In terms of packets arriving at your computer that are not part of an existing data flow, your computer’s operating system uses a little internal firewall to decide whether or not to accept them, and your VPN app can also configure this internal firewall to further manage your network traffic while the VPN connection is active.
When a VPN app lets you configure whether or not you can use printers, file servers, or other network services on your LAN, that’s your VPN app altering your computer’s routing table to adjust the rules dictating which packets go to the physical network cards, and which to the virtual one connected to your VPN app.
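As an added example (not code from the post), here is a toy routing table in Python that makes the longest-prefix-match decision the OS makes for every outgoing packet, and shows how a VPN app changes the outcome by adding or leaving out routes. The interface names (en0 for the physical card, utun0 for the virtual one) and all addresses are assumptions.

```python
import ipaddress

# Constructed sample values (not from the post): a home LAN, a VPN server
# address from a documentation range, and macOS-style interface names.
LAN_PREFIX = "192.168.1.0/24"
VPN_SERVER = "203.0.113.10"
PHYSICAL_IF = "en0"    # the real WiFi or Ethernet card
VIRTUAL_IF = "utun0"   # the virtual card the VPN app creates


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    Returns the interface name, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if


def routes_without_vpn():
    """Everything leaves through the physical card."""
    return [("0.0.0.0/0", PHYSICAL_IF), (LAN_PREFIX, PHYSICAL_IF)]


def routes_with_vpn(allow_lan):
    """What a 'send everything through the tunnel' configuration installs.

    The /32 host route for the VPN server itself must stay on the physical
    card: the tunnel is carried by a connection to that server, so routing
    it into the tunnel would collapse the tunnel.  The LAN route is the
    'allow access to printers and file servers' toggle.
    """
    table = [("0.0.0.0/0", VIRTUAL_IF), (VPN_SERVER + "/32", PHYSICAL_IF)]
    if allow_lan:
        table.append((LAN_PREFIX, PHYSICAL_IF))
    return table


def seen_on_lan(table, destinations):
    """Destinations whose packets leave via the physical card, and whose
    IP addresses are therefore visible to anyone else on the LAN."""
    return [d for d in destinations if lookup(table, d) == PHYSICAL_IF]


if __name__ == "__main__":
    dests = ["192.168.1.20", VPN_SERVER, "93.184.216.34"]
    for name, table in [("no VPN", routes_without_vpn()),
                        ("VPN, LAN blocked", routes_with_vpn(False)),
                        ("VPN, LAN allowed", routes_with_vpn(True))]:
        print(name, {d: lookup(table, d) for d in dests})
```

With the LAN route left out, a packet for a printer at 192.168.1.20 matches only the default route and is pushed into the tunnel (where the VPN server will typically just drop it); with the LAN route present, the /24 is more specific than the /0 and the packet goes out the physical card as before. Either way the VPN server’s own address always leaves via the physical card.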
VPNs are very Generic Tools — they can be Configured in Many Different Ways
How your VPN app configures your computer’s internal router and firewall will determine how your VPN connection behaves. This is entirely equivalent to plugging in another physical network cable (hence the name virtual private network), at which point your computer also has to decide how to treat that network, and what traffic to send to and receive through that network card.
Depending on how you configure your VPN, it can serve unimaginably many functions, including:
- Securing your connection to the internet when you don’t trust your LAN.
- Securely connecting to your LAN and the internet when you do trust your LAN, but not your ISP.
- Changing the geographic location your internet traffic appears to originate from, with or without also allowing connections to and from your LAN.
- Securely connecting back to a corporate network, with or without also allowing connections to and from your LAN.
Different VPN apps are branded and marketed differently, and their UIs expose different subsets of all the possible ways a VPN could be configured, so the low-level technical detail is not always obvious. But ultimately, the apps all implement their feature sets using a layer 2 virtual network card in combination with a layer 4 VPN protocol and a collection of routing configurations, optionally augmented with some firewall rules.
Are You Still on the LAN when a VPN is connected?
Finally, we’re ready to address the confusion that arose during Allison and Adam’s conversation about whether or not a VPN disconnects you from the LAN. This question is impossible to answer in the abstract because it really depends on what you mean by connected to the LAN. The answer is completely different from different points of view!
Something to think about, though, is that the answer can’t be an absolute no. Why? Because your VPN app is using your physical network cards to establish and maintain a layer 4 connection to a VPN server over a protocol like WireGuard or OpenVPN! If you were actually disconnected from the LAN, then your VPN connection would drop instantly. Your proverbial tunnel would collapse the moment you finished building it!
So, at layers 1 to 3, you are absolutely connected to your LAN. Your physical network cards still send and receive data addressed to and from your MAC addresses over the Ethernet protocol, your computer continues to send packets addressed to and from the IP addresses assigned to your physical network cards using the IP protocol, and there continue to be TCP and/or UDP connections between specific ports on your computer and specific ports on other devices.
At layer four, we get into ‘it depends’ territory, and what it depends on is the routing and firewall settings applied inside your computer by your VPN app.
At the very least, you will always have a Layer 3 TCP or UDP connection from your computer to your VPN server carrying a layer 4 encrypted data stream over your VPN’s chosen protocol (e.g. WireGuard or OpenVPN). In other words, there will always be a data stream from at least one port on at least one of the IP addresses for one of your computer’s physical network cards to a specific port on the IP address of your VPN server, and that flow will be travelling through your LAN. Other LAN users could see those packets, and your ISP will see them. They’ll see the source and destination ports and IP addresses, and they’ll be able to tell that they are seeing a VPN connection. But, just like with HTTPS, any AiTMs will be able to tell that you are communicating with your VPN server, but not what you are ‘saying’.
Whether or not you can also interact with other devices on your LAN over other Layer 4 protocols depends on your VPN configuration, as does whether or not other devices on your LAN can connect to your computer over Layer 4 protocols.
Another big ‘it depends’ is how your computer handles the DNS requests that translate human-friendly domain names to IP addresses. The DNS protocols are all layer 4 protocols. Traditional DNS uses UDP, while the newer encrypted DNS-over-HTTPS (DoH) uses TCP. Your computer could be configured to continue to use the same DNS server it was using before the VPN connection was established, meaning that if you use traditional DNS, that unencrypted traffic does not get routed through the VPN connection; or, the VPN app could have re-configured your computer to switch to a different DNS server of the VPN app’s choice, with the traffic safely routed through the VPN connection.
Finally, note that absolutely everything to do with VPNs, from the VPN apps to the VPN protocols to the little routers and firewalls inside your computer, exists at Layers 2 and above. That means VPNs absolutely cannot remove your layer 1 presence from the LAN, leaving you open to all the known abuses of the ancient and utterly unsecured Ethernet protocol. That includes things like MAC address spoofing and ARP Poison Routing, both of which enable AiTM attacks from devices sharing your LAN.
So, the answer is always yes, but to what degree, well, that depends … 🙂
What does iCloud Private Relay do, and Not do?
The TL;DR is that iCloud Private Relay protects only the following three things:
- All web browsing in Safari
- All DNS queries made via the OS
- All unencrypted HTTP connections from Apps using the OS’s networking APIs
That’s it!
It does nothing to protect your actual emails; the closest it gets is protecting your privacy when emails contain images hosted on the web that are fetched over HTTP, and only if you use the built-in Mail app.
And it does nothing to protect any other network connections flowing to and from your computer.
Under the hood, iCloud Private Relay uses two open protocols:
- Oblivious DoH (anonymous DNS-over-HTTPS)
- HTTP proxying via HTTP/3 over QUIC through a network of anonymising relay servers
If you want to learn more, this 15-minute WWDC session video explains it in detail — developer.apple.com/…
DNS Packets are More than just a Privacy Risk, they Enable AiTM Attacks
Adam downplayed the risks posed by DNS when you’re not using a VPN because he was only thinking about it from one point of view, but there is a whole other problem that was never discussed, and it simply cannot be ignored!
Traditional DNS packets are completely unencrypted. As Adam pointed out, this means that any AiTM can see both the domain names your computer is interacting with, and the answers your computer receives. This has obvious privacy implications. If you visit the website for a cancer clinic over HTTPS, the exact page you visited on that site won’t be leaked, but the fact that you visited that site will be. That alone can cause some serious privacy invasions. Do you visit Christian sites, Jewish sites, Muslim sites, Hindu sites, and so on? Do you visit gay or trans rights sites? Do you visit Neo-Nazi sites? …
But it gets so much worse!
Ethernet is not secure, so Ethernet packets can be spoofed. This allows any device on your LAN to easily intercept all Ethernet packets destined for your computer. As already discussed, this lets attackers see your traditional DNS queries since they are unencrypted, but it also lets attackers alter the DNS responses destined for your computer! This leverage opens up all sorts of malicious possibilities, including more advanced AiTM techniques.
Sure, when you use HTTPS, you’ll get browser warnings if your computer is tricked into connecting to a fake Google server, but how many people just click by those warnings‽
You can get around this in three ways:
- Use a VPN
- Use iCloud Private Relay (since Oblivious DoH is encrypted)
- Directly configure your computer to use an encrypted DNS provider over an encrypted DNS protocol like DoH.
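To show why traditional DNS is both a privacy problem and an AiTM enabler, here is an added example in Python (not code from the post) that builds a DNS query and response in the real wire format, then parses them the way any passive observer on the LAN could, since nothing in them is encrypted. It also includes the minimal sanity check a resolver applies to a response (transaction ID and question must match the query). The domain name and IP addresses are constructed sample values.

```python
import socket
import struct


def encode_name(name):
    """'clinic.example' -> b'\\x06clinic\\x07example\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name starting at offset; handles compression pointers (0xC0..).
    Returns (name, offset just after the name as it appears in the message)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_query(txid, name):
    """Standard query for an A record: 12-byte header + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, ip):
    """Answer a query with one A record (TTL 300), echoing its ID and question."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer name is a pointer back to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse(msg):
    """What anyone who can see the packet can read: the name asked about and
    the addresses handed back, in clear text."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "answers": answers}


def validate_response(query, response):
    """The checks a resolver makes before trusting a response: it must be a
    response, carry the query's transaction ID, and echo the same question."""
    q, r = parse(query), parse(response)
    return r["is_response"] and r["txid"] == q["txid"] \
        and r["qname"].lower() == q["qname"].lower()
```

The check in `validate_response` only defeats blind forgery from off-LAN; a device that shares your LAN and can see the outgoing query also sees the transaction ID and the question, so it can craft a response that passes every check while carrying whatever address it likes. That is why the real fix is one of the three encrypted options in the list above rather than cleverer validation.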
WiFi Client Isolation
One of the modern networking advances that has really dented the AiTM danger on public WiFi is something called client isolation, which is available on enterprise-grade WiFi deployments. When a WiFi network has this feature turned on, each user on the wifi network effectively gets their own private single-device LAN, so there is literally no one sharing your LAN, so none of the Ethernet shenanigans discussed earlier are possible!
Whenever a network supports client isolation, the need for a VPN goes right down, but the problem is there’s no easy guaranteed way to tell whether or not client isolation is in effect in any given network you connect to, so you just can’t count on it being there 🙁
I can give you one tip — if a network pops up your OS’s standard WiFi password prompt like you get when you visit friends or family for the first time, then there is definitely no client isolation. But, if you have to enter both a username and a password, or, if there is a captive portal page, then you are on an enterprise grade wifi network which more likely than not has client isolation enabled. Remember, this is a rough guideline, not a hard-and-fast rule!
❗ Action Alerts
Worthy Warnings
- ⚠️ Mac Users: so-called click-fix attacks have come to the Mac — thehackernews.com/…
- This has been a trend on Windows for many months now, fake CAPTCHAs instruct users to copy-and-paste PowerShell code into the Run dialogue and run it so as to hack themselves, supposedly to prove they are human
- Some of the same malicious sites have started to add OS-detection to present Mac users with terminal commands to run instead 🙁
- ⚠️ Apple Safari Users: Safari on the Mac is vulnerable to a sneaky trick attackers may use to red pill you — JavaScript can enable full-screen mode without warning, removing all web browser chrome (tool bars etc) allowing the content of a malicious web page to completely take over your screen, and simulate your full OS, potentially tricking you into entering your Mac’s admin password — www.bleepingcomputer.com/…
- This trick only works when users are not paying attention enough to notice the very short animation as the window moves to full-screen mode, and don’t bounce their mouse off the top of the screen, which would cause the real menubar to appear.
- Other browsers and/or other OSes present a permission box before JavaScript can full-screen the browser; Apple will need to implement something similar in Safari on the Mac.
- ⚠️ Android Users: both Meta and Yandex have been caught abusing an Android feature that allows installed apps to listen on a local port for incoming connections from JavaScript running within the browser to secretly share a device’s advertising ID with web ads on their respective ad networks, bypassing user privacy controls — daringfireball.net/… & daringfireball.net/…
- Both apps stopped the practice once they were caught
- iOS does not allow apps to listen on a local port in this way
- Editorial by Bart: This is unfathomably sneaky and undeniably a malicious hack designed, yet again, to work around OS-level privacy protections, which is likely illegal in the EU and possibly elsewhere too.
- ⚠️ ASUS Router Owners: Check your ASUS router for a hidden hack that survives reboots & updates — appleinsider.com/…
- ⚠️ 🇺🇸 T-Mobile users in the US should be aware of a grey-area feature the carrier has silently added to their app – it records the screen (within the app only), and automatically shares the recordings with T-Mobile technical support when you open a support request — appleinsider.com/…
- Opinion from Bart: This looks like a ham-fisted attempt to offer better support rather than any kind of malicious data-grab.
- ⚠️ 🇺🇸 Optima Tax Relief Customers: this is a breaking story so we don’t have definitive details yet, but if you’re one of this company’s very many customers, you need to monitor this to see how it evolves: Tax resolution firm Optima Tax Relief hit by ransomware, data leaked — www.bleepingcomputer.com/…
Notable News
- 🇺🇸 Texas governor signs law to enforce age verification on Apple, Google app stores — www.reuters.com/…
- The law comes into effect on 1 January 2026
- Goes far beyond the optional features Apple previewed earlier this year
- Will require all Texas App Store users to prove their age to Apple & Google, and require children to connect their accounts to those of parents or guardians
- Has major privacy implications since age verification is not possible anonymously
- 🇮🇪 The Irish Council for Civil Liberties (ICCL) has won the right to take a class action suit against Microsoft in Ireland over how Bing shares data with ad brokers — www.iccl.ie/…
- Class actions are not normal in Ireland like they are in the US, and it was a big battle for a civil liberties group to win the right to effectively do the Irish Data Protection Commissioner’s job for them, since they are the authority responsible for enforcing the GDPR on companies with their EU headquarters in Ireland.
- This judgment says nothing about the merits of their case, so this is not a loss for Microsoft, but for the Irish Data Protection Commissioner.
- Important Content: The Irish DPC has been roundly criticised for being too soft on tech, with the suspicion or outright accusation that this is because of the conflict of interest the Irish government has when it comes to US tech firms, which they very actively court.
- Observation from Bart: Based on my reading of what is being alleged, I don’t see how this doesn’t equally, or perhaps even more so, apply to Google and how they run their search business.
- This case has a very long road to go, but if the ICCL eventually wins, search engines will need to make radical changes to protect European users’ privacy in their ad auctions.
- 🇩🇪 Germany fines Vodafone $51 million for privacy, security breaches — www.bleepingcomputer.com/… (more evidence of the cost of negligent cybersecurity practices, this sets up the right incentives to help Chief Information Security Officers get the resources they need for their jobs!)
- Apple released their annual report on government data requests for 2024, and the most notable statistic is that while the company received more requests to share push notifications, it complied with fewer of them — appleinsider.com/…
- Microsoft has started to trial a feature where third-party Windows apps could have their updates handled by Windows Update, effectively leveraging all the tooling larger organisations already have in place for automatically patching Windows and Microsoft’s first-party apps — www.bleepingcomputer.com/…
- 🇪🇺 Microsoft unveils free EU cybersecurity program for governments — www.bleepingcomputer.com/…
Interesting Insights
- 🇪🇺 It looks like things are heating up in Europe for a renewed push for magic keys for the good guys in End-to-End Encryption 🤬 — www.politico.eu/…
Palate Cleansers
- From Allison: OpenAI Plays Hide and Seek…and Breaks The Game! 🤖 – YouTube — youtube.com/… (note – 5 years old but still awesome)
- From Bart:
- 🎧 A surprisingly casual and frank conversation with Microsoft’s head of Open Source on how he’s pushing for Microsoft to open source ever more of their products, as well as a very deep dive into the recently open sourced Windows Subsystem for Linux: The Changelog Friends: Software Development, Open Source, wsl.exe … — overcast.fm/…
- 🎧 A heart-warming podcast about how a fellow tech geek used technology to adapt to losing the use of an arm in a freak accident: 99% Invisible: Adapt or Design — overcast.fm/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
Just listening to this and Bart is incorrect in that a wifi network can use WPA2 and provide device isolation without using a portal. I have done exactly this with a visitor wifi network for the company I represent (using Extreme Networks switches and access points) plus also at home both with Synology routers and more recently with Ubiquiti devices (which supports clients related to my wife’s business).
Other than that, my background taught me the 7 layer model, which totally confused me as in networking terms we always refer to routing as Layer 3 or Networking in the OSI model 🙂
Thanks for the show!