An SSL VPN is a form of virtual private network implementation rivaled only by IPsec VPNs since… well, since VPNs became a thing, meaning it’s as old as the Internet itself. It’s named after the Secure Sockets Layer, which is essentially a buffer zone protecting, for example, your Google queries over the final stretch of their journey from your computer to the server of whatever website you’re visiting that day – we’re not judging.
An SSL VPN is hence not a true end-to-end encryption mechanism but one that starts securing your communications only near their destination, meaning it’s designed to protect the network more than the user. Therefore, it doesn’t rely on a completely standalone app on your end, which is what a conventional VPN client is. This abstraction instead happens after your data has already left its source, meaning your mobile or broadband service provider can still see what you’re doing – to some extent.
This is the main reason why the HTTPS protocol eventually even replaced SSL with TLS, or Transport Layer Security, a more comprehensive technology that’s much closer to true end-to-end encryption. The problem with both, however, is that the other “end” in that equation tends to be too flexible to be comparable to an IPsec VPN setup. Of course, no solution is flawless unless you own the underlying broadband infrastructure over which you’re communicating with the World Wide Web.
But still, the point of SSL isn’t to be an ultimate privacy tool but merely a means to an end, the end being giving individual clients access to a larger network. On the other hand, an IPsec VPN makes you a full-fledged part of a new network, one with a scrambled output that allows your data to get lost in the noise, all the while being encrypted in the extremely unlikely chance it’s intercepted.
Warning: clunky VPN tunneling analogies incoming
That’s why conventional IPsec VPNs are often referred to as “tunneling” networks – they’re like digging a tunnel between your house and your neighbor’s.
On the other hand, TLS encryption is akin to doing the same, except with a starting point from your yard. Sure, you’d still go through the trouble of installing a vault door over the yard entrance, but you’d also hang a sign with the name of your destination right above it.
Finally, SSL VPNs are like crossing the street, knocking on your other neighbor’s front door, having him lock it after you’re in, then digging a tunnel from his house to that of the first guy. Neither of those final two solutions is ideal if your goal is to cover as many of your tracks as you can. In fact, they’re arguably as clunky as these digging analogies.
Do you trust the clouds selling you privacy?
Given how neither TLS nor SSL certificates (which we’ll explain in a second) are exactly Guy Fawkes masks against ISPs with market caps in the tens of billions of dollars, they alone are not enough to guarantee that your browsing history won’t get gobbled up by the only broadband monopoly in your district. They only make the process of figuring out the domains you’re visiting last a second longer.
The oldest trick in the book still works
While impressively bulletproof for a (regularly updated) computing standard from the last century, the only fundamental flaw of the original IPsec is that it doesn’t scale and can hence only be applied to communications between a limited number of clients. Otherwise, you’d quickly end up with trillions upon quadrillions of cryptographic keys being constantly generated and not reused fast enough as new machines join the network, leave it, and have connection issues in between – to name just some of the countless potential bottlenecks such a setup wouldn’t be able to avoid.
Not even Moore’s Law on steroids would have been able to keep up with the supercomputer demands required to operate that version of the Internet. Instead, mankind’s biggest nerds figured they’d replace those variables with a constant called a Certification Authority (CA), which is unique to hosts and used as a starting point for their back-and-forth cipher “negotiations” – essentially a series of tests ensuring two computers are representing themselves truthfully and their messages aren’t being intercepted.
That’s what SSL, in essence, is: a compromise between security and scalability. Ditto for TLS as merely another point on the same spectrum. This is also the reason why all TLS and SSL certificates have expiry dates – for security purposes – which is an entirely different, yet tragically large problem in and of itself.
Because countless sysadmins fail to explain that to capital fund managers all too often, the result is slashed IT department budgets paired with scolding remarks on how they’re overspending tens of dollars a year on some fancy-pants “website certificates.” Like those nerds can’t tell that’s a website without a certificate? And they call themselves IT professionals? Well, the silver lining is that those wise executives and accountants tend to come around after a couple of hours and a dozen or so millions of dollars in losses.
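Since certificate expiry is where those multi-million-dollar outages actually come from, here is an added example (not from the article) of a small expiry monitor using only Python’s standard library: `fetch_peer_cert` pulls a live leaf certificate in the shape `getpeercert()` returns, `expiry_status` classifies it by days left, and the 30-day/7-day thresholds, the host names and the sample certificates are all assumptions constructed for the demo.

```python
"""Certificate expiry monitor over ssl.getpeercert()-shaped dicts (added example)."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Alert thresholds: an assumed policy, not something the article specifies.
WARN_DAYS = 30
CRIT_DAYS = 7


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a chain-validated TLS connection and return the leaf cert as a dict."""
    ctx = ssl.create_default_context()  # platform CA store, hostname checking on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()  # includes 'notAfter' as e.g. 'Jun  1 12:00:00 2025 GMT'


def expiry_status(cert: dict, now: Optional[datetime] = None) -> tuple:
    """Return (status, days_left) where status is ok/warning/critical/expired.

    days_left goes negative once the certificate has lapsed."""
    now = now or datetime.now(timezone.utc)
    # ssl.cert_time_to_seconds parses the getpeercert() date format as UTC.
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if not_after <= now:
        return "expired", days_left
    if days_left < CRIT_DAYS:
        return "critical", days_left
    if days_left < WARN_DAYS:
        return "warning", days_left
    return "ok", days_left


def report(certs: dict, now: Optional[datetime] = None) -> dict:
    """Map each name to its expiry status; this is what a cron job would alert on."""
    return {name: expiry_status(cert, now) for name, cert in certs.items()}


# Constructed sample certificates (hypothetical hosts), one per status band.
SAMPLE_NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "fresh.example": {"notAfter": "Sep  1 12:00:00 2025 GMT"},
    "soon.example": {"notAfter": "Jun 20 12:00:00 2025 GMT"},
    "lapsed.example": {"notAfter": "May 30 12:00:00 2025 GMT"},
}

if __name__ == "__main__":
    for name, (status, days) in report(SAMPLE_CERTS, SAMPLE_NOW).items():
        print(f"{name}: {status} ({days} days left)")
```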