Without AES Over Port 443, VPN Is Compromised

VPN services are a vital tool for protecting free speech. Following the death of net neutrality, their business model is more vulnerable than ever. If they don't adapt to protect themselves from ISPs, they'll become obsolete.

Yesterday's virtual private networks were designed to give employees remote access to corporate servers. Today that same technology is used to anonymize internet activity using random exit nodes across the globe. It protects journalists, activists, and everyday citizens who don't want their personal browsing history stored, analyzed, and sold.

The best VPN services allow signups with gift cards and anonymous email accounts, and offer more than one high-bandwidth server. The loss of net neutrality has changed the game, and forward-thinking services will need to encrypt traffic with modern ciphers and allow users to route it over multiple ports, including port 443. Together, these options help users protect their identity and hide traffic from the prying eyes of ISPs and state actors.

Why AES And 443?

Without net neutrality, ISPs can eliminate VPN use by blocking the ports on which they operate. Private Internet Access operates over many ports, but only a handful (501, 502, 1197, 1198) support AES encryption. These are trivial to block. Other ports (53, 80, 443, 8080) cannot realistically be blocked, because they carry ordinary DNS and web traffic, but they are limited to the outdated BF-CBC cipher. Not only is this cipher insecure, it precludes use on network appliances such as home routers.
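As an added illustration (not from the original post), here are two OpenVPN client profiles for a hypothetical provider at the placeholder hostname vpn.example.net: the first reflects the situation described above (port 443, but only BF-CBC), the second shows what "AES over 443" looks like in practice. It assumes the service is OpenVPN-based, which the post does not state, and that the server supports OpenVPN 2.4 cipher negotiation.

```conf
# Added example, not the provider's own configuration. Two separate .ovpn
# profiles are shown in one block; vpn.example.net and ca.crt are placeholders.

# ---- Profile A: blends with HTTPS, but weak data-channel cipher ----
client
dev tun
proto tcp
# Port 443 is hard for an ISP to block without breaking ordinary HTTPS
remote vpn.example.net 443
# Blowfish in CBC mode: 64-bit block size, deprecated, no authenticated encryption
cipher BF-CBC
auth SHA1
ca ca.crt

# ---- Profile B: same port, modern cipher and hardened TLS control channel ----
client
dev tun
proto tcp
remote vpn.example.net 443
# AEAD cipher for the data channel (requires OpenVPN 2.4 or later)
cipher AES-256-GCM
# Only allow negotiation down to another AES-GCM variant, never to BF-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
# HMAC used for the control channel and for any non-AEAD fallback
auth SHA256
tls-version-min 1.2
# Reject a server certificate that lacks the TLS server extended key usage
remote-cert-tls server
# Pin the expected server certificate name to resist MITM by a rogue server
verify-x509-name vpn.example.net name
ca ca.crt
```

A quick way to audit an existing profile for the weak case is to search it for `cipher BF-CBC` or for a missing `ncp-ciphers` line, since a client without cipher negotiation will silently use whatever legacy default the server offers.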

For VPNs to continue making money, protecting their user base is paramount. If ISPs force these companies to close up shop, there will be no turning back.


Nefarious Laboratories now operates Heimdall, a free VPN service for journalists and individuals under threat, by invitation only. It's available for Linux and MacOS clients over port 443.

Published January 05, 2018 by Ethan F Grant