How does Kaspersky VPN work?


One of the critical aspects to consider when choosing a VPN service, alongside the price and connection quality, is provider trust. In a way, this is just like choosing a doctor or a bank: a mistake can be quite costly.

We get many questions about Kaspersky VPN Secure Connection. How does it work? Can it be trusted? Do we share any user information with government agencies? In this blog post, we’ve gathered some answers to the most popular questions.

So, what can Kaspersky VPN do for me?

It makes your connections secure. It encrypts all the outgoing traffic from all applications on your device. It covers your real IP with a virtual one so that no-one can get to know your real location. This is crucial today, as a lot of data breaches include user IPs alongside other data.

Besides security, Kaspersky VPN can make your life easier if you use geo-restricted services. For instance, you can continue using your local subscription plan while traveling. Or maybe you’d like to test a service that is not available in your area yet — VPN is at your service here.

All this functionality is available on all popular platforms, including smartphones (both Androids and iPhones).

If you want to know more about the very basics of VPN, you can do it here.

Can I access banned sites with your VPN?

No. Kaspersky VPN cannot provide you with access to websites or services that are legally prohibited in your country. We are a law-abiding company and stay away from everything illegal.

Why would I pay for a premium version of Kaspersky VPN?

There are two reasons to do it. The first one is traffic limitation in the free version: you only get to have 200 megabytes of your data encrypted daily. In the premium, it’s unlimited, and this is important if you use VPN regularly or download heavy files.

The second advantage of the premium version is the possibility to actually choose which geographical region you’d like to connect to. In the free version, it’s assigned for you by the program. Choosing your server means choosing your virtual location, how it’s seen on the internet.

Is choosing your server really so important?

All the servers Kaspersky VPN has to offer are equally secure and reliable. However, the connection speed may differ, and some geo-restricted resources might be unavailable for the user.

Are there any differences between how your VPN works on different platforms?

The core functionality is the same across all platforms and devices. You might notice some differences in UX, though. But that’s it.

Let’s get deeper. How exactly does your VPN work?

VPN Secure Connection monitors potentially risky situations where encryption could be necessary — such as when a user connects to an insecure Wi-Fi network or opens a sensitive website. By default, the application offers to switch on encryption in these cases.

The user then chooses which location to connect to, before being given the VPN server IP address. Anyone who tries to record or identify the user’s IP address will instead receive the IP address of the VPN server. By default, the application (not the traffic encryption itself) is automatically launched when the device starts.

Product servers available for users of VPN Secure Connection are located in different countries around the world. At the moment, these locations include the USA, the UK, Canada, Czech Republic, Germany, Denmark, Spain, France, China, Ireland, Netherlands, Russia, Sweden, Turkey, Ukraine, Mexico, Singapore, and Japan. These servers are hosted by our partner, the software company AnchorFree, headquartered in Redwood City, California, USA.

Who are AnchorFree?

It’s one of the oldest VPN providers in the modern world. And one of the most trusted ones.

Is your relationship with AnchorFree water-tight?

According to our agreement, AnchorFree is not allowed to make any changes to the software or hosted infrastructure without Kaspersky’s written consent. We have also recently signed an additional special data processing agreement to adhere to GDPR compliance. This document defines our roles (who is the data controller, who is the data processor), what information is processed and who has responsibility for it.

Furthermore, we also held an audit of the AnchorFree infrastructure to make sure everything was up to the highest standard. Part of the process also involves monitoring the quality of AnchorFree services to ensure SLAs (Service Level Agreements) are met and maintained, which also includes that of third-party intervention.

How exactly does encryption work?

Kaspersky VPN Secure Connection creates a secure tunnel between the user’s computer and the chosen server. All the data in this tunnel is encrypted, so only the user knows what’s really inside. Even if someone tries to seize what the user is sending and receiving, they will only see some incomprehensible information.

To ensure users’ privacy and secure their data, Kaspersky uses one of the most popular and widely adopted symmetric encryption algorithms encountered today: Advanced Encryption Standard (AES). This is a cryptographic algorithm used to protect electronic data, against which a successful brute-force attack is impossible to carry out.

In short, several keys are used in the process. The server has a private key, and clients get public keys from the server certificate. Using them, an algorithm generates a session key, which is applied for subsequent traffic encryption. Here, one more layer of security is implemented.

When generating a session key, Kaspersky Secure Connection uses algorithms that support Perfect Forward Secrecy. It is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised — even if the private key of the certificate is. And if the private key of the server was compromised or stolen, the old sessions can’t be decrypted.
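The following Go sketch is an added example, not Kaspersky's or AnchorFree's code. It models a key agreement with Perfect Forward Secrecy followed by AES encryption of the traffic. The page names only AES and PFS, so X25519, Ed25519, SHA-256 as the key derivation step, and the function names `handshake` and `demo` are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// handshake models one connection: the server signs a fresh X25519 key share
// with its long-term certificate key and the client verifies the signature.
func handshake(cert ed25519.PrivateKey) ([]byte, error) {
	srv := must(ecdh.X25519().GenerateKey(rand.Reader)) // discarded after use
	cli := must(ecdh.X25519().GenerateKey(rand.Reader))
	share := srv.PublicKey().Bytes()
	sig := ed25519.Sign(cert, share)
	if !ed25519.Verify(cert.Public().(ed25519.PublicKey), share, sig) {
		return nil, fmt.Errorf("key share not signed by certificate key")
	}
	// The AES-256 key depends only on the ephemeral secret (simplified KDF).
	key := sha256.Sum256(must(cli.ECDH(srv.PublicKey())))
	return key[:], nil
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// demo records session 1 traffic, then tries the session 1 and session 2 keys.
func demo() (ownKeyOpens, laterKeyOpens bool) {
	_, cert, _ := ed25519.GenerateKey(rand.Reader) // constructed long-term key
	k1, _ := handshake(cert)
	k2, _ := handshake(cert)
	nonce := make([]byte, gcm(k1).NonceSize())
	must(rand.Read(nonce))
	recorded := gcm(k1).Seal(nil, nonce, []byte("session 1 traffic"), nil)
	_, e1 := gcm(k1).Open(nil, nonce, recorded, nil)
	_, e2 := gcm(k2).Open(nil, nonce, recorded, nil)
	return e1 == nil, e2 == nil
}

func main() { fmt.Println(demo()) }
```

The certificate key is used only to sign the key share, so holding it later gives no input from which the session 1 key could be rebuilt once the ephemeral keys are gone.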

What if someone tries to mimic the server?

We check the authenticity of the servers to protect users. This means that no one can pretend to be the Kaspersky VPN Secure Connection or AnchorFree infrastructure, or attempt to read or decrypt user traffic. The product validates the server’s certificate chain as follows:

  1. When the user connects to the Kaspersky VPN Secure Connection, the product checks that the server certificate matches the one from its code.
  2. Once authenticity of the product server is validated, we retrieve information about the AnchorFree server certificate.
  3. When the product connects to the AnchorFree server, we check that the certificate matches the one from the previous step. After this, we check the server authenticity.
  4. Finally, we check the authenticity of the AnchorFree VPN server.
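The two-stage check in the list above can be modelled with certificate pinning, shown here as an added Go example that is not the product's own code. The byte strings standing in for certificates are constructed, and the names `pinned`, `connect`, and `builtInPin` are hypothetical. Pinning the SHA-256 of the whole leaf certificate is an assumption about how "matches the one from its code" is implemented.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// Constructed stand-ins for DER-encoded certificates (not real certificates).
var (
	productCert = []byte("constructed DER: product server")
	vpnCert     = []byte("constructed DER: VPN server")
	builtInPin  = sha256.Sum256(productCert) // step 1: pin shipped in the client
)

// pinned returns a TLS client config that accepts a server only if the SHA-256
// of its leaf certificate equals pin, on top of normal chain validation.
func pinned(pin [32]byte) *tls.Config {
	return &tls.Config{
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("no certificate presented")
			}
			got := sha256.Sum256(raw[0])
			if subtle.ConstantTimeCompare(got[:], pin[:]) != 1 {
				return fmt.Errorf("leaf certificate %x does not match pin", got[:4])
			}
			return nil
		},
	}
}

// connect walks the chain: pin the product server, take the VPN server's
// fingerprint from it (step 2, modelled as a local value), then pin that.
func connect(productLeaf, vpnLeaf []byte) error {
	if err := pinned(builtInPin).VerifyPeerCertificate([][]byte{productLeaf}, nil); err != nil {
		return fmt.Errorf("product server: %w", err)
	}
	vpnPin := sha256.Sum256(vpnCert) // only trusted because step 1 succeeded
	if err := pinned(vpnPin).VerifyPeerCertificate([][]byte{vpnLeaf}, nil); err != nil {
		return fmt.Errorf("VPN server: %w", err)
	}
	return nil
}

func main() { fmt.Println(connect(productCert, []byte("impostor"))) }
```

In a real client the config from `pinned` is passed to `tls.Dial`, and `crypto/tls` does not invoke `VerifyPeerCertificate` on resumed connections.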

What information does the service know about me? Do you share any of it with the government?

The Kaspersky VPN Secure Connection service does not store data about users’ online activity. When in use, Kaspersky Secure Connection only collects information that is crucial for the correct functioning of the software. Mostly this comes down to the device used, subscription details, and wireless network specifications. This may differ a bit for various platforms and regions. You can find the full list in the Kaspersky Secure Connection EULA.

In turn, AnchorFree does not store any information that identifies what the user browses, views, or does online via that VPN connection. Our partner employs a range of administrative, organizational, technical, and physical safeguards designed to protect your data against unauthorized access, loss, or modification. The only situation when a user can technically be identified is when they choose to communicate with the company (such as via chat or email) over a VPN connection and have chosen to reveal themselves to AnchorFree.

AnchorFree upholds a minimal logging policy, and therefore does not have enough data to share with law enforcement and government agencies that make requests for information about what users get up to through a VPN connection. In case the information has to be provided, the government can see only when the user enables a VPN. But they do not know what the user is doing: they would be able to see that the user is connected to the VPN server but nothing more.

But you do cooperate with government agencies upon request, right?

We only block access to websites that special government structures have deemed illegal in your country. And we do not provide user information to them.

Let us describe the interaction process in detail.

The site or other resource gets blocked after the blocking procedure, organized by special government departments (like Fedpol in Switzerland or Bundeskriminalamt in Germany). If the site was deemed prohibited, it will be blocked over time. It is important to note that this procedure does not affect the privacy of the user who enabled the VPN.

However, the blocking procedure depends on the specific country and its legislation. For example, in Russia, all prohibited websites are stored in the special department database, and Kaspersky periodically checks the list of prohibited sites stored in it. We then pass the list of prohibited sites to the AnchorFree infrastructure, which checks the destination address against that list.

If an address is blocked, for HTTP (HyperText Transfer Protocol) we redirect the user to a special Kaspersky Secure Connection page, which shows a warning; for websites with HTTPS (HyperText Transfer Protocol Secure) the VPN server just does not connect to them.

To check whether the Kaspersky Secure Connection blocks a prohibited site and adheres to local regulations, supervisory authorities use our service as a typical consumer would. That means they don’t have any rights to view other users’ data. As an ordinary user, they would just turn the application on and check whether the restricted sites are blocked or not. After that procedure, they can provide comments regarding policy compliance.

User privacy and protection of personal data are the main principles of our work. We are committed to developing software that satisfies our users’ needs in protecting data from prying eyes. Whether they are banking, shopping, video streaming, socializing or dating online, we use modern data protection standards to secure data. Therefore, all data sent and received is transferred via an encrypted, secure channel with location and IP address remaining confidential.