Microsoft Edge: Tumult over VPN function
Currently, a report is circulating: Microsoft Edge Secure Network is not a VPN at all. However, it does what was announced.
Reports are currently piling up that the “Microsoft Edge Secure Network” function is not a VPN at all. It only provides the function for the browser and not for the entire system. Furthermore, not all traffic is tunneled. However, Microsoft never promised that.
The current outcry stems from a post on X by a young IT security researcher named Sooraj Sathyanarayanan. He writes: “I did a thorough security analysis of Microsoft Edge's 'Secure Network VPN'.” However, the official name is “Microsoft Edge Secure Network” (somewhat awkwardly translated into German as “sichere Microsoft Edge-Netzwerk”). The description in the browser settings under “Privacy, search, and services” – “Use Microsoft Edge Secure Network” actually reads “integrated VPN that protects you from online trackers. You get 5 GB of free VPN per month.” A bit more detail can be read by clicking on the question mark next to the function: “Secure Network is an integrated VPN that helps you secure your network connections against online hackers, protect you from online trackers, and keep your location private. You get 5 GB of free secure network data each month when you sign in to Edge with your Microsoft account.”
Tunnel for clear text connections in the browser
Sathyanarayanan explains that Edge Secure Network is not a VPN. It is an “HTTP CONNECT” proxy that relies on Cloudflare's privacy proxy platform. Only traffic from the Edge browser is tunneled. Other system traffic, such as DNS requests, email clients, background services and operating system updates, in short everything outside of Edge, remains visible. Worse still: by default, the “optimized” setting is pre-selected, which only intervenes on public Wi-Fi or when visiting unencrypted HTTP pages. In the home network, the VPN does nothing when visiting HTTPS pages, unless you change the settings to “All pages.” “Most users will never do this, meaning most users are getting zero protection most of the time,” the IT researcher explains. Another problem is that the traffic continues without encryption if the connection to Cloudflare servers fails, without users being warned.
Furthermore, you have to log in with a Microsoft account. This links your identity to VPN usage. As long as an account is logged in, it synchronizes most data, history, passwords, favorites, form data, extensions, and open tabs across all Edge instances. Therefore, Edge Secure Network requires the full disclosure of user identities. Additionally, Cloudflare handles the routing. The company deletes diagnostic and support data every 25 hours. Microsoft claims that Cloudflare never sees the account identity, and Cloudflare states that it does not inspect the traffic. Users have to trust these companies here, as they cannot perform independent verification and the codebase is closed source.
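The HTTP CONNECT tunneling and the unwarned fallback described above can be reproduced on localhost. This is an added example, not code from Microsoft, Cloudflare or the researcher: the toy proxy, the stand-in site and all function names are assumptions, and `fail_closed` is a hypothetical switch that shows the alternative to falling back silently.

```python
import socket, threading

SEEN_BY_PROXY = []   # what the toy proxy learns about each tunnel: host:port only

def read_all(sock):
    return b"".join(iter(lambda: sock.recv(4096), b""))

def serve(handler):
    """Run handler(conn) per connection on a fresh localhost port; return (host, port)."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def origin(conn):   # constructed stand-in for a plain-HTTP site
    with conn:
        conn.recv(4096)
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello")   # constructed response

def proxy(conn):
    """Toy CONNECT proxy: log the target, confirm, relay one request and its response."""
    with conn:
        target = conn.recv(4096).split(b" ")[1].decode()   # "CONNECT host:port HTTP/1.1"
        SEEN_BY_PROXY.append(target)
        host, port = target.rsplit(":", 1)
        with socket.create_connection((host, int(port))) as up:
            conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
            up.sendall(conn.recv(4096))
            conn.sendall(read_all(up))

def fetch(proxy_addr, target, fail_closed):
    """Return (route, response). If the tunnel cannot be built: refuse, or fall back."""
    s = None
    try:
        s = socket.create_connection(proxy_addr, timeout=2)
        s.sendall("CONNECT {0}:{1} HTTP/1.1\r\nHost: {0}:{1}\r\n\r\n".format(*target).encode())
        if not s.recv(4096).startswith(b"HTTP/1.1 200"):
            raise ConnectionError("proxy refused CONNECT")
        route = "tunnel"
    except OSError:
        if s:
            s.close()
        if fail_closed:
            raise ConnectionError("tunnel unavailable, refusing to send directly")
        s, route = socket.create_connection(target, timeout=2), "direct"   # silent fallback
    with s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        return route, read_all(s)
```

With `web, px = serve(origin), serve(proxy)`, `fetch(px, web, True)` returns the route `"tunnel"`. Against a proxy that cannot build the tunnel, `fail_closed=False` still returns the page over the route `"direct"`, and the caller only notices if it inspects the route.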
Microsoft's Offer
The observations are correct. However, Microsoft does not claim that it is a full-fledged VPN. Already at the introduction in a preview version of Microsoft Edge in April 2022, the benefit of the quasi-VPN in the web browser was clear: “The data traffic is no longer interceptable, even for connections that are not SSL-secured. Furthermore, the tunnel obscures your IP address, making tracking more difficult. The tunnel is established via the CDN and internet security provider Cloudflare.”
On the linked website for “Microsoft Edge Secure Network,” the company also explains the default setting that, to limit traffic, only insecure connections are routed through the VPN tunnels. “To conserve your allocated VPN data bandwidth, content streaming sites such as Netflix, Hulu, HBO, and more won't be routed through the Secure Network VPN service unless you choose to run the VPN for all sites,” Microsoft writes there.
Exaggerated Excitement
The excitement surrounding the Microsoft Edge function therefore appears exaggerated. Interested parties must first find and activate the function. Whether its description then leads to the expectation that all device traffic will be routed through a VPN tunnel is at least questionable. One presumably also expects this from other web browsers with integrated VPN functionality. Furthermore, Microsoft is open about the fact that users must be logged in and that Cloudflare provides the service.
(dmk)