Some VPN services offer SOCKS5 proxies. Proton VPN doesn’t, and we never will. In this article, we explain why.
What is a proxy?
A proxy is a server that sits between your device and the internet. This means your internet traffic passes through the proxy server and any website you connect to will only see that server’s IP address and physical location.
VPN servers, like the ones run by Proton VPN, are a special kind of proxy server.
What is a SOCKS5 proxy?
SOCKS5 is the latest version of SOCKS, a simple proxy protocol originally specified in 1996.
It’s a useful protocol for forwarding all kinds of internet traffic, including File Transfer Protocol (FTP), POP3 and SMTP (used for sending and receiving emails), Internet Relay Chat (IRC), and BitTorrent.
Why Proton VPN does not support SOCKS5 (and never will)
SOCKS5 does not encrypt your data, so anyone who can intercept your traffic (for example, using a man-in-the-middle attack) can access it.
This is in sharp contrast to a VPN, where all your device’s internet traffic is routed to the VPN server through a secure encrypted VPN tunnel. Proton VPN’s VPN tunnel is secured using only the most proven and robust VPN protocols.
For example, Proton VPN secures OpenVPN connections using AES-256, with RSA-4096 to ensure secure TLS key exchange, and HMAC SHA-384 hash authentication to verify the TLS certificates. Data transfer during a session is secured using AES-GCM, and our encryption suite includes a Diffie-Hellman key exchange (DHE) to provide forward secrecy.
WireGuard connections are secured using an amalgam of proven state-of-the-art cryptographic primitives, including the ChaCha20 symmetric key cipher, Poly1305 MAC authentication, a Curve25519 Diffie-Hellman key exchange, and more.
SOCKS5 provides none of these security protections, making it fundamentally insecure. For this reason, Proton VPN does not offer SOCKS5 connections and never will.
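To make the lack of encryption concrete, the following added example (not Proton VPN's code) decodes the client-to-proxy bytes of a SOCKS5 session using the message layout from RFC 1928. The sample capture, host names, and function name are constructed for illustration, and the sketch assumes the no-authentication method, so no RFC 1929 username/password exchange appears in the stream.

```python
import ipaddress
import struct

CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}

def observe_socks5_client_stream(data: bytes) -> dict:
    """Decode client-to-proxy bytes as a passive observer would (RFC 1928 layout)."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated SOCKS5 stream")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    # Greeting: VER, NMETHODS, then NMETHODS method bytes.
    ver, nmethods = take(2)
    if ver != 5:
        raise ValueError("not a SOCKS5 greeting")
    methods = list(take(nmethods))
    # Request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT (assumes no-auth was chosen).
    ver, cmd, _rsv, atyp = take(4)
    if ver != 5:
        raise ValueError("not a SOCKS5 request")
    if atyp == 0x01:    # IPv4 address
        host = str(ipaddress.IPv4Address(take(4)))
    elif atyp == 0x03:  # length-prefixed domain name
        host = take(take(1)[0]).decode("ascii", "replace")
    elif atyp == 0x04:  # IPv6 address
        host = str(ipaddress.IPv6Address(take(16)))
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", take(2))
    # Everything after the request is the application's own bytes, unmodified.
    return {"methods": methods, "command": CMD_NAMES.get(cmd, cmd),
            "host": host, "port": port, "payload": data[pos:]}

# Constructed capture: no-auth greeting, CONNECT to an SMTP host, first SMTP line.
DEST = b"mail.example.test"
SAMPLE = (b"\x05\x01\x00"
          + b"\x05\x01\x00\x03" + bytes([len(DEST)]) + DEST + struct.pack("!H", 25)
          + b"EHLO client.example.test\r\n")

if __name__ == "__main__":
    print(observe_socks5_client_stream(SAMPLE))
```

The destination host, port, and the application data that follows are all recovered without any key material, because SOCKS5 only frames the connection request and then relays bytes as they are.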
What about HTTPS?
HTTPS connections routed through a SOCKS5 proxy are still protected by HTTPS, but HTTPS does not provide the same level of protection as a VPN does. For example, while the actual content of the communication is encrypted, nothing else is. Information such as the Server Name Indication (SNI), destination address, and are left exposed by HTTPS.
In addition to this, Certificate Authorities (CAs) can be (and have been) pressured by governments to issue HTTPS certificates to dubious websites, or hacked by criminals to issue fake certificates.
Research also shows that in a highly targeted attack, it is possible to use HTTPS traffic analysis to uncover the individual web pages a target visits on HTTPS-secured websites.