Securing a VPN (Virtual Private Network)

Shorty
Posts: 231
Joined: Sat Feb 23, 2019 3:54 pm

Re: Securing a VPN (Virtual Private Network)

Post by Shorty »

Phone network is a much better idea for OP than public wifi based on service provider trustworthiness. VPN adds privacy and security, but probably not necessary given OP stated requirements and concerns.

Ignore *Hawkeye*. Why make such assertive claims when you don’t understand the subject matter? Your advice is dangerous. There are numerous additional risk factors that would concern OP by connecting to a public wifi network including eavesdropping, man in the middle attacks and session hacking. Direct attacks from the local wifi network are also possible.

Hawkeye’s proposal is like running around a COVID party naked then donning a mask to link up with your known vaccinated friend - you were probably exposed by some other shady characters at the party. VPN is more like calling that friend on the phone.
HawkeyePierce wrote: Sun Jun 13, 2021 10:52 am This is simply untrue. Adding a VPN, Brave or Tor to any of that adds no additional security. A public wifi network is made safe simply through HTTPS, which the vast majority of websites use.
Shorty
Posts: 231
Joined: Sat Feb 23, 2019 3:54 pm

Re: Securing a VPN (Virtual Private Network)

Post by Shorty »

@ozone. Makes sense on owned home wifi (trusted network). OP was asking about public (untrusted) connections. Best advice, don’t use them. Next best, use a VPN.
Ozonewanderer wrote: Sun Jun 13, 2021 9:50 pm I read the same AARP article and actually subscribed to a VPN after reading this thread. Then I noticed this from Norton:
Do you need a VPN if you’re logging onto the internet from your home?

Probably not. When you established your home Wi-Fi network, it is likely that you protected your network with a password. Because of that, you may not need the added security of a VPN to shield your online activity.
Fortunately there was a 30-day trial period for my VPN so I have requested to cancel.
HawkeyePierce
Posts: 2352
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Securing a VPN (Virtual Private Network)

Post by HawkeyePierce »

Shorty wrote: Sun Jun 13, 2021 10:49 pm Phone network is a much better idea for OP than public wifi based on service provider trustworthiness. VPN adds privacy and security, but probably not necessary given OP stated requirements and concerns.

Ignore *Hawkeye*. Why make such assertive claims when you don’t understand the subject matter? Your advice is dangerous. There are numerous additional risk factors that would concern OP by connecting to a public wifi network including eavesdropping, man in the middle attacks and session hacking. Direct attacks from the local wifi network are also possible.

Hawkeye’s proposal is like running around a COVID party naked then donning a mask to link up with your known vaccinated friend - you were probably exposed by some other shady characters at the party. VPN is more like calling that friend on the phone.
HawkeyePierce wrote: Sun Jun 13, 2021 10:52 am This is simply untrue. Adding a VPN, Brave or Tor to any of that adds no additional security. A public wifi network is made safe simply through HTTPS, which the vast majority of websites use.
:oops:

Feel free to waste money on a VPN and trust someone you've never heard of rather than the HTTPS support built into your browser.

HTTPS protects against eavesdropping, MITM and session hijacking attacks. A VPN adds literally zero protection against those attacks while forcing you to trust a third party instead. VPN providers are among the least trustworthy actors in the IT security space.

Eavesdropping: you can't eavesdrop on an encrypted connection.

MITM: Requires forging a certificate, which will throw up all sorts of warnings from your browser.

Session hijacking: requires reading an unencrypted session ID from a cookie. Solved by HTTPS.

VPNs are a kludge at best and I look forward to their demise. Both for individual and corporate use they are at-best a lazy alternative to proper access control mechanisms and at-worst a giant pile of their own security problems.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Securing a VPN (Virtual Private Network)

Post by Gadget »

HawkeyePierce wrote: Mon Jun 14, 2021 9:11 am
Shorty wrote: Sun Jun 13, 2021 10:49 pm Phone network is a much better idea for OP than public wifi based on service provider trustworthiness. VPN adds privacy and security, but probably not necessary given OP stated requirements and concerns.

Ignore *Hawkeye*. Why make such assertive claims when you don’t understand the subject matter? Your advice is dangerous. There are numerous additional risk factors that would concern OP by connecting to a public wifi network including eavesdropping, man in the middle attacks and session hacking. Direct attacks from the local wifi network are also possible.

Hawkeye’s proposal is like running around a COVID party naked then donning a mask to link up with your known vaccinated friend - you were probably exposed by some other shady characters at the party. VPN is more like calling that friend on the phone.
HawkeyePierce wrote: Sun Jun 13, 2021 10:52 am This is simply untrue. Adding a VPN, Brave or Tor to any of that adds no additional security. A public wifi network is made safe simply through HTTPS, which the vast majority of websites use.
:oops:

Feel free to waste money on a VPN and trust someone you've never heard of rather than the HTTPS support built into your browser.

HTTPS protects against eavesdropping, MITM and session hijacking attacks. A VPN adds literally zero protection against those attacks while forcing you to trust a third party instead. VPN providers are among the least trustworthy actors in the IT security space.

Eavesdropping: you can't eavesdrop on an encrypted connection.

MITM: Requires forging a certificate, which will throw up all sorts of warnings from your browser.

Session hijacking: requires reading an unencrypted session ID from a cookie. Solved by HTTPS.

VPNs are a kludge at best and I look forward to their demise. Both for individual and corporate use they are at-best a lazy alternative to proper access control mechanisms and at-worst a giant pile of their own security problems.
I feel like I need to +1 HawkeyePierce's post. I don't think most people using a VPN understand the actual legitimate attack vectors and complexities to pull them off.

I foresee a day when we all laugh that half of all VPNs were actually set up by world governments to spy on people. Kind of like the "secure" messaging app created by the FBI called "ANOM" to spy on people doing illegal things.
HawkeyePierce
Posts: 2352
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Securing a VPN (Virtual Private Network)

Post by HawkeyePierce »

Gadget wrote: Mon Jun 14, 2021 2:47 pm
HawkeyePierce wrote: Mon Jun 14, 2021 9:11 am
Shorty wrote: Sun Jun 13, 2021 10:49 pm Phone network is a much better idea for OP than public wifi based on service provider trustworthiness. VPN adds privacy and security, but probably not necessary given OP stated requirements and concerns.

Ignore *Hawkeye*. Why make such assertive claims when you don’t understand the subject matter? Your advice is dangerous. There are numerous additional risk factors that would concern OP by connecting to a public wifi network including eavesdropping, man in the middle attacks and session hacking. Direct attacks from the local wifi network are also possible.

Hawkeye’s proposal is like running around a COVID party naked then donning a mask to link up with your known vaccinated friend - you were probably exposed by some other shady characters at the party. VPN is more like calling that friend on the phone.
HawkeyePierce wrote: Sun Jun 13, 2021 10:52 am This is simply untrue. Adding a VPN, Brave or Tor to any of that adds no additional security. A public wifi network is made safe simply through HTTPS, which the vast majority of websites use.
:oops:

Feel free to waste money on a VPN and trust someone you've never heard of rather than the HTTPS support built into your browser.

HTTPS protects against eavesdropping, MITM and session hijacking attacks. A VPN adds literally zero protection against those attacks while forcing you to trust a third party instead. VPN providers are among the least trustworthy actors in the IT security space.

Eavesdropping: you can't eavesdrop on an encrypted connection.

MITM: Requires forging a certificate, which will throw up all sorts of warnings from your browser.

Session hijacking: requires reading an unencrypted session ID from a cookie. Solved by HTTPS.

VPNs are a kludge at best and I look forward to their demise. Both for individual and corporate use they are at-best a lazy alternative to proper access control mechanisms and at-worst a giant pile of their own security problems.
I feel like I need to +1 HawkeyePierce's post. I don't think most people using a VPN understand the actual legitimate attack vectors and complexities to pull them off.

I foresee a day when we all laugh that half of all VPNs were actually set up by world governments to spy on people. Kind of like the "secure" messaging app created by the FBI called "ANOM" to spy on people doing illegal things.
I would not be surprised to learn that at least some VPN services are run by—or compromised by—various three-letter agencies.

Even more likely, many VPN providers which claimed not to log your data turned out to be lying:

https://www.theregister.com/2020/07/17/ ... _database/
Shorty
Posts: 231
Joined: Sat Feb 23, 2019 3:54 pm

Re: Securing a VPN (Virtual Private Network)

Post by Shorty »

Great points - but you’re (mostly correctly) arguing geekery to the point of a take-away that seriously misses the mark for OP's request and leads to dangerous advice. Why would you claim that VPN, Brave (privacy browser) or TOR (anonymizer network) add no additional security over “HTTPS”? You’re clearly technical minded and know better. I challenge you to ask your cybersecurity folks about that assertion. Those 3 have different purposes, sharing many of the same underlying technologies and principles as “https”. Also, I strongly disagree with your use of “rather than” instead of “in addition to”. The VPN is purely additive as an encapsulation layer. OP is clearly a non-technical user, likely a senior citizen, worried about risk when connecting to a threatening environment (untrusted wifi in airports and hotels, of all places). “Https” (TLS 1.3 and 1.2) offers a secure communication channel with strong features, similar to modern VPN implementations, but this is not the main risk issue for the scenario.

The problem with this advice is that we’re implicitly endorsing OP to connect to an unsafe network to conduct his business. Would you do this at Black Hat? OP's device is fully exposed within that wireless network. He may be connecting to a malicious wireless access point or any local threat actors. Clearly risk is decreased by a knowledgeable user who follows best practices (updated/patched system, looks for browser cues, doesn’t execute code, suspicious of OS privilege escalation requests, etc.). Our novice user could be sitting in a minefield. Think some punk kid on Kali Linux at the coffee shop attacking his device directly. Or malware spreading from other infected devices. Also, your confidence in “https” mitigation for session hijacking may or may not be applicable on the same wireless network segment. Access to all the OSI layers provides the attacker options like MAC spoofing and ARP/DNS poisoning - perhaps hijacking the session with the TCP sequence instead of using cookies. At best it’s a simpler problem set working “inside the router”. VPN provides that logical layer 3 boundary, hopefully with a firewall and endpoint protection. Also, from a privacy perspective, all of the flow data (headers) is necessarily being broadcast in the clear on the Wifi network, regardless of payload encryption. A local eavesdropper can see the outside headers - VPN or TLS. With a VPN you see the VPN provider that you’re connected to and all the https traffic is encapsulated. With “https” it’s the party that you’re connected to, when, for how long, and how much data. The VPN relocates that capability from anyone on the local wifi network to the VPN provider (who may be untrustworthy, but presumably less so than attackers operating at airports or hotels).

Best case for our user is not connecting to untrusted public wifi. You always have someone implicitly trusted for the above (inside your first route step). Normally, that’s your ISP. That’s why I recommended using a phone hotspot, which was previously mentioned. Much better start, then use “https” from there. But if the user is going to connect to public wifi, there’s a strong argument that they’re significantly better protected with a VPN service.

To your points - I am equally suspicious of VPN providers. You’ll note the earlier discussion on “free” VPN providers to save a small amount of $$. In my estimate, a conservative assumption is that they’re logging all traffic but probably not exposing you to malware or direct attack. They probably have strong firewalls and security stack to protect themselves from you. So it’s an issue of privacy, which, ironically is what people think they’re getting. However, with a little research there are certainly better and worse options - which relate to reputation and trustworthiness more than technology. OP presumably trusts AARP to some extent based on his asking about their paid service offering. This thread has a lot of advice about that.

Also, I agree with your sentiment about VPNs, particularly with what they are often thought to provide and do not. For example, proper “identity, credential, and access control” systems and the move to Zero Trust get after many actual challenges. VPNs often just provide a secure connection between insecure environments with a false sense of security “because you’re using a VPN”.

All that said, consider OP and this thread. A non-technical user who is concerned about connecting to untrusted, public wifi connections (airport and hotels). A VPN is the best simple tool that I can think of. What better options are available? Trust “https” comes across to me as “connect to the network” and go about your business, which is a terrible idea for him. All this to save OP from “wasting” $30-100/year when he’s concerned about cybersecurity risk?
bhwabeck3533 wrote: Thu Jun 10, 2021 3:15 pm AARP is recommending the use of a VPN to avoid Airport and Hotel Wi-Fi hacks. Seems like a smart idea and relatively inexpensive (they quote $30 to $100 per year).

Two questions:
1. What are your experiences with a VPN services?
2. Where do I apply for one/which are the best?

Thanks.
HawkeyePierce wrote: Mon Jun 14, 2021 9:11 am
:oops:

Feel free to waste money on a VPN and trust someone you've never heard of rather than the HTTPS support built into your browser.

HTTPS protects against eavesdropping, MITM and session hijacking attacks. A VPN adds literally zero protection against those attacks while forcing you to trust a third party instead. VPN providers are among the least trustworthy actors in the IT security space.

Eavesdropping: you can't eavesdrop on an encrypted connection.

MITM: Requires forging a certificate, which will throw up all sorts of warnings from your browser.

Session hijacking: requires reading an unencrypted session ID from a cookie. Solved by HTTPS.

VPNs are a kludge at best and I look forward to their demise. Both for individual and corporate use they are at-best a lazy alternative to proper access control mechanisms and at-worst a giant pile of their own security problems.
Last edited by Shorty on Tue Jun 15, 2021 4:25 am, edited 19 times in total.
Shorty
Posts: 231
Joined: Sat Feb 23, 2019 3:54 pm

Re: Securing a VPN (Virtual Private Network)

Post by Shorty »

Don’t get razzle-dazzled. You don’t need to understand the intricacies of a condom for it to work. Or a lock.
Gadget wrote: Mon Jun 14, 2021 2:47 pm I feel like I need to +1 HawkeyePierce's post. I don't think most people using a VPN understand the actual legitimate attack vectors and complexities to pull them off.
Yep, you’re probably right. But OP was asking about mitigating risk when connecting to free public wifi (hotels and airports). Not the end-all solution to his digital privacy.
Gadget wrote: Mon Jun 14, 2021 2:47 pm I foresee a day when we all laugh that half of all VPNs were actually setup by world governments to spy on people. Kind of like the "secure" messaging app created by the FBI called "ANOM" to spy on people doing illegal things.
Topic Author
bhwabeck3533
Posts: 462
Joined: Thu Sep 21, 2017 6:25 am
Location: Baldwin County, AL

Re: Securing a VPN (Virtual Private Network)

Post by bhwabeck3533 »

Shorty wrote: Tue Jun 15, 2021 3:22 am OP is clearly a non-technical user, likely senior citizen, worried about risk when connecting to a threatening environment (untrusted wifi in airports and hotels, of all places).

The problem with this advice is that we’re implicitly endorsing OP to connect to an unsafe network to conduct his business. Would you do this at Black Hat? OP's device is fully exposed within that wireless network. He may be connecting to a malicious wireless access point or any local threat actors. Clearly risk is decreased by a knowledgeable user who follows best practices (updated/patched system, looks for browser cues, doesn’t execute code, suspicious of OS privilege escalation requests, etc.).

Best case for our user is not connecting to untrusted public wifi. You always have someone implicitly trusted for the above (inside your first route step). Normally, that’s your ISP. That’s why I recommended using a phone hotspot, which was previously mentioned. Much better start, then use “https” from there. But if the user is going to connect to public wifi, there’s a strong argument that they’re significantly better protected with a VPN service.

All that said, consider OP and this thread. A non-technical user who is concerned about connecting to untrusted, public wifi connections (airport and hotels). A VPN is the best simple tool that I can think of. What better options are available? Trust “https” comes across to me as “connect to the network” and go about your business, which is a terrible idea for him. All this to save OP from “wasting” $30-100/year when he’s concerned about cybersecurity risk?
I'm back. I'm the OP.
> I am a retired 65 year old male with an engineering degree and possess decent technical capabilities (from an IT perspective)
> My devices to be protected are my Lenovo Yoga 730 laptop running Windows 10 with Kaspersky security software and Samsung (Android) smartphone
> I always employ a Verizon hotspot while traveling to access the internet (Chrome is my primary browser, Firefox is secondary)
> My school of hard knocks includes getting hacked at a Starbucks in Lafayette, LA three years ago... an experience I intend to avoid in the future
> Had to Google "https"....Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet

I've enjoyed the banter between Shorty, Gadget, and Hawkeye (and others)... thanks, my knowledge has multiplied through your thoughtful contributions to this thread. Interestingly, I am in the same position I was at the time of the original/initial post (OIP). I was not aware the "hotspot" option which I have employed was going to be endorsed by the experts. I'd like to understand more about the "privacy" vs "security" implications of browsing the internet both from home or away from one's "secure ISP-provided portal".

PS....What is "Black Hat"?
Soon2BXProgrammer
Posts: 3289
Joined: Mon Nov 24, 2014 10:30 pm

Re: Securing a VPN (Virtual Private Network)

Post by Soon2BXProgrammer »

bhwabeck3533 wrote: Tue Jun 15, 2021 6:42 am PS....What is "Black Hat"?
Black Hat Hacker = someone who hacks stuff for fun/profit/exploitation/etc -- Console hacker for the sake of piracy. -- would look for exploits to hack and cause havoc

White Hat Hacker = someone with the same skills as a Black Hat but works typically for a company and works to probe their own defenses for the purposes of improving them. -- would look for exploits to improve their own security

Grey Hat Hacker = Someone who sometimes breaks the laws but doesn't have the malicious intent of a black hat hacker. Some people would put hackers who hack devices/consoles and want to run "homebrew" on it in this category. They argue they own their device and should be able to run Linux as an example. But due to encryption laws and the DMCA, etc, technically they are breaking the law when they figure out ways to dump keys and figure out how to use exploits to run their own code. -- would look for exploits, notify the right company, give them a chance to patch it, then announce it once the company agrees they can for fame/street cred.

(it should be noted that in my experience, 95% of white hat hackers are white hats during the day... and grey hats outside of work)
Earned 43 (and counting) credit hours of financial planning related education from a regionally accredited university, but I am not your advisor.
Shorty
Posts: 231
Joined: Sat Feb 23, 2019 3:54 pm

Re: Securing a VPN (Virtual Private Network)

Post by Shorty »

OP - welcome. Sorry, wasn't trying to be offensive. Was pointing out that your requirement was about protecting yourself when connecting to high risk networks. This is a nuanced area filled with fear, uncertainty, and doubt (FUD). It's tricky even for smart, technical people who know enough to be dangerous - think WEP designed by Engineers, not cryptographers.

Soon2BXProgrammer is correct, but I was referring to the Black Hat security conference. I should have mentioned DEFCON - the two are usually hosted in Las Vegas back to back weeks. You'd be well advised to not connect to wifi in that crowd.

"Security" traditionally referred to properties of: confidentiality, integrity, and availability (CIA) and has grown to Authentication, Authorization, and Accounting (AAA) in Cisco-land. To me, the implied topic of your question was asking to address integrity - not getting malware on your phone/computer, and integrity + confidentiality for your web traffic so snoopers can't see your business, get your password, hijack/use your account, etc. Privacy overlaps the above, but is a bit different - somewhat "up and coming" as far as I can tell.

Hawkeye correctly points out that "https" - really, I think we're talking about TLS 1.3, which provides end-to-end secure connections indicated by the browser "green lock" - has a number of strong security features to mitigate previous types of network based attacks. I'm surprised he didn't bring up "perfect forward secrecy" and "ephemeral keys" as well to prevent "replay attacks" (re-transmitting old communication) and for cases where cryptographic keys are compromised in the future for recorded traffic.

There are different VPN protocols, but conceptually they work similarly to a TLS/https "secure tunnel". The main difference is that the VPN is usually configured to pass (encapsulate) all your traffic, whereas the secure tunnel is between endpoints, such as you and your bank. Both have their uses. Hawkeye correctly points out that VPNs often get incorrectly thrown where not applicable (e.g. secure connection into an insecure network) - this is frustrating and often hard to communicate (as you may have noticed).

To your privacy question. This gets extremely nuanced, especially if you are concerned about being tracked by resourced organizations such as nation states, governments, or folks with money. The "Ad Tech" industry (including social media) developed to monetize this. It's pretty creepy if you look into it. Basically aggregation of tracking data with databases. You don't need to know what data is being passed for tracking (payload, often encrypted). Flow data is usually sufficient (who you're talking to, when, where, for how long). VPNs used as we're discussing flow all your traffic through them. So your ISP only sees the VPN, but the VPN provider gets all the traffic before routing it. They can't see "inside" the https communication, but they get more than enough for tracking purposes. This is why you might be suspicious of "free" VPN services. You are the product. Combine this with cookies, profiles, tracking accounts, and other data - including what sites might track, browser plugins, etc, and you get a pretty complete picture of what's going on. Add smart phones to the mix and you might get: accurate location data, call and text records, purchase history, etc, etc. Privacy browsers (like Brave) attempt to mitigate adware running on sites, clean cookies, separate things, etc.

You might also be suspicious of Kaspersky, Norton/Symantec, etc. While they provide endpoint protection, they also act as enormous sensor networks that report back to the mother ship. You're trading off who you trust. For most people, they probably provide a significant net positive in malware protection. However, consider that they get good, widespread information that could be monetized. There are huge secondary markets for that sort of thing.

I could put the "tin foil hat" on and go much farther...but hopefully you get the idea.
bhwabeck3533 wrote: Tue Jun 15, 2021 6:42 am I'm back. I'm the OP.
> I am a retired 65 year old male with an engineering degree and possess decent technical capabilities (from an IT perspective)
> My devices to be protected are my Lenovo Yoga 730 laptop running Windows 10 with Kaspersky security software and Samsung (Android) smartphone
> I always employ a Verizon hotspot while traveling to access the internet (Chrome is my primary browser, Firefox is secondary)
> My school of hard knocks includes getting hacked at a Starbucks in Lafayette, LA three years ago... an experience I intend to avoid in the future
> Had to Google "https"....Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet

I've enjoyed the banter between Shorty, Gadget, and Hawkeye (and others)... thanks, my knowledge has multiplied through your thoughtful contributions to this thread. Interestingly, I am in the same position I was at the time of the original/initial post (OIP). I was not aware the "hotspot" option which I have employed was going to be endorsed by the experts. I'd like to understand more about the "privacy" vs "security" implications of browsing the internet both from home or away from one's "secure ISP-provided portal".

PS....What is "Black Hat"?
Bogle64Pilot
Posts: 152
Joined: Fri Mar 08, 2019 11:36 am

Re: Securing a VPN (Virtual Private Network)

Post by Bogle64Pilot »

I would not use any Kaspersky product. They are a Russian state-run information operation.
cheerfulcharlie
Posts: 78
Joined: Sat Jul 27, 2019 3:22 pm

Re: Securing a VPN (Virtual Private Network)

Post by cheerfulcharlie »

Useful survey:

Which VPN Providers Really Take Privacy Seriously in 2021?
https://torrentfreak.com/best-vpn-anonymous-no-logging/
sfnerd
Posts: 348
Joined: Tue Apr 08, 2014 1:16 am

Re: Securing a VPN (Virtual Private Network)

Post by sfnerd »

VPNs provide a few simple things:

1 - Privacy: only the VPN company sees your traffic; if you trust them, good. If not, don't use them.

2 - Protection against man in the middle attacks from compromised routers on non-HTTPS traffic. This is actually a real issue if you aren't someone who understands the details of the last sentence.

3 - Location spoofing - VPNs allow you to pretend you are in different countries, states, etc. This is useful if you are outside of your home country.

For most US-based people, I would recommend just using your 4g/5g connection on your phone. This will largely cover #2, and I would trust your phone provider just as much as I trust one of the large VPN companies.

For anyone that travels a lot, or lives abroad, I recommend either ExpressVPN, PIA, Nord, etc. These are all reputable companies. The ability to VPN into your home country and to hide your traffic from local phone companies is essential.

For what it's worth, I have contacts in high places at a couple of the VPN companies above and I trust them a lot, so while mistakes can be made, these companies are pretty legit.
Shorty
Posts: 231
Joined: Sat Feb 23, 2019 3:54 pm

Re: Securing a VPN (Virtual Private Network)

Post by Shorty »

+1 to the last 3 posts! :sharebeer
sycamore
Posts: 6360
Joined: Tue May 08, 2018 12:06 pm

Re: Securing a VPN (Virtual Private Network)

Post by sycamore »

sfnerd wrote: Tue Jun 15, 2021 7:49 pm VPNs provide a few simple things:

1 - Privacy: only the VPN company sees your traffic; if you trust them, good. If not, don't use them.
Please confirm my understanding below of how the VPN works in regard to who/what "sees your traffic." I'm happy to be corrected if there's anything wrong or missing.

1. The end user has a typical computer/laptop device and wants to browse bogleheads.org.
2. The VPN connection is set up between user's device and the VPN company.
2b. To be clear, the VPN connection is not set up between user's device and bogleheads.org web server.
3. Web traffic (destined for bogleheads.org) from user's device is encrypted as it goes over the VPN connection.
4. Network devices between user and VPN company only see encrypted traffic. This is where we have some privacy so far.
5. Traffic is received by VPN company.
6. VPN company decrypts the traffic and puts the packets out on the network to be routed to bogleheads.org web servers.

Right there is where other computers/network devices (besides the VPN company and bogleheads.org) see your traffic.

If that's an accurate description of what happens, it contradicts the "only the VPN company sees your traffic". Main point being that a VPN doesn't give complete privacy between a user and the other "end". If one is concerned about complete end-to-end privacy, a VPN as described in this thread isn't going to cut it.
nordsteve
Posts: 1104
Joined: Sun Oct 05, 2008 9:23 am

Re: Securing a VPN (Virtual Private Network)

Post by nordsteve »

@sycamore, you're missing the fact that the browser uses encryption when communicating with bogleheads.org, as our great site admins have TLS enabled by default.
sycamore
Posts: 6360
Joined: Tue May 08, 2018 12:06 pm

Re: Securing a VPN (Virtual Private Network)

Post by sycamore »

nordsteve wrote: Tue Jun 15, 2021 10:53 pm @sycamore, you're missing the fact that the browser uses encryption when communicating with bogleheads.org, as our great site admins have TLS enabled by default.
Yes, that's a good thing for sure, and HTTPS is a good thing with or without a VPN.

Without a VPN at all, consider what happens on a public wifi segment: while a snooper can't see inside the HTTPS payload (they don't know which posts you're reading) they can see that IP packets are destined to bogleheads.org. Simply knowing that someone is browsing to a site means your activity is not completely private, HTTPS notwithstanding.

By contrast, with a VPN someone packet snooping the VPN traffic wouldn't see the traffic was destined for bogleheads.org, only that it was destined for the VPN server.

My previous post was focused on the claim that in regard to privacy "only the VPN company sees your traffic". I'm stuck on the fact that once a VPN server decrypts and forwards the traffic to bogleheads, the traffic can be "seen" by at least some network devices. But... is the main advantage of the VPN in the fact that even though traffic (after the VPN) can be seen, an observer won't know who the actual end user is? I.e., the outbound source IP address/TCP port number refers to the VPN server rather than the actual end user's device?

I think that may have answered my question...
killjoy2012
Posts: 1329
Joined: Wed Sep 26, 2012 5:30 pm

Re: Securing a VPN (Virtual Private Network)

Post by killjoy2012 »

I haven't read the whole thread, but if you have any IT chops, the best bet is to either set up a VPN gateway at your house or on AWS.

If the scenario is needing some level of extra security when travelling to risky places, just VPN in from the devices you're travelling with to a VPN gateway/server sitting back on your home network. Many of the higher end, pro-sumer grade Internet routers support this natively. One click on my iPhone or iPad to enable VPN routes all my traffic back to my home router via VPN.

If you can't or don't want to do that, sign up for an AWS Free Tier account and create a user data script that will launch an EC2 VM in one of the AWS regions and config it to auto build an Ubuntu OS with OpenVPN or other VPN SW. Spin it up when needed. Shut it down when done. Free, but takes some know-how.

I personally think the $1.99/month PIA, Nord, etc. services are kinda silly. Just trading one devil for another. If torrenting or doing other semi-questionable activities, then I get it.

And yes, many people responding to this thread are overlooking that many websites today use SSL/TLS via HTTPS and that network transport is encrypted. So all a VPN is going to buy you, assuming you have it set up correctly, is hiding your DNS lookups and dest IPs of sites you're hitting.
RetiredAL
Posts: 3537
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Securing a VPN (Virtual Private Network)

Post by RetiredAL »

sycamore wrote: Tue Jun 15, 2021 9:34 pm
sfnerd wrote: Tue Jun 15, 2021 7:49 pm VPNs provide a few simple things:

1 - Privacy: only the VPN company sees your traffic; if you trust them, good. If not, don't use them.
Please confirm my understanding below of how the VPN works in regard to who/what "sees your traffic." I'm happy to be corrected if there's anything wrong or missing.

1. The end user has a typical computer/laptop device and wants to browse bogleheads.org.
2. The VPN connection is set up between user's device and the VPN company.
2b. To be clear, the VPN connection is not set up between user's device and bogleheads.org web server.
3. Web traffic (destined for bogleheads.org) from user's device is encrypted as it goes over the VPN connection.
4. Network devices between user and VPN company only see encrypted traffic. This is where we have some privacy so far.
5. Traffic is received by VPN company.
6. VPN company decrypts the traffic and puts the packets out on the network to be routed to bogleheads.org web servers.

Right there is where other computers/network devices (besides the VPN company and bogleheads.org) see your traffic.

If that's an accurate description of what happens, it contradicts the "only the VPN company sees your traffic". Main point being that a VPN doesn't give complete privacy between a user and the other "end". If one is concerned about complete end-to-end privacy, a VPN as described in this thread isn't going to cut it.
Yes and no.

1. Between you and the VPN, everyone sees traffic coming from your node to the VPN server. No one on that side can see who you are actually talking to.
2. Between the VPN and your destination, BH in your case, anyone can see the VPN is talking to BH.org. No one on that side can ascertain who is talking to BH.org, as the VPN anonymizes that. No one can read your traffic between your VPN and BH.org because HTTPS has encrypted that data.
3. In your example, you have prevented your ISP and your local DNS server from knowing that you are talking to BH.org.
4. If you had no VPN, no one anywhere can read your data (HTTPS), but all along the path they can see that your node is talking to BH.org.

The question I have to ask is, why do you need to hide from the world that you are talking to BH.org? Now if you are an insurrectionist, you might want to use a VPN tunnel to keep the FBI from knowing your node is talking to an insurrection site. Short of that, most likely no one cares that you, John.Q.Public, are talking to BH.org, or Schwab, or BofA.

So in short, VPN adds some privacy, but does not add much in security. If you are worried that a gov't agency might track you, then pick a good VPN. But do remember the FBI just caught a pile of bad guys because the FBI built and ran a supposedly secure messaging service where they knew the encryption keys, thus they could read every message. If you are in a police-state country, just the fact you connected to a VPN server might attract attention towards you.

Just my 2-bits!
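The visibility picture that sycamore and RetiredAL lay out above (what an observer on the public wifi side sees versus what an observer near the site sees, with and without a VPN) can be written down as a small model. The following is an added Python illustration, not code from this thread or from any VPN product; all addresses are constructed from the RFC 5737 documentation ranges, and the VPN server and resolver addresses are hypothetical. It also captures two details the posts skip over that matter to anyone relying on HTTPS alone: the TLS ClientHello carries the site name in plaintext (SNI) unless Encrypted Client Hello is in use, so a wifi snooper learns the hostname and not just the IP; and a client that keeps using the hotspot's DNS resolver after the tunnel comes up (a "DNS leak") hands the hostname to the local network anyway, which is the "assuming you have it set up correctly" caveat.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed addresses from the RFC 5737 documentation ranges; not real hosts.
USER_IP = "192.0.2.10"            # laptop on a public wifi segment
WIFI_RESOLVER_IP = "192.0.2.1"    # the hotspot's DNS resolver (plaintext UDP/53)
VPN_SERVER_IP = "198.51.100.5"    # hypothetical VPN exit server
VPN_RESOLVER_IP = "198.51.100.53" # hypothetical resolver reached through the tunnel
SITE_IP = "203.0.113.80"          # stands in for bogleheads.org
SITE_NAME = "bogleheads.org"


@dataclass
class Packet:
    src: str
    dst: str
    hostname: Optional[str]            # site name visible in plaintext (TLS SNI or DNS query name)
    payload_encrypted: bool
    inner: Optional["Packet"] = None   # encapsulated packet when carried inside a VPN tunnel


def dns_query(resolver_ip: str) -> Packet:
    # Classic DNS carries the queried name in the clear.
    return Packet(USER_IP, resolver_ip, SITE_NAME, payload_encrypted=False)


def https_request() -> Packet:
    # TLS encrypts the HTTP request, but the ClientHello's SNI field names
    # the site in plaintext unless Encrypted Client Hello is in use.
    return Packet(USER_IP, SITE_IP, SITE_NAME, payload_encrypted=True)


def vpn_wrap(p: Packet) -> Packet:
    # The whole inner packet (headers, SNI and all) is encrypted; the only
    # thing visible outside is the outer header addressed to the VPN server.
    return Packet(p.src, VPN_SERVER_IP, None, payload_encrypted=True, inner=p)


def vpn_unwrap(p: Packet) -> Packet:
    # The VPN server decrypts and forwards; the source is now the VPN server,
    # so the far side sees the VPN talking to the site, not the user.
    inner = p.inner
    assert inner is not None
    return Packet(VPN_SERVER_IP, inner.dst, inner.hostname, inner.payload_encrypted)


def observe(p: Packet) -> Dict[str, object]:
    """What a passive observer on one segment learns from a single packet."""
    return {
        "src": p.src,
        "dst": p.dst,
        "hostname": p.hostname,                    # None when nothing names the site
        "content_readable": not p.payload_encrypted,
    }


def visibility(use_vpn: bool, dns_leak: bool = False) -> Dict[str, Dict[str, object]]:
    """Observations on the two segments of interest.

    "local" is the public wifi / ISP side (user to VPN server, or user to site
    without a VPN); "far" is the segment next to the site.  dns_leak models a
    misconfigured client that keeps resolving names through the hotspot's
    resolver instead of through the tunnel.
    """
    near: Dict[str, object] = {}
    far: Dict[str, object] = {}
    web = https_request()
    if not use_vpn:
        near["dns"] = observe(dns_query(WIFI_RESOLVER_IP))
        near["web"] = observe(web)
        far["web"] = observe(web)          # the same packet is seen end to end
        return {"local": near, "far": far}
    if dns_leak:
        near["dns"] = observe(dns_query(WIFI_RESOLVER_IP))   # name leaves in the clear after all
    else:
        near["dns"] = observe(vpn_wrap(dns_query(VPN_RESOLVER_IP)))
    tunneled = vpn_wrap(web)
    near["web"] = observe(tunneled)
    far["web"] = observe(vpn_unwrap(tunneled))
    return {"local": near, "far": far}


if __name__ == "__main__":
    for label, use_vpn in (("no VPN", False), ("VPN", True)):
        print(label, visibility(use_vpn))
    print("VPN with DNS leak", visibility(True, dns_leak=True)["local"]["dns"])
```

Reading the output side by side gives RetiredAL's four points in one place: without a VPN the wifi segment sees the user's address, the site's address and the hostname, but never the page content; with the VPN the wifi segment sees only user-to-VPN-server traffic, while the far segment sees VPN-server-to-site traffic with the hostname still in the SNI. The DNS leak case is worth checking on any real client, since it silently undoes the local-side hiding.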
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Securing a VPN (Virtual Private Network)

Post by Marseille07 »

killjoy2012 wrote: Tue Jun 15, 2021 11:20 pm I haven't read the whole thread, but if you have any IT chops, the best bet is to either set up a VPN gateway at your house or on AWS.

If the scenario is needing some level of extra security when travelling to risky places, just VPN in from the devices you're travelling with to a VPN gateway/server sitting back on your home network. Many of the higher end, pro-sumer grade Internet routers support this natively. One click on my iPhone or iPad to enable VPN routes all my traffic back to my home router via VPN.

If you can't or don't want to do that, sign up for an AWS Free Tier account and create a user data script that will launch an EC2 VM in one of the AWS regions and config it to auto build an Ubuntu OS with OpenVPN or other VPN SW. Spin it up when needed. Shut it down when done. Free, but takes some know-how.

I personally think the $1.99/month PIA, Nord, etc. services are kinda silly. Just trading one devil for another. If torrenting or doing other semi-questionable activities, then I get it.

And yes, many people responding to this thread are overlooking that many websites today use SSL/TLS via HTTPS and that network transport is encrypted. So all a VPN is going to buy you, assuming you have it set up correctly, is hiding your DNS lookups and dest IPs of sites you're hitting.
I do something similar. I have an instance running 24/7 for something else anyway. Adding a gateway is trivial.
sfnerd
Posts: 348
Joined: Tue Apr 08, 2014 1:16 am

Re: Securing a VPN (Virtual Private Network)

Post by sfnerd »

RetiredAL wrote: Wed Jun 16, 2021 12:17 am
sycamore wrote: Tue Jun 15, 2021 9:34 pm
sfnerd wrote: Tue Jun 15, 2021 7:49 pm VPNs provide a few simple things:

1 - Privacy: only the VPN company sees your traffic; if you trust them, good. If not, don't use them.
Please confirm my understanding below of how the VPN works in regard to who/what "sees your traffic." I'm happy to be corrected if there's anything wrong or missing.

1. The end user has a typical computer/laptop device and wants to browse bogleheads.org.
2. The VPN connection is set up between user's device and the VPN company.
2b. To be clear, the VPN connection is not set up between user's device and bogleheads.org web server.
3. Web traffic (destined for bogleheads.org) from user's device is encrypted as it goes over the VPN connection.
4. Network devices between user and VPN company only see encrypted traffic. This is where we have some privacy so far.
5. Traffic is received by VPN company.
6. VPN company decrypts the traffic and puts the packets out on the network to be routed to bogleheads.org web servers.

Right there is where other computers/network devices (besides the VPN company and bogleheads.org) see your traffic.

If that's an accurate description of what happens, it contradicts the "only the VPN company sees your traffic". Main point being that a VPN doesn't give complete privacy between a user and the other "end". If one is concerned about complete end-to-end privacy, a VPN as described in this thread isn't going to cut it.
Yes and no.

1. Between you and the VPN, everyone sees traffic coming from your node to the VPN server. No one on that side can see who you are actually talking to.
2. Between the VPN and your destination, BH in your case, anyone can see the VPN is talking to BH.org. No one on that side can ascertain who is talking to BH.org, as the VPN anonymizes that. No one can read your traffic between your VPN and BH.org because HTTPS has encrypted that data.
3. In your example, you have prevented your ISP and your local DNS server from knowing that you are talking to BH.org.
4. If you had no VPN, no one anywhere can read your data (HTTPS), but all along the path they can see that your node is talking to BH.org.

The question I have to ask is, why do you need to hide from the world that you are talking to BH.org? Now if you are an insurrectionist, you might want to use a VPN tunnel to keep the FBI from knowing your node is talking to an insurrection site. Short of that, most likely no one cares that you, John.Q.Public, are talking to BH.org, or Schwab, or BofA.

So in short, VPN adds some privacy, but does not add much in security. If you are worried that a gov't agency might track you, then pick a good VPN. But do remember the FBI just caught a pile of bad guys because the FBI built and ran a supposedly secure messaging service where they knew the encryption keys, thus they could read every message. If you are in a police-state country, just the fact you connected to a VPN server might attract attention towards you.

Just my 2-bits!
You're correct.

However, there are several reasons that you may want anonymity that aren't so nefarious. One is connecting to US based services that block foreign IPs. Another is connecting to sites that have been blocked for some small reason (example: here in Bangkok the Chicago Tribune is blocked).

VPNs do offer additional security as I've stated above, but for most domestic users it's probably better to use your cell network.

If you're trying to evade detection by the US government you need a lot more than a commercial VPN.
Voltaire2.0
Posts: 279
Joined: Thu Sep 26, 2019 10:12 am

Re: Securing a VPN (Virtual Private Network)

Post by Voltaire2.0 »

How about CloudFlare's "1.1.1.1" app? It's free, anonymized (yes, with a grain of salt) DNS, allegedly faster DNS and a built-in VPN.

It seems to be CloudFlare's gateway product to sell enterprise services, but as an individual that doesn't affect me.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Securing a VPN (Virtual Private Network)

Post by Gadget »

Voltaire2.0 wrote: Thu Jun 17, 2021 10:39 am How about CloudFlare's "1.1.1.1" app? It's free, anonymized (yes, with a grain of salt) DNS, allegedly faster DNS and a built-in VPN.

It seems to be CloudFlare's gateway product to sell enterprise services, but as an individual that doesn't affect me.
I'd never heard of this before. It actually looks like a cool product. I don't really care about privacy (I've been using Google DNS because it's faster than my ISP), but if it's faster than Google's I'll give it a try.
Cruise
Posts: 2750
Joined: Mon Nov 21, 2016 6:17 pm

Re: Securing a VPN (Virtual Private Network)

Post by Cruise »

Bogle64Pilot wrote: Tue Jun 15, 2021 4:17 pm I would not use any Kaspersky product. They are a Russian state-run information operation.
+1

https://www.wsj.com/articles/u-s-govern ... _permalink

https://en.wikipedia.org/wiki/Kaspersky ... nment_ties
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Securing a VPN (Virtual Private Network)

Post by Gadget »

Gadget wrote: Thu Jun 17, 2021 2:12 pm
Voltaire2.0 wrote: Thu Jun 17, 2021 10:39 am How about CloudFlare's "1.1.1.1" app? It's free, anonymized (yes, with a grain of salt) DNS, allegedly faster DNS and a built-in VPN.

It seems to be CloudFlare's gateway product to sell enterprise services, but as an individual that doesn't affect me.
I'd never heard of this before. It actually looks like a cool product. I don't really care about privacy (I've been using Google DNS because it's faster than my ISP), but if it's faster than Google's I'll give it a try.
I tried this 1.1.1.1 app and it was terrible. Wouldn't connect to multiple sites on mobile. Uninstalled after 15 minutes.
Voltaire2.0
Posts: 279
Joined: Thu Sep 26, 2019 10:12 am

Re: Securing a VPN (Virtual Private Network)

Post by Voltaire2.0 »

Gadget wrote: Fri Jun 18, 2021 11:05 am
Gadget wrote: Thu Jun 17, 2021 2:12 pm
Voltaire2.0 wrote: Thu Jun 17, 2021 10:39 am How about CloudFlare's "1.1.1.1" app? It's free, anonymized (yes, with a grain of salt) DNS, allegedly faster DNS and a built-in VPN.

It seems to be CloudFlare's gateway product to sell enterprise services, but as an individual that doesn't affect me.
I'd never heard of this before. It actually looks like a cool product. I don't really care about privacy (I've been using Google DNS because it's faster than my ISP), but if it's faster than Google's I'll give it a try.
I tried this 1.1.1.1 app and it was terrible. Wouldn't connect to multiple sites on mobile. Uninstalled after 15 minutes.
You had a settings issue, I suspect. I run it on two iOS devices using different connection protocols. Always connects (over WiFi or cell) and is fast. Anonymity...? One can only hope.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: Securing a VPN (Virtual Private Network)

Post by Gadget »

Voltaire2.0 wrote: Fri Jun 18, 2021 11:26 am
Gadget wrote: Fri Jun 18, 2021 11:05 am
Gadget wrote: Thu Jun 17, 2021 2:12 pm
Voltaire2.0 wrote: Thu Jun 17, 2021 10:39 am How about CloudFlare's "1.1.1.1" app? It's free, anonymized (yes, with a grain of salt) DNS, allegedly faster DNS and a built-in VPN.

It seems to be CloudFlare's gateway product to sell enterprise services, but as an individual that doesn't affect me.
I'd never heard of this before. It actually looks like a cool product. I don't really care about privacy (I've been using Google DNS because it's faster than my ISP), but if it's faster than Google's I'll give it a try.
I tried this 1.1.1.1 app and it was terrible. Wouldn't connect to multiple sites on mobile. Uninstalled after 15 minutes.
You had a settings issue, I suspect. I run it on two iOS devices using different connection protocols. Always connects (over WiFi or cell) and is fast. Anonymity...? One can only hope.
There are no settings to change on the app, unless I start messing with my router, which is overkill and I don't want to do. It's either 1.1.1.1 DNS lookup, or WARP which adds the VPN.

I'm on Android, and I see a lot of people in reviews for the app in the past couple months say the app got terrible after having worked for a long time. So I guess your mileage may vary. But I'm not motivated enough to try it out over Google's DNS (or Google's VPN service that comes with Google One storage) when it didn't work the first try.
Oregano
Posts: 365
Joined: Fri Nov 22, 2019 8:30 pm

Re: Securing a VPN (Virtual Private Network)

Post by Oregano »

This was a helpful discussion as I am going on vacation soon and was planning to buy a 1-month VPN plan. I tested TorGuard (with 7-day money back guarantee) this morning and the Ookla speed test shows a substantial drop in speed using the VPN. Since it appears there's not a lot of extra security since I mostly use https sites, I don't really want that speed drop so I will go without the VPN.
nordsteve
Posts: 1104
Joined: Sun Oct 05, 2008 9:23 am

Re: Securing a VPN (Virtual Private Network)

Post by nordsteve »

It’s a couple years since this thread started, but if anything the privacy issues of VPNs are becoming more visible and serious.

https://www.washingtonpost.com/technolo ... an-tiktok/
Some of the most popular VPNs have misled consumers about their practices while disguising their origins, ownership and locations, including apps based in China or controlled by Chinese nationals, according to corporate records reviewed by The Washington Post as well as interviews and researchers.
Point
Posts: 661
Joined: Mon Jul 10, 2017 9:33 pm

Re: Securing a VPN (Virtual Private Network)

Post by Point »

A VPN app or application gives you a secure tunnel to the VPN server in the enterprise offering the service. If your packets go outside that service from that point, they are not secure. VPN is used by enterprises to give employees and a select group of other people access to parts of the enterprise without the packets being vulnerable to attack en route.

Keep all of this in mind, as the packet stream leaving the VPN enterprise can be attacked. Presumably, their connections to your end point destination are better than yours from home, Starbucks, McDonald's, or via your cell provider. That is why you use VPN in some circumstances - it encrypts the data over part of the route.

Your first level of defense is HTTPS, and your second level is 2FA. Your base level protection is the most critical: unique, complex, non-shared, securely kept passwords. And of course, paying attention to where you use your device, how you key in your password, how long your device stays open without reauthenticating, and most importantly, using face or fingerprint ID. Lastly, if your financial institution has a FOB with a rolling password number, that's definitely something to consider adopting as well.

VPN is just one tool in the toolbox.
nordsteve
Posts: 1104
Joined: Sun Oct 05, 2008 9:23 am

Re: Securing a VPN (Virtual Private Network)

Post by nordsteve »

Point wrote: Tue Mar 28, 2023 9:02 am Presumably, their connections to your end point destination are better than yours from home, Starbucks, McDonald's, or via your cell provider. That is why you use VPN in some circumstances - it encrypts the data over part of the route.
The issue with most VPN providers is that there is no evidence supporting this presumption. All I have to go on is whether I trust Comcast or Verizon more than Bob's VPN.
Point
Posts: 661
Joined: Mon Jul 10, 2017 9:33 pm

Re: Securing a VPN (Virtual Private Network)

Post by Point »

Exactly. You don't know what's in the VPN provider's infrastructure. You don't know if it's set up to filter, attack, and harvest your data. You don't know if they send your stream onto the internet or into a cesspool. Best to go with a legitimate VPN provider and use it when you sense your path to the internet is less secure than thru the VPN provider.