Previously on "VPNs - how more secure?"


  • Stevie Wonder Boy
    replied
    Originally posted by darrylmg
    Don't implicitly trust the free ones. As you say, you don't know who runs it.
    You can always set up your own with AWS or Azure. At least you might have a better comfort factor that way.
    Don't forget the main crux of the problem with free WiFi is man-in-the-middle. Very complex attacks can easily and dynamically mock-up a web page login imitating popular sites.
    So if you do roll your own VPN make sure you set it up so your client checks the server SSL cert is the correct one and matches a pre-stored serial and alerts you if not correct.

    Sent from my SM-T280 using Tapatalk
    Open VPN on an AWS Instance - Securepoint client on Windows 10 / OpenVPN client on my phone.

    Not too difficult to set up and much more secure than sending your WiFi or phone traffic in the clear. -- Other benefit is you can use AWS DNS and tunneling all your traffic removes the need for multiple connections on a tulipty coffee house network. So once you are connected it runs much better.



  • man
    replied
    Originally posted by meridian
    I'm using IPVanish at the moment. A mate is using NordVPN.

    My question though was about the security aspects of them. Nord, for example, says that they have a "no log" policy. Having a policy is one thing, but I don't understand the technical aspects enough to be able to say whether that is enough.
    The provider can set up packet capturing at their VPN endpoint to monitor your traffic in the clear. You have to trust your VPN provider (or at least, trust them more than the random WiFi hotspots). Roll your own is certainly an option, but it's a public internet facing server that can be attacked and pwned (a VPN provider is more likely to have the resources to monitor and protect their network against this risk than you are - and if you run a server you need to patch it etc).

    What exactly do you mean by 'enough'?

    TLS over HTTPS (which is typically used between your PC and a secure website), is generally sufficient for protecting the detailed session content between you and the website you're connected to as anyone in the middle (e.g. coffee shop customers, ISPs, etc) will be dealing with encrypted traffic (which is widely considered too time consuming to decrypt and contains countermeasures to prevent replaying previous traffic etc). The vulnerable period is during the initial set up of the encryption between your PC and the remote server (which is why public and private certificate pairs are used - to mitigate the risk of a third party pretending to be the other end). I'm happy to go into detail (or you could try a google), but in short, generally speaking (there previously have been known vulnerabilities that successfully weakened the agreed encryption standard down to one that's considered easily broken) if someone/a device has attempted to get in the middle of this initial certificate exchange or adversely affect it, your browser or application will warn you there's something wrong with the certificates. And that should be enough warning for you to NOT proceed. Sadly, there are various legitimate reasons that you can get certificate errors, so many users proceed anyway, despite the risks...

    The risks are more with insecure by design DNS requests (unless you're pushing them to a VPN provider through the tunnel) - these can be used to send you towards an attacker's server instead of where you actually wanted to go, HTTP based websites (and the risk you won't realise you're actually connected by HTTP until it's too late), applications that use proprietary protocols that aren't encrypted or use a poor implementation of encryption. And of course, all of your metadata, regardless of encryption (your connection to the bank may be 'secure' but anyone in the middle can still see you connected to yourbank.com, the session lasted for X duration and Y bytes were downloaded, Z were uploaded). If your traffic is all going through the VPN tunnel, you only have to provide trust to the VPN provider and their upstream ISP (and even the risks there are mitigated somewhat as many VPN providers will have multiple subscribers sharing an IP address so it's harder to unpick who is actually behind each connection coming into and out of the VPN endpoints).

    I use Mullvad at the moment.
    Last edited by man; 23 January 2019, 21:33.



  • northernladuk
    replied
    Originally posted by Federico Razzoli
    No-Ones have a lot of interesting data. The main difference between No-One's data and banks' data is that, if you steal No-One's data, you won't go to jail until you do something very stupid.

    VPNs are secure. The most relevant threat against VPNs is social engineering. Collect private information, call a customer, convince him to collaborate because you're just a technician doing his job, get the info needed to access a system. In this case, the instructions to set up and configure the VPN.

    Stealing hard disks or laptops is possible, yes. The easiest solution is to hope that this won't happen, but a more interesting one is to encrypt disks (if it is worth the effort).
    WTF is any of that supposed to mean??



  • Federico Razzoli
    replied
    No-Ones have a lot of interesting data. The main difference between No-One's data and banks' data is that, if you steal No-One's data, you won't go to jail until you do something very stupid.

    VPNs are secure. The most relevant threat against VPNs is social engineering. Collect private information, call a customer, convince him to collaborate because you're just a technician doing his job, get the info needed to access a system. In this case, the instructions to set up and configure the VPN.

    Stealing hard disks or laptops is possible, yes. The easiest solution is to hope that this won't happen, but a more interesting one is to encrypt disks (if it is worth the effort).



  • original PM
    replied
    My personal view is that pretty much all your 'data' is stored and retrievable by whoever really really wants it.

    The main thing is that in reality no one really really wants your data because you are no one.



  • NickFitz
    replied
    I'm running my own VPN on EC2 in AWS's us-east-1 region. I set it up primarily to get around GDPR blocking by US news sites, but it has all the other benefits of a VPN.

    It was very straightforward to set up and configure using Algo: GitHub - trailofbits/algo: Set up a personal IPSEC VPN in the cloud

    Add the certificates and such on my Macs, iPhone and iPad and it was good to go. As I recall it took me less than an hour including reading the instructions, experimenting a couple of times and cocking things up, then setting up the one that's been running without incident since last May.

    Looking at the AWS billing console, it would appear it costs me about $9 per month, but it's all mine and nobody's sniffing my traffic



  • Lance
    replied
    Originally posted by meridian
    I'm on a VPN at the moment, in a coffee shop, and apart from spoofing my location (good for accessing streaming apps that have location restrictions) and causing Gmail to have a hissy fit and block my email access because it thinks I'm somewhere else, I can't quite get my head around how more secure they might be.

    If I were to be doing my online banking my details might be hidden from sniffers on the coffee shop wireless, but surely my details are now going through a server in God knows where that I have no clue who owns or has access to?
    Indeed. Better off trusting the randomers in a coffee shop than a remote location you have no idea about.
    It's not easy to break SSL encryption but deliberately passing all your traffic, via VPN, to a man in the middle makes it considerably easier.



  • SimonMac
    replied
    Originally posted by darrylmg
    Don't implicitly trust the free ones. As you say, you don't know who runs it.
    You can always set up your own with AWS or Azure. At least you might have a better comfort factor that way.
    Don't forget the main crux of the problem with free WiFi is man-in-the-middle. Very complex attacks can easily and dynamically mock-up a web page login imitating popular sites.
    So if you do roll your own VPN make sure you set it up so your client checks the server SSL cert is the correct one and matches a pre-stored serial and alerts you if not correct.

    Sent from my SM-T280 using Tapatalk
    This is my set up at the moment, I use OpenVPN which was simple enough to set up



  • meridian
    replied
    Originally posted by Scruff
    I use SurfShark VPN. It's about £2 per month.
    I'm using IPVanish at the moment. A mate is using NordVPN.

    My question though was about the security aspects of them. Nord, for example, says that they have a "no log" policy. Having a policy is one thing, but I don't understand the technical aspects enough to be able to say whether that is enough.



  • meridian
    replied
    Originally posted by darrylmg
    Don't implicitly trust the free ones. As you say, you don't know who runs it.
    I don't know who runs the paid-for ones, either

    You can always set up your own with AWS or Azure. At least you might have a better comfort factor that way.
    Don't forget the main crux of the problem with free WiFi is man-in-the-middle. Very complex attacks can easily and dynamically mock-up a web page login imitating popular sites.
    So if you do roll your own VPN make sure you set it up so your client checks the server SSL cert is the correct one and matches a pre-stored serial and alerts you if not correct.
    Cheers, thanks for the info.

    If nothing else, at least the thread's confirmed my suspicions and I won't be doing anything too sensitive over VPNs.



  • Scruff
    replied
    I use SurfShark VPN. It's about £2 per month.



  • darrylmg
    replied
    Originally posted by meridian
    I'm on a VPN at the moment, in a coffee shop, and apart from spoofing my location (good for accessing streaming apps that have location restrictions) and causing Gmail to have a hissy fit and block my email access because it thinks I'm somewhere else, I can't quite get my head around how more secure they might be.

    If I were to be doing my online banking my details might be hidden from sniffers on the coffee shop wireless, but surely my details are now going through a server in God knows where that I have no clue who owns or has access to?
    Don't implicitly trust the free ones. As you say, you don't know who runs it.
    You can always set up your own with AWS or Azure. At least you might have a better comfort factor that way.
    Don't forget the main crux of the problem with free WiFi is man-in-the-middle. Very complex attacks can easily and dynamically mock-up a web page login imitating popular sites.
    So if you do roll your own VPN make sure you set it up so your client checks the server SSL cert is the correct one and matches a pre-stored serial and alerts you if not correct.

    Sent from my SM-T280 using Tapatalk
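
The check darrylmg describes above (the client compares the server's certificate against a stored value and alerts on a mismatch), as an added Python example that is not part of the thread. It pins the SHA-256 fingerprint of the whole certificate rather than the serial number alone; the host name, the sample bytes and the function names are assumptions made up for the illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def normalise(pin: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' so pins copied from different tools compare equal."""
    return pin.replace(":", "").replace(" ", "").strip().lower()

def matches_pin(der_cert: bytes, pins) -> bool:
    """True if the certificate matches any stored pin (current, or a backup kept for rotation)."""
    seen = fingerprint(der_cert)
    return any(hmac.compare_digest(seen, normalise(p)) for p in pins)

def fetch_server_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate a plain TLS listener presents, as DER bytes.

    Chain validation is switched off here on purpose: a self-issued certificate
    would fail it, and the pin comparison is what decides trust.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_endpoint(host, port, pins, fetch=fetch_server_cert) -> str:
    """Fetch the presented certificate and report OK, or an alert naming what was seen."""
    der = fetch(host, port)
    if matches_pin(der, pins):
        return f"OK: {host}:{port} presented a pinned certificate"
    return f"ALERT: {host}:{port} presented unpinned certificate sha256={fingerprint(der)}"

# Constructed sample data: stand-in bytes, not real certificates.
PINNED_CERT = b"constructed stand-in for the server's DER certificate"
OTHER_CERT = b"constructed stand-in for an interceptor's certificate"
STORED_PINS = [fingerprint(PINNED_CERT)]

if __name__ == "__main__":
    # vpn.example.test is a hypothetical host; the fake fetchers keep the run offline.
    print(check_endpoint("vpn.example.test", 443, STORED_PINS, fetch=lambda h, p: PINNED_CERT))
    print(check_endpoint("vpn.example.test", 443, STORED_PINS, fetch=lambda h, p: OTHER_CERT))
```

OpenVPN clients make this kind of check inside their own handshake instead of through a script: `remote-cert-tls server` and `verify-x509-name` are the client directives that reject a certificate that is not the expected server's.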



  • jamesbrown
    replied
    Absolutely. Depends how much you trust your VPN provider. Still, I think the worry is more about privacy (snooping, logging etc. by the provider) than security.



  • xoggoth
    replied
    Quite. VPN might stand for Vladimir Putin Network.
    Last edited by xoggoth; 12 January 2019, 16:44.



  • meridian
    started a topic VPNs - how more secure?

    VPNs - how more secure?

    I'm on a VPN at the moment, in a coffee shop, and apart from spoofing my location (good for accessing streaming apps that have location restrictions) and causing Gmail to have a hissy fit and block my email access because it thinks I'm somewhere else, I can't quite get my head around how more secure they might be.

    If I were to be doing my online banking my details might be hidden from sniffers on the coffee shop wireless, but surely my details are now going through a server in God knows where that I have no clue who owns or has access to?
