
VPNs - how more secure?


    #11
    My personal view is that pretty much all your 'data' is stored and retrievable by whoever really really wants it.

    The main thing is that in reality no one really really wants your data because you are no one.

    Comment


      #12
      No-Ones have a lot of interesting data. The main difference between No-One's data and banks' data is that, if you steal No-One's data, you won't go to jail until you do something very stupid.

      VPNs are secure. The most relevant threat against VPNs is social engineering. Collect private information, call a customer, convince him to collaborate because you're just a technician doing his job, get the info needed to access a system. In this case, the instructions to set up and configure the VPN.

      Stealing hard disks or laptops is possible, yes. The easiest solution is to hope that this won't happen, but a more interesting one is to encrypt disks (if it is worth the effort).
      Federico Razzoli
      Database Consultant

      Website:https://federico-razzoli.com
      Email: info@federico-razzoli.com

      Comment


        #13
        Originally posted by Federico Razzoli View Post
        No-Ones have a lot of interesting data. The main difference between No-One's data and banks' data is that, if you steal No-One's data, you won't go to jail until you do something very stupid.

        VPNs are secure. The most relevant threat against VPNs is social engineering. Collect private information, call a customer, convince him to collaborate because you're just a technician doing his job, get the info needed to access a system. In this case, the instructions to set up and configure the VPN.

        Stealing hard disks or laptops is possible, yes. The easiest solution is to hope that this won't happen, but a more interesting one is to encrypt disks (if it is worth the effort).
        WTF is any of that supposed to mean??
        'CUK forum personality of 2011 - Winner - Yes really!!!!

        Comment


          #14
          Originally posted by meridian View Post
          I'm using IPVanish at the moment. A mate is using NordVPN.

          My question though was about the security aspects of them. Nord, for example, says that they have a "no log" policy. Having a policy is one thing, but I don't understand the technical aspects enough to be able to say whether that is enough.
          The provider can set up packet capturing at their VPN endpoint to monitor your traffic in the clear. You have to trust your VPN provider (or at least, trust them more than the random WiFi hotspots). Roll your own is certainly an option, but it's a public internet facing server that can be attacked and pwned (a VPN provider is more likely to have the resources to monitor and protect their network against this risk than you are - and if you run a server you need to patch it etc).

          What exactly do you mean by 'enough'?

          TLS over HTTPS (which is typically used between your PC and a secure website), is generally sufficient for protecting the detailed session content between you and the website you're connected to as anyone in the middle (e.g. coffee shop customers, ISPs, etc) will be dealing with encrypted traffic (which is widely considered too time consuming to decrypt and contains countermeasures to prevent replaying previous traffic etc). The vulnerable period is during the initial set up of the encryption between your PC and the remote server (which is why public and private certificate pairs are used - to mitigate the risk of a third party pretending to be the other end). I'm happy to go into detail (or you could try a google), but in short, generally speaking (there previously have been known vulnerabilities that successfully weakened the agreed encryption standard down to one that's considered easily broken) if someone/a device has attempted to get in the middle of this initial certificate exchange or adversely affect it, your browser or application will warn you there's something wrong with the certificates. And that should be enough warning for you to NOT proceed. Sadly, there are various legitimate reasons that you can get certificate errors, so many users proceed anyway, despite the risks...

          The risks are more with insecure by design DNS requests (unless you're pushing them to a VPN provider through the tunnel) - these can be used to send you towards an attacker's server instead of where you actually wanted to go, HTTP based websites (and the risk you won't realise you're actually connected by HTTP until it's too late), applications that use proprietary protocols that aren't encrypted or use a poor implementation of encryption. And of course, all of your metadata, regardless of encryption (your connection to the bank may be 'secure' but anyone in the middle can still see you connected to yourbank.com, the session lasted for X duration and Y bytes were downloaded, Z were uploaded). If your traffic is all going through the VPN tunnel, you only have to provide trust to the VPN provider and their upstream ISP (and even the risks there are mitigated somewhat as many VPN providers will have multiple subscribers sharing an IP address so it's harder to unpick who is actually behind each connection coming into and out of the VPN endpoints).

          I use Mullvad at the moment.
          Last edited by man; 23 January 2019, 21:33.

          Comment


            #15
            Originally posted by darrylmg View Post
            Don't implicitly trust the free ones. As you say, you don't know who runs it.
            You can always set up your own with AWS or Azure. At least you might have a better comfort factor that way.
            Don't forget the main crux of the problem with free WiFi is man-in-the-middle. Very complex attacks can easily and dynamically mock-up a web page login imitating popular sites.
            So if you do roll your own VPN make sure you set it up so your client checks the server SSL cert is the correct one and matches a pre-stored serial and alerts you if not correct.

            Sent from my SM-T280 using Tapatalk
            Open VPN on an AWS Instance - Securepoint client on Windows 10 / OpenVPN client on my phone.

            Not too difficult to set up and much more secure than sending your WiFi or phone traffic in the clear. -- Other benefit is you can use AWS DNS and tunneling all your traffic removes the need for multiple connections on a tulipty coffee house network. So once you are connected it runs much better.

            Comment
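The check mentioned in the advice quoted in #15 (the client compares the server certificate with a value stored in advance and alerts on a mismatch), as an added example that is not part of any post in this thread. It pins the SHA-256 fingerprint of the whole certificate rather than the serial and targets a generic TLS endpoint, not OpenVPN's own handshake; `connect_pinned`, `PinMismatch` and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server certificate is not the one stored in advance."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalise(pin: str) -> str:
    """Accept 'AA:BB:...' (as printed by certificate tools) or plain hex."""
    return pin.replace(":", "").replace(" ", "").lower()


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """True only if the certificate hashes to the stored pin."""
    got = fingerprint(der_cert).encode()
    want = normalise(pinned).encode()
    return hmac.compare_digest(got, want)  # constant-time comparison


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 5.0):
    """Open a TLS connection and refuse it unless the leaf cert matches the pin."""
    ctx = ssl.create_default_context()  # CA chain and hostname checks stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if not der or not pin_matches(der, pinned):
        tls.close()
        raise PinMismatch(f"certificate for {host} does not match the stored pin")
    return tls


# Constructed sample: arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"
SAMPLE_PIN = fingerprint(SAMPLE_DER)
```

Because the pin is checked in addition to the normal chain and hostname validation, a certificate that a browser would accept without warning is still rejected if it is not the one recorded in advance.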
