
VPN


Zhan_Zhuang


I use NordVPN. It's good. I use it in public wifi hotspots as everyone should. Loads of servers and most are very fast.

What protection do you think you get from this when using public wifi? If you connect to an unknown network you can't know if your VPN session has been "man in the middled". I'd trust my mobile operator with VPN connections before any public network.

My understanding was that most internet connections were vulnerable to man in the middle, but at least a VPN would offer you security from your device to the VPN gateway?

I'm not sure how a mitm really works. Where would the mitm have to sit to intercept/trick VPN traffic?

Please explain because your knowledge is better than mine!


11 hours ago, PompeyVillan said:

My understanding was that most internet connections were vulnerable to man in the middle, but at least a VPN would offer you security from your device to the VPN gateway?

I'm not sure how a mitm really works. Where would the mitm have to sit to intercept/trick VPN traffic?

Please explain because your knowledge is better than mine!

Every connection you make goes from your device to the wireless device. You have no way to trust that first hop. If that network is rogue, it can take the requests you make and proxy them to where you thought they were going (being a mitm). That means they have all your traffic before you've been able to negotiate a VPN connection. In fact, it's likely that you will have a VPN connection to the rogue and the rogue will have a VPN connection to the VPN gateway.

This is pretty advanced stuff, but of course, you can buy software which will allow you to run a wifi hotspot on your laptop which can do all of this for you. Watch out that you aren't connecting to the guy behind you's laptop with an open connection called "Coffee Shop Wifi". You've no idea what you might be getting into.

Using a VPN is better than not, but it's far from perfect. Use a network you trust (like your mobile network). It'll be a while before bad guys are emulating femto and pico BTS. It'll happen though.


Tbh, these days I'm not too worried about using open WiFi spots, anything of any importance should be encrypted traffic anyway. I guess someone could get my Villatalk password, I think this might be the only website I use that still doesn't use https!

If someone's found a way to MitM HTTPS without giving my device a certificate warning, frankly, they're not going to be wasting such a vulnerability on me.

Edited by Davkaus

1 hour ago, Davkaus said:

Tbh, these days I'm not too worried about using open WiFi spots, anything of any importance should be encrypted traffic anyway. I guess someone could get my Villatalk password, I think this might be the only website I use that still doesn't use https!

That's why you can login with a whole bunch of third party SAML providers :)


I don't connect to public wifi unless I can verify that it is what it says it is. I would never connect to 'free WiFi' networks. I figure this offers as much protection as using a VPN though.

I've looked into mitm attacks. If most of your internet traffic is using the https protocol, that offers you a strong level of protection too, right? Even if your traffic were intercepted it would be encrypted?

I'm a relative newbie to this, but having read on tech blogs that VPNs give you safety on public wifi it is disconcerting to learn that in fact you are still vulnerable to a sophisticated hacker.


Just now, PompeyVillan said:

I don't connect to public wifi unless I can verify that it is what it says it is. I would never connect to 'free WiFi' networks. I figure this offers as much protection as using a VPN though.

Out of interest, how do you do this? Any network can use any name. That guy sat at the table behind you might be using the same SSID as the shop you are in. The automated stuff will probably do this by default. If your device can see two APs with the same name, it will select the strongest signal and you'll connect to his laptop rather than the shop.

Just now, PompeyVillan said:

I've looked into mitm attacks. If most of your internet traffic is using the https protocol, that offers you a strong level of protection too, right? Even if your traffic were intercepted it would be encrypted?

I'm a relative newbie to this, but having read on tech blogs that VPNs give you safety on public wifi it is disconcerting to learn that in fact you are still vulnerable to a sophisticated hacker.

https has exactly the same problem; however, it is mitigated by the use of Certificate Authorities. These are organisations that you (or more likely your browser or OS supplier) have decided are trustworthy. They sign the SSL certificates used by sites, and that chain of trust means that your browser can tell that the certificate is signed by who it says it is signed by. Your browser will tell you if the certificate for the site you connect to is not correct or is not signed by a CA that you (your software) trust. If it is, then you have an end-to-end encrypted circuit from your browser to the SSL terminator at the far end.

You must check that you are actually on the site you think you are on, i.e. you should check that you have connected to www.ebay.co.uk and not www.ebaj.co.uk. Both might have valid SSL certificates, so the onus is on you to make sure you are on the correct site.

Without SSL, the bad guy can read all your traffic or manipulate DNS so that your browser says you are on one site when you are on a totally different one.

There is no perfect security. Sorry. Making it hard and hoping they'll move to an easier target is the best you can do and you're already doing that. If you are being targeted by someone who knows what they are doing it's unlikely that you can protect against that without being extremely paranoid (or by not going online at all).


Thank you Limpid for your posts. You explain things in a way I can understand.

Again, if I'm in public wifi and there are two networks with the same SSID, I most certainly will not connect to either. I guess I can't be sure, but I always 'forget' public networks.

It's an interesting thought though. It would be interesting to find out what percentage of public hotspots are compromised at any given time.


14 minutes ago, PompeyVillan said:

Again, if I'm in public wifi and there are two networks with the same SSID, I most certainly will not connect to either. I guess I can't be sure, but I always 'forget' public networks.

You won't be able to tell (unless you can access the driver). The client will just show the SSID - it will assume that it is a network with multiple APs and will select the "best".


I spent this afternoon fairly bored at work (what can I say, only 3 days left in this job), remembered this thread, and realised that months ago I bought a high end Asus router that can run VPN services. Everything I browse through my laptop/phone outside of my house now runs through a VPN on my home connection. :D

Also took advantage of Let's Encrypt entering public beta and have an SSL certificate for my home connection. Most productive work day ever.


1 month later...
7 hours ago, leviramsey said:

It's trivial to secure an OpenVPN-based VPN from MITM, though it does require setting up one's own CA.

Whether any of the commercial VPN providers do that is another question entirely.

I like the idea that setting up your own CA is trivial. I'm going to guess that there are fewer than three people who read this that know what's involved without googling it. :)

I do this using pppd over SSH with strict host checking. The tunnel won't form if there's a MITM. I own the device at both ends though.

I'm aware that this isn't useful to most people.


All it needs is for the provider of the VPN to know how to be their own CA. Then it's just a case of signing a server certificate and distributing the CA's public key and signed client certificates to the users (e.g. through an installer).

8 hours ago, leviramsey said:

All it needs is for the provider of the VPN to know how to be their own CA. Then it's just a case of signing a server certificate and distributing the CA's public key and signed client certificates to the users (e.g. through an installer).

Oh is that all :)

How do they handle the scenario where their key gets compromised by an ex-employee and they have to distribute a new public key and new client certificates? I don't think that it's nearly as simple as you suggest, or they'd all do it already.


14 hours ago, limpid said:

I like the idea that setting up your own CA is trivial. I'm going to guess that there are fewer than three people who read this that know what's involved without googling it. :)

I do this using pppd over SSH with strict host checking. The tunnel won't form if there's a MITM. I own the device at both ends though.

I'm aware that this isn't useful to most people.

I hope I was one :)

