#1  
Old 02-14-2020, 05:32 PM
Jinx is offline
Member
 
Join Date: Dec 1999
Location: Lost In Space
Posts: 8,104

Why Is a VPN Secure?


Can a VPN be hacked, and if not, why isn't this technology a silver bullet against hacking? Can you explain to me in basic terms or analogies?
  #2  
Old 02-14-2020, 05:46 PM
friedo is online now
Guest
 
Join Date: May 2000
Location: Las Vegas
Posts: 24,523
A VPN is an encrypted tunnel between your computer and some other network. Can it be hacked? It depends on what you mean by "it." Your computer can be compromised, which renders a VPN connection moot since it protects data only when in transit. Your password or private key for the VPN can be stolen. The remote network that the VPN connects to can be operated by bad guys. Some badly-configured node on the remote network can be compromised and used to sniff traffic after it's been decrypted.

A VPN is one tool out of many for dealing with potential security threats. There's nothing magical about it.
  #3  
Old 02-14-2020, 05:57 PM
Squink is offline
Guest
 
Join Date: Oct 2000
Location: Yes
Posts: 20,530
Rather than sending out my address all over the web, I send out some anonymous address from Chicago, or Tel Aviv that thousands of others are also sending their anonymized addresses out from. You do need to be careful in choosing a VPN service, as they keep varying amounts of info on your wanderings. Far from all VPN providers are reputable, so it pays to do a little research. Remember the old saw, if it is free, YOU are the product.
  #4  
Old 02-14-2020, 06:09 PM
slash2k is offline
Guest
 
Join Date: Feb 2014
Posts: 2,666
Also note that a VPN's security is no better than the encryption algorithm chosen (and may be worse). Mathematically, it is possible to create algorithms that would take an NSA-level supercomputer millions of years to decrypt, but in practice decisions have to be made balancing speed and secrecy, and it is possible that some of the common algorithms have "back doors" or deliberate weaknesses. For example, it came out recently that the CIA owns an encryption company (jointly with their German counterpart).
  #5  
Old 02-14-2020, 06:22 PM
Mind's Eye, Watering is online now
Guest
 
Join Date: Jun 2009
Posts: 1,549
In fiction, I've read that multiple VPNs could be used in a chain to add additional difficulty (usually to NSA, CIA, etc.) in tracking the source of the data. Is that purely fiction?
  #6  
Old 02-14-2020, 07:20 PM
DPRK is offline
Guest
 
Join Date: May 2016
Posts: 4,467
Quote:
Originally Posted by Mind's Eye, Watering View Post
In fiction, I've read that multiple VPNs could be used in a chain to add additional difficulty (usually to NSA, CIA, etc.) in tracking the source of the data. Is that purely fiction?
This sounds like a variant of "onion/garlic/mix routing", which is supposed to increase your security under certain assumptions. For instance, maybe at least one VPN in your chain is a mysterious black box where the internal network traffic is opaque to the attacker.
  #7  
Old 02-14-2020, 08:07 PM
Defensive Indifference is offline
Guest
 
Join Date: Jul 2007
Location: St. Louis, MO
Posts: 7,547
To add to what others have said, a VPN protects your privacy, not your security from threats like malware. It makes it really difficult for someone to intercept your communications or to pinpoint your physical location, but a VPN by itself doesn't block malware or other attacks.

Also note that there are anonymizing VPNs (which we're talking about here) and corporate VPNs, which allow remote users to connect to a central network (like allowing distributed employees to connect to the HQ network). The technology is pretty much the same, but the use case is different.
  #8  
Old Yesterday, 09:05 AM
md2000 is offline
Guest
 
Join Date: Feb 2009
Posts: 15,391
Quote:
Originally Posted by Mind's Eye, Watering View Post
In fiction, I've read that multiple VPNs could be used in a chain to add additional difficulty (usually to NSA, CIA, etc.) in tracking the source of the data. Is that purely fiction?
This brings us back to the important questions: "how badly do they want to know, how much resources do they have, and what starting guesses do they have?"

Since way back when, the warning has always been that communications can be listened to and decrypted. However, I have yet to hear of any significant hacks using information passing through the outside networks, unless it's some group with unlimited resources like the NSA. For Joe Hacker, it's a lot easier to get established inside either the source or the destination.

A VPN is like a second router. If you have several computers behind your home router and surf normally, it is difficult for someone at the other end to tell which computer is which on the web - they all come from the same IP address. (OK, they can tell from things like which version of browser you use, cookies they stuck there earlier, what version of Java, etc.) With a VPN, you send your data packets to the VPN company, and it sends them out on the web using its address in New York or London or wherever. Plus, you are combined with thousands of others using the same VPN, so it's harder to sort them out.

The HTTPS and similar encrypted protocols need a critical data and/or some clever tricks and are supposedly hack-proof to the typical hacker. (I have yet to hear of anyone successfully faking certificates even) Typically, these protocols can be hacked because there's a flaw, and upgrades fix the flaws.

If you are the NSA, then you can (maybe) monitor a VPN's complete input and output and match things up - when a flow comes from Joe's home address to the VPN in-point in Berkeley, a similar volume of data comes out the VPN endpoint in Seattle. Since all data starts with source and end IPs, now they got you. Or they could be watching you and determine which VPN in-point you send to and start watching the out-points. Again, all this mixed up with thousands of others using the same service, so not a slam-dunk.

The other protection is that possibly, your home router has a flaw that lets hackers in - since although theoretically secure most are bought off the shelf, and sometimes not even password is updated, let alone firmware. (Less likely when router is also the cable or phone companies' modem - they can do their own updates remotely.) VPN companies we hope have more powerful up to date firewalls; and don't pass unsolicited traffic to your router, don't tell strange websites your home IP address, and most likely are filtering for known hacks.
  #9  
Old Yesterday, 12:21 PM
The Librarian is online now
Guest
 
Join Date: May 2002
Location: Delft
Posts: 1,243
Quote:
Originally Posted by Bruce Schneier
There's really no such thing as security in the abstract. Security can only be defined in relation to something else. You're secure from something or against something. (...)

A VPN is a useful extra layer when protecting remote access. It is also useful when you are accessing the internet through dodgy WiFi (anything you don’t own or know the owner of). Or if you do not trust your ISP. Or if you use P2P stuff and live somewhere with draconian copyright enforcement.

For a “normal” user accessing the internet from home a VPN is an extra single point of failure. (I trust my ISP more than most VPN providers)

So: VPNs are eminently useful, if your application requires one. For most people they are unnecessary and do not add “security”.
__________________
Oook!
  #10  
Old Yesterday, 01:31 PM
echoreply is offline
Guest
 
Join Date: Dec 2003
Location: Boulder, CO
Posts: 1,014
Quote:
Originally Posted by The Librarian View Post
(I trust my ISP more than most VPN providers)
Except when your ISP is not trustworthy. For example, I do not trust my mobile provider, AT&T, due to their past use of things like supercookies, that attempt to track all data use across multiple sites. Sure, they still know where my phone is, and how much data I use, but because of my VPN, they do not know what I'm doing with that data. (All of the major mobile providers have done stuff like this, and due to other circumstances AT&T is very inexpensive for me, so switching providers will not change my privacy/security situation, but will cost me more money.)

The primary residential ISP in my area is Comcast, and Comcast residential intercepts standard port 53 DNS requests, regardless of where they're sent, and replies to the requests themselves. I prefer to use a custom DNS for ad blocking purposes, which is not possible on Comcast residential (at least in my area). Therefore I use a VPN when I'm on a Comcast residential connection.

I will soon be hosting a conference at a hotel that uses nanny filters on their guest internet. Because such filters have errors, they have in the past blocked legitimate sites we wanted to access, such as European universities. To route around that, I may run all the data from my network at the conference through my work's non-filtered VPN.
  #11  
Old Yesterday, 10:23 PM
Caldazar is offline
Guest
 
Join Date: Aug 2000
Posts: 854
VPN stands for Virtual Private Network. It's a "virtual" private network because the network traffic is carried across a public network, or at least a network that contains machines other than the two communicating computers. To prevent other computers from eavesdropping on the communication, the communication is encrypted. It's like two people having a conversation in a coffee shop by speaking in code; everyone else in the coffee shop can hear the sounds of the conversation, but nobody but the two code-speakers know what the conversation means.

A properly implemented VPN prevents eavesdropping and modification of the network traffic by unauthorized parties. It does not prevent other attack vectors.

Quote:
Originally Posted by md2000 View Post
The HTTPS and similar encrypted protocols need a critical data and/or some clever tricks and are supposedly hack-proof to the typical hacker. (I have yet to hear of anyone successfully faking certificates even) Typically, these protocols can be hacked because there's a flaw, and upgrades fix the flaws.
The NSA recently announced a flaw in Microsoft's validation of ECC Cryptography that allowed one to spoof certificates that Windows systems would accept ("D'oh"). The vulnerability was patched on January 14, 2020. Not a problem with ECC itself of course, rather Microsoft's implementation of it.
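
The tunnel properties discussed in this thread, as an added Go example that is not part of any poster's message: an on-path observer sees only the outer addresses and ciphertext, any modification in transit is rejected, and the far endpoint ends up holding the plaintext. AES-256-GCM stands in for whatever cipher a real VPN negotiates; the function names, addresses, key and packet contents are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample data: the outer header is readable by anyone on the path;
// the inner packet is what the tunnel is meant to hide.
var outerHeader = []byte("src=203.0.113.7 dst=198.51.100.20 proto=udp")
var innerPacket = []byte("GET /account HTTP/1.1\r\nHost: bank.example\r\n\r\n")

// newTunnel builds an AES-256-GCM AEAD from the key shared by the two endpoints.
func newTunnel(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts the inner packet and binds it to the outer header: nonce || ciphertext || tag.
func seal(t cipher.AEAD, header, inner []byte) ([]byte, error) {
	nonce := make([]byte, t.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return t.Seal(nonce, nonce, inner, header), nil
}

// open runs at the far endpoint, which then holds the plaintext; altered bytes or header fail.
func open(t cipher.AEAD, header, wire []byte) ([]byte, error) {
	if len(wire) < t.NonceSize() {
		return nil, fmt.Errorf("short packet")
	}
	return t.Open(nil, wire[:t.NonceSize()], wire[t.NonceSize():], header)
}

func main() {
	t, _ := newTunnel(make([]byte, 32)) // all-zero demo key (constructed); real keys come from a key exchange
	wire, _ := seal(t, outerHeader, innerPacket)
	fmt.Println("inner host visible on the wire:", bytes.Contains(wire, []byte("bank.example")))
	wire[len(wire)-1] ^= 1 // one bit flipped in transit
	_, err := open(t, outerHeader, wire)
	fmt.Println("tampered packet rejected:", err != nil)
}
```

The outer header stays in the clear by design, which is why the endpoints and traffic volume remain visible to anyone watching the path.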
  #12  
Old Today, 04:37 PM
The Librarian is online now
Guest
 
Join Date: May 2002
Location: Delft
Posts: 1,243
Quote:
Originally Posted by echoreply View Post
Except when your ISP is not trustworthy. For example, I do not trust my mobile provider, AT&T, due to their past use of things like supercookies, that attempt to track all data use across multiple sites. Sure, they still know where my phone is, and how much data I use, but because of my VPN, they do not know what I'm doing with that data. (All of the major mobile providers have done stuff like this, and due to other circumstances AT&T is very inexpensive for me, so switching providers will not change my privacy/security situation, but will cost me more money.)

The primary residential ISP in my area is Comcast, and Comcast residential intercepts standard port 53 DNS requests, regardless of where they're sent, and replies to the requests themselves. I prefer to use a custom DNS for ad blocking purposes, which is not possible on Comcast residential (at least in my area). Therefore I use a VPN when I'm on a Comcast residential connection.

I will soon be hosting a conference at a hotel that uses nanny filters on their guest internet. Because such filters have errors, they have in the past blocked legitimate sites we wanted to access, such as European universities. To route around that, I may run all the data from my network at the conference through my work's non-filtered VPN.
Ah yes, the other important use-case for a VPN is "you live in the USA".
__________________
Oook!
  #13  
Old Today, 05:01 PM
BeardOfBees is offline
Guest
 
Join Date: Feb 2019
Posts: 16
What's the best VPN to use?
  #14  
Old Today, 05:44 PM
engineer_comp_geek is online now
Robot Mod in Beta Testing
Moderator
 
Join Date: Mar 2001
Location: Pennsylvania
Posts: 26,073
Moderator Note

Quote:
Originally Posted by BeardOfBees View Post
What's the best VPN to use?
That's probably better asked in a separate thread in IMHO.