A thread about VPNs

This is a spinoff of the ATMB thread here:

This is to address the factual questions about what a VPN is, how it works, etc.

Note that one application of VPNs (as noted in the ATMB thread) is to access a remote network and use that to access the internet by proxy. This is a method of IP Spoofing, which is a topic that we do not want to discuss here. So to be clear, no discussions of IP Spoofing in this thread.

While this is intended for Charlie Wayne’s benefit, anyone else who has questions or comments about VPNs should feel free to post here as well.

Can you tell us if there is any information about VPNs or related topics that you feel would be beneficial to the members here - specifically to protect against Identity Theft?

But also on a more general scale - to increase our privacy and security.

Someone suggested a few good general (mainly common sense) techniques people can use like frequently changing passwords. I’m certain there are web sites that recommend good techniques for choosing passwords and common mistakes people make.

But, what about other commercial products? I bought a VPN and I pay $35 per year. To protect my identity and to try to avoid Identity theft, I would pay much more. A lot more.

What other kinds of products or services can you recommend to help members here protect themselves?

That is all? I honestly thought it would be something like $35 a month. I might look into this.

This was posted in the ATMB thread.

Here’s what a VPN is and how it works.

To create a VPN, you start by setting up a computer as a VPN server. Anyone can do this, and you can find free versions of VPN server software out there. Note that setting up a VPN server involves opening certain software ports to the internet, which is a huge security risk. If you don’t understand things like sockets and ports, you should not even consider doing something like this yourself.

Once this is set up, then other computers can create VPN connections to this VPN server. There are VPN clients that you can purchase, but most operating systems these days can make VPN connections without the use of external software. In Windows 10, for example, you go to your network connections, go under VPN connections, and add a new connection (that’s glossing over a lot of details).

Once you create your VPN connection, you can use it to connect to the VPN server.

Now that these are connected, your computer will appear to be on the remote server’s network as if it were just another local computer.

The data between your computer and the VPN server is encrypted. Once the data gets out onto the VPN server’s network though, it is no longer encrypted.

Just to be clear, because this seems to be the question being asked, a VPN is not a generic data encryption system that protects you from the internet in general.

So here’s what happens if you use the remote computer’s network to connect to the internet. Your data is encrypted, and sent over the internet to the VPN server. The VPN server then un-encrypts your data and sends it out over the internet. At that point, your data is no longer encrypted. The encryption is just the method used to make it look like your computer is connected to the remote computer’s network.

What the VPN ends up doing is making it look like you have some magical private wire going between your computer and the VPN server. But it’s not really a wire. It’s a virtual connection (hence the V in VPN) not a real physical connection. You have a virtual connection between you and the VPN server that only the two of you can use, so it’s private (that’s the P in VPN).

If you do connect to the internet, whatever you connect to sees the data as originating from the VPN server’s network. And that gets us into the topic of IP Spoofing, so let’s not go any further than that.

A VPN tunnel will not meaningfully protect you from identity theft, assuming your network and internet usage is typical for your average home user.

VPNs work by encrypting network traffic between your machine and the VPN server. The primary purpose of the encryption is to prevent unauthorized third parties from eavesdropping on your traffic and capturing the data sent between your machine and the destination endpoint. This works because even if some entity manages to tap into your data stream and capture the data, they are not able to decrypt and read the transmitted data over the VPN stream, and so eavesdropping has limited data-gathering value. I would also add that eavesdropping is a pretty poor way to gather data generally. If you know who and what you are targeting, eavesdropping on traffic is a decent way to get what you want (again, assuming no encryption). But if you’re just capturing all traffic, and sifting through the piles of data looking for “interesting stuff”, that’s rather inefficient.

However, TYPICALLY when sensitive data is transferred over a public network, SSL is used, which already encrypts the traffic (SSH is another network protocol that is sometimes used). That’s why some websites, or some parts of websites, show as “https://”… instead of just “http://”… Since the traffic is already encrypted to prevent eavesdropping, there’s less added value to encrypting the traffic a second time via some VPN encryption method.

Now if you are transmitting sensitive information “in the clear” (unencrypted), then sure, having a VPN between your machine and the destination endpoint may be useful. But a VPN is more complex to implement; the endpoint server you are hitting must support VPN connections with you. And as engineer_comp_geek said, if you are trying to use the VPN connection to connect to a server “beyond” the VPN endpoint, the connection between you and the VPN server is encrypted, but the connection between the VPN server and final destination is not, by default. And if you are using the VPN server as an intermediary, the VPN server itself can eavesdrop on your network traffic.

So you might as well get an administrator to implement SSL on the destination endpoint instead, which is simpler and more flexible. Or not transmit sensitive information with the endpoint at all, if the endpoint administrator is unwilling to implement SSL security.

VPNs don’t really help you much with identity theft.

Let’s use a VPN example that I use frequently. The company I work for has a VPN server in its building, and doesn’t allow network traffic coming in from the outside internet to access the building’s internal network, other than through that VPN connection. So this protects our building network from outside intruders. However, if I want to work from home, all I have to do is set up a VPN connection between my home computer and work, and my home computer appears to be on the work computer’s network. Now I can access my company’s proprietary source code and all the other stuff that we want protected.

But now, if I go out onto the internet while connected to my work VPN, the data between my home computer and the company’s building network is connected, but then from there it is no longer encrypted or protected. So my data as it actually goes out onto the internet hasn’t received any additional protection just because I went through the VPN.

Another point to be made here is that my computer now looks like any other computer on my work’s network. Now, I happen to know how we do things from a security viewpoint so I know our building network is secure. Other networks might not be so secure, though.

Let’s say for example that some random idiot in Bangladesh decides to set up a VPN server. He sets up a PC in his garage, puts some VPN server software on it, and makes a fancy web page advertising himself like he’s some hot shot company. But he’s really an idiot when it comes to networking and his PC isn’t well protected from outside hackers. Once those hackers get into his PC’s network, they see your computer as just another node on the network. And that encryption between your PC and his VPN server doesn’t help you at all, because all that does is make the virtual network connection. Once a hacker is on the VPN server’s network, they can send packets through that encrypted connection just as easily as if it were a wire between Bangladesh and your house.

Fortunately, most of the folks selling VPN services like this aren’t idiots from Bangladesh, but the important thing is that if you are going to sign up for some kind of service like this, I would personally recommend that you do a LOT of research on them first. Often, all you are looking at is some slick web page. You don’t know if that web server is in a protected room in a first class business with a highly trained professional watching over everything or if it is some moron in Bangladesh. So do your research.

(by the way, I’m intentionally picking on Bangladesh because that’s where the a-holes who keep using IP Spoofing to post their live stream spams are coming from)

I’m not sure how helpful this example will be for most posters, maybe for those unfamiliar with a VPN and what it may be typically used for.

I once had a field position where I would need a secure internet connection into my company’s server to send and access proprietary/confidential data and email. So, this was done through a VPN between my laptop in the field and the company server.

I’m trying to understand your example. What do you mean by “a field position”?

Do you mean that you were employed by company A who sent you to do some work in company B’s building?

So you were an employee of company A but were temporarily working offsite in a building owned by company B?

Is the assumption that you were like a contractor employed by Company A but Company B had hired Company A to do some consulting or similar work for them?

I’m just trying to understand what you mean by “a field position”.

To: Caldazar & E_C_G

Those are very comprehensive descriptions and I feel like I will need a few days to read them again and try to understand them.

I was more of a trainer on company products and would typically do 1-3 day visits for demos and troubleshooting at customer sites located throughout the US and Canada. When not traveling, I generally worked from home or at local customer sites.

So, I worked from customer sites, my home office, and when I would travel “in the field”, from hotels and airport terminals during layovers, say. Basically, I didn’t go to work at my company’s building.

I see. Thank you.

Field position means working out in the field, rather than in the home office. The field is anywhere off site, either at customer sites or other locations. The specific details of his assignment shouldn’t be important to this discussion.

I guess I never thought of a VPN as something that would help protect against identity theft. Can you tell us what you bought, and what it’s for?

If I needed to get onto my home network of computers (I have three or so computers, plus iPhones, iPads, Androids, a Chromecast and a Raspberry Pi) from an away location, I could use a VPN. I don’t normally need this, and there are other ways of doing anything I need using services like Dropbox, but if I really did need it, I could set up a VPN. But this wouldn’t be to protect me against identity theft; it would open up lines of attack that would make me less secure, and you really need to know what you’re doing to eliminate those risks.

The one way I could see it helping with security is if I am at a public Internet location - a hotel or restaurant, and I don’t want my Internet traffic exposed on that public network. If I’m at a hotel, someone could see all my Straight Dope message reading and posting, and they could see that I went to secure sites like my bank or shopping web site, although with SSL they couldn’t see the contents of those communications. So if I used my own VPN, all my Internet traffic would go through an encrypted channel back to my house, and the traffic can’t be sniffed by the guy in the next room.

Is that what you mean?

I have asked him to specifically not mention the company name in this thread.

It’s basically a company whose primary business is IP Spoofing, so we don’t want to discuss too many details about them in this thread.

Basically, though, what we can say is that it’s a proxy network set up somewhere. You make a VPN connection to their network, and from there your traffic goes out onto the internet.

Oh, I’d call that a proxy service. To me, a VPN is a way to tunnel into your own network, although the same technology could be used for a proxy.

Can vB code be set to redact certain words like: “proxy” and “spoofing” with black-out boxes?

I guess ECG doesn’t want us mentioning specifics, but slashdot.org has a “deals” section with many VPN offers–including some very cheap lifetime subscriptions (<$60).

To be honest, I don’t understand how to talk about the positive qualities of VPNs without talking about proxies, IP “spoofing” (which is a misnomer anyway), and so on. The features that make VPNs valuable for privacy or identity theft protection are exactly the same ones that enable sockpuppeting or easier copyright infringement. They aren’t separable.

It really just comes down to marketing. Some VPN services market themselves to professionals and advertise their security advantages. Others market themselves to BitTorrenters and the like. But the actual service is the same. Saying that the latter type is in the business of “IP spoofing” is basically nonsense.

My understanding so far:

1. I buy a VPN service for use at my home: I can’t see an advantage for the purposes of identity theft. Unless I have shifty roommates maybe?

2. I buy a VPN service and use it when I’m using my laptop at an internet cafe. Now we’re talking. The internet cafe just sees encrypted traffic. True, when the bits leave the VPN the stuff may or may not be encrypted. But that’s not the attack vector I’m worried about. So if I connect to my bank (or my email account, either via https:) via a competently run VPN service at Joe’s internet cafe, I should be ok. Provided I know what I’m doing. For example, if I use one of their computers, I’d be vulnerable to hardware keyloggers.

Full disclosure: In fact I do not know what I am doing, so I have never connected to a bank at an internet cafe and don’t plan to.

Think of a VPN as creating a pipeline that all your data flows through between your computer and the computer you are connecting to. Nothing can see what is passing through the tube, only you and the computer on the other end you are connected to.

Such connections are pretty much worthless for protecting against something during general web browsing. They could allow you to connect securely to an email provider that offers such services but unless the mail is delivered by a similar pipe/tunnel on the other side it will be exposed on the next leg of the trip.

For working on company computers from home, they are great and make it so that nobody can see what is passing between you and your work computer. Such connections are not generally created spontaneously; they are part of a prearranged connection procedure. You would not VPN to eBay, then Amazon, and Walmart doing online shopping, for example; they would not complete a VPN connection with you.

If you are on their machine, no force in the universe can stop them from recording anything they want as it happens on the machine before entering the VPN.

Software monitoring, hardware-based loggers, all work just fine.

Cite: I do employee monitoring for a few clients; it’s like being able to read people’s minds, it’s kinda freaky.
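To make Caldazar’s point, the hotel example and the “pipeline” description above concrete, here is an added toy model (my own illustration, not code from anyone in the thread): it tracks which observer on the path can read a login, with and without HTTPS and with and without a VPN tunnel. The hostnames, keys and sample password are constructed, and the “cipher” is a throwaway keystream XOR standing in for real encryption.

```python
# Toy model of who can read a login at each hop. Constructed illustration only.
# toy_encrypt is NOT a real cipher; it just models "encrypted vs readable".
import hashlib

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256-derived keystream (symmetric: apply twice to decrypt)."""
    stream = b""
    for block in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

TLS_KEY = b"constructed-session-key-laptop<->bank"  # held only by laptop and bank
VPN_KEY = b"constructed-tunnel-key-laptop<->vpn"    # held only by laptop and VPN server
SECRET = b"password=hunter2"                         # constructed sample login data

def trace(use_https: bool, use_vpn: bool) -> dict:
    """Return {vantage_point: (destination seen, payload bytes seen)} for one request.

    Vantage points: the cafe/hotel LAN, the VPN server's exit link, the destination.
    """
    request = b"POST /login " + SECRET
    inner = toy_encrypt(TLS_KEY, request) if use_https else request  # HTTPS layer
    seen = {}
    if use_vpn:
        # Tunnel wraps destination address plus inner packet; the LAN sees only the VPN server.
        wrapped = toy_encrypt(VPN_KEY, b"bank.example|" + inner)
        seen["cafe_lan"] = ("vpn-server", wrapped)
        # VPN server strips the tunnel layer and forwards the inner packet as itself.
        unwrapped = toy_encrypt(VPN_KEY, wrapped)
        dst, _, forwarded = unwrapped.partition(b"|")
        seen["vpn_exit"] = (dst.decode(), forwarded)
    else:
        seen["cafe_lan"] = ("bank.example", inner)
    # The destination holds the TLS key, so it always recovers the request.
    arrived = seen["vpn_exit"][1] if use_vpn else seen["cafe_lan"][1]
    seen["destination"] = ("bank.example", toy_encrypt(TLS_KEY, arrived) if use_https else arrived)
    return seen

def who_can_read_secret(use_https: bool, use_vpn: bool) -> dict:
    """Map each vantage point to (destination it learns, whether the login is readable there)."""
    return {point: (dst, SECRET in payload)
            for point, (dst, payload) in trace(use_https, use_vpn).items()}

if __name__ == "__main__":
    for https in (False, True):
        for vpn in (False, True):
            print(f"https={https} vpn={vpn}:", who_can_read_secret(https, vpn))
```

Running it shows the thread’s conclusion in one table: the VPN hides the destination and contents from the cafe LAN, but only HTTPS hides the login from the VPN server’s exit, and the destination can always read it.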