Cruisers Forum
 


Old 22-05-2013, 10:15   #1
Registered User
 
MBLittle's Avatar

Join Date: Apr 2013
Location: St Thomas, USVI
Posts: 542
VPNs for Security

Just curious how many people use VPNs to secure their Internet (and/or cellular) traffic while cruising.

Anyone run into connection problems through a marina's wifi? Or particular problems in certain countries?
__________________

__________________
MBLittle is offline   Reply With Quote
Old 22-05-2013, 11:02   #2
Registered User
 
Tim R.'s Avatar

Join Date: Jul 2012
Location: Portland, Maine
Boat: Caliber 40LRC
Posts: 604
Re: VPNs for Security

VPN to what? Virtual Private Network tunnel implies a 2 ended connection that is encrypted.

Depending on the type of VPN, you could always be limited by a public wifi firewall. IPSEC seems to be more widely accepted.

ie: I use a VPN to connect to my office when out cruising. This creates an encrypted virtual network that allows me access to my private company network while riding the internet via wifi or cellular connection.
__________________

__________________
Tim R.
Our Carina is sold
1997 Caliber 40LRC
TKR on a Boat Website
Tim R. is offline   Reply With Quote
Old 22-05-2013, 11:29   #3
Registered User
 
MBLittle's Avatar

Join Date: Apr 2013
Location: St Thomas, USVI
Posts: 542
Quote:
Originally Posted by Tim R. View Post
VPN to what? Virtual Private Network tunnel implies a 2 ended connection that is encrypted.

Depending on the type of VPN, you could always be limited by a public wifi firewall. IPSEC seems to be more widely accepted.

ie: I use a VPN to connect to my office when out cruising. This creates an encrypted virtual network that allows me access to my private company network while riding the internet via wifi or cellular connection.
Yes, I know what a VPN is and does. There are off the shelf VPN companies and software that allow encrypted VPN tunneling to their servers and your IP traffic goes from there under their IP address. I personally use HMA on all my computers and iPhones and iPads.

http://www.hidemyass.com/

Can also check out:
http://netforbeginners.about.com/od/...-Providers.htm

http://lifehacker.com/5759186/five-b...vice-providers

So my question is geared to those that don't VPN into the company they work for, but rather, VPN to have 128bit encryption for their personal Internet traffic, ie: shopping and banking.

Personally (based on years of experience in the military), I can pull anyone's Internet traffic from a public wifi that I am also connected to (unless they run a proprietary VPN software on their device). Therefore I know others can as well.
__________________
MBLittle is offline   Reply With Quote
Old 22-05-2013, 11:30   #4
Registered User
 
MBLittle's Avatar

Join Date: Apr 2013
Location: St Thomas, USVI
Posts: 542
Quote:
Originally Posted by Tim R. View Post
VPN to what? Virtual Private Network tunnel implies a 2 ended connection that is encrypted.

Depending on the type of VPN, you could always be limited by a public wifi firewall. IPSEC seems to be more widely accepted.

ie: I use a VPN to connect to my office when out cruising. This creates an encrypted virtual network that allows me access to my private company network while riding the internet via wifi or cellular connection.
And yes, that public wifi firewall was what I was referring to about connection problems in certain countries or off certain 3G providers.
__________________
MBLittle is offline   Reply With Quote
Old 23-05-2013, 04:37   #5
Registered User

Join Date: Oct 2012
Location: Brighton, UK
Boat: Westerly Oceanlord
Posts: 374
Re: VPNs for Security

Quote:
Originally Posted by MBLittle View Post
So my question is geared to those that don't VPN into the company they work for, but rather, VPN to have 128bit encryption for their personal Internet traffic, ie: shopping and banking.
I'm not aware of any Internet banking not running over https. If an online store doesn't use https to protect payment, your credit card details probably aren't safe with them anyway, and if your connection to your email provider is not ssl secured you should probably be looking for an alternate provider.

Everything I actually care about protecting is already encrypted. Does it worry me if someone with too much time on their hands knows that one of their marina neighbours is wasting their time looking at LOLcats? Certainly not enough to pay for a VPN service. YMMV.

Although the OP may be aware of the difference between a VPN (with NAT at the end) and an encrypted link to a web proxy, not everyone is (as I've seen from other posts on other forums raising similar privacy concerns). The free services tend to involve encrypting a link to a proxy and/or downloading and running software from the provider. I suggest that for anyone without all the information to make up their own mind about the potential for man-in-the-middle or other attacks that this may introduce, trusting to their bank / online store's own encryption with a direct connection is the safest option.
__________________
muttnik is offline   Reply With Quote
Old 23-05-2013, 08:29   #6
Registered User
 
MBLittle's Avatar

Join Date: Apr 2013
Location: St Thomas, USVI
Posts: 542
Quote:
Originally Posted by muttnik View Post

I'm not aware of any Internet banking not running over https. If an online store doesn't use https to protect payment, your credit card details probably aren't safe with them anyway, and if your connection to your email provider is not ssl secured you should probably be looking for an alternate provider.

Everything I actually care about protecting is already encrypted. Does it worry me if someone with too much time on their hands knows that one of their marina neighbours is wasting their time looking at LOLcats? Certainly not enough to pay for a VPN service. YMMV.

Although the OP may be aware of the difference between a VPN (with NAT at the end) and an encrypted link to a web proxy, not everyone is (as I've seen from other posts on other forums raising similar privacy concerns). The free services tend to involve encrypting a link to a proxy and/or downloading and running software from the provider. I suggest that for anyone without all the information to make up their own mind about the potential for man-in-the-middle or other attacks that this may introduce, trusting to their bank / online store's own encryption with a direct connection is the safest option.
http://www.yougetsignal.com/tools/visual-tracert/

Do me a favor and trace your computer to the closest google.com server.

I get 15 hops. 8 to my bank. Talk about man in the middle...

https to a bank's server is not secure nor "direct". Most 15 year old kids can break the security of Internet Explorer. Firefox? Maybe 17 if they apply themselves.

Besides a bored neighbor, there are amateurs with a laptop, pros with software and governments with hardware. You'd clearly be surprised what's plucked from people off the Internet, especially outside the US and EU.

If I'm in the Philippines and I can create a 256bit encrypted connection from my laptop to a server in Los Angeles (where my Texas based bank keeps its banking servers), then the only concern I have about pure encryption is the maybe 1 or 2 hops within LA in the US, not the 40-50 that magically route through China.

I have no doubt from the way you talk, you are fairly informed on networking, however, I spent most of my adult life at the alphabet soup agency that does just this to the rest of the world. Your Internet is not secure, even from amateurs.

Or even perhaps the neighbor at a marina that knew you were making a long passage and decided to help himself to a new watermaker thanks to your Visa. Shipped overnight to the same address you were just at. Good luck fighting that one when you figure it out a week after an 82 day passage.
__________________
MBLittle is offline   Reply With Quote
Old 23-05-2013, 11:47   #7
Registered User

Join Date: Oct 2012
Location: Brighton, UK
Boat: Westerly Oceanlord
Posts: 374
Re: VPNs for Security

Quote:
Originally Posted by MBLittle View Post
https to a bank's server is not secure nor "direct". Most 15 year old kids can break the security of Internet Explorer. Firefox? Maybe 17 if they apply themselves.
By "direct connection" I meant from the point of view of TLS negotiation. Whilst you may have a paid-for "real" VPN, my post was raising concerns about the type of free proxies where a user's browser negotiates an encrypted link with the proxy and it proxies a connection to the remote end meaning that the user's information is exposed on the proxy, run by a bunch of people the user probably doesn't know. That may not be what you were advocating but the *free* "Hide My Ass" service appears to be (happy to be corrected on that) such a proxy and, as I was saying, I've often seen similar services advocated on other cruising forums, mistakenly described as "VPNs".

If something needs securing the number of hops is surely irrelevant: It should be secure between the endpoints.

Yes there have been published attacks on ssl: dodgy IVs and padding in cbc mode, more recently attacks on RC4, but there's a fair bit of difference between a determined offline lab-based multi-session attack with known plaintext in a known position and decrypting ssl packets swiped from the ether by a random 15 year old.

Moreover, manufacturers tend to mitigate against attacks as they're published and obviously if you're not keeping your machine up to date, an SSL attack is probably the least of your worries.

You could point out here that security also depends on the supported ciphers and implementation at the other end and relies on your bank/store keeping updated and smart. This is a legitimate concern, but hey, you're already trusting them to store your card details (or your money) securely (which I do worry about more than the security of the connection from me to them).

I'm not saying there is no theoretical weakness in any ssl implementation. That would be demonstrably wrong. Nor would I ever rule out any possibility involving specific targeting of a back door implementation flaw by a government agency although I would have thought there were many easier attack vectors.

I do however question the suggestion that your children could effortlessly swipe login details from wireless snooping of a connection to my bank or amazon (128 bit RC4) never mind my email (256 bit AES). What attack are you suggesting they'd be using? You mentioned attacks on browsers: Dodgy javascript exploiting a known browser hole is a different thing to getting plaintext from SSL by packet snooping and isn't protected by a VPN.

My assertion is that those not well versed in security may expose themselves to far bigger risks downloading software and using free services described as "VPNs" (but which are actually proxies) than any risk from snooped ssl packets.

Nothing wrong with "Real" VPNs which just provide an encrypted tunnel with some NAT at the end. Fine for anyone needing to fake their geographic location or anyone really concerned about neighbours snooping their browsing habits.

Edit: Actually I do apologize for going off-topic. The OP has asked a valid question and my response was about something related but not answering the question asked.
__________________
muttnik is offline   Reply With Quote
Old 23-05-2013, 12:06   #8
Registered User
 
Target9000's Avatar

Join Date: May 2009
Location: New Orleans LA
Boat: 74 Westsail 32
Posts: 1,379
Re: VPNs for Security

The number of hops is totally irrelevant to a well functioning SSL setup. It is designed to prevent MITM attacks. It's one of the points of PKI and authorities.

I'm not sure why you think that someone intercepting traffic can suddenly crack SSL. Do you have a solid understanding of the current SSL model?
__________________
Let your heart tell you where to go, but let your brain tell you how to get there.

Sundowner Sails Again
Target9000 is offline   Reply With Quote
Old 23-05-2013, 15:17   #9
Marine Service Provider
 
AnchorageGuy's Avatar

Join Date: Mar 2003
Location: Wherever the boat is!
Boat: Marine Trader 34DC
Posts: 4,618
Re: VPNs for Security

To try and answer your original question, we have used VPNs for our internet connections on the boat for years, but in the U.S. and western Caribbean so I can't speak of other countries. We have on rare occasions had the connection slow down but can't be 100% that it was due to the VPN. We have not been in a marina or any country where using the VPN has kept us from getting on line. We have had problems with the VPN itself dropping out with certain VPN providers. I hope this helps a bit. http://trawler-beach-house.blogspot....sheep-and.html

Chuck
__________________
Chesapeake Bay, ICW Hampton Roads To Key West, The Gulf Coast, The Bahamas

The Trawler Beach House
Voyages Of Sea Trek
AnchorageGuy is offline   Reply With Quote
Old 23-05-2013, 17:37   #10
Registered User

Join Date: Apr 2011
Location: Maryland
Boat: Island Packet 35
Posts: 132
Quote:
Originally Posted by muttnik View Post

By "direct connection" I meant from the point of view of TLS negotiation. Whilst you may have a paid-for "real" VPN, my post was raising concerns about the type of free proxies where a user's browser negotiates an encrypted link with the proxy and it proxies a connection to the remote end meaning that the user's information is exposed on the proxy, run by a bunch of people the user probably doesn't know. That may not be what you were advocating but the *free* "Hide My Ass" service appears to be (happy to be corrected on that) such a proxy and, as I was saying, I've often seen similar services advocated on other cruising forums, mistakenly described as "VPNs".

If something needs securing the number of hops is surely irrelevant: It should be secure between the endpoints.

Yes there have been published attacks on ssl: dodgy IVs and padding in cbc mode, more recently attacks on RC4, but there's a fair bit of difference between a determined offline lab-based multi-session attack with known plaintext in a known position and decrypting ssl packets swiped from the ether by a random 15 year old.

Moreover, manufacturers tend to mitigate against attacks as they're published and obviously if you're not keeping your machine up to date, an SSL attack is probably the least of your worries.

You could point out here that security also depends on the supported ciphers and implementation at the other end and relies on your bank/store keeping updated and smart. This is a legitimate concern, but hey, you're already trusting them to store your card details (or your money) securely (which I do worry about more than the security of the connection from me to them).

I'm not saying there is no theoretical weakness in any ssl implementation. That would be demonstrably wrong. Nor would I ever rule out any possibility involving specific targeting of a back door implementation flaw by a government agency although I would have thought there were many easier attack vectors.

I do however question the suggestion that your children could effortlessly swipe login details from wireless snooping of a connection to my bank or amazon (128 bit RC4) never mind my email (256 bit AES). What attack are you suggesting they'd be using? You mentioned attacks on browsers: Dodgy javascript exploiting a known browser hole is a different thing to getting plaintext from SSL by packet snooping and isn't protected by a VPN.

My assertion is that those not well versed in security may expose themselves to far bigger risks downloading software and using free services described as "VPNs" (but which are actually proxies) than any risk from snooped ssl packets.

Nothing wrong with "Real" VPNs which just provide an encrypted tunnel with some NAT at the end. Fine for anyone needing to fake their geographic location or anyone really concerned about neighbours snooping their browsing habits.

Edit: Actually I do apologize for going off-topic. The OP has asked a valid question and my response was about something related but not answering the question asked.
Yes.....what he said
__________________

__________________
Hotel L is offline   Reply With Quote