Originally Posted by MBLittle
https to a bank's server is not secure nor "direct". Most 15 year old kids can break the security of Internet Explorer. Firefox? Maybe 17 if they apply themselves.
By "direct connection" I meant from the point of view of TLS negotiation. Whilst you may have a paid-for "real" VPN, my post was raising concerns about the type of free proxies where a user's browser negotiates an encrypted link with the proxy and it proxies a connection to the remote end, meaning that the user's information is exposed on the proxy, run by a bunch of people the user probably doesn't know. That may not be what you were advocating but the *free* "Hide My Ass" service appears to be (happy to be corrected on that) such a proxy and, as I was saying, I've often seen similar services advocated on other cruising forums, mistakenly described as "VPNs".
If something needs securing the number of hops is surely irrelevant: It should be secure between the endpoints.
Yes there have been published attacks on ssl: dodgy IVs and padding in cbc mode, more recently attacks on RC4, but there's a fair bit of difference between a determined offline lab-based multi-session attack with known plaintext in a known position and decrypting ssl packets swiped from the ether by a random 15 year old.
Moreover, manufacturers tend to mitigate against attacks as they're published and obviously if you're not keeping your machine up to date, an SSL attack is probably the least of your worries.
You could point out here that security also depends on the supported ciphers and implementation at the other end and relies on your bank/store keeping updated and smart. This is a legitimate concern, but hey, you're already trusting them to store your card details (or your money) securely (which I do worry about more than the security of the connection from me to them).
I'm not saying there is no theoretical weakness in any ssl implementation. That would be demonstrably wrong. Nor would I ever rule out any possibility involving specific targeting of a back door implementation flaw by a government agency although I would have thought there were many easier attack vectors.
I do however question the suggestion that your children
My assertion is that those not well versed in security may expose themselves to far bigger risks downloading software and using free services described as "VPNs" (but which are actually proxies) than any risk from snooped ssl packets.
Nothing wrong with "Real" VPNs which just provide an encrypted tunnel with some NAT at the end. Fine for anyone needing to fake their geographic location or anyone really concerned about neighbours snooping their browsing habits.
Edit: Actually I do apologize for going off-topic. The OP has asked a valid question and my response was about something related but not answering the question asked.