VPNs for Security

[MBLittle]

Just curious how many people use VPNs to secure their Internet (and/or cellular) traffic while cruising.

Anyone run into connection problems through a marina's wifi? Or particular problems in certain countries?

[Tim R.]

VPN to what? Virtual Private Network tunnel implies a 2 ended connection that is encrypted.

Depending on the type of VPN, you could always be limited by a public wifi firewall. IPSEC seems to be more widely accepted.

ie: I use a VPN to connect to my office when out cruising. This creates an encrypted virtual network that allow me access to my private company network while riding the internet via wifi or cellular connection.

[MBLittle]

Quote:

Originally Posted by Tim R.

VPN to what? Virtual Private Network tunnel implies a 2 ended connection that is encrypted.

Depending on the type of VPN, you could always be limited by a public wifi firewall. IPSEC seems to be more widely accepted.

ie: I use a VPN to connect to my office when out cruising. This creates an encrypted virtual network that allow me access to my private company network while riding the internet via wifi or cellular connection.

Yes, I know what a VPN is and does. There are off the shelf VPN companies and software that allow encrypted VPN tunneling to their servers and your IP traffic goes from there under their IP address. I personally use HMA on all my computers and iPhones and iPads.

http://www.hidemyass.com/

Can also check out:
http://netforbeginners.about.com/od/...-Providers.htm

http://lifehacker.com/5759186/five-b...vice-providers

So my question is geared to those that don't VPN into the company they work for, but rather, VPN to have 128bit encryption for their personal Internet traffic, ie: shopping and banking.

Personally (based on years of experience in the military), I can pull anyone's Internet traffic from a public wifi that I am also connected to( unless they run a propriety VPN software on their device). Therefore I know others can as well.

[MBLittle]

Quote:

Originally Posted by Tim R.

VPN to what? Virtual Private Network tunnel implies a 2 ended connection that is encrypted.

Depending on the type of VPN, you could always be limited by a public wifi firewall. IPSEC seems to be more widely accepted.

ie: I use a VPN to connect to my office when out cruising. This creates an encrypted virtual network that allow me access to my private company network while riding the internet via wifi or cellular connection.

And yes, that public wifi firewall was what I was referring to about connection problems in certain countries or off certain 3G providers

[muttnik]

Quote:

Originally Posted by MBLittle

So my question is geared to those that don't VPN into the company they work for, but rather, VPN to have 128bit encryption for their personal Internet traffic, ie: shopping and banking.

I'm not aware of any Internet banking not running over https. If an online store doesn't use https to protect payment, your credit card details probably aren't safe with them anyway, and if your connection to your email provider is not ssl secured you should probably be looking for an alternate provider.

Everything I actually care about protecting is already encrypted. Does it worry me if someone with too much time on their hands knows that one of their marina neighbours is wasting their time looking at LOLcats? Certainly not enough to pay for a VPN service. YMMV.

Although the OP may be aware of the difference between a VPN (with NAT at the end) and an encrypted link to a web proxy, not everyone is (as I've seen from other posts on other forums raising similar privacy concerns). The free services tend to involve encrypting a link to a proxy and/or downloading and running software from the provider. I suggest that for anyone without all the information to make up their own mind about the potential for man-in-the-middle or other attacks that this may introduce, trusting to their bank / online store's own encryption with a direct connection is the safest option

[MBLittle]

Quote:

Originally Posted by muttnik

I'm not aware of any Internet banking not running over https. If an online store doesn't use https to protect payment, your credit card details probably aren't safe with them anyway, and if your connection to your email provider is not ssl secured you should probably be looking for an alternate provider.

Everything I actually care about protecting is already encrypted. Does it worry me if someone with too much time on their hands knows that one of their marina neighbours is wasting their time looking at LOLcats? Certainly not enough to pay for a VPN service. YMMV.

Although the OP may be aware of the difference between a VPN (with NAT at the end) and an encrypted link to a web proxy, not everyone is (as I've seen from other posts on other forums raising similar privacy concerns). The free services tend to involve encrypting a link to a proxy and/or downloading and running software from the provider. I suggest that for anyone without all the information to make up their own mind about the potential for man-in-the-middle or other attacks that this may introduce, trusting to their bank / online store's own encryption with a direct connection is the safest option

http://www.yougetsignal.com/tools/visual-tracert/

Do me a favor and trace your computer to the closest google.com server.

I get 15 hops. 8 to my bank. Talk about man in the middle...

https to a banks server is not secure nor "direct". Most 15 year old kids and break the security of Internet explorer. Firefox? Maybe 17 of they apply themselves.

Besides a bored neighbor, the are amateurs with a laptop, pros with software and governments with hardware. You'd clearly be surprised what's plucked from people off the Internet, especially outside the US and EU.

If I'm in the philippines and I can create a 256bit encrypted connection from my laptop to a server in Los Angeles (where my Texas based bank keeps its banking servers), then the only concern I have about pure encryption is the maybe 1 or 2 hops within LA in the US, not the 40-50 that magically route through China.

I have no doubt from the way you talk, you are fairly informed on networking, however, I spent most of my adult life at the alphabet soup agency that does just this to the rest of the world. Your Internet is not secure, even from amateurs.

Or even perhaps the neighbor at a marina that knew you were making a long passage and decided to help himself to a new watermaker thanks to your visa. Shipped overnight to the same address you were just at. Good luck fighting that one when you figure it out a week after an 82 day passage.

[muttnik]

Quote:

Originally Posted by MBLittle

https to a banks server is not secure nor "direct". Most 15 year old kids and break the security of Internet explorer. Firefox? Maybe 17 of they apply themselves.

By "direct connection" I meant from the point of view of TLS negotiation. Whilst you may have a paid-for "real" VPN, my post was raising concerns about the type of free proxies where a user's browser negotiates an encrypted link with the proxy and it proxies a connection to the remote end meaning that the user's information is exposed on the proxy, run by a bunch of people the user probably doesn't know. That may not be what you were advocating but the *free* "Hide My Ass" service appears to be (happy to be corrected on that) such a proxy and, as I was saying, I've often seen similar services advocated on other cruising forums, mistakenly described as "VPNs".

If something needs securing the number of hops is surely irrelevant: It should be secure between the endpoints.

Yes there have been published attacks on ssl: dodgy IVs and padding in cbc mode, more recently attacks on RC4, but there's a fair bit of difference between a determined offline lab-based multi-session attack with known plaintext in a known position and decrypting ssl packets swiped from the ether by a random 15 year old.

Moreover, manufacturers tend to mitigate against attacks as they're published and obviously if you're not keeping your machine up to date, an SSL attack is probably the least of your worries.

You could point out here that security also depends on the supported ciphers and implementation at the other end and relies on your bank/store keeping updated and smart. This is a legitimate concern, but hey, you're already trusting them to store your card details (or your money) securely (which I do worry about more than the security of the connection from me to them).

I'm not saying there is no theoretical weakness in any ssl implementation. That would be demonstrably wrong. Nor would I ever rule out any possibility involving specific targeting of a back door implementation flaw by a government agency although I would have thought there were many easier attack vectors.

I do however question the suggestion that your children could effortlessly swipe login details from wireless snooping of a connection to my bank or amazon (128 bit RC4) never mind my email (256 bit AES). What attack are suggesting they'd be using? You mentioned attacks on browsers: Dodgy javascript exploiting a known browser hole is a different thing to getting plaintext from SSL by packet snooping and isn't protected by a VPN.

My assertion is that those not well versed in security may expose themselves to far bigger risks downloading software and using free services described as "VPNs" (but which are actually proxies) than any risk from snooped ssl packets.

Nothing wrong with "Real" VPNs which just provide an encrypted tunnel with some NAT at the end. Fine for anyone needing to fake their geographic location or anyone really concerned about neighbours snooping their browsing habits.

Edit: Actually I do apologize for going off-topic. The OP has asked a valid question and my response was about something related but not answering the question asked.

[Target9000]

The number of hops is totally irrelevant to a well functioning SSL setup. It is designed to prevent MITM attacks. Its one of the points of PKI and authorities.

I'm not sure why you think that someone intercepting traffic can suddenly crack SSL. Do you have a solid understanding of the current SSL model?

[AnchorageGuy]

To try and answer your original question, we have used VPNs for our internet connections on the boat for years, but in the U.S. and western Caribbean so I can't speak of other countries. We have on rare occasions had the connection slow down but can't be 100% that it was due to the VPN. We have not been in a marina or any country where using the VPN has kept us from getting on line. We have had problems with the VPN itself dropping out with certain VPN providers. I hope this helps a bit. http://trawler-beach-house.blogspot....sheep-and.html .Chuck

[Hotel L]

Quote:

Originally Posted by muttnik

By "direct connection" I meant from the point of view of TLS negotiation. Whilst you may have a paid-for "real" VPN, my post was raising concerns about the type of free proxies where a user's browser negotiates an encrypted link with the proxy and it proxies a connection to the remote end meaning that the user's information is exposed on the proxy, run by a bunch of people the user probably doesn't know. That may not be what you were advocating but the *free* "Hide My Ass" service appears to be (happy to be corrected on that) such a proxy and, as I was saying, I've often seen similar services advocated on other cruising forums, mistakenly described as "VPNs".

If something needs securing the number of hops is surely irrelevant: It should be secure between the endpoints.

Yes there have been published attacks on ssl: dodgy IVs and padding in cbc mode, more recently attacks on RC4, but there's a fair bit of difference between a determined offline lab-based multi-session attack with known plaintext in a known position and decrypting ssl packets swiped from the ether by a random 15 year old.

Moreover, manufacturers tend to mitigate against attacks as they're published and obviously if you're not keeping your machine up to date, an SSL attack is probably the least of your worries.

You could point out here that security also depends on the supported ciphers and implementation at the other end and relies on your bank/store keeping updated and smart. This is a legitimate concern, but hey, you're already trusting them to store your card details (or your money) securely (which I do worry about more than the security of the connection from me to them).

I'm not saying there is no theoretical weakness in any ssl implementation. That would be demonstrably wrong. Nor would I ever rule out any possibility involving specific targeting of a back door implementation flaw by a government agency although I would have thought there were many easier attack vectors.

I do however question the suggestion that your children could effortlessly swipe login details from wireless snooping of a connection to my bank or amazon (128 bit RC4) never mind my email (256 bit AES). What attack are suggesting they'd be using? You mentioned attacks on browsers: Dodgy javascript exploiting a known browser hole is a different thing to getting plaintext from SSL by packet snooping and isn't protected by a VPN.

My assertion is that those not well versed in security may expose themselves to far bigger risks downloading software and using free services described as "VPNs" (but which are actually proxies) than any risk from snooped ssl packets.

Nothing wrong with "Real" VPNs which just provide an encrypted tunnel with some NAT at the end. Fine for anyone needing to fake their geographic location or anyone really concerned about neighbours snooping their browsing habits.

Edit: Actually I do apologize for going off-topic. The OP has asked a valid question and my response was about something related but not answering the question asked.

Yes.....what he said