Page 1 of 2

VPN providers.

PostPosted:Thu Jan 03, 2019 2:43 pm
by flybymike
Me and Mrs fbm do a fair bit of motorhome travelling and use a good deal of non secure open Wi-fi networks while we’re away.
I’ve always been apprehensive about security on open Wi-fi particularly for banking etc.
Asking around our peers, many seem to route their Wi-fi through a VPN provider which as I understand it, disidentifies you from the ultimate server by routing you through an intermediate private network.
However my banking App seems to identify the specific device I’m using when logging on but I’m assuming I could still log on successfully via the bank website rather than the App?
Does anyone use a VPN, any recommendations for a good one, any tips, snags drawbacks etc?
Thanks.

Re: VPN providers.

PostPosted:Thu Jan 03, 2019 2:50 pm
by rikur_
Banking apps are already encrypted and designed to be used securely over open networks. As are most things nowadays. Unless you're using some old fashioned insecure service or working with state secrets, I'm not convinced that a VPN is necessary.

Re: VPN providers.

PostPosted:Thu Jan 03, 2019 2:56 pm
by PaulB
I thought most people using VPNs wanted to hide who they are or where they are. (ICBW)

Re: VPN providers.

PostPosted:Thu Jan 03, 2019 2:56 pm
by Colonel Panic
I use a VPN if using my laptop on an in-secure wi-fi network - currently TunnelBear, but have also heard Nord VPN is OK.

Unlike on a phone, accessing my bank on my laptop is not "secure" - other than https. But even so, happy for others not to be able to look at the contents of my machine.

Re: VPN providers.

PostPosted:Thu Jan 03, 2019 5:54 pm
by rikur_
PaulB wrote:I thought most people using VPNs wanted to hide who they are or where they are. (ICBW)

That's the main reason I use it - for accessing iPlayer when I'm outside the UK (!)

Originally VPN's were mostly used in a corporate context to allow people to connect to the servers in the office, when servers talked various insecure protocols. Nowadays, most businesses are using Office 365 over the internet anyway, so VPN business use has become more niche for legacy systems (particularly SCADA which are often insecure).

VPNs have also developed a role in masking a user's true location - for example bypassing regional controls on content, or less legitimate reasons for hiding your tracks.

It used to be recommended to use VPN's for web-browsing on insecure networks. The use of http (not https), basic pop3/imap (not the encrypted version used nowadays), etc allowed data in transit to be observed, and in some cases you could 'sniff' session tokens from http parts of Google, that allowed you to access https parts. But as services have implemented end-to-end encryption nowadays I think that's overkill for normal usage.

Banks design websites and apps on the assumption that the network that they'll be used on is insecure. Some of the heuristic techniques they use for fraud checking may get upset by VPNs (particularly if the VPN makes you appear to be outside the UK).

As a public network provider, what can I see if you don't use a VPN to access https sites? Typically I can see DNS look-ups (domain name), and therefore can tell what sites/services you are accessing (just the domain name, not the full URL). I'll then see that a series of https sessions exist from your device to some remote locations. Again I can use this to infer that you're using Gmail, reading the Daily Wail, etc - but I can't see your login details nor what specific web-pages you're accessing, or any content going back and forth. If you access any insecure sites (http), then I can see everything.

If you connect via a VPN, I will probably just see one DNS look-up for the VPN end-point, and then just see one or more VPN tunnels that exist to a remote location. So I don't know if you're reading the Daily Wail or the Guardian.

Ultimately https over VPN is probably more secure than https without - but unless you're doing something particularly sensitive or embarrassing, or being specifically targeted - IMHO https is adequate.

On a final note - routing your web traffic over a VPN doesn't automatically make your laptop any less vulnerable to hacking via the wifi network - i.e. someone else on the same network wants to hack into your device. This depends on a combination of your firewall setting and the VPN client and how it is configured. Both the Windows and Mac built-in VPN clients, leave the device exposed to the LAN even when connected to a VPN. So if you're running any services like file sharing, Music sharing, SSH, etc locally, these will still be accessible to others connected to the same LAN. (Unless the LAN has implemented client isolation, which is increasingly common). In this regard Windows tends to be a bit better than Macs in that by default it hides such services from unknown networks, until you explicitly tell it that this is a trusted network (the Private / Public thing it asks you from time to time).

Re: VPN providers.

PostPosted:Thu Jan 03, 2019 7:22 pm
by eltonioni
Tunnel Bear is OK for occasional use. It's at the commercial end of the market so (maybe naively) I trust it more than some of the offers out there.

Re: VPN providers.

PostPosted:Thu Jan 03, 2019 11:21 pm
by OCB
Rikur - a perfect example of a non-technical project manager’s nightmare!

Simple question, well thought and precise technical answer.

Alas, most non techies have the staying power that’s even less than a tube of 20 yr old MFI white glue...

Just to add:
SCADA -effin terrified me. The only technology I had to secure, yet let onto corporate WAN/LAN that, if compromised, could result in multi-million litre boilers exploding and killing a ferk load of people.

VPN is still widely used in the corporate world. It’s gotten easier thanks mainly to Windows being a lot more accepting of such tech. Even on the Mac it’s not that painful any more. I use it regularly as an expat- far too many times companies insist I *must* use the French or Dutch sites...ferk that!

Most or all banking sites can figure out if you’re using VPN. I can’t, for example, change my UK bank PC Banking password outside the UK, no matter what public VPN I use. Fair enough.

When it comes to personal VPN use, it’s mainly for accessing media or services that are geo-locked for idiotic reasons.

Re: VPN providers.

PostPosted:Fri Jan 04, 2019 12:09 am
by flybymike
Many thanks for the advice folks, the technical aspects of which went straight over my head.

I’m coming to the conclusion that my initial fears are largely groundless and it’s probably not worth worrying or bothering to use a VPN.

Re: VPN providers.

PostPosted:Fri Jan 04, 2019 10:23 am
by rikur_
OCB wrote:Rikur - a perfect example of a non-technical project manager’s nightmare!

Simple question, well thought and precise technical answer.

Alas, most non techies have the staying power that’s even less than a tube of 20 yr old MFI white glue...

Fair observation!

Back to analogies then....

Accessing http websites is like communicating via postcards. Anyone that handles the postcard can read who it is to/from and the message being sent.

Accessing https websites is like communicating via postcards, but with the message bit of the postcard written in secret code. Anyone that handles the postcard can see who it is to/from, but doesn't know what is being said.

Using a VPN is like putting the postcard in an envelope and posting it to someone you trust, for them to post it onwards to the final recipient. Anyone that handles the envelope doesn't know what you are saying, or who the final recipient is. When the recipient gets the postcard, it has a postmark from the VPN provider, not your original location.

As such, VPN masks your communication: the content, who it is with, and where you are.

There is a separate risk of using public networks that someone else on the same network might try to hack you. VPNs don't solve that risk - you need to use a firewall for that.

Re: VPN providers.

PostPosted:Fri Jan 04, 2019 10:37 am
by Paul_Sengupta
rikur_ wrote:and posting it to someone you trust


Who's to say you can trust the VPN providers? :D

Re: VPN providers.

PostPosted:Fri Jan 04, 2019 10:50 am
by stevelup
You beat me to it - that was going to be exactly my point.

You're just moving the trust somewhere else which - in the case of most VPN providers - is to an unaccountable overseas entity.

Who knows what they're doing at the endpoint...

Re: VPN providers.

PostPosted:Fri Jan 04, 2019 10:53 am
by rikur_
Paul_Sengupta wrote:
rikur_ wrote:and posting it to someone you trust


Who's to say you can trust the VPN providers? :D

That's my point - you are trusting them .... whether you should trust them is a different matter.

I use a VPN back to my own house when I need one for that reason.

Re: VPN providers.

PostPosted:Fri Jan 04, 2019 11:07 am
by Paul_Sengupta
I've always been a bit wary of these sort of things, especially the free ones. What are they doing with the data? Are they building up a Netflix/iPlayer library to then sell on the dark web? :D

Re: VPN providers.

PostPosted:Fri Jan 04, 2019 11:13 am
by rikur_
Absolutely.

Or equally if I was part of a state security service, I think I might set-up a free VPN as a honey trap. Or even if I hadn't, I'd pay very close attention to traffic coming off one.

Re: VPN providers.

PostPosted:Fri Jan 04, 2019 12:09 pm
by gaxor
To answer the question - ExpressVPN works well for me when in China