VPN Basic Question

Can someone please help explain a VPN question I have

I have a good understanding on VPNs and the concept behind them etc. I signed up for a VPN service also. What I am confused about is, everyone says they are secure and to always use them if I’m on public WiFi etc. how safe is it to check my bank accounts etc. when I am hooked into the VPN, can the VPN service see my information? I have read about people setting up their own VPN services at their home also. But I don’t know if that’s better than a service like cloak etc.

Thanks!

1 Like

I use TunnelBear vpn on my mac every second I’m on public wifi. I even turn off wifi when in transit to keep the mac from latching onto xfinity hotspots. Since tb VPN is point to point encrypted I feel pretty secure accessing sensitive data. Obviously, nothing is a sure thing but it’s better than having your connection wide open.

3 Likes

TLDR: you should be fine and home vs. service VPN choice is based on your paranoia and bandwidth.

The VPN will give you a secure end point to a particular Internet connection. That means you will exit onto the Internet for requests at the VPN end point for your connection … but your traffic will be routed through the VPN supplier’s infrastructure. They are a man in the middle in some senses. This gives you protection from outside the VPN, but people can still track you if they have certain capacities, knowledge of your VPN provider, etc. Think nation state actors.

Now I would expect that your bank would be using TLS (an HTTPS URL) for it’s online operations. That will encrypt your traffic and unless your VPN provider has had you install a certificate such that they act as a true middleman on your traffic (in which case they interpose and interact with your bank rather than you directly) you should be okay. That scenario typically would only occur within certain corporate environments and VPNs.

Onto the service vs. home hosted VPN. If you ara TNO (trust no one) kind of person, then control your own VPN at home. If you great bandwidth (e.g. gigabt fibre), why not save a bit of cost against paying for a service? You want more reliability, a choice of geographic end points and someone to just take care of the technical stuff for you. Go for a service.

Just remember, if you use a home VPN, this is just the same as egressing onto the Internet via your home Internet connection regardless of where you are. If you use a service, you could use that from home as well. Your ISP will know where you go when you exit your home VPN node. They won’t if you use a VPN service node.

Hope that helps.

5 Likes

It is really necessary. Back in 2009, I used public WiFi in a cafe and someone managed to get my email password. Within 24hrs they had tried to withdraw money from my PayPal. I’ve always used a VPN on public networks since.

I use VyprVPN without the app (I just use the iOS/MacOS native connection software). It doesn’t seem to slow my connection at all. Being able to watch my cable sports abroad is just an added bonus.

It also allows access to the “normal” Internet in China and bypasses the “great firewall”. I’m often there for conferences so I get good value for the subscription.

2 Likes

Thanks for the info guys

@sylumer that was a really great explaination. I have read a lot online and that was the best yet!

Thanks for sharing this.

Would you say for a private VPN (home made one), is the Open VPN and a Synology a good/safe option? An easy to set up too?

TL;DR: it depends :slight_smile:

The thing with using a VPN on a public wifi is you use it to make sure your traffic is encrypted on the wifi network and leaving the encrypted state somewhere else. No matter where.

VPN with an external provider or a hown grown one is basically the same, they both provide an encryted tunnel for you to go on to, and through, the internet. With a commercial one it’s at their endpoints, with a home VPN it is at your router onto your ISP’s network. It comes down to the same thing from the tunnel aspect.

As for security, with net neutrality in the US dead:
I would think about a 3rd party like cloak or some other provider over a home VPN. But as I don’t live in the US I can’t say for sure.

And the opposite to that: how much do you trust the 3rd party VPN provider? (Maybe take a look at protonVPN?)

I’d say look at your needs, and look at what’s the best fit for that.

I use cloak for external wifi myself (endpoint in Europe), just because it has an excellent auto-on on untrusted wifi, and use Synology’s VPN options to tunnel into my home network. And sometimes I use both at the same time.

Open VPN is used by some service providers too. It’s well supported so I sent no issue with using that.

I’ve never owned a Synology (I have a QNAP NAS right now), but they are a well known brand. I’m sure someone on the forum could advise on the complexity and experience of running Open VPN off Synology devices.

I don’t see the benefit of VPN as most banks and other important sites use HTTPS which is encrypted before leaving your computer anyways. The only benefit to a VPN is that you can bypass firewalls.

First of all you note that it is “most”, not all and so that’s a key point.

Beyond the fact your using a different geographic end point to potentially circumvent restrictions on what can be accessed, VPNs obfuscate (not anonymity) aspects of your activity, cam be set to be the only way to allow access to resources across the Internet and can also be used to work around bandwidth volume and speed throttling on particular types of traffic (net neutrality anyone?) where the VPN overhead is not significant in comparison.

I’m sure there are other benefits too, but there’s certainly more than you suspect. I 'm also pretty sure they are a rather population technology amongst the IT security research community which lends further support (broadly) to the security benefits they offer.

The biggest problem with VPN’s is there advertising. They’re using scare tactics to sell a service that is not what people think it is. VPNs are nothing more than a proxy service that uses HTTPS which you would have used anyways to connect to a secure site.

If you’re using HTTPS your connection is secure, the data between you and the website is encrypted and only you and the sever can read it. But the fact that you’re talking to that website is not secured. Its like having a tube that on the outside says “facebook” but the contents in the tube can not be read by anyone except those on either end of the tube.

A VPN puts a tube around your tube so the fact that you’re visiting “facebook” is hidden, but the bigger tube says the name of the VPN service you’re using. This keeps ISP from messing with or tracking your movement on the internet. But this just moves the trust away from the ISP to the VPN service and there is no way to prove that they too don’t track and sell your data (even if they say they don’t). Even worse is the cookie that get stored from Facebook or Google are stored on the VPN server since it proved the ID of the account - so if there is a breach of that VPN you could have issue of account theft.

The moral of the story is only trust sites that use https.

Ah… sorry… you do know what a vpn is…? Right?

It has nothing to do with advertising, and everything to do with security,
Turn on vpn = security (most of the time)
No vpn = you’re on your own, Budd,

And yes, it’s all about trust, but I’d rather trust encrypt.me than chucky cheeses’ wifi…

1 Like

When I say advertising I mean every YouTuber recommending TunnelBear or whatever VPN flavor of the month. Even podcasters are pushing these things and saying they’re a bullet proof plan to protect you while online.

So long as the website you’re visiting is HTTPS, with the green lock in the address bar, your information is secure and safe. The only real advantage a VPN has is if you need to hide your IP address or make it look like you’re in a different location.

Then there is the past breaches and lack of doing what you pay them to do with past VPN services. The connection between your computer and the VPN is encrypted but its can be read and stored by the VPN and the information sold. You’re just kicking the can down the road to a service that has people willing and paying to hand over there browsing data. It’s a prime target for attacks and they do happen. It boils back down to just simply only using sites with HTTPS if you want your data secure.

@ecophoscys I can see your point but do not agree with your assessment that as long as a site uses https it is secure. it always needs to use a dns, “handshake” etc and that is all unsecured for the most part, and furthermore: that would be only web surfing, your devices barf out a lot more traffic onto the network than just the https pipe.

no matter what your feeling about commercial vpn’s, a VPN is the only safe way to make a network connection to an untrusted network in all cases. (commercial or otherwise)

I don’t understand. There’s no danger of being compromised on public WiFi? Passwords and info that demands privacy…

If you’re connecting to a site that is HTTPS and NOT HTTP the connection is secure, so passwords and other data you transmit can only be read by you and the website. Even when on Public WIFI, if the site you’re connecting to uses HTTPS then the data you get and send is secure.

This video does a great job explaining how VPNs and HTTPS are pretty much the same https://www.youtube.com/watch?v=wPULaiZH_4o

Another good video that explains why VPNs are not really needed if the site is HTTPS https://www.youtube.com/watch?v=Z_-HDbd-EmQ

My main point is that people need to be careful as many of these VPN services are backed by affiliates looking to make a buck. This has created a scare tactic (sales tactic) to make people think the internet is not safe and you need to buy this VPN to make it safer for you. Since the commission is good you get many YouTuber and such promoting them and driving it more into the ground that you need it but the ironic part is that if you’re connecting to a site that uses HTTPS you’re getting the same level of protection. In fact, with a VPN you only kick the can down the road and instead of trusting your ISP you now have to trust this VPN who may or may not sell or steal your information anyways.

VPNs 20 years ago was a very smart way to go about surfing the internet securely in a coffee shop. This was because HTTPS was not as wildly used, even some banks didn’t use HTTPS 20 years ago. Now you have almost 80% of the internet using HTTPS which is a “VPN” between your computer and the website. Google helped push this into place by making HTTPS easy to implement and forcing websites saying it will affect rankings. Since there is such a mass adoption of HTTPS, paying for a VPN service is a waste if you only care about security. A VPN is worth it if you want to mask/hide your IP address but that is a different debate from security. Stick to sites that use HTTPS and you’re getting the same level of protection, if not better, than what a VPN gives.

The VPN debate has turned into that moment in Idiocracy where the people give plants the energy drink instead of water and they say it’s because it has electrolytes. Everyone saying you need a VPN because its safer is like saying the plants need electrolytes - people don’t fully understand what is really going on. Just to be clear, I’m not calling anyone dumb just pointing out how effective the advertising for VPNs are.

But the fact that you’ve connected to a particular site is not. With a VPN + HTTPS, it would be.

1 Like

Interesting one…

HTTPS is safe, IF the SSL key system has no current or future flaws (which isn’t the case), servers/clients have no current or future weaknesses (also consider: many people running outdated OSes), servers/clients are correctly configured, all the services you use (Mail, Web, Dropbox,…) have no current or future weaknesses, etc.
I once set up a free WiFi in an airport (SSID “Free Lounge WiFi”). Within minutes, dozens of people had connected, since the actual complimentary WiFi was crap. With Wireshark it was easy to record all the traffic and read everything HTTP, POP3 (no joke!), etc. The trigger “password” showed several hits. Do you really know what you are connecting to when using a WLAN in an airport, café, etc? Yes, HTTPS prevents easy eavesdropping and makes is impossible to decypher, IF there’s no flaw. But, remember the Heartbleed bug in OpenSSL? Can you rule out the next one?
So, by tunelling everything through VPN, I just add another layer of security. What’s the probability of HTTPS getting broken into: very slim. But not 0. So, don’t call people idiots.
And since it’s easy to do and for free (I run my own OpenVPN), why not?
HTTPS=very secure. VPN=very secure. VPN+HTTPS=extremely secure.

1 Like

So, don’t call people idiots

I’ve got to make it clear that I did not call anyone an idiot, here is the exact quote that you also quoted too…

Just to be clear, I’m not calling anyone dumb just pointing out how effective the advertising for VPNs are.

I feel this is important.

Other than that I agree with most of what you say. I think people are overlooking my issue with VPNs, it’s the advertising that is the issue. If you have your own VPN than that is amazing and the proper way to go about this. I just don’t like the advertising methods or scare tactics being used to scare people into a service that they might not need or understand.

As for the point on flaws of SSL do keep in mind that many of the same encryption that is used in SOME VPNs is the same. So if there is a flaw in the encryption of HTTPS then there is sure to be a flaw in some VPNs as well. Even worse is that some VPNs have been caught not encrypting or even doing what you pay them to do.

Eighteen percent of the mobile VPNs tested created private network “tunnels” for traffic to move through but didn’t encrypt them at all, exposing user traffic to eavesdropping or man-in-the-middle attacks. Put another way, almost a fifth of the apps in the sample didn’t offer the level of security that’s basically the entire point of VPNs
https://www.wired.com/2017/02/beware-mobile-vpns-arent-safe-seem/

This whole debate is starting to get out of hand. Can we all not agree that its okay to use a proper VPN but the advertising of some is a little too much in that it’s scaring people into a service that they might not fully need?