How well do you trust VPNs? - [ACCC takes Onavo to court]


harvyk
Over the years I've been fairly critical of VPNs as "security" for travel; well, here is a perfect example of why -> ACCC takes court action against Facebook over VPN service

One of the big problems I have with VPNs being used for "security" is that they were never designed for that purpose. What you're actually doing is sending all your internet traffic via a different "outlet" so to speak (think of it in terms of freeway off-ramps and taking the 2nd exit rather than the 1st even though it's longer, because you know there is a copper waiting at the 1st). If that outlet isn't trustworthy then all you're really doing is handing over the keys to the kingdom to an untrustworthy third party.

Don't think "encryption" will save you either: once you download an application which interferes with where internet traffic goes (like Onavo made its users do), it's possible for them to decrypt and monitor what you're doing in real time (not alleging that's what Onavo did, it's just very technically possible to do).

So do VPNs have a place in the world of travel? Yes..... but.......

I see them as useful for getting around geo-blocks, either at the source end (eg where content is only available in certain countries) or destination end (eg the Great Firewall of China).
 
Simple solution.
Don't use a known 'VPN Service'.

For anywhere between $0 and $5/mo you can spin up your own OpenVPN server and have a private VPN that nobody knows is a VPN.
Change the ports and you'll never be blocked in China ever again (unlike almost every public VPN provider that is blocked there).
 
I run my own VPN server at home on my NBN connection.
The last time I went to China I used a roaming SIM (StarHub from Singapore).. then you don't need a VPN to access any Google services etc. If/when I go again I will just use my Aussie SIM on roaming now.
 
Simple solution.
Don't use a known 'VPN Service'.

For anywhere between $0 and $5/mo you can spin up your own OpenVPN server and have a private VPN that nobody knows is a VPN.
Change the ports and you'll never be blocked in China ever again (unlike almost every public VPN provider that is blocked there).

Whilst of course that's always going to be the gold standard, the catch is that it only holds provided you know what you're doing and you maintain the setup correctly.

It's entirely possible to do a setup which is not actually secure. In my professional life, I spend a fair bit of time working with "IT penetration testers". It's amazing just how devious some of those people are. Whilst there is certainly some talent with the good ones, even the average or cough ones still have access to the same tools that the script kiddie / "cyber criminal" has. It would be entirely possible to set up something you thought was secure, but ended up being no better than no security (or worse).

The thing is that those "VPN" services are always advertised to the novice as "the ultimate way to protect your activity online", rather than what it actually is -> "We'll take your internet pipe and connect you to the internet via us". So the issue is that you get all these people blindly signing onto VPNs without knowing what they are actually getting, or under the impression that it's doing something that it's not.
 
There are reviews of VPNs. Those who are legally aware know the USA CLOUD Act means nothing is safe for USA concerns, and I don't understand how VPNs can operate in Australia, UK and Canada and advertise no logs. So called free VPNs are useless. The best VPNs seem to handle Netflix, and offer WireGuard, and have no 'leakages', although trusting Cloudflare seems iffy, as latency delays can be a tell. NordVPN is in the top 3 consistently, cheapest on Cyber Mondays once a year. If you take time to customize the default settings, it should be good. Please note if you use a cloud service, its data is also subject to the USA CLOUD Act, VPN or not. Some whinges coming off Europe - harder to pretend USA has its nose in.

For those interested Threema - Wikipedia is coming online more and more, and will throw a spanner into the we want everything whinger set.

Summary: I trust VPNs for now, as my OS is the weakest link, and because any VPN that gets caught supplying law enforcement data will soon be out of business for good. Think ISDS - god bless those trade agreements.

Word of warning to those with employer provided phones. There are add-ons that can allow HR to judge you and build up a case. So always use your own phone on issues that may get you into hot water, and the work phone to send corporate friendly messages.

The EFF is your starting point: News
 
Is this a web application proxy and do you need a PKI?

Any mid-range (maybe even entry level) router can run as your OpenVPN server. E.g., my Netgear RAX80 supports this. Log in to your home router and see if it supports VPN.

Alternatively, if you have a NAS sitting on your home network, chances are you can run a VPN server on that. Synology certainly supports this.
 
<snip>
Alternatively, if you have a NAS sitting on your home network, chances are you can run a VPN server on that. Synology certainly supports this.

Could you please explain the setup you're using to get your NAS to operate as a VPN service securely? (Talking laptop in cafe connecting back home).

I can't see a way to do it securely, and every method I can think of has security holes in it (not to mention that you're now allowing external traffic access all the way onto your NAS device, which one would assume has files you want to keep / not share with the world).
 
Could you please explain the setup you're using to get your NAS to operate as a VPN service securely? (Talking laptop in cafe connecting back home).

I can't see a way to do it securely, and every method I can think of has security holes in it (not to mention that you're now allowing external traffic access all the way onto your NAS device, which one would assume has files you want to keep / not share with the world).

A few things. Firstly, even though I can run a VPN on my NAS, I actually use my Netgear router as the VPN server.

Can you clarify what you're trying to achieve? Are you looking to a) use your NAS as a VPN server when not at home in order to ensure any web browsing etc is routed through your home connection, b) just have remote access to everything on your home network, or c) just securely access stuff on your NAS when not at home?

I actually access my NAS remotely by directly forwarding ports to it. So no need for a VPN for most stuff. My NAS is securely locked down and 2FA is enabled. The only real issue would be an unpatched vulnerability, but I'm pretty good at keeping it up to date and not running standard ports. So the risk is acceptable to me.

Even just running the VPN server on the NAS, sure you're allowing access to that, but only the port the VPN server is listening on.
 
A few things. Firstly, even though I can run a VPN on my NAS, I actually use my Netgear router as the VPN server.

Can you clarify what you're trying to achieve? Are you looking to a) use your NAS as a VPN server when not at home in order to ensure any web browsing etc is routed through your home connection, b) just have remote access to everything on your home network, or c) just securely access stuff on your NAS when not at home?

I actually access my NAS remotely by directly forwarding ports to it. So no need for a VPN for most stuff. My NAS is securely locked down and 2FA is enabled. The only real issue would be an unpatched vulnerability, but I'm pretty good at keeping it up to date and not running standard ports. So the risk is acceptable to me.

Even just running the VPN server on the NAS, sure you're allowing access to that, but only the port the VPN server is listening on.

I'm not trying to achieve anything, it's more that you made the comment that your NAS has built in VPN. I can't see a way of using that built in VPN without some degree of security risk, since port forwarding effectively allows "the internet" to find the NAS.

Also, non-standard ports don't mean a thing these days; there are many products out there (I believe Nmap is one, for example) that'll quite happily identify services on non-standard ports.

Finally, by using the NAS, assuming that you are fully patched and there are no known zero-day attacks available, how confident are you that you haven't made some sort of security boo-boo in your configuration? That would allow someone to waltz right in and straight onto a device on which you keep files.

My day job is I build software to scan the security posture of organisations, letting them know where they have security weaknesses. You'd be surprised how frequently we find things that Security Administrators assure us they've got covered, but we find are nice and open and ready to be exploited. These are people whose day job is to keep undesirables out of their networks. So really, what chance does a home user have as soon as they start doing things like port forwarding?
 
I'm not trying to achieve anything, it's more that you made the comment that your NAS has built in VPN. I can't see a way of using that built in VPN without some degree of security risk, since port forwarding effectively allows "the internet" to find the NAS.

Also, non-standard ports don't mean a thing these days; there are many products out there (I believe Nmap is one, for example) that'll quite happily identify services on non-standard ports.

Finally, by using the NAS, assuming that you are fully patched and there are no known zero-day attacks available, how confident are you that you haven't made some sort of security boo-boo in your configuration? That would allow someone to waltz right in and straight onto a device on which you keep files.

My day job is I build software to scan the security posture of organisations, letting them know where they have security weaknesses. You'd be surprised how frequently we find things that Security Administrators assure us they've got covered, but we find are nice and open and ready to be exploited. These are people whose day job is to keep undesirables out of their networks. So really, what chance does a home user have as soon as they start doing things like port forwarding?

About the same risk level of running the VPN server on my Netgear router really. If someone can exploit that into my home network then they can use that to traverse to my NAS and anything else on my internal network.

As for how confident am I? I'm fairly confident, but also not stupid enough to think anything is foolproof. If someone really wants to see what I have on my NAS, it's not all that exciting. Things I want secure are also encrypted. Anything I don't want to lose is fully backed up to the cloud nightly plus offsite backups too, all encrypted. And yes, I've actually tested restoring :)

From my perspective I have a fairly good understanding of the risks and am comfortable with the risk level I'm at.

I suspect we work in the same industry then but doing different things. I'd be genuinely interested if you wanted to see where you could get on my network. Not because I think it's foolproof, but more to see where my weaknesses are. If you're keen, ping me with a DM and I'll share my public IP with you. I realise I'm asking you to do your day job for free, so feel free to tell me to bugger off :)
 
And every major website/app these days is secured (HTTPS) so the 'security' aspect these VPNs advertise isn't really an issue these days.
(Not like the early days when accessing Facebook over a shared internet connection like an airport lounge was a risk).

If anything a VPN would make a MITM attack easier as all traffic is being routed to the same place.

Mind you I've noticed that most advertising (lots of blogger sponsorships) focus more on Netflix differences, local TV/news and cheaper flights.
 
I suspect we work in the same industry then but doing different things. I'd be genuinely interested if you wanted to see where you could get on my network. Not because I think it's foolproof, but more to see where my weaknesses are. If you're keen, ping me with a DM and I'll share my public IP with you. I realise I'm asking you to do your day job for free, so feel free to tell me to bugger off :)

I have to admit, that does seem like work :)

But better still, I don't have to be the one to probe your environment. Download Nmap from here -> Nmap: the Network Mapper - Free Security Scanner and then, from a public internet connection on your laptop, just try and probe your public IP. That way you don't have to hand over your IP to a perfect stranger who'd technically be able to do anything if they were successful.

If you're not good with command lines there are a variety of wrappers that'll let you set up a variety of different options to really probe and see what's going on.

One of the red flags to look out for is whether the OS fingerprinting gives any matches, as that'd be something that an attacker could then use to gain access into your private network.

Finally, something which you may find of interest: non-standard ports don't protect you -> Service and Version Detection | Nmap Network Scanning

However, you should not bet your security on this! People can and do run services on strange ports.

Edit: A little bit of trivia -> The movie The Matrix got credit from hacking groups as Nmap is a real world tool used by hackers to break into IT environments, and the screenshots in The Matrix movie were from Nmap.
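As an added example (not from any poster in this thread), here is a small Python triage script for the self-scan suggested above: it reads the grepable output Nmap writes with `nmap -sV -O -oG scan.gnmap <your-own-public-ip>` and lists every open service Nmap could name, whether or not it sits on its usual port, plus any OS fingerprint match. The embedded scan output is constructed for the example (203.0.113.10 is a documentation address); the only assumption is the `-oG` field layout `port/state/proto/owner/service/rpcinfo/version/`.

```python
import re
from collections import namedtuple

# Nmap's usual port for each service in the sample. Used only to show that
# moving a service off its usual port does not stop -sV from naming it.
DEFAULT_PORTS = {"ssh": 22, "ssl|http": 443, "openvpn": 1194}
Finding = namedtuple("Finding", "port proto service version on_default_port")

def parse_gnmap(text):
    """Return (open-port findings, OS guess or None) from `nmap -sV -O -oG` text."""
    findings, os_guess = [], None
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # skip '#' comment lines
        m = re.search(r"\tOS: ([^\t]+)", line)
        if m:
            os_guess = m.group(1).strip()
        m = re.search(r"\tPorts: ([^\t]+)", line)
        if not m:
            continue                                   # "Status: Up" line has no ports
        for entry in m.group(1).split(", "):
            # -oG field order: port/state/proto/owner/service/rpcinfo/version/
            f = entry.split("/")
            if len(f) < 7 or f[1] != "open":
                continue                               # ignore filtered/closed ports
            port, proto, service, version = int(f[0]), f[2], f[4], f[6]
            findings.append(Finding(port, proto, service, version,
                                    DEFAULT_PORTS.get(service) == port))
    return findings, os_guess

def red_flags(findings, os_guess):
    """The two things the post says to look for: named services and an OS match."""
    flags = []
    for x in findings:
        note = "usual port" if x.on_default_port else "NON-standard port, still identified"
        flags.append(f"{x.proto}/{x.port} {x.service} [{x.version or 'no version'}] ({note})")
    if os_guess:
        flags.append(f"OS fingerprint matched: {os_guess}")
    return flags

# Constructed sample of what a self-scan could write; not real scan output.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 2222/open/tcp//ssh//OpenSSH 8.9p1/, "
    "8443/open/tcp//ssl|http//nginx 1.18.0/, 51194/open/udp//openvpn//OpenVPN/, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)\tOS: Linux 5.X\n"
)

if __name__ == "__main__":
    for flag in red_flags(*parse_gnmap(SAMPLE_GNMAP)): print(flag)
```

Every open service in the sample is off its usual port and still gets named, which is the point the post makes about non-standard ports.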
 
And every major website/app these days is secured (HTTPS) so the 'security' aspect these VPNs advertise isn't really an issue these days.
(Not like the early days when accessing Facebook over a shared internet connection like an airport lounge was a risk).

If anything a VPN would make a MITM attack easier as all traffic is being routed to the same place.

Mind you I've noticed that most advertising (lots of blogger sponsorships) focus more on Netflix differences, local TV/news and cheaper flights.


Not only do I agree 100% with this, but I do know of some "free" internet services that'll insist that you install their software on your machine to be able to access the internet via them. All they'd need to do is add in a root certificate into the software they insist you install and they can decrypt and inspect your "encrypted" traffic (be it Facebook or Internet banking) real time. Basically ruining the protection you get with "HTTPS".

To make matters worse, such things are not typically picked up by standard Anti Virus / malware scanners as there are many reasons why you'd want to use a private root certificate.

BTW, just an FYI, that "public wifi" offered by the local cafe is probably more secure for doing personal things like Internet Banking on than your work computer because SSL (technically TLS) is so easy to intercept if you control the end point (aka if your IT has provided you with a workstation).
 
Word of warning to those with employer provided phones. There are add-ons that can allow HR to judge you and build up a case. So always use your own phone on issues that may get you into hot water, and the work phone to send corporate friendly messages.
That's an interesting statement. I recall being told the (big company that lays fibre) used to track their vehicles and if they wanted to 'get rid of someone' they would use tracking information if that was convenient, i.e. you're at the pub all day or parked outside .......

I presume the phone trackers do the same thing?
 
Does anyone have any suggestions for the best way to encrypt an external hard drive? There seem to be lots of products out there but I'm not sure which one to choose.
 