I hate how the ‘VPN’ term has been took over by companies selling services using VPN technology.
VPN was initially ‘Virtual PrivateNetwork’ – used to securely connect own (as belonging to an organization or person) devices over a public network. Like securely connecting bank branches. Or allowing employee connect to a company network. And VPN are still used that way. They are secure and provide the privacy needed.
Now when people say ‘VPN’ they often mean a service where they use VPN software (initially designed for the use case mentioned above) to connect to the public interned via some third-party. This is not a ‘private network’ any more. It just changes who you need to trust with you network activity. And changes how others may see you (breaking other trust).
When you cannot trust your ISP and your local authorities those ‘VPNs’ can be useful. But I have more trust to my ISP I have a contract with and my country legal system than in some exotic company in some tax haven or other country that our consumer protections or GDPR obligations won’t reach.
Back to the topic:
I do not believe that all VPN services are owned/funded by governments, but some may be. I don’t have much reason to trust them, they are doing it for money and not necessarily only the money their customers pay them. In fact I trust my government more that some random very foreign company.
You know MITM an https website is child’s play, right? If you’re inputting your password on a network you don’t trust you’re doomed. SSL certificates are worthless because they can be easily forged by anyone pretending to be the site as long as they’re between you and the actual site, which they need to be to MITM.
VPN and HTTPS solve different issues, and are better when used together. Most of the time you don’t need a VPN because you trust your home network and ISP, but if you’re using a public access point https does not replace a VPN.
Tell me more about SSL certificate forgery. As far as I know, for a device to trust it, it needs to be signed by a trusted CA. You’d either need to compromise a CA and create your own certificate for the website or make the target device trust a custom CA. In the case of a custom CA, the user explicitly needs to perform an action to trust it. How is this not enough on a public network?
There are several ways, most common is to MITM the address to redirect to a different but similar one, which is unlikely to get noticed since you know you typed the address correctly or you clicked from a trusted link/favourite, then that wrong address has it’s own valid SSL certificate. Another way is to use self-signed certificates, which browsers would warn people about, but apps are not likely to. Also you can MITM the CA themselves, whole you wouldn’t be able to actually pass by them you can do an exhaustion attack and essentially block all certificate exchanges, yes your site won’t have a valid certificate, but neither will any real site, so most people will just ignore the message the browser is showing them because it’s showing it for every site.
None of these methods would fool an attentive educated person, but they might fool someone in a rush. Also even if the attack doesn’t succeed in stealing information it 100% succeeds in blocking access, while I might not be as concerned about blocking my Facebook, blocking my bank might prevent me from doing important stuff, and worse people who need to get into their bank are likely to just wave security warnings out of the way without reading them, especially if they’ve been getting them for everything else and nothing had a problem.
Edit: I also forgot to mention the other ways, there are leaks from CAs constantly, which allow you to either impersonate them or sign other certificates. Sure these get patched rather quickly once found, but after you have the signed certificate from them it’s game over. Also what I was referring in the other post is self-signed certificates, most browsers show a warning about them nowadays, but again you can win by exhaustion.
You went from “MITM TLS is child’s play” to “there are some ways we can social engineer our way around it if the stars align just right” in like one post. You’re clearly not qualified here, stop with the FUD bullshit.
Yes, I trust my ISP more than my VPN, but I trust my VPN more than I trust the random wi-fi in the shopping mall. Using a VPN in your house for internet access is pointless, unless you’re purposefully trying to keep your ISP out of the loop for legal reasons, e.g. Torrent, but MITM a VPN is much harder to do than an open wi-fi.
I hate how the ‘VPN’ term has been took over by companies selling services using VPN technology.
Agreed. What they’re really selling is a proxy service, I don’t know why that term isn’t used. The fact that VPN software is used to establish that proxy isn’t relevant, the end result is a proxy.
How is the term “proxy” more appropriate though? It’s also the technical name for a concept that already exists. VPNs are by definition broader in scope than proxies, they work at a lower level of the networking stack and have different capabilities even if most people don’t take full advantage of it. Anyway the point is that it’s not a more appropriate term.
AFAIK the only thing VPN providers let you do, like SurfShark, ExpressVPN, NordVPN, ProtonVPN etc., is to route all of your outgoing traffic through their servers. They don’t allow you e.g. to be in the the same fake LAN as a friend, which is what a VPN does.
They don’t allow you e.g. to be in the the same fake LAN as a friend, which is what a VPN does.
That’s not what a VPN does, that’s what a VPN can do, if desired. What a VPN does is set up an encrypted tunnel between you and some remote network. That’s it. How that remote network is laid out, how the traffic (and also what kind of traffic) is routed into/through/out of that network, and what the clients are allowed to do within are entirely up to the wishes of the network’s owner. It might very well choose to isolate you from all the other clients on the network; that’s not just a possibility, it’s actually one of VPN’s most important, most useful features.
That’s pretty much what those commercial “VPN” providers offer.
Those commercial VPN providers offer you a fully encrypted tunnel that you can route all your network traffic through if you wish. It’s just that people don’t generally use it as anything more than just a proxy. Still, the connection is a textbook VPN connection, it’s there, and it’s capable of things a regular proxy is not, if you choose to make use of them.
Slightly off-topic rant:
I hate how the ‘VPN’ term has been took over by companies selling services using VPN technology.
VPN was initially ‘Virtual Private Network’ – used to securely connect own (as belonging to an organization or person) devices over a public network. Like securely connecting bank branches. Or allowing employee connect to a company network. And VPN are still used that way. They are secure and provide the privacy needed.
Now when people say ‘VPN’ they often mean a service where they use VPN software (initially designed for the use case mentioned above) to connect to the public interned via some third-party. This is not a ‘private network’ any more. It just changes who you need to trust with you network activity. And changes how others may see you (breaking other trust).
When you cannot trust your ISP and your local authorities those ‘VPNs’ can be useful. But I have more trust to my ISP I have a contract with and my country legal system than in some exotic company in some tax haven or other country that our consumer protections or GDPR obligations won’t reach.
Back to the topic:
I do not believe that all VPN services are owned/funded by governments, but some may be. I don’t have much reason to trust them, they are doing it for money and not necessarily only the money their customers pay them. In fact I trust my government more that some random very foreign company.
I cringe when I see people touting VPN services as somehow better than HTTPS.
Sure VPN helps you re-source your IP address but that doesn’t do anything to help the security of online banking.
You know MITM an https website is child’s play, right? If you’re inputting your password on a network you don’t trust you’re doomed. SSL certificates are worthless because they can be easily forged by anyone pretending to be the site as long as they’re between you and the actual site, which they need to be to MITM.
VPN and HTTPS solve different issues, and are better when used together. Most of the time you don’t need a VPN because you trust your home network and ISP, but if you’re using a public access point https does not replace a VPN.
Tell me more about SSL certificate forgery. As far as I know, for a device to trust it, it needs to be signed by a trusted CA. You’d either need to compromise a CA and create your own certificate for the website or make the target device trust a custom CA. In the case of a custom CA, the user explicitly needs to perform an action to trust it. How is this not enough on a public network?
There are several ways, most common is to MITM the address to redirect to a different but similar one, which is unlikely to get noticed since you know you typed the address correctly or you clicked from a trusted link/favourite, then that wrong address has it’s own valid SSL certificate. Another way is to use self-signed certificates, which browsers would warn people about, but apps are not likely to. Also you can MITM the CA themselves, whole you wouldn’t be able to actually pass by them you can do an exhaustion attack and essentially block all certificate exchanges, yes your site won’t have a valid certificate, but neither will any real site, so most people will just ignore the message the browser is showing them because it’s showing it for every site.
None of these methods would fool an attentive educated person, but they might fool someone in a rush. Also even if the attack doesn’t succeed in stealing information it 100% succeeds in blocking access, while I might not be as concerned about blocking my Facebook, blocking my bank might prevent me from doing important stuff, and worse people who need to get into their bank are likely to just wave security warnings out of the way without reading them, especially if they’ve been getting them for everything else and nothing had a problem.
Edit: I also forgot to mention the other ways, there are leaks from CAs constantly, which allow you to either impersonate them or sign other certificates. Sure these get patched rather quickly once found, but after you have the signed certificate from them it’s game over. Also what I was referring in the other post is self-signed certificates, most browsers show a warning about them nowadays, but again you can win by exhaustion.
You went from “MITM TLS is child’s play” to “there are some ways we can social engineer our way around it if the stars align just right” in like one post. You’re clearly not qualified here, stop with the FUD bullshit.
Yes, I trust my ISP more than my VPN, but I trust my VPN more than I trust the random wi-fi in the shopping mall. Using a VPN in your house for internet access is pointless, unless you’re purposefully trying to keep your ISP out of the loop for legal reasons, e.g. Torrent, but MITM a VPN is much harder to do than an open wi-fi.
Agreed. What they’re really selling is a proxy service, I don’t know why that term isn’t used. The fact that VPN software is used to establish that proxy isn’t relevant, the end result is a proxy.
How is the term “proxy” more appropriate though? It’s also the technical name for a concept that already exists. VPNs are by definition broader in scope than proxies, they work at a lower level of the networking stack and have different capabilities even if most people don’t take full advantage of it. Anyway the point is that it’s not a more appropriate term.
AFAIK the only thing VPN providers let you do, like SurfShark, ExpressVPN, NordVPN, ProtonVPN etc., is to route all of your outgoing traffic through their servers. They don’t allow you e.g. to be in the the same fake LAN as a friend, which is what a VPN does.
Quote from Wikipedia:
That’s pretty much what those commercial “VPN” providers offer.
That’s not what a VPN does, that’s what a VPN can do, if desired. What a VPN does is set up an encrypted tunnel between you and some remote network. That’s it. How that remote network is laid out, how the traffic (and also what kind of traffic) is routed into/through/out of that network, and what the clients are allowed to do within are entirely up to the wishes of the network’s owner. It might very well choose to isolate you from all the other clients on the network; that’s not just a possibility, it’s actually one of VPN’s most important, most useful features.
Those commercial VPN providers offer you a fully encrypted tunnel that you can route all your network traffic through if you wish. It’s just that people don’t generally use it as anything more than just a proxy. Still, the connection is a textbook VPN connection, it’s there, and it’s capable of things a regular proxy is not, if you choose to make use of them.