On Saturday 11 Jun 2016 21:04:27 Dale wrote:
> Dutch Ingraham wrote:
> > On Sat, Jun 11, 2016 at 05:57:11PM -0500, Dale wrote:
> >> been wondering about. It mentioned using a VPN so that the NSA, my ISP
> >> and others couldn't "see" what was going on. So, my first question,
> >> does that work and does it require the site on the other end to have it
> >> set up as well? Bonus question, is it easy to use on any site if it
> >> doesn't require the other end to use it? I'm thinking of using this for
> >> my banking/financial sites as well if it is a good idea.
> >
> > I tried a VPN for banking; as many different source IPs were showing as
> > attempting to log into my online account, the bank thought I was being
> > hacked and locked my accounts. Took many trips to the bank to create
> > all new accounts, etc.
> >
> > As to VPNs in general, see:
> >
> > http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/
>
> I sort of have a vague idea of what a VPN is but maybe some reading will
> do me some good. Heading over to this link.
>
> Thanks.
>
> Dale
>
> :-) :-)
A VPN connection is nothing more than an encrypted network connection between two end points (local & remote peers). You set up an encrypted tunnel and your application data travels through it. Both peers' network configurations have to be set up for this purpose. The VPN tunnel could be set up with another peer for the purpose of communicating securely with that peer alone, or to another device the remote peer will forward your packets to. In the latter case the VPN peer is acting as a VPN gateway to whatever lies beyond. Site-to-site VPN connections behave like this.

There are a number of different types of VPN, each employing different methods to exchange encryption keys between the peers securely and then to set up a secure network tunnel using these keys. L2TP+IPSec, OpenSSL, IKEv1/2+IPSec, etc. are all different VPN types.

VPNs can be deployed for different use cases:

Typically you set up a VPN to achieve site-to-site secure network communications - e.g. between your own LAN and your brother's, between a company's head office and a satellite office, etc. You would normally set this up between two edge routers which have a compatible VPN capability. Your Linksys may have VPN in its firmware, or if you flash it with dd-wrt/openwrt/tomato/etc. you will have VPN capability at your end at least.

VPNs are also used to achieve PC-to-site secure communications, e.g. between an employee's laptop, iPhone, EPOS, et al., and the company's LAN. This is also known as a roadwarrior configuration and you could use it if you had a laptop and wanted to e.g. access some files on your home server.

If you combine VPN tunnelling with packet forwarding then you could use the remote VPN gateway, or another forwarding server in the LAN behind it, as a proxy server for your general Internet connections.
Your connection to the VPN gateway will be encrypted and therefore your connection to the VPN gateway will be secure, even if you happen to be using an unsecured WiFi connection to the Internet at your local Starbux. The connection forwarded from the proxy server to the Internet may or may not be secure, depending on the application level encryption (e.g. HTTPS) that you are using at the time.

This is one of the purposes Public VPN services cater for, allowing you to connect to the Internet securely. For a fee they allow you to connect to their VPN gateway and then forward your packets from there to any site on the Internet your application wants to connect to. The other purpose of Public VPNs is that their use achieves anonymity of your real IP address, as long as they have configured their forwarding correctly and the application running on your PC is not leaking your real IP address. This VPN-forwarding setup can be used to bypass geo-blocking and is often used for this purpose too.

Regarding your stated use case, it is highly unlikely your bank is offering a public VPN connection for its customers, for the purpose of online banking. What banks offer to customers is Layer 5 secure connectivity via HTTPS, which is configured/managed via the customer's browser and the bank's webserver. Since this connection is encrypted, the use of a VPN only offers redundancy and could be considered superfluous.

Regarding the security of it all (VPN, SSH, or HTTPS), it is now common knowledge that the NSA has cracked, compromised and pre-computed[1] a lot of the secure keys being used by many network security appliances, if the vendors hadn't already offered these to the NSA in the first place[2]. If you are using software configured to only use strong ciphers, then you are probably quite secure for a little while longer.[3] YMMV.
:-)

REFERENCES:
===========
[1] https://www.schneier.com/blog/archives/2015/10/breaking_diffie.html
[2] http://www.reuters.com/article/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331
[3] https://bettercrypto.org/static/applied-crypto-hardening.pdf

-- 
Regards,
Mick
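Mick's reply describes two road-warrior setups (a split tunnel that only reaches the remote LAN, and a full tunnel where the VPN gateway forwards all of your Internet traffic) and notes that the anonymity of a forwarding VPN holds only if nothing on the PC bypasses the tunnel. The script below is an added example for this thread, not code from any of the posters. It replays the kernel's longest-prefix-match route lookup over the text of `ip -4 route show` and `/etc/resolv.conf` (supplied as strings, so it runs without a live VPN) and reports which public destinations and which DNS resolvers would leave via a device other than the tunnel. The tunnel device `tun0`, the VPN server address 203.0.113.10 and both sample routing tables are constructed assumptions.

```python
"""Offline audit of a road-warrior VPN client's routing table and resolvers.

Added example, not code from the original thread.  Feed it the output of
`ip -4 route show` and the contents of /etc/resolv.conf; it reports anything
that would bypass the tunnel device.  Device name, server address and the
sample tables below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One line of `ip -4 route show`: "<dst> [via <gw>] dev <dev> ... [metric <n>]"
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    metric: int


def parse_routes(text: str) -> List[Route]:
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        if "/" not in dst:
            dst += "/32"  # host route, e.g. the one to the VPN server
        routes.append(Route(ipaddress.ip_network(dst, strict=False), m["dev"],
                            m["via"], int(m["metric"] or 0)))
    return routes


def egress_dev(routes: List[Route], ip: str) -> Optional[str]:
    """Device the kernel would pick: longest prefix wins, lowest metric on ties."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.dst and (best is None or
                              (r.dst.prefixlen, -r.metric) > (best.dst.prefixlen, -best.metric)):
            best = r
    return best.dev if best else None


def resolvers(resolv_conf: str) -> List[str]:
    """Nameserver addresses from resolv.conf text."""
    return [ln.split()[1] for ln in resolv_conf.splitlines()
            if ln.split() and ln.split()[0] == "nameserver"]


def audit(route_text: str, resolv_text: str, tunnel_dev: str,
          vpn_server: str, probes: List[str]) -> Dict[str, List[str]]:
    """Return probe addresses and DNS resolvers whose traffic bypasses the tunnel.

    The VPN server itself must be reached outside the tunnel, so it is the one
    destination expected to use the physical uplink.  Only IPv4 is checked; an
    IPv6 default route left on the uplink is a separate, equally common leak.
    """
    routes = parse_routes(route_text)
    leaking_probes = [p for p in probes
                      if p != vpn_server and egress_dev(routes, p) != tunnel_dev]
    leaking_resolvers = [ns for ns in resolvers(resolv_text)
                         if egress_dev(routes, ns) != tunnel_dev]
    return {"probes": leaking_probes, "resolvers": leaking_resolvers}


# Constructed sample: OpenVPN-style "redirect-gateway def1" full tunnel.  The two
# /1 routes via tun0 are more specific than the ISP default, so they win.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Constructed sample: split tunnel that only routes the office LAN via tun0;
# everything else still leaves through the ISP, so it is no use as a proxy.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.16.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23 metric 100
203.0.113.10 via 192.168.1.1 dev eth0
"""

ISP_DNS = "nameserver 192.168.1.1\n"   # home router: reached via eth0, leaks queries
VPN_DNS = "nameserver 10.8.0.1\n"      # pushed by the VPN: reached via tun0
PROBES = ["8.8.8.8", "1.1.1.1", "203.0.113.10"]

if __name__ == "__main__":
    print("full tunnel, ISP resolver:", audit(FULL_TUNNEL, ISP_DNS, "tun0", "203.0.113.10", PROBES))
    print("split tunnel, VPN resolver:", audit(SPLIT_TUNNEL, VPN_DNS, "tun0", "203.0.113.10", PROBES))
```

The full-tunnel table routes every probe through tun0 yet still reports the home router as a leaking resolver, which is the classic DNS leak: the default route is captured, but the connected 192.168.1.0/24 route is more specific and carries every lookup straight to the ISP side. The split-tunnel table shows the opposite case, where the resolver is fine but general Internet traffic never enters the tunnel at all.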