Questions about VPN

I have the impression that VPN is good, but then in How Apple’s New Find My Service Locates Missing Hardware That’s Offline, Matt McCaffrey said , “(using a VPN as a small measure of security)” and it made me wonder. Other threads on TidBITS Talk have mentioned https://encrypt.me, so I visited that site. It seemed to confirm that a VPN is not necessary if one is connecting using HTTPS.

Notwithstanding http://chronicle.com/article/Why-Privacy-Matters-Even-if/127461/ (an interesting article from 2011 that seems to be behind a paywall now, which makes me wonder how I got it), I wonder if using a VPN is worth the bother, time, and cost.

I do have access to a VPN server, and I almost always try to use it when I connect while not at home and not tethering through my iOS devices hotspot. However, the server seems to be down way too often (perhaps 10% of the time I try to connect). Also, the institution is still providing the 32 bit client software for MacOS (Cisco AnyConnect Secure Mobility Client 3.1.13015).

If VPN adds no security to an HTTPS connection and almost every web site I visit uses HTTPS, am I being excessively cautious using VPN? If I need VPN, is there a source for a 64 bit version of Cisco AnyConnect Secure Mobility Client? (I visited the Cisco web site and got the impression that there is a 64 bit version, but could not find a way to download it.) If VPN is a really good thing to have, is Encrypt Me a good company? (It sure seems like the 5 GB per month plan that I can turn on and off would satisfy my needs. On the other hand, my nature is to have as few accounts as possible, and using any commercial VPN provider would mean setting up another account.)

Thank you for any education or advice.

I can’t speak for Encrypt Me, and the topic of VPNs is way too complex to address in a TidBITS Talk thread, but here are a few key points:

  1. Yes, VPNs are a good idea if you’re using unsecured Wi-Fi or doing something shady like torrenting.
  2. HTTPS is a good measure when using unsecured protections, but not all sites support it, though it’s much more common than it used to be.
  3. There are a lot of shady VPN services out there. A recent study found that many of them are owned by China.
  4. A VPN is only as secure as the company that runs it. You’re basically handing off your Internet activity data from your ISP to the VPN provider.

I’ve used NordVPN in the past and it was pretty good. It lets you choose your server from anywhere in the world. Cloudflare offers a free VPN, but I haven’t tried it yet. I have my misgivings about Cloudflare, but they’re a reputable company.

It depends on the VPN service and what exactly you are trying to protect. As just one example, if you do not use a VPN, while your ISP cannot see any TLS/SSL traffic, they probably will see the DNS name requests, so they can capture the metadata of where exactly your device is connecting to. Some VPNs provide DNS services, some just use the normal IP stack DNS service.

I really don’t care if my ISP sees the DNS requests that I am making, but some people may want to protect even that traffic. I use a VPN only when I am using a public WiFi connection, and even that is rare these days, as I have unlimited mobile data most of the time. And I think in that case I am being almost excessively cautious, as most of my data requests are using TLS encrypted connections.

This is all great advice and I’ll just add that VPNs emerged in the era before there was the generally accepted notion that everything should be protected by https (or SSH or other end-to-end secured protocols relying on third-party validation of entities). VPNs were a comprehensive solution to a patchwork situation.

That remains true as Josh and Doug point out. It keeps everything effectively private from the networks between you and the VPN’s data center, and that can be an advantage.

Encrypt.me is the current version of a product developed by a couple of Seattle folks I know, and it’s my go-to VPN because of that connection! And it’s a US-based firm that discloses who they are and has a long track record.

On the Cisco front: how frustrating! I have nothing to add, and I’m sorry whoever is providing it can’t get its act together with regards to up-to-date Cisco software.

Thank you, all. It hadn’t occurred to me that I might want to hide DNS name requests. Maybe I’ll reread that article on Why Privacy Matters and see if I decide that I want to hide DNS name requests.

Unsecured is unsecured, but almost all my public Wi-Fi access is from hotels. I almost never connect in a coffee shop or restaurant, if that matters. I wouldn’t know how to torrent if I wanted to.

Thank you for the sympathy. The long-time director of IT retired recently, and the place does seem to be struggling.

Thanks again for the responses.

The major threat there comes from fake networks setup from adjoining rooms or in the lobby that appear to be run by the hotel, but are actually used to harvest your data streams.

Most likely by the PLA, MSS, and 610 Office.

I use the HTTPS Everywhere extension in Firefox.

Don’t be fooled by the name. It should be called HTTPS Everywhere it’s Allowed. Many browsers already attempt an https connection anyway, but if a site has chosen not to obtain https certification, nothing, including that extension, will be able to make such a connection.

Josh Centers wrote: “something shady like torrenting”

Torrents are no more intrinsically shady than youtube or facebook, and have a large number of legit and practical uses–pretty much anything that needs moving really large files to multiple people/places. This is fairly common in the sciences and some businesses. Standard download protocols aren’t entirely up to the task and are one-sidedly expensive. The distributed nature of torrents makes transfers more robust and spreads the cost. ISP blocking of torrents doesn’t discriminate between legitimate use and ‘shady’ use.

Without torrents, Norwegian TV station NRK wouldn’t have been able to distribute the wonderful 7.5 hour Bergensbanen run (Bergen to Oslo train) that they recorded in HD in 2009 and released under Creative Commons. The full original ProRes file was 246 GB, and even the 720p compressed version was 22GB and took me two weeks to download at home. (The files are still available in a few places as torrents though NKR has apparently removed their own.)

https://nrkbeta.no/2009/12/18/bergensbanen-eng/

Well sure, as a file distribution method, it is much more efficient, but that’s not really the point.

By far the majority of pirate sites use this method of distribution in order to provide anonymity and I feel certain the majority of users who use torrents are attempting to obtain something for free that should be paid for. It’s popularity and shady reputation are the primary reason that industry is jammed packed with malware.

I found Cisco’s AnyConnect Secure Mobility Client v4.x download page but one has to login with a service contract account to use it; i.e. the VPN server owner has to use it then provide the client to users. If the business’s VPN server is similarly outdated, I bet the current client wouldn’t even work with it.

Sure, there are legit uses, but I’d wager that 99% of torrent activity is piracy. In any case, I’m not here to judge, but I will add that some ISPs will throttle your connection if they detect torrent activity, so even if you’re on the up and up, a VPN isn’t a terrible idea if you’re using BitTorrent.

Sorry: PLA? MSS? 610 Office?

Those are three intelligence and security organizations in Red China:
People’s Liberation Army (it either controls or owns outright the vast majority of Red Chinese companies).
Ministry of State Security (think KGB, Gestapo)
610 Office (name derives from the date it was established: June 10, 1999; primarily targets religious and other human rights groups)

You can see how they would want access to VPNs.

It’s a bit off-topic, but what does it mean if a site has not obtained a proper certificate? I sometimes go to a quasi-military site (morale, recreation, and welfare), and Firefox cautions me that the certificate was not issued by a recognized authority (or something like that). I’ve always assumed it’s because the military thinks the world revolves around it and there is no requirement to play by the normal rules. If it is a legitimate site with improper IT administration, does the unverified certificate cause any problem?

I hadn’t thought of that, but it does simplify my life. I’ll stop looking for a source for the new client (which I hadn’t been expending much effort on, anyway).

A “proper” certificate is one issued and signed by a Certificate Authority (CA) recognized by your computer or browser. It’s hard for the vast majority of people to assess the risk when a certificate is not “proper” so browsers have made the warnings to users stronger and stronger over the years. I can think of four main reasons for you to get such a warning from a browser when there’s not a signficant risk:

Self-signed certificate: Sometimes a home-grown web server will use a self-signed certificate, meaning there is no CA vouching for its authenticity. Firefox might call that not a “recognized authority.” When the browser first encounters one of those, if you tell the browser to trust it, you’re telling it that you trust that you’re connecting directly to the server you think you are, that there isn’t some other server in between (perpetrating a man-in-the-middle attack). Once the browser trusts that self-signed certificate it won’t complain again until the the certificate’s expiration date is reached, until the server replaces the certificate with a newer self-signed one, or if another server is pretending to be the one you think it is.

Poor configuration: It’s unfortunately all too common for for a server to have a certificate signed by a CA but they failed to have it issued to cover every domain name they use it for. A simple example is if they have a certificate issued for “example.com” but they also make the site available at “www.example.com;” a single certificate can be valid for multiple domain names but it’s not unusual, even at larger companies, for people to pay attention to all the details.

Certificate expiration: Certificates have to be renewed, 1-2 years are common terms, and even Internet giants like Microsoft sometimes forget to renew them on time. When a browser warns you about a certificate, you can look at the details to see why; some reasons are hard to fathom but a recent expiration is not hard to see. If the certificate long expired, don’t trust it any more than an unencrypted sever.

Organizational CA: I don’t know what “quasi-military” means but another reason you might get such a warning is if the server uses a certificate signed by a CA but not a CA your browser knows. You can run your own CA and install your own “root” certificate on your own devices. Firefox would call that a not recognized authority if you don’t have the “root” certificate installed. Managing the installation of such “root” certificates on lots of devices is a hassle so you need to have a good reason to do so. I expect militaries do run their own CAs for use on private networks but it would be odd to use one to issue a certificate to a public or semi-public server.

For whatever reason, the military insists on providing their own root certificates which must be downloaded and installed from a DoD site. I don’t have that information in hand at the moment, but if someone feels a need, I’ll post when I have time.

Thanks, Curtis. In this context, “quasi-military” means a non-appropriated fund activity, and I expect that a NAF web server got configured by “real” military IT folks who set it up in the same fashion as other (non-public facing) servers.

Thanks, Al. I do not feel the need to download and install a root certificate from a DoD site. I’ll just tell Firefox to trust the site for this visit, which is what I have been doing for my infrequent visits for several years. (Actually, now that you jogged my memory, I seem to recall doing just that long ago. It wasn’t worth it.)