VPN

[waytomany?s]

Good, bad, worth paying for?

[Lightning]

I'd be interested too but I'm not very educated in the area..

[Rob R.]

It depends what you are doing and what you want to achieve.

[snuffy]

I signed up for a year at $96 with Proton VPN a Swiss provider last night. I'll use it for our business.

Proton has some nifty services included, that I'm sure I'll start understanding over the next few years:) I was using their emailing service for about two years with no problems except hitting the storage limit.

The plan includes high speed VPN and other protections. How I'll know that, I don't know. The old days of watching files load and unload over the modem was helpful because you could see file names going by, now it all happens in seconds making it impossible to humanly see files wizzing by.

[waytomany?s]

It depends what you are doing and what you want to achieve.

I guess that's really the question. When are they beneficial, when are they necessary? Is the cost worth it?

[Rob R.]

IMO - For an average home user I don't think a VPN is worth it just for added security.

Good use cases for a VPN at home are if you are downloading stuff that you don’t want traced to you, or if you have two homes that you want connected on a single network.

I run a small firewall appliance at home that is setup to use encrypted DNS. I also use a DNS provider (Quad 9) that filters out malware sites. If you guys want to learn more about it I can post some info.

[Richard S.]

The first thing to understand is HTTPS, when you are viewing a site over HTTPS the only thing exposed is the domain you are viewing and your IP address. Your ISP or someone else that captures that traffic can ascertain someone using that IP address is viewing something on coalpail.com. Specific pages and content is unavailable.

More precise information can be gathered through cookies but the imporatant thing to understand is only the domain that sets a cookie can access it. I don't utilize any type of resources from other sources with the exception of embedded Youtube videos and the occasional embedded image. When you a view a page on here with Youtube video they can access any cookies they set.

Also note anytime your browser makes a request for a resource from a page here or you click a link on here to another site the browser sends a referrer in the header which is the page it was referred from. You can block this behavior in any browser.

A VPN can hide your activity from your ISP but you are just transferring that exposure to the VPN. A VPN also hides your origin IP from the site you are visiting but your IP itself is already relatively anonymous without direct information from the ISP.

[snuffy]

Rob,

I for one like learning so fire away. I use to teach computer sciences in a business school about 25 years ago. The volume of new programs and services is like being an avalanche; having actual users helps filter the useful from the useless.

The scariest thought I have is someone planting a file(s) somewhere in incoming data files that contains arrestable information I know nothing about i.e. porno. As I stated earlier, at one time one could see incoming data, now fogetabowit.

[waytomany?s]

The first thing to understand is HTTPS, when you are viewing a site over HTTPS the only thing exposed is the domain you are viewing and your IP address. Your ISP or someone else that captures that traffic can ascertain someone using that IP address is viewing something on coalpail.com. Specific pages and content is unavailable.

More precise information can be gathered through cookies but the imporatant thing to understand is only the domain that sets a cookie can access it. I don't utilize any type of resources from other sources with the exception of embedded Youtube videos and the occasional embedded image. When you a view a page on here with Youtube video they can access any cookies they set.

Also note anytime your browser makes a request for a resource from a page here or you click a link on here to another site the browser sends a referrer in the header which is the page it was referred from. You can block this behavior in any browser.

A VPN can hide your activity from your ISP but you are just transferring that exposure to the VPN. A VPN also hides your origin IP from the site you are visiting but your IP itself is already relatively anonymous without direct information from the ISP.

So does that mean a VPN is not necessary or beneficial? I know what all the words you're saying mean, but I can't put the correct amount of apprehension with it. I don't need to worry about getting hacked because I'm not doing anything nefarious?

[snuffy]

You don't need to do anything nefarious, just have attractive assets or weak safety protocols. Consider the number of 2F identification requirements on many sites. If you don't have a smart phone or text access and spreadsheet pages of pass codes/passwords you can be essentially screwed. I track all my past passwords used on each site. Just to register for a new prescription plan I was required to abandon any reference to anything about my name. It even accessed and denied associated names or variations I used for my Mother and my wife. The process took nearly 40 minutes as I needed to access multiple email and phone texts. I know there are password managers. What happens, God forbid, a mini stroke happens to someone and a keep piece of information on a neuron is lost forever. There has to be an easier way to all these password/code madness without parting with an eyeball or finger. Sorry just venting at this moral madness!

[Richard S.]

So does that mean a VPN is not necessary or beneficial?

It ads some privacy especially for what your ISP is tracking and these large companies that are tracking activities through an IP. Residential IP's change and how often depends on the ISP. Unplugging your modem for X amount of hours is going to change your IP in most cases.

Look at it in the context of mail. If you send a letter to Bob the postal service would know you sent a letter to Bob. When Bob replies he knows your address and sends it through the postal service, they know Bob sent you a letter.

If you sent a letter first to Tom(VPN) who then hand delivers the letter to Bob the postal service does not know the final destination and Bob has no idea where it came from. When Bob replies he's going to give his reply to Tom who will then send it to you.

I don't need to worry about getting hacked because I'm not doing anything nefarious?

The VPN does not necessarily secure from malicious activities. Generally speaking if you are staying out of the bad neighborhoods on the internet you are less likely to encounter any problems. However if for example someone hacked this server and it was serving a malicious script you might get compromised.

[Richard S.]

and spreadsheet pages of pass codes/passwords you can be essentially screwed.

Try keepass. It's localized and uses encrypted file. You only need to remember one password and it will create very strong passwords.*

https://keepass.info/

As far as death you need to trust someone. For example you could create keepass file with one entry for your password. Hide or store it somewhere, give a trusted relative instructions on where to find it and the password for it. Then they can obtain the password for the full file.

Strong passwords are important. Your password here is stored in a hash, a complex mathematical formula is applied. There is also what they call salt which is a value added to the password so the final values are different from site to site. That is what is stored in the database. When you login the password entered goes through same process to see if there is match with stored value in the database.

If a malicious actor is able to obtain the user table in the database they are going to run the same mathematical formula with the salt value. They are going after the low hanging fruit first with a list of commonly used passwords. Next they will run a dictionary attack. Including obsolete words there is only a little over 200K words in the English language. With today's computers it's trivial matter to try every word and multiple combinations.

Since so many people use poor passwords they will be able to crack a significant percentage of them giving them an associated username, email address and password they can try on other sites and services.

[hank2]

A VPN can hide your activity from your ISP but you are just transferring that exposure to the VPN. A VPN also hides your origin IP from the site you are visiting but your IP itself is already relatively anonymous without direct information from the ISP.

Thank you for that information, Richard. I've been a VPN user for many years. I had always heard, maybe incorrectly, that your ISP can still see traffic that's passing through them when using a VPN. Is there a difference between seeing origin and destination of ISP's and actual traffic? I have also read, more recently, that your ISP cannot see VPN traffic.

My VPN service used to offer anonymous purchase via gift cards. Maybe anonymous if you bought the cards with cash. They no longer do. Urban legend was if you shopped for privacy and/or bought a US based VPN that was not good for privacy. Supposedly, my VPN was subpoenaed for traffic info once, a few years ago and could only provide some useless info. All of my 27 years online are nothing but pretty bore-azz stuff, just unwilling to succumb completely.

The claim years ago for VPN's was to protect you using the public wi fi networks rather than cell signals at many places. Burger joints, restaurants, motels etc. We haven't been on a vacation in over 4 years, so I haven't been using that so much of late.

[Richard S.]

I had always heard, maybe incorrectly, that your ISP can still see traffic that's passing through them when using a VPN.

Your browser is going to encrypt the data between it and coalpail.com. The only data exposed is that you are viewing something on coalpail.com. The VPN adds additional privacy by encrytpting this again so the ISP only knows you are communicating with the VPN.

The claim years ago for VPN's was to protect you using the public wi fi networks.

This is relative to HTTP traffic. First I need to elaborate more on HTTPS. Public and private keys are created on the server. The public key/certificate is certified by trusted authority. When you request a page here the browser receives the public certificate and then checks the certificate authority to see if it is in fact the public certificate for coalpail.com.

If you have ever received that browser warning about invalid certificate it's typically because the certificate has expired. Communication is still encrypted if you proceed but you can't be 100% sure you are communicating with that domain.

The public certificate can only be used to encrypt data, once the browser has validated the private certificate it will be used to encrypt a communication to send to the server. Only the private key can be used to decrypt this data. The only people with access to that private key would be the site owner or hosting services. Once the server receives this communication and decrypts the message there is a few steps including the browser and the server agreeing on random key for communication.

Now.... with http there is two problems, firstly there is no way to validate the domain. If you were using public wi-fi and typed in http://yourbank.com they could spoof the banks site and you may never even notice it wasn't over https. This can't be done with https because they can't certify a public certificate and even if they are using the sites valid public certificate they have no way to decrypt the message. The second issue is when you are logging into a site over http they can capture that login data or anything else you are communicating. In general this applies to any http traffic a third party has access to including the VPN.

The VPN can help prevent domain spoofing and secure your connection for HTTP requests at least between your computer and their network. They cannot secure HTTP traffic between their network and the server.

This is largely irrelevant now because most sites are using https. As long as you see that lock it's secure.

[waytomany?s]

So, is the short answer that it's not cost effective or necessary for a VPN at this point in time?