VPN security vs Internet Security

I think I'm missing something really obvious and simple, but I can't work 
this out, and I can't work out why I don't know. I've been listening to GRC 
podcasts (14 & 15) on VPN, very interesting. But I can't grasp a very 
simple issue.

You talk about the insecurity of wifi in hotels, cafes etc and suggest a VPN 
to your home router as the solution. In the wifi location people could sniff 
your passwords to email, ftp account, banking, etc ... but VPN your 
connection to home and it's safe from there.

Why is it any safer from your home router ... when you're working on a PC, 
surely basic encryption is done before it leaves your PC. Therefore surely 
if you're surfing at home, the same vulnerability is true .... that anyone 
could sniff out all your details from the net once it leaves your home 
router outbound  ... in fact anyone could sniff out lots and lots of private 
stuff by sniffing traffic passing over the net.

So why, if surfing at wifi hotspots is not safe ... why is it any safer if 
you VPN to your home router and it is sent out decrypted from there? I know 
it knocks the hotspot out of the equation but what about as your traffic 
passes from your home router, around the net?

I think I'm going to be embarrassed when I get the answer, as I'm basically 
saying the whole internet is insecure from people sniffing any info from the 
packets that pass by?

Thanks 


0
keewaa
12/2/2005 4:27:38 PM
"keewaa" <jdjdjd1@gmail.com> wrote in message 
news:dmpso9$mtm$1@news.grc.com...
> I think I'm missing something really obvious and simple, but I can't work
> this out, and I can't work out why I don't know. I've been listening to
> GRC podcasts (14 & 15) on VPN, very interesting. But I can't grasp a very
> simple issue.
>
> You talk about the insecurity of wifi in hotels, cafes etc and suggest a
> VPN to your home router as the solution. In the wifi location people could
> sniff your passwords to email, ftp account, banking, etc ... but VPN your
> connection to home and it's safe from there.
>
> So why, if surfing at wifi hotspots is not safe ... why is it any safer if
> you VPN to your home router and it is sent out decrypted from there? I
> know it knocks the hotspot out of the equation but what about as your
> traffic passes from your home router, around the net?
>
> I think I'm going to be embarrassed when I get the answer, as I'm basically
> saying the whole internet is insecure from people sniffing any info from
> the packets that pass by?
>

Well a cable bound internet is much harder to sniff.
They have to have access to a switch or router that's in your way to your
destination.



0
Bengt
12/2/2005 6:35:26 PM
[for the unabridged version, see Bengt-Arne Fjellner's post 
above]

> Well a cable bound internet is much harder to sniff.

Much. Cable traffic has been encrypted for many many years.

-- 
________________________________________________________________
Steve.
0
Steve
12/4/2005 12:01:43 AM
[for the unabridged version, see keewaa's post above]

> I think I'm missing something really obvious and simple, but I
> can't work this out, and I can't work out why I don't know.
> I've been listening to GRC podcasts (14 & 15) on VPN, very
> interesting. But I can't grasp a very simple issue.

You're not missing anything.  We all know that security by 
obscurity is not true security, but when it's all you've
got (and all you can have), it's better than not having any 
obscurity at all.

We also all know that security is not perfect.  So we're always 
trying to do the best job we can.  For example, even if you had 
a perfectly secure connection -- encrypted end-to-end -- to an 
eCommerce site, somewhere within their organization are 
employees who have access to your eCommerce data.  Or if not 
there, then at the bank that issued your credit card.  (I've had 
some horrifying telephone conversations with the employees of my 
credit card company.)

So my point is, all we can do is ... all we can do.  A wireless 
network is a high-vulnerability target -- and it's an OBVIOUS 
high vulnerability target, meaning that the word is out about 
it.  Similarly, any large and uncontrolled LAN environment (such 
as in a hotel setting) is a high-vulnerability target.

(In a few weeks I'll be explaining how it doesn't matter whether 
your LAN is switched or hubbed (e.g. in a hotel setting) ... 
since just two ARP Reply packets dropped onto the LAN can insert 
a malicious machine into your connection to create a logical 
ARP-based man-in-the-middle attack.)

So the security goal here is to encrypt AS MUCH OF our packets' 
travel as we can, and to (hopefully) have the packet becoming 
decrypted and entering into the rest of the Internet's traffic 
at a point where our traffic won't stand out.  In other words, 
our own traffic will be obscured by the sheer volume of similar 
traffic.

It's true that at that point we'll have NO security, but that 
point is at a much lower vulnerability location than other 
places where our traffic was traversing highly suspect and high 
vulnerability network neighborhoods.

-- 
________________________________________________________________
Steve.
0
Steve
12/4/2005 12:16:05 AM
"Steve Gibson" <news2005@grc.com> wrote in message 
news:MPG.1dfbd1c7900f94294bc@4.79.142.203...
> [for the unabridged version, see Bengt-Arne Fjellner's post
> above]
>
>> Well a cable bound internet is much harder to sniff.
>
> Much. Cable traffic has been encrypted for many many years.
>
> -- 
> ________________________________________________________________
> Steve.

This wouldn't prevent the ISP from being nosy, though - correct?  Wouldn't it 
then be better to tunnel to perhaps some free online VPN instead of the home 
router, as it would grant more privacy - or would that be just too hard to 
make it all work by this method - what am I missing?


-- 
Robert K
rkroute2000-forum@yahoo.com 

0
Robert
12/4/2005 12:36:40 AM
"Robert K" <rkroute2000-forum@yahoo.com> wrote in message 
news:dmtdoe$v8g$1@news.grc.com...
> "Steve Gibson" <news2005@grc.com> wrote in message 
> news:MPG.1dfbd1c7900f94294bc@4.79.142.203...
>> [for the unabridged version, see Bengt-Arne Fjellner's post
>> above]
>>
>>> Well a cable bound internet is much harder to sniff.
>>
>> Much. Cable traffic has been encrypted for many many years.
>>
>> -- 
>> ________________________________________________________________
>> Steve.
>
> This wouldn't prevent the ISP from being nosy, though - correct?  Wouldn't it 
> then be better to tunnel to perhaps some free online VPN instead of the home 
> router, as it would grant more privacy - or would that be just too hard to 
> make it all work by this method - what am I missing?
>
>
> -- 
> Robert K
> rkroute2000-forum@yahoo.com

Ohh I think I've got it (posted almost same time). The reasoning is that, 
whether it is VPN or ISP, someone will always be able to monitor - correct?


-- 
Robert K
rkroute2000-forum@yahoo.com 

0
Robert
12/4/2005 12:44:47 AM
On Sat, 3 Dec 2005 19:36:40, Robert K wrote:

>what am I missing?

ipV6?

-- 
Jim Crowther.    "Life is not a journey to the grave with the intention of
arriving safely in a well preserved body, but rather to skid in broadside,
thoroughly used up , totally worn out and loudly proclaiming;
WOW!!! What a ride."                           "It's MY computer" (tm SMG)
0
Jim
12/4/2005 12:46:22 AM
"Jim Crowther" <Don't_bother@blackhole.do-not-spam.me.uk> wrote in message 
news:5sMC9NbexjkDFwDA@nospam.at.my.choice.of.UID...
> On Sat, 3 Dec 2005 19:36:40, Robert K wrote:
>
>>what am I missing?
>
> ipV6?

I'm not getting the point; are you saying that I should switch from IPv4 to 
IPv6? What would be the advantages of this?


-- 
Robert K
rkroute2000-forum@yahoo.com 

0
Robert
12/4/2005 1:27:05 AM
On Sat, 3 Dec 2005 19:44:47, Robert K wrote:

>Ohh I think I've got it (posted almost same time). The reasoning is that, 
>whether it is VPN or ISP, someone will always be able to monitor - correct?

'Monitor' and 'Understand' are two, very, very different things.  Anyone 
at your ISP can monitor where you go 'surfing', if they so chose.  They 
might not be able to interpret the interchange - after all, it might be 
written in Latin, but using phraseology of playground Taiwanese, and 
then PGP encrypted.

So don't ever worry about monitoring, that's part of being a node on the 
Internet, live with it, and be grateful actually...  Do be sensible 
about where you decide to explore however.

-- 
Jim Crowther.    "Life is not a journey to the grave with the intention of
arriving safely in a well preserved body, but rather to skid in broadside,
thoroughly used up , totally worn out and loudly proclaiming;
WOW!!! What a ride."                           "It's MY computer" (tm SMG)
0
Jim
12/4/2005 1:51:40 AM
On Sat, 3 Dec 2005 20:27:05, Robert K wrote:

>"Jim Crowther" <Don't_bother@blackhole.do-not-spam.me.uk> wrote in 
>message news:5sMC9NbexjkDFwDA@nospam.at.my.choice.of.UID...
>> On Sat, 3 Dec 2005 19:36:40, Robert K wrote:
>>
>>>what am I missing?
>>
>> ipV6?
>
>I'm not getting the point; are you saying that I should switch from IPv4 to 
>IPv6? What would be the advantages of this?

If your ISP is capable of it (native that is, without tunnels), direct 
node-to-node interchange.  AFAIK (BICBW) (yuk!) this is pretty damn 
secure - a middle-man would have to be rather sophisticated and prepared 
for your particular personal transaction...

Don't worry, it's no big deal, those who use it will, those who won't 
won't.

-- 
Jim Crowther.    "Life is not a journey to the grave with the intention of
arriving safely in a well preserved body, but rather to skid in broadside,
thoroughly used up , totally worn out and loudly proclaiming;
WOW!!! What a ride."                           "It's MY computer" (tm SMG)
0
Jim
12/4/2005 1:59:23 AM
"Jim Crowther" <Don't_bother@blackhole.do-not-spam.me.uk> wrote in message 
news:3Kgh0KesukkDFwRS@nospam.at.my.choice.of.UID...

>'Monitor' and 'Understand' are two, very, very different things.  Anyone at 
>your ISP can monitor where you go 'surfing', if they so chose.  They might 
>not be able to interpret the interchange - after all, it might be written 
>in Latin, but using phraseology of playground Taiwanese, and then PGP 
>encrypted.

What I was trying to say is that if I were, for instance, to connect through 
an SSL tunnel from a hot spot to my home router, communication from the 
router to the final destination would be unencrypted - therefore my ISP would 
be able to tell whom I am connecting to, and also read the context of plain 
text packets in my communication (unless I am misunderstanding something).

If I connected from the hot spot directly to a VPN service, that wouldn't 
happen; however, the VPN would be able to tell where I am connecting and read 
the context of my packets.

Therefore, in the first or second scenario, the results are the same - there 
will always be someone who can monitor me; I can only choose who.

What is a little bit confusing is what Steve just wrote (that cable 
communication has been encrypted for a long time). Would that mean that from 
the first ISP server (or perhaps even my router) to the final destination 
communication becomes encrypted? I always thought that the ISP has the 
capacity to read packets.

-- 
Robert K
rkroute2000-forum@yahoo.com 

0
Robert
12/4/2005 5:30:19 AM
Steve Gibson wrote:

>
> 
> (In a few weeks I'll be explaining how it doesn't matter whether 
> your LAN is switched or hubbed (e.g. in a hotel setting) ... 
> since just two ARP Reply packets dropped onto the LAN can insert 
> a malicious machine into your connection to create a logical 
> ARP-based man-in-the-middle attack.)
>

an opportunistic, malicious proxy of sorts that spoofs the apparent 
endpoints?

==
tk
0
tk
12/4/2005 8:32:56 AM
"tk" <nothokea@pacbell.net> wrote in message 
news:dmu9jp$1kei$1@news.grc.com...
> Steve Gibson wrote:
>
>>
>>
>> (In a few weeks I'll be explaining how it doesn't matter whether your LAN 
>> is switched or hubbed (e.g. in a hotel setting) ... since just two ARP 
>> Reply packets dropped onto the LAN can insert a malicious machine into 
>> your connection to create a logical ARP-based man-in-the-middle attack.)
>>
>
> an opportunistic, malicious proxy of sorts that spoofs the apparent 
> endpoints?
>
> ==
> tk

Here is a good Flash tutorial about how ARP spoofing works

http://www.oxid.it/downloads/apr-intro.swf

Regards

Leccy 


0
leccy
12/4/2005 4:09:27 PM
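
A defender-side illustration of the ARP point raised in the thread above, added here as an example and not part of any participant's post: it scans observed ARP replies for the pattern Steve Gibson describes, where one machine claims both ends of a connection. The tuple format, the function names and all addresses are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender_ip, sender_mac) from ARP replies as a
# monitor on the LAN would record them. All addresses are made up.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway announces itself
    (1.2, "192.168.1.50", "00:11:22:33:44:50"),  # laptop announces itself
    (2.5, "192.168.1.77", "00:11:22:33:44:77"),  # third machine on the LAN
    (9.0, "192.168.1.1", "00:11:22:33:44:77"),   # gateway IP, different MAC
    (9.1, "192.168.1.50", "00:11:22:33:44:77"),  # laptop IP, same new MAC
]


def find_arp_anomalies(replies):
    """Return (rebinds, multi_claims) for a list of observed ARP replies.

    rebinds: (time, ip, old_mac, new_mac) each time an IP moves to a new MAC.
    multi_claims: mac -> sorted IPs, for MACs currently claiming several IPs.
    """
    ip_to_mac = {}
    rebinds = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            rebinds.append((ts, ip, old, mac))
        ip_to_mac[ip] = mac

    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    multi_claims = {m: sorted(ips) for m, ips in mac_to_ips.items()
                    if len(ips) > 1}
    return rebinds, multi_claims


def is_probable_mitm(replies, gateway_ip):
    """True when the gateway's IP was rebound to a MAC that also claims
    another IP, i.e. one machine now sits on both sides of the path.

    A lone rebind (replaced router hardware, DHCP reassignment) is not
    flagged; it takes the rebind plus the shared MAC to raise the alarm.
    """
    rebinds, multi_claims = find_arp_anomalies(replies)
    new_gateway_macs = {new for _, ip, _, new in rebinds if ip == gateway_ip}
    return any(mac in multi_claims for mac in new_gateway_macs)


if __name__ == "__main__":
    rebinds, multi = find_arp_anomalies(SAMPLE_ARP_REPLIES)
    for ts, ip, old, new in rebinds:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    print("MACs claiming several IPs:", multi)
    print("probable MITM:", is_probable_mitm(SAMPLE_ARP_REPLIES, "192.168.1.1"))
```
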