VPN True Or Fake Secure Connection ?

shop deals on amazon
Advertise with us
Shop deals on ebay
GroupDIY Audio Forum

Help Support GroupDIY Audio Forum:

This site may earn a commission from merchant affiliate links, including eBay, Amazon, and others.
R

r2d2

Well-known member
Joined
Jan 16, 2011
Messages
614
Location
A-rea 51
Hi to All
just to talk about if the VPN  is a True Or Fake Secure Connection  ,

it is possible that the VPN services companies
are financed  by  the power holders "Dart Vaders"  on duty    :eek:
using as advertising the Secure Connection as "bait"
to monitor the data
keeping an eye closed  on minor offenses
in order to make it credible
to those who use it convinced that it is really "safe" ?
protected also from the eye of the big "brother"  on duty ?

peace and cheers










 
Of course both options are possible.

Probably a good idea to use an open source VPN without major commercial interest. I would assume most of the "free VPNs" harvest data.
 
Any connections made through VPN's to SSL encrypted endpoints cannot be spied upon by the VPN provider, other than to note a connection was made.  It merely serves to relay traffic through a different IP address in some other region.  However un-ecrypted traffic can be snooped, however such traffic can also be snooped by every intermediate computer in the chain as well.

This isn't really a problem when using paid VPN services from reputable companies.  Free VPN services are pretty much worthless across the board.
 
Matador said:
Any connections made through VPN's to SSL encrypted endpoints cannot be spied upon by the VPN provider, other than to note a connection was made. 
Click to expand...

SSL decrypting routers have been on the market for at least a decade.

It merely serves to relay traffic through a different IP address in some other region.  However un-ecrypted traffic can be snooped, however such traffic can also be snooped by every intermediate computer in the chain as well.
Click to expand...

There are no computers in the chain. Only routers. Of course, these are a kind of computer too. But consider this remark as unimportant, because you can connect a computer to the router to tap traffic, if you can get into the network.

This isn't really a problem when using paid VPN services from reputable companies.  Free VPN services are pretty much worthless across the board.
Click to expand...

Quite the contrary.

More than half of the commercial VPN services are owned by an Estonian company that's the biggest data aggregator in the world. Hardly any of the big names run their own VPN. They just rebrand one of the specialised providers.

Most gratis VPN's are run by universities or other research institutions. These can be hard to find and/or configure. An easy and fast one is offered by Proton, the Swiss secure mail host. Free is limited to 3 exit servers, IIRC. If you want all of them, you need to pay.

Last time I looked, I couldn't find a commercial one that wasn't somehow dodgy.

I use several VPN's on a daily basis. All are free. Some are reasonably fast, even if they are on the other side of the planet. Some are slow. But there's plenty to choose from. Be forewarned that it's an ongoing job to keep a list, because sooner or later, abuse will lead to the service no longer being public, or stopped altogether.
 
SSL is supposed to be secure for now, but computers capable of cracking it are on the near horizon (decade?).

All major powers are working on this. Not sure they would tell us when they do crack it, without an effective alternative.

JR
 
As long as the VPN is the kind where you install a client that creates what looks like a new network (not sure if there is even any other kind since that would not be a real VPN) then, as long as you're doing HTTPS with the target server (or the tunneled communication is protected in some other way), it is not be possible for the VPN server to see that traffic. If you're not using HTTPS between the browser and the end target, then yes the VPN server would be able to see the content. But the end targets will always see the IP of the VPN server and not the IP of your local Internet connection.

As for cracking TLS connections, that is quite difficult (AFIAK not possible at all if you're using current recommended algos / key sizes).
 
cyrano said:
SSL decrypting routers have been on the market for at least a decade.
Click to expand...
Perhaps for ancient sites not adhering to modern TLS implementations using 2k+ key lengths, a brute force decryption might be possible.  For contemporary 2K key lengths and AES 128bit (or higher) encryption then there's no way for a VPN to snoop traffic without extremely sophisticated certificate spoofing procedures (which even most modern browsers can detect reliably).
 
squarewave said:
As for cracking TLS connections, that is quite difficult (AFIAK not possible at all if you're using current recommended algos / key sizes).
Click to expand...
Definitely next generation computer technology that isn't here yet AFAIK, but getting closer every year.  8)

I'm not trying to be scary, but I pay attention to stuff like this (probably not as much as I should). Website payments security maintenance used to be a lot harder before I moved it all over to paypal. They handle the secure transactions for me so I don't have to jump through all the hoops. 

I am not aware of solutions for the next gen computers, but I trust smarter people than me are working on it.

JR
 
Man ya'll are men of many hats.  I just use a blocklist and pray I'm not the low-hanging fruit  ;D. 

If you really want to be secure, onion route that data, and deal with the caramelized throughput.
 
ruffrecords said:
Are you saying SSH can be decrypted without the private key?
Click to expand...

SSL can't be decrypted (fast/easily) without a key.

But it's fairly easy for some to get a key, either by impersonating the key owner, or by making sure the sender is using a key supplied by the decrypting router operator. It's easier if you can replace keys in transit and make sender and receiver use different pairs.

Turkey, fi smuggled their TURKTRUST keys into almost all OSes. These were supplied by the Turkish key supplier, who is in the hands of the army.

Maybe Google's new quantum computer could break the encryption in a reasonable amount of time, but that's science-fiction until further notice.

Not really a problem for an average user, but a dissident in the wrong country better not suppose the govt can't intercept because it uses SSL.

GPG/PGP otoh still provide ample security, but it comes at a price. It requires extra care and effort. And it's still noticeable. You could combine it with some form of steganography to hide it.
 
Matador said:
Perhaps for ancient sites not adhering to modern TLS implementations using 2k+ key lengths, a brute force decryption might be possible.  For contemporary 2K key lengths and AES 128bit (or higher) encryption then there's no way for a VPN to snoop traffic without extremely sophisticated certificate spoofing procedures (which even most modern browsers can detect reliably).
Click to expand...

Nothing ancient about it.

If you have "your" certs in place for everyone to use, it's easy enough. And who of us has vetted all those certs our OS comes with? Who can guarantee the cert authority hasn't been fooled or broken into? Remember Diginotar in Holland? Their wifi network wasn't properly secured, so someone broke that and possibly got access to all certs. Was a big problem for the Dutch govt, as Diginotar was their main cert auth. There's also the case of Symantec, who were a bit more than sloppy not so long ago.
 
cyrano said:
But it's fairly easy for some to get a key, either by impersonating the key owner, or by making sure the sender is using a key supplied by the decrypting router operator. It's easier if you can replace keys in transit and make sender and receiver use different pairs.
Click to expand...
Not sure what you mean by that since TLS uses PKI which means the private key never leaves the server. The public key is signed by a CA and given to the client. Anything encrypted with the public key can only be decrypted with the private key which, again, never leaves the server (or a secure set of machines). That is used to exchange a new key used for conventional symmetric key encryption / decryption because it's faster. Note that the browser does not have it's own private key [1] so the user simply has to look at the domain in the address bar and that the browser trusts the certificate issued by a trusted CA. So security of client info isn't as good since they can only look at the domain and green lock and decide to trust or not. Maybe that's what you mean.

So it is very difficult to recover the private key necessary to decrypt TLS communication. The state-of-the art brute force techniques as of today is to use large arrays of GPUs. GPUs are special because of their parallel processing capability (instead of computing one thing in a certain number clock cycles a GPU can compute thousands of the same thing in the same time). Computing keys using an array of GPUs is now quicker than looking up a pre-computed value on a disk.

[1] Clients can use a private key and send a cert up to the server during the TLS handshake. This is done in corporate Intranets like with Windows AD acting as it's own CA and installing certs on servers / devices.
 
I'm not in on how the decrypting routers work. They're only sold to "law enforcement" and governments. No documentation.

I'm sure it's not really a threat to you and me. As I said, it's a real threat to dissidents in countries that have a culture of "no privacy". Like the Turkish example. And it is a (maybe minor) threat to people who aren't aware their data is leaking.

It's not the SSL system an sich. It's that the average user only knows to look at what his browser tells him. And there ways to circumvent that. Like start your own CA. Or find a sloppy CA and ask them to sell you a google.com cert. Or...

In the case of VPN, it's not that it's not possible to build a secure one. Most of the corporate solutions are safe. But the consumer solutions often aren't, because their main purpose is data collection.

I also have no real stats about how many of the consumer/commercial VPN's are data collectors. It's just that every time a new one appears on my radar and I have the time to look into it, the company has ties to that one data aggregator.

When you're an aggregator, even tiny bits of data are worth adding to the profile. And today, that's at least two ip's and an associated domain name, until DNS goes over TLS by default. And that's still a few years away, as the first ones have just appeared.

In the end, it boils down to "there's no ROI for security".
 
cyrano said:
I'm not in on how the decrypting routers work. They're only sold to "law enforcement" and governments. No documentation.
...
And there ways to circumvent that. Like start your own CA. Or find a sloppy CA and ask them to sell you a google.com cert. Or...
Click to expand...
In theory I suppose a government could force people to use a browser with their own CA cert (maybe intercept a download of chrome or whatever browser and substitute their own version with their CA in it). Then they could change DNS for sites and use their own certs.

Otherwise, browsers would just remove a "sloppy" CA and then it wouldn't work.
 
just a "stupid"  part-frame of the case    ::)

VPN connection line  IP -------o----------IP---------------IP---------o---------IP
                                                                  I                                                                        I
parallel spy connection              I---------sniffer-decripter-----------I   
 
squarewave said:
In theory I suppose a government could force people to use a browser with their own CA cert (maybe intercept a download of chrome or whatever browser and substitute their own version with their CA in it). Then they could change DNS for sites and use their own certs.

Otherwise, browsers would just remove a "sloppy" CA and then it wouldn't work.
Click to expand...

There are also the cases of CA's gving out certs without checking who they are going to. A few years ago, a researcher obtained google.com certs from Symantec, fi.

And then there are the cases of badly configured servers. Ones that still accept older versions of SSL that can be decrypted on-the-fly or offline.

You could also install your own root cert on a device you'd like to monitor. With today's proliferation of DIY USB attack kits, it's a jiffy if you have physical access to the machine. Even if you haven't got access, you'd only need to visit a Starbucks or such where the victim uses the procided Wifi to get in and do your thing. Hotel/airport wifi comes to mind.

Besides, there's a lot of other trickery too. It's like NAT traversal. Not easy, no commercial products around, afaik, but fi Skype has been doing it for years, circumventing firewalls. And there are some github projects to DIY. Of course, NAT traversal isn't encryption, it's just a way into your (home) network.

It's usually not one thing, but a number of exploits to get into a system...

And SOHO routers are often the starting point.

For those interested, here's a Network World article about it:

https://www.networkworld.com/article/2163739/what-s-lurking-in-your-network--find-out-by-decrypting-ssl.html

And Moxie Marlinspike's take on the subject:

https://moxie.org/blog/ssl-and-the-future-of-authenticity/

It's not as if PKI/SSL an sich are so bad, security-wise, it's just that we, the user, aren't really informed. And that opens many avenues to attack.
 
CAs are definitely a weak point. But TLS is pretty secure as long as the list of CAs in your client are good. Any decryption like what is described in that networkworld article require controlling the entire network which is either a company that has system access to all devices or maybe a government that can intercept all traffic such that anything downloaded can be modified. If someone has system access on a machine, any discussion of security and protocols becomes completely pointless.

cyrano said:
And Moxie Marlinspike's take on the subject:

https://moxie.org/blog/ssl-and-the-future-of-authenticity/
Click to expand...
This is actually a really good article. It really describes the faults in the current CA system well.
 
Several things are being confused here.

SSL "can't" be quickly cracked unless you are already a high profile Suspect.

The outfit who runs a VPN can see "all" your traffic. With the rise of encryption for email and now web surfing, they can't easily see inside your packets, but they know the servers you connect to.

I would imagine that any "Free VPN" is tempted to sell whatever data they collect, to anybody with money.
 

Similar threads

pucho812
brief history of audio excerpt from my buddys book.
2
Replies
23
Views
6K
Barry Hufker
Barry Hufker

Latest posts

Back
Top