3

I recently came across this answer here https://security.stackexchange.com/a/17860 and was surprised that VPN traffic could apparently be monitored.

I am new to this subject and am trying to better understand how it all works. I have zero interest in doing anything illegal, but I am highly paranoid and don't like the idea of being monitored (I grew up with enough of that already).

So I became interested in security, but I don't understand it very well. Conventional wisdom suggests a VPN is the answer, but then answers like the one above confuse me. It seems like traffic coming from you is encrypted, but not the traffic coming back?

Is a VPN really enough? If I log into Gmail from my normal IP address, but then log into that same account with a VPN, is this considered a security hazard? Is the only way to use a VPN safely to basically be a completely different person from your non-VPN self? Different accounts, different mannerisms, different everything? What information is accessible by someone monitoring my traffic (either a malicious person or the building that owns the routers / local network or the ISP, etc.)? Is it wise to use a VPN and then activate a Tor browser? Can we really assume the VPN is not logging you? Does it matter if you use PayPal? Does it matter what email address you use to sign up? Does it matter if you use a credit card associated with your real name?

I am operating on the fundamental assumption here that it is never fully possible to achieve 100% security, anonymity, and privacy, because at some point security through obscurity is part of the equation, and at some point we have no choice but to trust something or assume we're being logged and monitored, and so on. But I'd still like to do all that I can.

When is a VPN not safe? What are the best practices for using one?

user121389
  • 31
  • 3

3 Answers

4

A VPN just moves the point of entry of your unencrypted data to a different network provider. It's great if you don't trust the network provider you're actually connected to, maybe because it's a public wifi network or because you think your government might be monitoring it, but you have to trust the VPN provider's network instead. If you don't want to trust any network provider, you have to use encrypted connections only and just give up on browsing websites that don't support TLS and on other unencrypted protocols.

Mike Scott
  • 10,134
  • 1
  • 28
  • 35
  • How do you know if you are "using encrypted connections only"? How do you know if a website doesn't support TLS (whatever this is)? – user121389 Aug 13 '16 at 19:27
  • 3
    TLS is the updated version of SSL, and your web browser will usually show you a padlock or similar if the web site is using it. But otherwise, I'm afraid that in the current state of the Internet there's no alternative to having a reasonably detailed understanding of the protocols you're using, on a protocol-by-protocol basis. There's no quick and easy answer. – Mike Scott Aug 13 '16 at 19:29
  • This very website, for example, does not seem to use TLS, right? (no padlock) – user121389 Aug 13 '16 at 19:32
  • Yes, that's right. It seems to support a TLS connection but then forward you to an unencrypted http connection. – Mike Scott Aug 13 '16 at 19:35
  • 1
    [Stackexchange does support TLS](https://security.stackexchange.com). – Philipp Aug 14 '16 at 01:16
  • Technically, a VPN does not need to be encrypted, since its _real_ purpose has nothing to do with protecting from your ISP (but rather connecting two systems together so they see each other as if they were locally connected). For example, the GRE protocol is unencrypted, but is still a type of VPN. Just because OpenVPN and IPSec support optional (albeit recommended) encryption does not mean VPNs are by definition encrypted. – forest Dec 11 '17 at 03:50
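To make concrete what "moves the point of entry of your unencrypted data" means in practice, here is an added example (my own code, not from this thread or any project) that looks at two constructed client payloads, a plaintext HTTP request and a TLS ClientHello, and reports what a passive observer sitting between the VPN exit and the server can read from each. The host `mail.example.com`, the paths, the function names and the sample bytes are all assumptions made up for the illustration.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS ClientHello record with an SNI extension (a sample, not a real capture)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host              # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                        # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                        # extension_type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                       # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body             # HandshakeType client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # TLSPlaintext record header

def parse_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent or not a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    i = 43                                                             # past record hdr, hs hdr, version, random
    i += 1 + record[i]                                                 # session id
    i += 2 + struct.unpack("!H", record[i:i + 2])[0]                   # cipher suites
    i += 1 + record[i]                                                 # compression methods
    if i + 2 > len(record):
        return None                                                    # no extensions block at all
    i, end = i + 2, i + 2 + struct.unpack("!H", record[i:i + 2])[0]
    while i + 4 <= min(end, len(record)):
        etype, elen = struct.unpack("!HH", record[i:i + 4])
        data = record[i + 4:i + 4 + elen]
        i += 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:             # server_name, first entry is host_name
            nlen = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + nlen].decode("ascii", "replace")
    return None

def observer_view(payload: bytes) -> dict:
    """What a passive observer between the tunnel exit and the server learns from one client payload."""
    sni = parse_sni(payload)
    if sni is not None:
        return {"protocol": "tls", "host": sni, "path": None, "content_visible": False}
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    parts = head[0].split(" ")
    path = parts[1] if len(parts) == 3 and parts[2].startswith("HTTP/") else None
    host = next((h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")), None)
    return {"protocol": "http" if path else "unknown", "host": host, "path": path, "content_visible": True}

# Constructed samples: a plaintext webmail request and a TLS handshake to the same (made-up) host.
HTTP_SAMPLE = (b"GET /mail/inbox?user=alice HTTP/1.1\r\nHost: mail.example.com\r\n"
               b"Cookie: session=constructed-sample\r\n\r\n")
TLS_SAMPLE = build_client_hello("mail.example.com")
```

Run `observer_view` on both samples: the plaintext request gives up the path, the cookie and everything else, while the TLS handshake reveals only the hostname (via SNI), which is exactly why the answer says to use encrypted connections only.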
1

In addition to shifting the trust further down the line, as Mike Scott explained, governments have had pretty good success correlating public-facing, unencrypted traffic with privatised encrypted traffic just by the timestamps of the two packets; a government doesn't even need to ask the VPN provider for unencrypted traffic if they can make those deductions based on logs the VPNs' ISPs have given them.

autistic
  • 734
  • 6
  • 17
1

I am going to try to give you a practical answer.

The answer that you mention in your question makes a large number of unlikely assumptions that essentially boil down to someone having a reason to commit that much time and analysis into tracking you.

Provided you ...

  • Share sensitive information strictly using a secure connection (green lock beside the address bar)
  • Utilize well known services. These typically have encryption implemented correctly
  • Utilize an up to date, serious browser (Chrome)
  • Utilize a reputable VPN vendor based in a jurisdiction that reasonably supports privacy
  • Have a non-compromised, up-to-date system
  • Have no reasonable basis to assume anyone will profit from performing highly sophisticated timing/behavioral based attacks specifically on you

... you are good.

Much as entire cities in several countries are plagued with surveillance equipment, means exist for governments/companies/hackers to potentially leverage design attributes and/or vulnerabilities in order to track specific individuals, but it is a very costly endeavor and needs justification.

There are many considerations when choosing the VPN service that is right for you. There are moral, technical and practical considerations. Check out this comparison chart:

https://thatoneprivacysite.net/simple-vpn-comparison-chart/

I hope this helps.

dotproi
  • 346
  • 1
  • 5