-1

Tunnelbear is a VPN with an easy interface to choose your country IP - https://www.tunnelbear.com/

On installation it installs a network service.

When the app is turned off would it be able to access any passwords etc? I dont know what the network service does or can do.

When using the VPN is it secure to use passwords? Tunnelbear say they encrypt data but do they themselves have the ability to decrypt this data?

Jon
  • 115
  • 1
  • 1
  • 3
  • possible duplicate of [What are the pros and cons of a VPN for privacy](http://security.stackexchange.com/questions/11382/what-are-the-pros-and-cons-of-a-vpn-for-privacy) – Simon Sep 16 '13 at 14:24
  • 11
    You can trust anything that has a [bear](http://meta.security.stackexchange.com/a/884/) in its title or logo. – Adi Sep 16 '13 at 14:33
  • Thanks for the link on VPN privacy, but my question is security not privacy. I dont see any answers about security of sending credit card details over VPN etc, or more specifically what this VPN does with its network connection – Jon Sep 16 '13 at 14:45
  • @Jon While you're using VPN, you're securely sending data from your computer to the VPN server. In most cases, VPN is pretty secure, the problem is with the VPN provider; do you trust them? Thus, your question is a dupe. – Adi Sep 16 '13 at 14:56
  • well maybe someone knows tunnelbear and says they are trustworthy? Or has installed & investigated their software? – Jon Sep 16 '13 at 15:04

1 Answers1

3

The application which you "install" to use the VPN service is local code. If that code is hostile, then you have lost: as soon as you run malicious code on your own machine, that malicious code can more or less hijack your whole machine.

Theoretically, if you run the code as a non-privileged user, and your operating system ensures perfect isolation against non-privileged local users, then you might recover from running malicious code without reformatting your complete hard drive. However, this is not a reasonable foundation, because no practical OS succeeded at enforcing such an isolation. All OS have local privilege escalation holes. Moreover, a VPN must hook itself in the OS network subsystem, which will require some non-trivial privileges, so the point is moot.

Assuming that the TunnelBear's application is not malicious, then the VPN, being a VPN, protects data only in transit, between your machine and the VPN exit point, on TunnelBear's servers. These servers, by construction, see all your data unencrypted. A VPN (when done properly) is like an armoured steel tube between your machine and the exit point; it does nothing whatsoever for traffic beyond that exit point.

If you want to protect your data against inspection by the VPN maintainers, then you must use end-to-end security with whatever machine you are trying to contact, which basically means SSL (i.e. HTTPS). This begs the question of why you would want a VPN in the first place, of course.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • I was not so concerned about running the exe. It is a commercial program tested for ware etc. This program offers a simple interface to change your IP location, which is handy for me in certain situations. But if I send CC info, or login to email or amazon with password while using the VPN what risks am I looking at? – Jon Sep 16 '13 at 15:20