VPN Chat
<blockquote data-quote="Captain Jack" data-source="post: 1008764" data-attributes="member: 243342"><p>My 2c from someone who works with this stuff day-in and day-out. While using a VPN for 'banking' (or whatever information sensitive site you choose) can, on paper, provide extra security, in reality it doesn't really do anything in home situations, except slow down your connection.</p><p></p><p>What's most important is that the site in question uses up-to-date SSL encryption (https in the address bar) with appropriate/secure ciphers. There have been many advances to crack various SSL incarnations but the likes of banking sites have been quick to plug those holes by using secure versions. By 'secure versions', I mean using certificates with long length keys (2048 bits and up together with SHA256) and nothing other than TLS - preferably version 1.2. SSL v2 and v3 are no longer considered secure and TLS v1.0 and 1.1 have some weaknesses (but are generally OK). You can either check your site's encryption protocol within your browser or, better, use something like <a href="https://www.ssllabs.com/ssltest/analyze.html" target="_blank">SSL Server Test (Powered by Qualys SSL Labs)</a> to test your target site.</p><p></p><p>A little background: HTTPS works by encrypting your data using a public SSL certificate that is sent by the site - the longer the key length of the certificate (along with SHA256 cipher), the more secure your data is. Encryption is done by your browser, so all communication to the server is encrypted from this point forth (a so-called 'secure channel' is set up during initial handshakes - this is why there's a short initial delay when accessing secure sites for the first time) and is pretty much immune to any attacks. If someone manages to read the stream of data between your browser and the server (man in the middle attack), they won't see anything other than gobbledy gook. 
This encryption is far more secure than your satellite encryption due to key-lengths employed. At the server end, the data is decrypted by the private key, which is a counterpart of the public certificate. Both are created at the time of the initial certificate/key/CSR generation routine (a CSR, or Certificate Signing Request, is used by signing authorities to sign your cert). Think of it as a lock and key - both are matched and both are useless without the other.</p><p></p><p>It would take maaaaany years to crack encrypted data, should someone get hold of it, and with typical certificate validity periods of 1 year, the chances of it happening are very slim.</p><p></p><p>Now, the VPN tunnel is also encrypted, so when accessing an HTTPS site, you are essentially applying encryption over encryption. Sounds good but what does it really do? VPN has to terminate somewhere - typically your VPN service provider. So, your encrypted *encrypted* data leaves your computer to a remote location beyond your ISP, who then decrypt VPN traffic to further forward it on... From that point on, it's no more secure than it is without VPN - you're just adding additional hops for your data to jump through. And if you're not visiting a secure site, your VPN provider can read all your traffic - in plain text.</p><p></p><p>Who do you trust more - your ISP or your random VPN provider? I know who I'd rather send my data to.</p><p></p><p>So what does it do for security? Nothing. It just shifts it to another organisation. If someone installs a sniffer on your computer, no VPN will help you. But what if they hack your Wi-Fi? Well, if you use WEP or simple passwords, it's your own fault. 
Further, if your VPN connection is handled by your router then all traffic between your computer and your router/Wi-Fi point remains the same as it is without the VPN.</p><p></p><p>The *only* time I would use a VPN is to visit blocked or geo-blocked sites, doing something dodgy (to hide my identity) or if I was on a potentially untrusted network, such as open public Wi-Fi spots. In reality, I do none of those - most sites these days are SSL encrypted so all traffic is likely to be encrypted anyway. And if I was to use VPN, it would be a VPN back to my home - a location that I trust and not some 3rd party VPN vendor.</p><p></p><p>None of this applies in case of a bog-standard home network, connected to a UK ISP, accessing satellites.co.uk, so there's absolutely no need for it. Unless you're trying to hide...</p></blockquote><p></p>
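An added example, not part of the post above: the criteria the post lists (no SSL v2/v3, TLS 1.0/1.1 tolerated but weak, TLS 1.2 preferred, keys of 2048 bits and up, SHA256) written as a check over values read from a browser's connection details or an SSL Labs report. Accepting TLS 1.3 and SHA-384/512, treating the key size as RSA, and the names `grade`, `negotiated` and `SAMPLES` are assumptions of this sketch.

```python
import socket
import ssl

# Protocol names are the strings ssl.SSLSocket.version() returns.
INSECURE = {"SSLv2", "SSLv3"}        # post: no longer considered secure
WEAK = {"TLSv1", "TLSv1.1"}          # post: some weaknesses, generally OK
ACCEPTED = {"TLSv1.2", "TLSv1.3"}    # TLSv1.3 is an assumption; the post names 1.2
MIN_KEY_BITS = 2048                  # post: 2048 bits and up (RSA assumed)
ACCEPTED_HASHES = {"sha256", "sha384", "sha512"}  # sha384/512 are assumptions
RANK = {"pass": 0, "warn": 1, "fail": 2}


def grade(protocol, key_bits, sig_hash):
    """Return (verdict, findings) for one server's observed TLS settings."""
    findings = []
    if protocol in INSECURE:
        findings.append(("fail", f"{protocol} is no longer considered secure"))
    elif protocol in WEAK:
        findings.append(("warn", f"{protocol} has known weaknesses"))
    elif protocol not in ACCEPTED:
        findings.append(("fail", f"unrecognised protocol {protocol!r}"))
    if key_bits < MIN_KEY_BITS:
        findings.append(("fail", f"{key_bits}-bit key is below {MIN_KEY_BITS}"))
    if sig_hash.lower() not in ACCEPTED_HASHES:
        findings.append(("fail", f"certificate signed with {sig_hash}"))
    verdict = max((level for level, _ in findings), key=RANK.get, default="pass")
    return verdict, findings


def negotiated(host, port=443, timeout=5.0):
    """Connect while refusing anything older than TLS 1.2; needs network access."""
    ctx = ssl.create_default_context()           # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample observations, not scans of real sites.
SAMPLES = {
    "modern.example": ("TLSv1.2", 2048, "sha256"),
    "legacy.example": ("TLSv1.1", 4096, "SHA256"),
    "broken.example": ("SSLv3", 1024, "sha1"),
}

if __name__ == "__main__":
    for name, facts in SAMPLES.items():
        verdict, findings = grade(*facts)
        print(name, verdict, [msg for _, msg in findings])
```

`negotiated()` raises `ssl.SSLError` when the server cannot offer TLS 1.2 or newer, which is the client-side way to enforce the same floor.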