Ubiquiti Edgerouter X VPN Setup
-
@Dashrender said:
If the OP uses a VPN to leave the coffee shop before getting on the internet, he doesn't have to worry about the local coffee shop hacker. Just the rest of the hackers who don't have local network level access.
You've just made my point brilliantly. He still has to worry about the same attacks, just not from the coffee drinker that he can see. So the illusion has caused him to not do end to end security because he felt "safe enough" from the illusion and now he is being less safe than he should be. If the data is worth protecting, it's worth more than this level of effort.
Now I agree, this is "real security", it really does prevent that one attack vector but it does create another point of Internet entrance with its own security concerns and path and makes the overall path longer, but it is a trivial addition of security but a lot of illusion, which is my concern.
I have an article about this very thing and even with VPNs that has already gone to publisher, hopefully we see it soon.
-
@scottalanmiller said:
@anonymous said:
@scottalanmiller However people in the same coffee shop can't access it.
Is that a concern? I've never understood that one. People in the same coffee shop you protect against but not people elsewhere? What's the specific threat in the coffee shop versus the threat from everywhere else?
Really? OK I must really be over complicating something then, because I agree with the OP.
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie is flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
It's much more difficult if not impossible for someone on the internet to get that kind of access on the internet at large, vs the local LAN segment.
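An added example (mine, not from this thread or from MangoLassi) that checks the mitigation for the Firesheep problem Dashrender describes: it parses a constructed HTTP login response and reports session cookies set without the Secure flag and responses without HSTS, the two gaps that let a cookie cross a shared LAN in cleartext.

```python
from typing import Dict, List, Tuple

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP response header block."""
    lines = raw.strip().splitlines()[1:]  # drop the status line
    pairs = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_issues(set_cookie: str) -> List[str]:
    """Attributes missing on one Set-Cookie value that matter on a shared LAN."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure (cookie may be sent over plain HTTP)")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly (readable by injected script)")
    return issues

def audit_response(raw: str) -> Dict[str, List[str]]:
    """Map each cookie name to its problems; '*' holds response-wide issues."""
    headers = parse_headers(raw)
    report: Dict[str, List[str]] = {}
    # Without HSTS a browser can still be steered to http:// for the same site.
    if not any(n == "strict-transport-security" for n, _ in headers):
        report["*"] = ["no Strict-Transport-Security header (downgrade possible)"]
    for name, value in headers:
        if name == "set-cookie":
            cname = value.split("=", 1)[0].strip()
            problems = cookie_issues(value)
            if problems:
                report[cname] = problems
    return report

# Constructed sample: a login response as a Firesheep-era site might send it.
WEAK = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/
Content-Type: text/html
"""
# Constructed sample: the same response hardened.
HARDENED = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
"""
```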
-
Also, in my case, I want to be able to connect to my NAS, and do other things that are not going to be public
-
@anonymous said:
Also, in my case, I want to be able to connect to my NAS, and do other things that are not going to be public
For the NAS you could possibly get a Free Let's Encrypt certificate installed on the NAS and publish it through your firewall, with passwords, etc.
-
@Dashrender I could, but if I have OpenVPN working, why?
-
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
-
I see both sides of this.
I'm wondering if VPN is really needed? It will slow you down performance wise.
A lot of sites use full time encryption now, so even if a hacker like the one in my linked story does manage to hijack you onto this network (should only be possible if you have other open WIFI networks that you have attached to listed in your device), the websites that use TLS you don't have to worry about. Sure they know where you are going, but who cares about that. They can't get inside the tunnel unless they can hack your OS, which maybe they can.
In which case, the VPN doesn't help you anyhow.
-
@Dashrender said:
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie is flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?
-
@anonymous said:
@Dashrender I could, but if I have OpenVPN working, why?
Far more flexible, less exposure. Have an article on this sent to press too. LOL
-
@Dashrender said:
I see both sides of this.
I'm wondering if VPN is really needed? It will slow you down performance wise.
A lot of sites use full time encryption now, so even if a hacker like the one in my linked story does manage to hijack you onto this network (should only be possible if you have other open WIFI networks that you have attached to listed in your device), the websites that use TLS you don't have to worry about. Sure they know where you are going, but who cares about that. They can't get inside the tunnel unless they can hack your OS, which maybe they can.
In which case, the VPN doesn't help you anyhow.
Easy way to think of it is that a TLS connection is an application specific, end to end VPN tunnel. Far safer than a traditional VPN because of the limited exposure. As long as you have TLS, the VPN is just redundant. OpenVPN is nothing but a TLS connection itself.
-
Exactly.
@scottalanmiller said:
@Dashrender said:
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie is flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?
Yes I think it is. Even though we've had the Firesheep threat for several years now many places still don't secure themselves from it. And I ask, why not? Cost has got to be the biggest reason, the cost of the cert, the cost of the extra horsepower for the webserver, etc.
-
@scottalanmiller said:
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.
The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.
-
@scottalanmiller less exposure? How so?
If I do it via a VPN, then the device is only accessible from my local network and anyone on the VPN connection (hopefully just me)
If I open to the world, everyone can bang on it 24/7.
-
@Dashrender said:
Exactly.
@scottalanmiller said:
@Dashrender said:
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie is flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?
Yes I think it is. Even though we've had the Firesheep threat for several years now many places still don't secure themselves from it. And I ask, why not? Cost has got to be the biggest reason, the cost of the cert, the cost of the extra horsepower for the webserver, etc.
Okay, so the fear is that people are going to go on places like MangoLassi in the short term before Let's Encrypt takes over nearly all sites and that they will post as you?
I'm trying to understand that people are actually worried about this. I'm not saying it can't happen, it certainly can. I'm wondering why we are concerned about it.
ML is going to lock that down in the nearish future, so this will go away as a threat here, but in general I've never felt that this was something that I really had to worry about.
-
@anonymous said:
@scottalanmiller less exposure? How so?
If I do it via a VPN, then the device is only accessible from my local network and anyone on the VPN connection (hopefully just me)
If I open to the world, everyone can bang on it 24/7.
I don't follow. How are you securing your OpenVPN any differently? They are both TLS connections. Can't they bang on either one equally?
-
Or in other words, how do you make one TLS connection invisible to outsiders and expose the other? VPNs are points of exposure the same as anything else.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.
The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.
I don't follow FB security closely. Is that something that is a threat there?
-
Now we have all this talk about a VPN from our client.
What about using a hardware wireless bridge device to protect ourselves like we do at home and work?
It would be a device that we carry with us that we have a wireless connection directly to from our phone/laptop/tablet/etc. Using a console of some type, we have the device make a connection to the open WiFi AP. The device then can be limited to only join the network we pick at the time in question (unlike Windows' desire to hop around to the random list of places we've been that consumers never curate) and act as a hardware firewall like at home.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.
The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.
I don't follow FB security closely. Is that something that is a threat there?
FB was vulnerable to Firesheep back in the day. They aren't any longer because they use TLS all the time, just like Google.
As far as I know, FB does a pretty good job of securing its network and its users (from an FB point of view).
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.
The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.
I don't follow FB security closely. Is that something that is a threat there?
FB was vulnerable to Firesheep back in the day. They aren't any longer because they use TLS all the time, just like Google.
As far as I know, FB does a pretty good job of securing its network and its users (from an FB point of view).
Oh I totally get that this used to be a big deal and that people did not understand it. Historically it mattered a lot.