There's also #3, connecting to a network so you can access its internal resources. For example, OpenVPN can be installed on the router in an office or a server in AWS, and then employees working from home can access the machines in that office's LAN or AWS virtual network. However, this is not a scenario relevant to the particular patron described!

I agree with the other comments that a VPN isn't necessary for the use case of just paying bills. It would be more helpful for her to learn how to check that a connection is secure with a valid certificate, and how to check domain names to make sure she hasn't landed on a scammer's webpage from an email she thought was a bill from her bank.

-Tamara

On Fri, Oct 6, 2023 at 9:13 AM Cary Gordon <[log in to unmask]> wrote:

> In regard to the description of use #2, *When you want the server that you’re connecting from to not be able to trace where you really are, or specifically think that you’re somewhere else*, there are actually a couple of sub-uses.
>
> If you are in a hotel in Paris and want to appear to be in Omaha so that you can get to Netflix, then a good VPN service will likely work fine.
>
> If you are at home, presuming that you don't live on campus, and you want to appear to be on campus so that you can get to a campus-only resource, you will need a machine on campus that you can reach and tunnel to your resource. This is one of the OG models of VPN.
>
> A systems administrator, nobody I know, might be able to access the resources they manage from their workstation, so they might want to set up a VPN on that workstation and tunnel through it when they are on their yacht in Ibiza (some systems administrators do well) or in their neighbor's hot tub.
>
> Cary
>
> On Fri, Oct 6, 2023 at 6:42 AM Joe Hourclé <[log in to unmask]> wrote:
>
> > > On Oct 5, 2023, at 9:19 PM, charles meyer <[log in to unmask]> wrote:
> > >
> > > My esteemed listmates,
> > >
> > > Patron living on modest Social Security alone is exploring if there’s any free to low cost ($5-10 a month) VPN for her once a month electronic payment of her bank credit card from her checking account using a free library hotspot.
> >
> > (tl;dr: VPNs may not do what you think; video link at the end)
> >
> > I think that it’s important to talk about what exactly VPNs do:
> >
> > They take your traffic, and send it out through a different endpoint. Between you and the VPN’s endpoint, there is an extra layer of encryption, but there isn’t anything extra between the VPN and final destination (like the bank).
> >
> > There are two main uses for VPNs:
> > 1. When you’re starting out on an untrusted network
> > 2. When you want the server that you’re connecting from to not be able to trace where you really are, or specifically think that you’re somewhere else.
> >
> > Some of the issues with #1 were because some of the early wireless standards were pretty bad, and there were issues with devices automatically connecting to ‘known’ wireless networks based solely on their name (so if someone set up a network named ‘xfinitywifi’, your device might connect to it if you had ever used a network named ‘xfinitywifi’). Then the network owner could see all of your traffic.
> >
> > As most websites have converted over to use encrypted protocols, as have many other services such as mail, this is less of a problem now, although someone who controls the network can see what servers you’re connecting to (at least the IP address, which might have multiple names associated with it). They shouldn’t be able to see what messages you’re actually sending to that server, at least not in real time.
> >
> > (But that’s not to say that they couldn’t capture all of the packets specifically going to an IP address of a bank, and then take the time to decrypt those specific packets)
> >
> > #2 was originally used for stuff like ‘everything now looks to the servers that I connect to like I’m inside my company’s network’ and the academic community used it a lot for when buying access to databases that were restricted to the company’s IP range, so someone from home could effectively ‘connect from work’.
> >
> > Today, people use it a lot for pretending to be coming from a different country so they can watch streaming movies that aren’t available in their area.
> >
> > …
> >
> > So, why do I mention this?
> >
> > The main thing is that some of the problems that VPNs ‘solved’ have now been fixed with other mitigations (like encrypting most traffic end-to-end).
> >
> > You then get the question as to whom you trust more: the network that you’re currently attached to, or the VPN owner. In some cases, networks did crazy things (like some wireless and cable providers inserting extra info to make it easier for websites to track people), but do we know enough about these VPN operators to trust them?
> >
> > Could they be just sitting around watching for specific types of traffic (connections to known banks or crypto exchanges), and then attempting to decrypt it? Obviously, if they did and it was known, they would lose all credibility immediately… but what do they have to gain by doing it for free?
> >
> > TOR (the onion router) was specifically developed so that journalists and people in repressed countries could communicate without being traced, and I think it even switches endpoints so no one person can easily recombine all of your packets… but there were concerns that if one group ran enough of the servers, they might still be able to get enough packets to undo the security.
> >
> > …
> >
> > So, unless your patron is trying to hide from the servers they’re connecting to (which usually isn’t the case for banking), and their hope is to just encrypt their local traffic, they might just be shifting their risk, not actually mitigating it.
> >
> > They might just be trying to bypass some filtering on your network (my local branch has blocked my ISP, so I can’t connect to their webmail server to pull down files to print), and it will work for that
> >
> > … but much of the hype about VPNs doesn’t quite hold true any more.
> >
> > Even Tom Scott, who for many years received funding for his YouTube channel from a VPN company created a video saying that the hype is overblown:
> >
> > https://m.youtube.com/watch?v=WVDQEoe6ZWY
> >
> > -Joe
>
> --
> Cary Gordon
> The Cherry Hill Company
> http://chillco.com

--
Tamara Marnell
Program Manager, Systems
Orbis Cascade Alliance (orbiscascade.org <https://www.orbiscascade.org/>)
Pronouns: she/her/hers
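
Added example, not part of any message in this thread: a Python sketch of the domain-name check suggested in the top reply, deciding whether a link from a "bill" email really leads to the expected site. The domain mybank.example, the function name and the sample links are constructed for illustration; validating the certificate itself is left to the browser.

```python
from urllib.parse import urlsplit

def check_link(url, expected_domain):
    """Return (ok, reason) for a link that claims to lead to expected_domain."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "link could not be parsed"
    expected = expected_domain.lower().rstrip(".")
    if parts.scheme != "https":
        return False, "not an https link"
    if "@" in parts.netloc:
        # Everything before '@' is a user name, not the site being visited.
        return False, "name before '@' is decoration; real host is " + host
    if not host:
        return False, "no host name in link"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "host uses non-ASCII or punycode lookalike characters"
    # The registered domain is read from the right-hand end of the host name.
    if host == expected or host.endswith("." + expected):
        return True, "host is " + host
    if expected in host:
        return False, "expected name is embedded in another domain: " + host
    return False, "host is " + host + ", not " + expected

# Constructed sample links; mybank.example is a placeholder domain.
SAMPLES = [
    "https://www.mybank.example/pay",
    "http://www.mybank.example/pay",
    "https://mybank.example.account-verify.test/pay",
    "https://mybank.example@203.0.113.7/pay",
    "https://notmybank.example/pay",
    "https://xn--mybnk-3ra.example/pay",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_link(link, "mybank.example"), link)
```
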