>
> On Oct 5, 2023, at 9:19 PM, charles meyer <[log in to unmask]> wrote:
>
> My esteemed listmates,
>
> Patron on living on modest Social Security alone is exploring if there’s any free to low cost ($5-10 a month) VPN for her once a month electronic payment of her bank credit card from her checking account using a free library hotspot.
(tl;dr: VPNs may not do what you think; video link at the end)
I think that it’s important to talk about what exactly VPNs do:
They take your traffic, and send it out through a different endpoint. Between you and the VPN’s endpoint, there is an extra layer of encryption, but there isn’t anything extra between the VPN and final destination (like the bank).
There are two main uses for VPNs:
1. When you’re starting out on an untrusted network
2. When you want the server that you’re connecting from to not be able to trace where you really are, or specifically think that you’re somewhere else.
Some of the issues with #1 were because some of the early wireless standards were pretty bad, and there were issues with devices automatically to ‘known’ wireless networks based solely on their name (so if someone set up a network named ‘xfinitywifi’, your device might connect to it if you had ever used a network named ‘xfinitywifi’). Then the network owner could see all of your traffic.
As most websites have converted over to use encrypted protocols, as have many other services such as mail, this is less of a problem now, although someone who controls the network can see what servers you’re connecting to (at least the IP address, which might have multiple names associated with it). They shouldn’t be able to see what messages you’re actually sending to that server, at least not in real time.
(But that’s not to say that they couldn’t capture all of the packets specifically going to an IP address of a bank, and then take the time to decrypt those specific packets)
#2 I was originally used for stuff like ‘everything now looks to the servers that I connect to like I’m inside my company’s network’ and the academic community used it a lot for when buying access to databases that were restricted to the company’s IP range, so someone from home could effectively ‘connect from work’.
Today, people use it a lot for pretending to be coming from a different country so they can watch streaming movies that aren’t available in their area.
…
So, why do I mention this?
The main thing is that some of the problems that VPNs ‘solved’ have now been fixed with other mitigations (like encrypting most traffic end-to-end).
You then get the question as to whom you trust more—- the network that you’re currently attached to, or the VPN owner. In some cases, networks did crazy things (like some wireless and cable providers inserting extra info to make it easier for websites to track people), but do we know enough about these VPN operators to trust them?
Could they be just sitting around watching for specific types of traffic (connections to known banks or crypto exchanges), and then attempting to decrypt it? Obviously, if they did and it was known, they would lose all credibility immediately… but what do they have to gain by doing it for free?
TOR (the onion router) was specifically developed so that journalists and people in repressed countries could communicate without being traced, and I think it even switches endpoints so no one person can easily recombine all of your packets… but there were concerns that if one group ran enough of the servers, they might still be able to get enough packets to undo the security.
…
So, unless your patron is trying to hide from the servers they’re connecting to (which usually isn’t the case for banking), and their hope is to just encrypt their local traffic, they might just be shifting their risk, not actually mitigating it.
They might just be trying to bypass some filtering on your network (my local branch has blocked my ISP, so I can’t connect to their webmail server to pull down files to print), and it will work for that
… but much of the hype about VPNs doesn’t quite hold true any more.
Even Tom Scott, who for many years received funding for his YouTube channel from a VPN company created a video saying that the hype is overblown:
https://m.youtube.com/watch?v=WVDQEoe6ZWY
-Joe
|