In regard to the description of use #2, *When you want the server that
you’re connecting from to not be able to trace where you really are, or
specifically think that you’re somewhere else*, there are actually a couple
of sub-uses.
If you are in a hotel in Paris and want to appear to be in Omaha so that
you can get to Netflix, then a good VPN service will likely work fine.
If you are at home, presuming that you don't live on campus, and you want
to appear to be on campus so that you can get to a campus-only resource,
you will need a machine on campus that you can reach and tunnel to your
resource. This is one of the OG models of VPN.
A systems administrator, nobody I know, might be able to access the
resources they manage from their workstation, so they might want to set up
a VPN on that workstation and tunnel through it when they are on their
yacht in Ibiza (some systems administrators do well) or in their neighbor's
hot tub.
Cary
On Fri, Oct 6, 2023 at 6:42 AM Joe Hourclé <[log in to unmask]> wrote:
> >
> > On Oct 5, 2023, at 9:19 PM, charles meyer <[log in to unmask]> wrote:
> >
> > My esteemed listmates,
> >
> > Patron living on modest Social Security alone is exploring if there’s
> > any free to low cost ($5-10 a month) VPN for her once a month electronic
> > payment of her bank credit card from her checking account using a free
> > library hotspot.
>
> (tl;dr: VPNs may not do what you think; video link at the end)
>
> I think that it’s important to talk about what exactly VPNs do:
>
> They take your traffic, and send it out through a different endpoint.
> Between you and the VPN’s endpoint, there is an extra layer of encryption,
> but there isn’t anything extra between the VPN and final destination (like
> the bank).
>
> There are two main uses for VPNs:
> 1. When you’re starting out on an untrusted network
> 2. When you want the server that you’re connecting from to not be able to
> trace where you really are, or specifically think that you’re somewhere
> else.
>
> Some of the issues with #1 were because some of the early wireless
> standards were pretty bad, and there were issues with devices automatically
> connecting to ‘known’ wireless networks based solely on their name (so if someone set
> up a network named ‘xfinitywifi’, your device might connect to it if you
> had ever used a network named ‘xfinitywifi’). Then the network owner could
> see all of your traffic.
>
> As most websites have converted over to use encrypted protocols, as have
> many other services such as mail, this is less of a problem now, although
> someone who controls the network can see what servers you’re connecting to
> (at least the IP address, which might have multiple names associated with
> it). They shouldn’t be able to see what messages you’re actually sending
> to that server, at least not in real time.
>
> (But that’s not to say that they couldn’t capture all of the packets
> specifically going to an IP address of a bank, and then take the time to
> decrypt those specific packets)
>
> #2 was originally used for stuff like ‘everything now looks to the
> servers that I connect to like I’m inside my company’s network’ and the
> academic community used it a lot for when buying access to databases that
> were restricted to the company’s IP range, so someone from home could
> effectively ‘connect from work’.
>
> Today, people use it a lot for pretending to be coming from a different
> country so they can watch streaming movies that aren’t available in their
> area.
>
> …
>
> So, why do I mention this?
>
> The main thing is that some of the problems that VPNs ‘solved’ have now
> been fixed with other mitigations (like encrypting most traffic end-to-end).
>
> You then get the question as to whom you trust more: the network that
> you’re currently attached to, or the VPN owner. In some cases, networks
> did crazy things (like some wireless and cable providers inserting extra
> info to make it easier for websites to track people), but do we know enough
> about these VPN operators to trust them?
>
> Could they be just sitting around watching for specific types of traffic
> (connections to known banks or crypto exchanges), and then attempting to
> decrypt it? Obviously, if they did and it was known, they would lose all
> credibility immediately… but what do they have to gain by doing it for free?
>
> TOR (the onion router) was specifically developed so that journalists and
> people in repressed countries could communicate without being traced, and I
> think it even switches endpoints so no one person can easily recombine all
> of your packets… but there were concerns that if one group ran enough of
> the servers, they might still be able to get enough packets to undo the
> security.
>
> …
>
> So, unless your patron is trying to hide from the servers they’re
> connecting to (which usually isn’t the case for banking), and their hope is
> to just encrypt their local traffic, they might just be shifting their
> risk, not actually mitigating it.
>
> They might just be trying to bypass some filtering on your network (my
> local branch has blocked my ISP, so I can’t connect to their webmail server
> to pull down files to print), and it will work for that
>
> … but much of the hype about VPNs doesn’t quite hold true any more.
>
> Even Tom Scott, who for many years received funding for his YouTube
> channel from a VPN company, created a video saying that the hype is
> overblown:
>
> https://m.youtube.com/watch?v=WVDQEoe6ZWY
>
> -Joe
>
--
Cary Gordon
The Cherry Hill Company
http://chillco.com