There's also #3, connecting to a network so you can access its internal
resources. For example, OpenVPN can be installed on the router in an office
or a server in AWS, and then employees working from home can access the
machines in that office's LAN or AWS virtual network.

However, this is not a scenario relevant to the particular patron
described! I agree with the other comments that a VPN isn't necessary for
the use case of just paying bills. It would be more helpful for her to
learn how to check that a connection is secure with a valid certificate,
and how to check domain names to make sure she hasn't landed on a scammer's
webpage from an email she thought was a bill from her bank.

-Tamara

On Fri, Oct 6, 2023 at 9:13 AM Cary Gordon <[log in to unmask]> wrote:

> In regard to the description of use #2, *When you want the server that
> you’re connecting from to not be able to trace where you really are, or
> specifically think that you’re somewhere else*, there are actually a couple
> of sub-uses.
>
> If you are in a hotel in Paris and want to appear to be in Omaha so that
> you can get to Netflix, then a good VPN service will likely work fine.
>
> If you are at home, presuming that you don't live on campus, and you want
> to appear to be on campus so that you can get to a campus-only resource,
> you will need a machine on campus that you can reach and tunnel to your
> resource. This is one of the OG models of VPN.
>
> A systems administrator, nobody I know, might be able to access the
> resources they manage from their workstation, so they might want to set up
> a VPN on that workstation and tunnel through it when they are on their
> yacht in Ibiza (some systems administrators do well) or in their neighbor's
> hot tub.
>
> Cary
>
> On Fri, Oct 6, 2023 at 6:42 AM Joe Hourclé <[log in to unmask]> wrote:
>
> > >
> > > On Oct 5, 2023, at 9:19 PM, charles meyer <[log in to unmask]> wrote:
> > >
> > > My esteemed listmates,
> > >
> > > Patron living on modest Social Security alone is exploring if there’s
> > > any free to low cost ($5-10 a month) VPN for her once a month electronic
> > > payment of her bank credit card from her checking account using a free
> > > library hotspot.
> >
> > (tl;dr: VPNs may not do what you think; video link at the end)
> >
> > I think that it’s important to talk about what exactly VPNs do:
> >
> > They take your traffic, and send it out through a different endpoint.
> > Between you and the VPN’s endpoint, there is an extra layer of encryption,
> > but there isn’t anything extra between the VPN and final destination (like
> > the bank).
> >
> > There are two main uses for VPNs:
> > 1. When you’re starting out on an untrusted network
> > 2. When you want the server that you’re connecting from to not be able to
> > trace where you really are, or specifically think that you’re somewhere
> > else.
> >
> > Some of the issues with #1 were because some of the early wireless
> > standards were pretty bad, and there were issues with devices automatically
> > connecting to ‘known’ wireless networks based solely on their name (so if
> > someone set up a network named ‘xfinitywifi’, your device might connect to
> > it if you had ever used a network named ‘xfinitywifi’).  Then the network
> > owner could see all of your traffic.
> >
> > As most websites have converted over to use encrypted protocols, as have
> > many other services such as mail, this is less of a problem now, although
> > someone who controls the network can see what servers you’re connecting to
> > (at least the IP address, which might have multiple names associated with
> > it).  They shouldn’t be able to see what messages you’re actually sending
> > to that server, at least not in real time.
> >
> > (But that’s not to say that they couldn’t capture all of the packets
> > specifically going to an IP address of a bank, and then take the time to
> > decrypt those specific packets)
> >
> > #2 was originally used for stuff like ‘everything now looks to the
> > servers that I connect to like I’m inside my company’s network’ and the
> > academic community used it a lot for when buying access to databases that
> > were restricted to the company’s IP range, so someone from home could
> > effectively ‘connect from work’.
> >
> > Today, people use it a lot for pretending to be coming from a different
> > country so they can watch streaming movies that aren’t available in their
> > area.
> >
> > …
> >
> > So, why do I mention this?
> >
> > The main thing is that some of the problems that VPNs ‘solved’ have now
> > been fixed with other mitigations (like encrypting most traffic end-to-end).
> >
> > You then get the question as to whom you trust more—the network that
> > you’re currently attached to, or the VPN owner.  In some cases, networks
> > did crazy things (like some wireless and cable providers inserting extra
> > info to make it easier for websites to track people), but do we know enough
> > about these VPN operators to trust them?
> >
> > Could they be just sitting around watching for specific types of traffic
> > (connections to known banks or crypto exchanges), and then attempting to
> > decrypt it?  Obviously, if they did and it was known, they would lose all
> > credibility immediately… but what do they have to gain by doing it for free?
> >
> > TOR (the onion router) was specifically developed so that journalists and
> > people in repressed countries could communicate without being traced, and I
> > think it even switches endpoints so no one person can easily recombine all
> > of your packets… but there were concerns that if one group ran enough of
> > the servers, they might still be able to get enough packets to undo the
> > security.
> >
> > …
> >
> > So, unless your patron is trying to hide from the servers they’re
> > connecting to (which usually isn’t the case for banking), and their hope is
> > to just encrypt their local traffic, they might just be shifting their
> > risk, not actually mitigating it.
> >
> > They might just be trying to bypass some filtering on your network (my
> > local branch has blocked my ISP, so I can’t connect to their webmail server
> > to pull down files to print), and it will work for that
> >
> > … but much of the hype about VPNs doesn’t quite hold true any more.
> >
> > Even Tom Scott, who for many years received funding for his YouTube
> > channel from a VPN company, created a video saying that the hype is
> > overblown:
> >
> > https://m.youtube.com/watch?v=WVDQEoe6ZWY
> >
> > -Joe
> >
>
>
> --
> Cary Gordon
> The Cherry Hill Company
> http://chillco.com
>


-- 

Tamara Marnell
Program Manager, Systems
Orbis Cascade Alliance (orbiscascade.org <https://www.orbiscascade.org/>)
Pronouns: she/her/hers
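
The domain-name check suggested at the top of this message, written out as an added Python example that is not part of the original thread. `check_link` is a hypothetical helper, and `bank.example` and the sample links are constructed placeholders; certificate validation is left to the browser.

```python
from urllib.parse import urlsplit

# Assumption: the domain the bank really uses. "bank.example" is a constructed
# placeholder under the reserved .example TLD, not a real site.
EXPECTED_DOMAINS = {"bank.example"}


def check_link(url, expected=EXPECTED_DOMAINS):
    """Return (ok, reason) for a link copied from an email or the address bar."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    except ValueError:
        return False, "link could not be parsed"
    if parts.scheme != "https":
        return False, "not an https:// link"
    if not host:
        return False, "no host name in the link"
    # "https://bank.example@other.test/" goes to other.test, not bank.example.
    if parts.username is not None:
        return False, f"the part before '@' is decoration; the real host is {host}"
    # Look-alike letters (for example Cyrillic) show up as non-ASCII or "xn--".
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, f"non-ASCII (possible look-alike) host name: {host!r}"
    # Read the name from the right: it must BE the expected domain or end with
    # ".<expected domain>". Starting with the bank's name proves nothing.
    if any(host == d or host.endswith("." + d) for d in expected):
        return True, f"{host} belongs to an expected domain"
    return False, f"{host} is not under any expected domain"


# Constructed sample links, as they might appear in a "your bill is ready" email.
SAMPLES = [
    "https://www.bank.example/pay",
    "http://www.bank.example/pay",
    "https://bank.example.billing.test/pay",
    "https://bank.example@billing.test/pay",
    "https://b\u0430nk.example/pay",  # second letter is Cyrillic U+0430
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print("OK    " if ok else "REJECT", ascii(link), "-", reason)
```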