Ask Leo! #648 – How Does a VPN Protect Me?

Before the articles...

Two friends and acquaintances reached out to me this week with two security-related items I'd like to pass along.

Wordfence, a WordPress website security company, has published an article: Thousands of Hacked Home Routers are Attacking WordPress Sites. What's notable is that they've created a utility you can use to check whether your router is vulnerable. (Thanks to my friend David for the heads-up.)

From Jeff: "I've been receiving a new phone scam on the landline where a 'computerized' voice tells you 'Your Windows License is about to expire, call our 800 number immediately.' I thought you would like to hear about this so you can warn more people than I ever could."

Remember, if THEY call YOU with dire warnings or technical issues you supposedly have, it's almost always a scam. If you're at all uncertain, hang up. Then reach out to someone you already know and trust for help.

Coincidentally, this came across my desk this weekend: "Inside the Tech Support Scam Ecosystem," a fascinating look at the tech support scam landscape, and why the problem's not going away any time soon.

In other news, I've made a (hopefully) minor technical change in the formatting of the newsletter. Ideally you won't notice a thing – unless you're on a mobile device, in which case things will hopefully wrap a little more sensibly.

As always, thanks for being here!

Leo

How Does a VPN Protect Me?


So there's a lot of talk about using a VPN to hide what we do from our ISPs, and you've mentioned using it when using open WiFi. So just how and what are the protections of this versus just connecting through my ISP? What limitations does this have? Can they "see" what I'm doing (like using a BitTorrent), and that is coming from my account?

A VPN, or Virtual Private Network, is one approach to securely connect to a remote resource. Depending on the VPN, that privacy can extend from one end of the connection to the other, or it can protect you only for a certain portion.

I'll describe the different scenarios and how you are, and perhaps are not, protected by a VPN.

No VPN at all

I'll use this scenario as the base: you're in an open WiFi hotspot, connecting to a remote resource like your email, or your bank.

Open Wi-Fi Data Path

All the connections are unencrypted. That includes:

  • The connection from your laptop to the wireless access point (aka hotspot).
  • The connection from the wireless access point to the ISP providing the internet connection.
  • The connection from that ISP to the rest of the internet.
  • The connection to the specific service you're using.

The largest area of concern is the connection from your laptop to the WiFi access point. That open WiFi signal traveling through the air can be "sniffed" (or read) by anyone in range with a laptop and the appropriate software.

Open Wi-Fi Vulnerability

Lately, however, there's been concern about the fact that your ISP can monitor what you're doing. Specifically, they can see every remote site or service you connect to, and can examine all data not otherwise encrypted you exchange with those servers.

WPA encryption

The traditional approach to protect yourself from open WiFi sniffing is to use WPA encryption built into the WiFi specification.

WPA Encrypted Wi-Fi Path

This secures the path between your computer and the WiFi's access point. Hopefully, it's how your home WiFi is configured, so as to prevent nearby homes or others from connecting to your WiFi, and through it, to your network, without the appropriate encryption password.

There are problems with this approach:

  • Most open hotspots at coffee shops, airports, and elsewhere don't use encryption; the password requirement would confuse their customers more than it's worth. That's why these hotspots are called "open".
  • When WPA is used, it protects only the connection between your computer and the WiFi access point. Everything past that point in the diagram above remains "in the clear".

That last point becomes important because all the traffic is visible to the hotspot's owner, should he or she care to peek, and to the internet service provider to which that hotspot is connected.

A VPN service

To protect yourself further, a VPN is a common solution.

A VPN securely encrypts the entire path from your computer to the VPN provider. No one along that path can see your data: not other WiFi users, not the people managing the hotspot, and not the hotspot's ISP.

For open WiFi, or other situations with questionable security (such as connecting to the internet at your hotel), a VPN can be a great solution.

But it's not perfect.

There are some things to note:

  • The connection is only secured up to the VPN's servers; the connection from the VPN provider's servers to the final destination is once again unencrypted. That means the VPN provider, as well as any other networking equipment along the rest of the way, may be able to see your data, and can at least see which servers you're connecting to.
  • You're adding steps between your computer and the server you're accessing. The practical effect of this is that your connection becomes slower. How much slower varies based on the VPN service you're using, their capacity, and the server you're attempting to access.
  • Not all VPN services support all protocols. For example, your web browsing might work, but your attempts to use BitTorrent might not.
  • Not all remote servers allow connections through VPNs. One non-security-related reason to use a VPN is it can make you appear as if you're located in another country. As a result, many services – such as streaming video services – block connections using VPNs.
  • Not all governments allow VPN connections out of their countries, so as to effectively censor what their residents can view.

The ISP you're connecting through can't see, for example, that you're using BitTorrent, but the VPN service can. Your ISP would still see that:

  • You're using a VPN (and which VPN service you're using).
  • You're sending and receiving an awful lot of data.

End-to-end encryption

The only true privacy is achieved with end-to-end encryption. Unfortunately, that isn't possible in many cases, since it must be supported by the service to which you are connecting.

Https is end-to-end encryption

An https connection

Connections you make via https are completely encrypted along the entire path from your machine to the remote server you're accessing. That's why banks (and other services that allow you to access sensitive data) should use https. Most web-based email providers also provide full https connectivity. In fact, more and more sites — including Ask Leo! — are switching to support https.

Similarly, when configuring a POP3, IMAP, or SMTP connection in your email program, if your email provider supports it, choose SSL or TLS. That's the underlying encryption protocol used by secure connections like https. That way, your email uploads and downloads – as well as your log-in information – are completely encrypted along the entire path to your mail server.

Note, however, that even when using https, your ISP can still see which sites you connect to. Only a VPN can hide that information from them.

Https over a VPN?

Just to complete the picture, if you're using a VPN, and you happen to connect to an https web site, your data is doubly encrypted for part of the trip.

Https on a VPN

  • The VPN protects you between your computer and the VPN service.
  • Https protects you between your computer and the service to which you're connecting.

There's really no practical harm. One benefit is that the VPN prevents your ISP from seeing which site you're connecting to.
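
The scenarios above can be summarized as a small model, added here as an illustration and not part of the original newsletter. The observer and layer names are assumptions chosen to mirror the article's diagrams.

```python
# Added illustration (not from the newsletter): who can see what on the article's data path.
# Observer and layer names are assumptions chosen to mirror the article's diagrams.
PATH = ["wifi_sniffer", "hotspot_owner", "isp", "vpn_provider", "internet"]

# layer -> (observers the layer's encryption shields, does it also hide the destination?)
LAYERS = {
    # WPA only covers the radio link between laptop and access point.
    "wpa": ({"wifi_sniffer"}, True),
    # A VPN tunnel covers everything up to the VPN provider's servers.
    "vpn": ({"wifi_sniffer", "hotspot_owner", "isp"}, True),
    # https is end-to-end for content, but the site being contacted stays visible.
    "https": (set(PATH), False),
}


def visibility(protections):
    """Return {observer: (sees_content, sees_destination)} for the given layers."""
    result = {}
    for observer in PATH:
        if observer == "vpn_provider" and "vpn" not in protections:
            continue  # no VPN in use, so no VPN provider on the path
        sees_content = sees_destination = True
        for name in protections:
            shielded, hides_destination = LAYERS[name]
            if observer in shielded:
                sees_content = False
                if hides_destination:
                    sees_destination = False
        result[observer] = (sees_content, sees_destination)
    return result


if __name__ == "__main__":
    scenarios = {
        "open WiFi": set(),
        "WPA": {"wpa"},
        "VPN": {"vpn"},
        "https": {"https"},
        "https over VPN": {"vpn", "https"},
    }
    for label, layers in scenarios.items():
        print(label)
        for observer, (content, destination) in visibility(layers).items():
            print(f"  {observer:14} content={'yes' if content else 'no':3} "
                  f"destination={'yes' if destination else 'no'}")
```

The model tracks only content and destination; as noted above, with a VPN your ISP can still see that you're using a VPN and how much data you're moving.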

Related Links & Comments: How Does a VPN Protect Me?
https://askleo.com/4668


How Do I Encrypt a Hard Drive Using VeraCrypt?

Some time ago, I realized the external hard drive I carry with me when traveling was an easy thing to lose. Some of the data on that drive is encrypted in various ways, but the vast majority is completely unencrypted.

If that conveniently small, portable drive walked off in someone's pocket, they'd have access to a lot of my stuff.

In a forehead-slapping moment, I realized I was going about this all wrong.

I should encrypt the entire drive.

Continue Reading: How Do I Encrypt a Hard Drive Using VeraCrypt?
https://askleo.com/27408

Get the Windows 10 Creators Update Now, If You Like

The Windows 10 "Creators Update" is slowly rolling out via the normal Windows Update channels.

If you're impatient (like me), here's how to get it now.

Continue Reading: Get the Windows 10 Creators Update Now, If You Like
https://askleo.com/27754

What's the Difference Between Spam and Junk Mail?

I use Thunderbird to download my email. Most of my email addresses are "@aol.com." Each of those addresses has both a "junk" and a "spam" folder. Virtually everything that shows up in the junk folder is spam and everything that's in the spam folder is junk. What's the difference between the two folders? My more important question: for quite a while I have been marking all my many emails in my spam folder as junk, moving them to the junk folder, and then deleting them. By doing so is Thunderbird and/or AOL "learning" anything – or am I just wasting my time?

This actually represents a couple of very common points of confusion. One is very easy to clear up; the other, not so much.

First, the easy: the terms junk and spam are synonymous. Some email programs or services call it spam, some call it junk mail, but it's the same thing in either case. What you're seeing in Thunderbird is what happens when those worlds collide.

The confusion about training the spam or junk filters, however, is both important to understand and somewhat more complex. While I'll use your AOL account as an example, this applies to all email services and all desktop email programs that have spam filters.

Continue Reading: What's the Difference Between Spam and Junk Mail?
https://askleo.com/27560

12 Steps To Keep from Getting Your Account Hacked

My account has been hacked into several times. If I'm able to recover it, it just gets hacked again. Sometimes I can't recover it, and I have to start all over with a new account. What can I do to stop this all from happening?

I don't get this question a lot. But I really, really wish I did. What I get instead, repeatedly, is "I've been hacked, please recover my account/password for me!" (Which, for the record, I cannot do, no matter how often, or how nicely, or not so nicely, I'm asked.)

The only salvation is in prevention, and this applies to email, social media, and pretty much any password-protected account you might have.

What can you do to make sure your account doesn't get hacked into in the first place?

Continue Reading: 12 Steps To Keep from Getting Your Account Hacked
https://askleo.com/2641


Leo's Other Projects....

HeroicStories - Since 1999, HeroicStories brings diverse, international voices to the world – reminding us that people are good, that individuals and individual action matter. Stories - new and old - are published twice a week.

Not All News Is Bad - Each day I look for one story in the current news of the day with a positive bent. Just one. And I share it.

leo.notenboom.org - My personal blog. Part writing exercise, part ranting platform, it's where I write about anything and everything and nothing at all.

Help Ask Leo! Just forward this message, in its entirety (but without your unsubscribe link below) to your friends. Or, just point them at https://newsletter.askleo.com for their own FREE subscription!

Newsletter contents Copyright © 2017,
Leo A. Notenboom & Puget Sound Software, LLC.
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC