#42874 - 11/26/16 02:23 PM How can I trust I have a secure connection when tr
kevs Offline


Registered: 12/07/09
I took a two-month trip through many countries a couple of years ago and went onto Citibank many times. I can't remember if I was on a secure connection at the hotel, but now I worry. You cannot type in your user/pass unless you are sure it's 100% secure, correct? Would be madness in today's hack world, right?

#42880 - 11/27/16 09:22 AM Re: How can I trust I have a secure connection when tr [Re: kevs]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
There is no absolute guarantee of safety or privacy. Whatever security measures can be created by humans can be subverted by humans. Paper checks can be stolen from the mail or forged, debit card numbers and PINs can be captured from an ATM or gasoline pump, your data can be captured through a third party network server, cash can be stolen from your pocket. A friend had his passport, all of his identification, money, credit cards, and a laptop filled with lots of very valuable proprietary information stolen by thieves who pumped sleeping gas into the Russian railroad car he was traveling in and cleaned out every passenger in the coach.

The absolute best you can hope for is to reduce the risk to an acceptable level and what is acceptable is a personal decision. The risk of logging on to WiFi networks in hotels, airports, on airlines, in coffee shops is statistically greater than logging on at your home or office, but probably not that much greater — provided you use common sense and a modicum of caution. But again it all depends on how paranoid you are and your personal comfort level. NOTE: being a little paranoid is probably wise.

If you are seriously concerned about security for whatever reason, willing to spend some money, can accept slower data transfer rates, and can tolerate some inconvenience you can get a significant security increase by using a VPN (Virtual Private Network). There are a number of VPN clients available through the App Store and most are available for MacOS, iOS, and many even support WatchOS. As an example VPN Unlimited is available on all three platforms, is highly rated, and costs $5 a month ($25 a year) and a subscription covers five devices. There are free VPN services, but like most things, you get what you pay for.


Edited by joemikeb (11/27/16 09:33 AM)
Edit Reason: URL did not work
_________________________
joemikeb • moderator

#42883 - 11/27/16 01:07 PM Re: How can I trust I have a secure connection when tr [Re: joemikeb]
kevs Offline


Registered: 12/07/09
Thanks Joe, nice post. I traveled 2 months 3 years ago and was continuously logging onto Citi, my bank without a thought. But now, I'm thinking.

VPN, how slow/laborious is that? Can I just buy a month before going on a trip?

What is the "common sense and a modicum of caution" I provide at my hotel or coffee shop?

When I type in citicards.com, I see in Firefox a green padlock, and it says verified secure by Symantec. And it says https. Will I see that abroad too? Of course I'm seeing that before even logging in, and if the wifi is compromised it won't matter, right? Someone can be looking at my keystrokes. How can one know no one is looking at my keystrokes?

#42885 - 11/27/16 04:01 PM Re: How can I trust I have a secure connection when tr [Re: kevs]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
How much a VPN will slow you down depends on the hosting company, which of their servers scattered around the country and around the world you are hitting, time of day, network load, server load, in other words typical network speed considerations but there is/are added links in the chain.

Laboriousness depends on the particular VPN provider and the design of their client on your MacOS or iOS device. Again depending on the VPN provider there are a number of different payment options. VPN Unlimited even offers a three week "vacation" option.

HTTPS (Hyper Text Transfer Protocol Secure) which you will see in the URL and confirmed by your "green padlock" does provide for encrypting traffic both directions. But as I said previously
Originally Posted By: joemikeb
Whatever security measures can be created by humans can be subverted by humans.
and a sufficiently determined thief can break that encryption. Using VPN would not replace HTTPS but would add another layer of security and encryption.

Back in the heyday of mainframe computers, it was thought the volume and complexity of their data was sufficient protection. That evolved to a security philosophy that you were secure if it would cost more to break the security than the value of the protected information was worth. Today, with the use of thousands and tens of thousands of slaves (computers owned and operated by unwitting users) and bots spawned from those slave computers constantly roaming the internet looking for any vulnerable computer, breaking security costs next to nothing. In fact ransomware has emerged as a highly profitable enterprise.


Edited by joemikeb (11/27/16 04:10 PM)
Edit Reason: $*&# Spell check
_________________________
joemikeb • moderator

#42886 - 11/27/16 04:23 PM Re: How can I trust I have a secure connection when tr [Re: joemikeb]
kevs Offline


Registered: 12/07/09
I'm sure I have some follow up answers percolating, but for now I'll ask Joe:

For travel, a few weeks, month, what do you do Joe or recommend?

Do you bother with the VPN or just take calculated risk at the hotel or Starbucks? And there is no way to know if prying eyes are there?

#42891 - 11/28/16 05:22 AM Re: How can I trust I have a secure connection when tr [Re: kevs]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
In most cases, the SSL (via HTTPS) that financial websites use will provide adequate protection. SSL has two useful features. The first is the encryption - it uses asymmetric public key encryption to ensure that the data is unreadable by anyone with access to it as it passes between you and your bank.

The second and less known feature is the chain of trust on the SSL certificate. OS's (and some web browsers) ship with a small collection of "root" / "anchor" certificates, usually from registrars and big companies (Verisign, Apple, Microsoft, etc.). Everyone that purchases SSL certificates (so they can use HTTPS) has them signed by someone's root certificate, so your browser will automatically accept and use them. If you browse to an HTTPS site that sends you a certificate (to use to start the SSL encryption) that is NOT signed by one of the root certificates on your computer (or signed by someone else who themselves is signed, that's why it's a "chain of trust") then you will receive a warning and be asked if you want to trust this dubious certificate. Just don't ignore that warning - you will receive it when the page first loads, BEFORE you have entered any information on the page. You may also receive a warning after entering information when you click Submit, look for your browser to warn you that you're submitting information insecurely, which it should NEVER do on something like a bank page. If it's any site you're used to going to, that warning popping up is virtually guaranteed to indicate an attempt to eavesdrop. These actions are usually done on a very local level, i.e. the router you are connected to is under someone's control and is orchestrating the attack on your computer, it's not just some random nut job in Pakistan doing it.

But as others have said, all of this is subject to exceptions. It doesn't MAKE you secure, it makes you MORE secure than you would be otherwise. A properly configured VPN is a little better because it can provide a higher grade of protection against spoofing of certificates (by state level actors that may have control over a registrar and can thus bypass all of the protections of SSL/HTTPS) and also makes it much more difficult (but NOT impossible) to tell what URLs you are visiting. There's a reason China doesn't like VPNs, it makes their state-level dragnet surveillance a lot more difficult.

If someone wants you bad enough, they're going to get you, it's just that simple. Most businesses that send execs to China give them rigorous training on security while they're there, they use VPN 100% of the time, and the laptops and cell phones are all wiped and disposed of when they get back. Bigger companies also use rotating sets of SIM cards for their phones to help secure their communications while abroad. Every week your IT guy will hand everyone a pillbox with a SIM card in each day compartment. Every morning everyone changes SIMs (and thus phone numbers), and everyone will have the correct contact list for everyone else for that day. Is that bulletproof? NO, see above. But it's better than not.

See also: evil maid attack "It's just really hard to defend against an attacker who has physical access to your device."
_________________________
I work for the Department of Redundancy Department
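
The chain-of-trust check described in the post above, as an added example that is not part of any post in this thread: it builds a constructed root, intermediate and site certificate with `openssl`, then shows that a certificate for the same host name signed by an unknown root (as a router under someone else's control would have to present) fails validation, which is what triggers the browser warning. All names (`trusted-root`, `rogue-root`, `bank.example`) are made up for the demonstration.

```shell
#!/bin/sh
# Added example: every name and certificate here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension files: one marks a certificate as allowed to sign others (a CA),
# the other marks it as an end-entity (web site) certificate.
printf 'basicConstraints=critical,CA:TRUE\n'  > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\n' > "$WORK/leaf.ext"

# new_csr NAME CN: generate a key pair and a signing request for subject CN.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# make_root NAME: create a self-signed root ("anchor") certificate.
make_root() {
    new_csr "$1" "$1"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/ca.ext" -days 1 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue ISSUER NAME CN EXT: certificate for CN, signed with ISSUER's key.
# EXT is "ca" for an intermediate or "leaf" for a web site certificate.
issue() {
    new_csr "$2" "$3"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$4.ext" \
        -days 1 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verdict LEAF SENT: validate LEAF the way a client does. SENT is the extra
# certificate the server supplies alongside it; only trusted-root is in the
# local trust store. Prints "trusted" or "warning".
verdict() {
    if openssl verify -CAfile "$WORK/trusted-root.crt" \
        -untrusted "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
    then echo trusted
    else echo warning
    fi
}

# Genuine chain: root in the trust store -> intermediate -> site certificate.
make_root trusted-root
issue trusted-root intermediate "Constructed Intermediate CA" ca
issue intermediate bank bank.example leaf

# Interception: same host name, but signed by a root the client never shipped.
make_root rogue-root
issue rogue-root fake-bank bank.example leaf

echo "genuine site:     $(verdict bank intermediate)"
echo "intercepted site: $(verdict fake-bank rogue-root)"
```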

#42892 - 11/28/16 09:31 AM Re: How can I trust I have a secure connection when tr [Re: kevs]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: kevs
For travel, a few weeks, month, what do you do Joe or recommend?

Do you bother with the VPN or just take calculated risk at the hotel or Starbucks? And there is no way to know if prying eyes are there?

There is no simple single answer to your question. It depends on where I am traveling for how long and where I will be using someone else's WiFi.

Some background affecting my choices/recommendations: I am retired and have no classified or proprietary information to protect but I have been hit with significant fraudulent credit card transactions every year or so (for example a $10,000 first class airline ticket from Dubai to Berlin). My bank and credit card accounts have very sensitive triggers to signal me of questionable or in some cases any transactions, and I have never lost any money, but neither have I been able to identify a source of the fraudulent transactions. I have no reason to suspect the internet as the source of the fraudulent transactions.

However, your questions make me wonder if I am more sanguine than I should be. On reflection I have to ask if I am any less vulnerable on my WiFi network at home than I am at the local Starbucks or a resort at Walt Disney World? Which raises the question, "should I be using VPN all the time from everywhere?" IF...
  • I had a reasonably priced VPN subscription and
  • my various devices were configured to use it and
  • it were virtually transparent in operation and
  • it did not impose a significant performance hit
I might use VPN all the time, even on my computer at home. To the extent any of those IFs is less true the less I would use VPN.

If I am out for the day and using the internet at the local Starbucks, the Apple Store, the Cafe at the local museum, etc. or if I am on the road and using WiFi in major hotels, resorts that have a vested interest in protecting their guests' privacy I will verify whose WiFi network I am connecting through and trust HTTPS to provide adequate security. (On reflection if I were looking to exploit someone else's online transactions exploiting a WiFi network at a Starbucks would offer a rich supply of tempting targets. I will have to think more about that. 😒 )

If I am on an extended trip away from home where I might be using questionable WiFi networks such as at airports, camp grounds, roadside motels, even highway rest stops, the extra protection offered by VPN would probably be enough to override any additional cost and inconvenience, but that is a situational judgement call.

Traveling overseas I would use VPN for many reasons beyond simple information security.
_________________________
joemikeb • moderator

#42897 - 11/28/16 10:45 AM Re: How can I trust I have a secure connection when tr [Re: joemikeb]
freelance Offline


Registered: 08/05/09
Loc: London, UK
I have been using Opera's browser for some time now. It recently started offering a free VPN service from within the browser. Open a private browsing window, select VPN and choose from a list of locations.

I have no idea if it works, except that Opera vouches for it.

Does anyone have any experience using the service?
_________________________
Mac Pro dual-2.4 GHz, 10.13.6, 24 Gb RAM, 250 Gb Samsung EVO SSD/Velocity Solo PCIe card, 2x3Tb Seagate HD, 1x3Tb Hitachi HD, Dell 2408WFP; Canon PIXMA iX6550; CanoScan 8800F; MacBook Air 1.8 Ghz, 8 Gb RAM, 10.14.1, 256 Gb SSD; BT Home Hub 6/Wi-Fi Extender.

#42919 - 11/28/16 06:05 PM Re: How can I trust I have a secure connection when tr [Re: joemikeb]
kevs Offline


Registered: 12/07/09
Thanks Virtual/ Joe.

So if you have the https and padlock, and you go to bank, or Facebook etc, even from a random cafe in Senegal, you don't need the VPN correct? You are 99.99 % safe? You see https and a padlock.

Other than sites like my bank, and my Facebook password, and a few other sites, I don't think I care if people see what sites I'm browsing on, I just don't want my password nabbed. That is my chief concern.

I can't imagine anyone in my apartment building looking into my browsing history, and I'm a paranoid guy generally speaking!
I just don't see that happening. But who knows?

I have not used Opera in a while, and did the update, but after that was done, it did not restart as it said it would and asked to update again, so I'm not bothering. Sounds nice though.

PS for maid scenario, I set up laptop to ask for password immediately, so if she opens it after I leave she won't be able to get in.



Edited by kevs (11/28/16 06:29 PM)

#42922 - 11/29/16 05:14 AM Re: How can I trust I have a secure connection when tr [Re: kevs]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: kevs
So if you have the https and padlock, and you go to bank, or Facebook etc, even from a random cafe in Senegal, you don't need the VPN correct? You are 99.99 % safe? You see https and a padlock.

Assuming your computer hasn't been physically compromised, no government or law enforcement is after you, and your bank/site you are visiting (and their registrar) hasn't been hacked, you're safe without needing a VPN. The prior requirements are what make up the remaining 0.01%.

VPN will provide substantially improved protection vs everything above except physical compromise of your computer, or legal/hacking action against your VPN provider.
_________________________
I work for the Department of Redundancy Department

#42938 - 11/29/16 11:15 AM Re: How can I trust I have a secure connection when tr [Re: Virtual1]
kevs Offline


Registered: 12/07/09
Thanks Virtual, what else would you want VPN for?

And agree is set to require password immediately, that should eliminate the maid or anyone else ever getting in.

#42940 - 11/29/16 01:41 PM Re: How can I trust I have a secure connection when tr [Re: kevs]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
Another advantage of a VPN is that it gets around ISP-level blocks or geographical blocks.

Say you're using an ISP that filters certain "bad" Web sites, like sites that deal with adult materials or radiator repair shops. (Not kidding on this; because filtering software is prone to error and misclassification, it tends to be overbroad in its blocking--in one well-publicized event from about ten years ago, several supposed "porn filters" ended up blocking a place called A1 Radiator Repairs in upstate New York, much to the consternation of the owner).

Using a VPN will get around these blocks. If I'm on the Amtrak train from Portland to Vancouver BC, a route I travel often, the train's Internet aggressively blocks sites (including sites that have nothing to do with 'adult' material), and sometimes these are sites I need to get to. Like a technical support site for Parallels virtual machine software, for instance.

When you use a VPN, you get around these blocks. Amtrak won't make a connection to the blocked sites, but it will make a connection to the VPN server. The VPN server then goes to the blocked site, fetches it, and sends it back.

I run a VPN server in Portland. When I'm in Canada, I occasionally use it to deal with sites that look at my IP address, see that I'm in Canada, and either try to reroute me to their Canadian server or deny access to Canadian users altogether.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#42947 - 11/30/16 04:57 AM Re: How can I trust I have a secure connection when tr [Re: kevs]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: kevs
Thanks Virtual, what else would you want VPN for?

Sometimes it's a bit the reverse, it's possible that some things won't work on VPN. Some region-locked services (or services that charge different amounts depending on the region) recognize that people are using VPN to get around the restrictions, and may refuse to work while you are using it. Many online services won't let you sign up with them while using a proxy or sometimes a VPN, but you're fine to use it on the VPN once you've signed up. So make sure you have all your subscriptions set up before traveling (like for Netflix etc). You can test your VPN before you depart, the service won't be able to tell where you are when you're using it. So it should look the same to them when you're connecting from your home as it does when you're in Brazil. Other services will region-lock you based on where the bank your billing credit card was issued from. If you use a Visa card with a billing address in the USA, your services (and prices!) may be based on the USA region regardless of where you are when you're online. (I've seen several examples of where airfares were displaying different prices for the same origin/destination ticket, depending on weird factors like where you were browsing, cookies set in your browser, or even WHICH browser you were using)

But getting more back to your original question, there are quite a few uses for VPN. Some people use it to get around web page restrictions while they're at work or somewhere else that's got "childproofed web browsing" on their router. I know several people that use it when running bittorrent, to prevent their ISP from receiving DMCA notices and threatening to cancel their internet service as a result. In the past, VPNs have been a bit slow and high latency, since you're bouncing your connection off a site that's say, in Norway when you and the web page are both in the USA, but lately speed has been a big selling point with VPNs so they tend to be pretty fast, and not too noticeable even when running something like bittorrent. (I've also heard of people running bittorrent from their campus dorm via VPN because the campus router blocks P2P services, very common)

Paranoid people that want to post an anonymous complaint on their company's own website often use VPN or some other sort of proxy to provide a better guarantee of anonymity. But take care, where your VPN provider is physically located will dictate which laws they have to follow. You'll notice there aren't a lot of VPNs based in the USA, for obvious reasons. Legally speaking, the USA is becoming quite a surveillance state, in part due to the laws on the books and in part due to the snoops (NSA etc) flouting and outright ignoring the privacy laws that do exist. So if your VPN is based where you live or where you are connecting, there's almost certainly legal authority to retrieve your records. All the "good" VPNs are based in countries with strict privacy laws, and will not keep logs, so that in the event the court does toss a subpoena at them they'll just say "okay, here's your big fat nothing!"

The UK however, has taken great strides recently in becoming the ultimate surveillance state. Not only will they rifle through your bits, but they're now legally obligating providers to keep all logs for a year, ensuring they have lots of your bits readily available to dig through at their leisure:
https://www.theguardian.com/world/2016/n...te-surveillance
Clearly there won't be any VPNs based there! Several countries have already restricted or banned use of VPNs, it's only a matter of time before the number of countries that can host a VPN or you can legally use one will be in the minority.

It's all a bit depressing. This is not how I'd envisioned my future. Technology was supposed to make it all get better, not worse...
_________________________
I work for the Department of Redundancy Department

#42974 - 11/30/16 07:00 PM Re: How can I trust I have a secure connection when tr [Re: Virtual1]
kevs Offline


Registered: 12/07/09
Thanks Tacit/ Virtual, good info. I'm leaning towards not bothering with VPN, as I think https will suffice, but good to know. Does it slow down surfing web a lot?

A good friend calls all the impositions you get at the airports post 9/11 the "Bin Laden" tax. Hence applies to everything you are saying.

#42982 - 12/01/16 06:52 AM Re: How can I trust I have a secure connection when tr [Re: kevs]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: kevs
Thanks Tacit/ Virtual, good info. I'm leaning towards not bothering with VPN, as I think https will suffice, but good to know. Does it slow down surfing web a lot?

The encryption overhead technically does slow down your computer and the server a little bit, but they've worked hard to optimize that so it's not too bad, and you're already dealing with a lot of latency over the internet, so you won't be able to notice any delay.

Quote:
A good friend calls all the impositions you get at the airports post 9/11 the "Bin Laden" tax. Hence applies to everything you are saying.

Yeah I don't think blaming any one specific person or event really is justified. It seems to me that the problem isn't so much the "contributing factors" as it is the "response". If you're walking down the street and pass me and I suddenly yell "BOO!" and you drop your phone on the ground and break it, is it my fault? Well, technically if I hadn't done that you probably wouldn't have dropped your phone. You might even blame me. But it was your reaction that caused you to drop your phone. It's unreasonable to assume that anyone I say BOO to is being forced to drop whatever it is they are carrying. Now you walk down the street wearing earplugs, "because I forced you to"? Is this keeping you safer? I take this view of Security Theatre. If you're going to do something, do something that's effective. Go over to Israel and check out their airports. Guards standing all over the place with UZIs etc. They don't bother so much with X-ray machines, they stick you in a blast-resistant box and press a button, that EMP's you. Got a bomb in your underpants? Either it fries the radio and detonator (so it can't blow up later) or it blows up IMMEDIATELY. That's how you react to a threat. Those guys have been on the front line of terrorism for decades, and they're not hindered by theatrics, they just do what works.

And I still love watching this: https://www.youtube.com/watch?v=J-QE80Sn9AE
_________________________
I work for the Department of Redundancy Department

#42994 - 12/01/16 02:17 PM Re: How can I trust I have a secure connection when tr [Re: Virtual1]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: Virtual1
... Go over to Israel and check out their airports. Guards standing all over the place with UZIs etc. They don't bother so much with X-ray machines, they stick you in a blast-resistant box and press a button, that EMP's you. Got a bomb in your underpants? Either it fries the radio and detonator (so it can't blow up later) or it blows up IMMEDIATELY. That's how you react to a threat. Those guys have been on the front line of terrorism for decades, and they're not hindered by theatrics, they just do what works.

Snopes put that claim under the microscope and debunked it last year. See Blast Rites.

If there's any 'real news' in that regard, a source would be nice to have.

#43006 - 12/02/16 09:37 AM Re: How can I trust I have a secure connection when tr [Re: grelber]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: grelber
Snopes put that claim under the microscope and debunked it last year. See Blast Rites.

If there's any 'real news' in that regard, a source would be nice to have.

Aww that's too bad! Such a good idea.
_________________________
I work for the Department of Redundancy Department

#43097 - 12/09/16 12:09 PM Re: How can I trust I have a secure connection when tr [Re: Virtual1]
jchuzi Online


Registered: 08/04/09
Loc: New York State
Here's a nice article that summarizes many points: Tips for Travelers: Staying Safe on Public Wi-Fi Networks
_________________________
Jon

OS 10.14.2, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
