1 |
On Sun, Jun 12, 2016 at 8:57 AM, Dale <rdalek1967@×××××.com> wrote: |
2 |
|
3 |
> Howdy, |
4 |
> |
5 |
> I ran up on a video website that had some info on it. I found it |
6 |
> interesting and was curious about what it said and another question I |
7 |
> been wondering about. It mentioned using a VPN so that the NSA, my ISP |
8 |
> and others couldn't "see" what was going on. So, my first question, |
9 |
> does that work and does it require the site on the other end to have it |
10 |
> set up as well? Bonus question, is it easy to use on any site if it |
11 |
> doesn't require the other end to use it? I'm thinking of using this for |
12 |
> my banking/financial sites as well if it is a good idea. |
13 |
> |
14 |
|
15 |
Firstly I suggest you dont consider the NSA your adversary, because; |
16 |
1. They're probably not interested in you |
17 |
2. If they are interested in you, just adding a VPN is not going to make |
18 |
much difference. |
19 |
|
20 |
So lets just consider an employee at your ISP. |
21 |
|
22 |
There's typically no need to use a VPN when accessing an HTTPS website, as |
23 |
the SSL/TLS already provides most of the privacy that a VPN would supply. |
24 |
The extra that the VPN gives you in this case is to hide which websites |
25 |
you're visiting. So the data is protected in both instances, but the VPN |
26 |
also hides the connection metadata. So if you use just SSL/TLS then your |
27 |
ISP can deduce which bank you have an account with. If you use the VPN as |
28 |
well, then cant even tell that. |
29 |
|
30 |
There are issues with SSL/TLS that could allow someone in the path between |
31 |
you and the bank to decrypt your traffic, and if they can do that they |
32 |
would be able to log into your account if the bank uses simple |
33 |
password/passphrase style auth. The two main SSL/TLS issues are; |
34 |
1. Improperly issued certificates |
35 |
2. Older/weaker crypto |
36 |
|
37 |
The trust system around certificates can be summarised as "you trust any |
38 |
certificate as much as you trust the least trustworthy certificate |
39 |
authority in your trusted certificate store". Your browser ships with many |
40 |
CA certificates in its trusted certificate store. Any of these CAs can |
41 |
issue cryptographically valid certificates for any domain. So, if I manage |
42 |
to fool a CA that I am bigbank.com then i can buy a certificate to |
43 |
bigbank.com. Or, I can just find a staff member of a CA in a very poor |
44 |
country and offer them a big bag of sweet cash to have them issue the |
45 |
certificate for me. Certificate pinning reduces this exposure significantly |
46 |
so use a browser that supports it like chrome or firefox. |
47 |
|
48 |
Weak crypto? Turn off all SSL, TLS 1.0 and 1.1 in the browser, and disable |
49 |
RC4 crypto. That might block you out of some sites with weak crypto that |
50 |
you may still want to use. Assuming your bank has good crypto, use chrome |
51 |
or firefox with the weak crypto disabled for your banking, and another |
52 |
browser for everything else. |
53 |
|
54 |
This is something I been wondering about and I've seen a few posts here |
55 |
> that bump around the edges of this question. As most here know, I use |
56 |
> Gentoo. It's a older install but I keep it up to date. I sit behind a |
57 |
> DSL modem, a older Westell one, and a Linksys router, the old blue nosed |
58 |
> one. Neither modem or router has wireless stuff included. Is that |
59 |
> hardware and my Gentoo install pretty secure for most hackers? |
60 |
|
61 |
|
62 |
If one of those devices is PATing your IP, then that effectively blocks all |
63 |
inbound sessions, so it will prevent anyone on the internet scanning your |
64 |
system, and attempting inbound connections. This makes you much more |
65 |
secure. |
66 |
|
67 |
If there's no PAT, then you need to turn off all unneeded network services |
68 |
(use netstat to show what ports are open), and harden any services you |
69 |
leave on. For example, you could run sshd with only the stricter crypto |
70 |
enabled (this stops most bots as they havent implemented those functions), |
71 |
and run fail2ban to lock out any IPs that are running password guessing |
72 |
attacks. |
73 |
|
74 |
|
75 |
> In other |
76 |
> words, since I don't keep the formula to run car/truck engines on water |
77 |
> here, would this stop most since there is nothing worth stealing here? |
78 |
> I'm not interested in a NSA based hardened install here, just reasonably |
79 |
> secure. |
80 |
> |
81 |
|
82 |
Ok - ignore previous comment on NSA :) |
83 |
|
84 |
> |
85 |
> Basically, I'm just wanting to make sure I'm reasonably secure here. |
86 |
> |
87 |
> |
88 |
With regular patching and the above, you should be in pretty good shape. |
89 |
Next step after that would probably be to look at gcc's stack protector. In |
90 |
gcc 4.9.0+ -fstack-protector-strong is enabled by default. And in the |
91 |
kernel .config set CONFIG_CC_STACKPROTECTOR_STRONG=y. |
92 |
|
93 |
Then after that take a look at hardened sources and PaX (still on my todo |
94 |
list) |