| 1 |
On Sun, Jun 12, 2016 at 8:57 AM, Dale <rdalek1967@×××××.com> wrote: |
| 2 |
|
| 3 |
> Howdy, |
| 4 |
> |
| 5 |
> I ran up on a video website that had some info on it. I found it |
| 6 |
> interesting and was curious about what it said and another question I |
| 7 |
> been wondering about. It mentioned using a VPN so that the NSA, my ISP |
| 8 |
> and others couldn't "see" what was going on. So, my first question, |
| 9 |
> does that work and does it require the site on the other end to have it |
| 10 |
> set up as well? Bonus question, is it easy to use on any site if it |
| 11 |
> doesn't require the other end to use it? I'm thinking of using this for |
| 12 |
> my banking/financial sites as well if it is a good idea. |
| 13 |
> |
| 14 |
|
| 15 |
Firstly I suggest you dont consider the NSA your adversary, because; |
| 16 |
1. They're probably not interested in you |
| 17 |
2. If they are interested in you, just adding a VPN is not going to make |
| 18 |
much difference. |
| 19 |
|
| 20 |
So lets just consider an employee at your ISP. |
| 21 |
|
| 22 |
There's typically no need to use a VPN when accessing an HTTPS website, as |
| 23 |
the SSL/TLS already provides most of the privacy that a VPN would supply. |
| 24 |
The extra that the VPN gives you in this case is to hide which websites |
| 25 |
you're visiting. So the data is protected in both instances, but the VPN |
| 26 |
also hides the connection metadata. So if you use just SSL/TLS then your |
| 27 |
ISP can deduce which bank you have an account with. If you use the VPN as |
| 28 |
well, then cant even tell that. |
| 29 |
|
| 30 |
There are issues with SSL/TLS that could allow someone in the path between |
| 31 |
you and the bank to decrypt your traffic, and if they can do that they |
| 32 |
would be able to log into your account if the bank uses simple |
| 33 |
password/passphrase style auth. The two main SSL/TLS issues are; |
| 34 |
1. Improperly issued certificates |
| 35 |
2. Older/weaker crypto |
| 36 |
|
| 37 |
The trust system around certificates can be summarised as "you trust any |
| 38 |
certificate as much as you trust the least trustworthy certificate |
| 39 |
authority in your trusted certificate store". Your browser ships with many |
| 40 |
CA certificates in its trusted certificate store. Any of these CAs can |
| 41 |
issue cryptographically valid certificates for any domain. So, if I manage |
| 42 |
to fool a CA that I am bigbank.com then i can buy a certificate to |
| 43 |
bigbank.com. Or, I can just find a staff member of a CA in a very poor |
| 44 |
country and offer them a big bag of sweet cash to have them issue the |
| 45 |
certificate for me. Certificate pinning reduces this exposure significantly |
| 46 |
so use a browser that supports it like chrome or firefox. |
| 47 |
|
| 48 |
Weak crypto? Turn off all SSL, TLS 1.0 and 1.1 in the browser, and disable |
| 49 |
RC4 crypto. That might block you out of some sites with weak crypto that |
| 50 |
you may still want to use. Assuming your bank has good crypto, use chrome |
| 51 |
or firefox with the weak crypto disabled for your banking, and another |
| 52 |
browser for everything else. |
| 53 |
|
| 54 |
This is something I been wondering about and I've seen a few posts here |
| 55 |
> that bump around the edges of this question. As most here know, I use |
| 56 |
> Gentoo. It's a older install but I keep it up to date. I sit behind a |
| 57 |
> DSL modem, a older Westell one, and a Linksys router, the old blue nosed |
| 58 |
> one. Neither modem or router has wireless stuff included. Is that |
| 59 |
> hardware and my Gentoo install pretty secure for most hackers? |
| 60 |
|
| 61 |
|
| 62 |
If one of those devices is PATing your IP, then that effectively blocks all |
| 63 |
inbound sessions, so it will prevent anyone on the internet scanning your |
| 64 |
system, and attempting inbound connections. This makes you much more |
| 65 |
secure. |
| 66 |
|
| 67 |
If there's no PAT, then you need to turn off all unneeded network services |
| 68 |
(use netstat to show what ports are open), and harden any services you |
| 69 |
leave on. For example, you could run sshd with only the stricter crypto |
| 70 |
enabled (this stops most bots as they havent implemented those functions), |
| 71 |
and run fail2ban to lock out any IPs that are running password guessing |
| 72 |
attacks. |
| 73 |
|
| 74 |
|
| 75 |
> In other |
| 76 |
> words, since I don't keep the formula to run car/truck engines on water |
| 77 |
> here, would this stop most since there is nothing worth stealing here? |
| 78 |
> I'm not interested in a NSA based hardened install here, just reasonably |
| 79 |
> secure. |
| 80 |
> |
| 81 |
|
| 82 |
Ok - ignore previous comment on NSA :) |
| 83 |
|
| 84 |
> |
| 85 |
> Basically, I'm just wanting to make sure I'm reasonably secure here. |
| 86 |
> |
| 87 |
> |
| 88 |
With regular patching and the above, you should be in pretty good shape. |
| 89 |
Next step after that would probably be to look at gcc's stack protector. In |
| 90 |
gcc 4.9.0+ -fstack-protector-strong is enabled by default. And in the |
| 91 |
kernel .config set CONFIG_CC_STACKPROTECTOR_STRONG=y. |
| 92 |
|
| 93 |
Then after that take a look at hardened sources and PaX (still on my todo |
| 94 |
list) |
Archives