Re: Why do people use VPN's?
Quote:
Originally Posted by
B18C5
When you don't use a VPN, your ISP can monitor you. When you do use the VPN, the people running the VPN can monitor you because they own the exitpoints.
And if they really want to, your ISP can still monitor what you do - they're your gateway to the Internet, and they can see the encryption handshake/SSL negotiation which easily enables a middleman attack.
Of course, the vast majority of providers will never do this, and depending on your country's laws you may even be able to sue them if caught, but nothing is enough for the truly paranoid.
Re: Why do people use VPN's?
Quote:
Originally Posted by
anon-sbi
Quote:
Originally Posted by
B18C5
When you don't use a VPN, your ISP can monitor you. When you do use the VPN, the people running the VPN can monitor you because they own the exitpoints.
And if they really want to, your ISP can still monitor what you do - they're your gateway to the Internet, and they can see the encryption handshake/SSL negotiation which easily enables a middleman attack
Uh....no.
The SSL connection is, with a VPN, encapsulated WITHIN the VPN. There is, if the VPN is of the PPTP variety and using older handshaking (VERY old, say circa 1990's), it could be attacked in a way that would cause the VPN connection to drop, but no actual data stream would continue, however.
But VPN utilizing OpenVPN, no, not even that. The encryption code sequence is way too large, and it was specifically coded to completely resist those types of PPTP attacks (updates to PPTP circa y2000 did render PPTP much harder if not impossible to disrupt).
Certainly if one utilized SSL over an 'open' circuit, disruptions of many types are possible, most obviously since the destination IP address is 'in the clear', the 'circuit' can be disrupted. Again, however, SSL encapsulated within OpenVPN only lists the VPN company's destination IP.
Re: Why do people use VPN's?
Most news servers are using self signed certs too. At least it used to be that way.
Re: Why do people use VPN's?
Quote:
Originally Posted by
Beck38
Uh....no.
The SSL connection is, with a VPN, encapsulated WITHIN the VPN. There is, if the VPN is of the PPTP variety and using older handshaking (VERY old, say circa 1990's), it could be attacked in a way that would cause the VPN connection to drop, but no actual data stream would continue, however.
But VPN utilizing OpenVPN, no, not even that. The encryption code sequence is way too large, and it was specifically coded to completely resist those types of PPTP attacks (updates to PPTP circa y2000 did render PPTP much harder if not impossible to disrupt).
Unless I misunderstood you, I'm talking about initially connecting to a VPN, not establishing an SSL connection to another host when you've already connected to it (the virtual private network).
That would fall under the category of your third paragraph, SSL over "open" circuits, as far as my knowledge goes, if we're talking about an OpenVPN server.
Re: Why do people use VPN's?
I interpret his comment as saying that the VPN itself doesn't use SSL to establish and maintain a secure tunnel to the exit point. So, it's not vulnerable to the same man in the middle attacks that SSL is. Then if you SSL through the VPN tunnel, you have both the encryption of the VPN which protects the secure tunnel AND SSL encryption through the VPN to basically give 2 layers of encryption. A Man in the middle attack would then have to be someplace between the exit point of the VPN and the endpoint (news server).
So, the scenario of the ISP using a Man in the Middle to attack the SSL connection couldn't happen if you were using the VPN too. It also secures the connection from the VPN exit point to the news server.
Wonder if my router could establish the VPN connection so, my whole network would be both behind a router and encrypted to the VPN exit point? Using the PC to VPN seems to put the PC on the open internet which I think is a bad idea.
Re: Why do people use VPN's?
Quote:
Originally Posted by
B18C5
I interpret his comment as saying that the VPN itself doesn't use SSL to establish and maintain a secure tunnel to the exit point. So, it's not vulnerable to the same man in the middle attacks that SSL is.
OpenVPN uses SSL as far as I know, but there are other protocols as well.
Quote:
Wonder if my router could establish the VPN connection so, my whole network would be both behind a router and encrypted to the VPN exit point? Using the PC to VPN seems to put the PC on the open internet which I think is a bad idea.
I think some routers were able to do that, maybe with custom firmware? It depends on which one you have. About putting your PC on the open Internet, you can destroy the routing tables for it after you connect, and add a single one just for the VPN server so that you can reconnect. That also prevents programs from "leaking" your real address in the event of a drop-out.
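The routing change suggested in the post above, modelled as an added example (not part of the original thread): a longest-prefix-match lookup comparing a table that keeps the ISP default route with one that keeps only a host route to the VPN server. The interface names, the documentation-range addresses and the `0.0.0.0/1` + `128.0.0.0/1` pair (the routes OpenVPN's `redirect-gateway def1` installs) are assumptions.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not from the thread.
VPN_SERVER = "203.0.113.10"
NEWS_SERVER = "198.51.100.25"

# Routes the tunnel adds: two /1 prefixes that together override the default.
TUNNEL = [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]

# Common client state: ISP default route is still present under the tunnel.
LEAKY = [("0.0.0.0/0", "eth0"), (VPN_SERVER + "/32", "eth0")] + TUNNEL

# State described in the post: ISP default removed, only the host route
# to the VPN server remains on the physical interface.
LOCKED = [(VPN_SERVER + "/32", "eth0")] + TUNNEL


def egress(table, dst, up):
    """Return the interface chosen by longest-prefix match, or None.

    Routes on interfaces not in `up` are ignored, which approximates the
    kernel dropping a tunnel's routes when the tunnel goes down.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if iface in up and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def report(table):
    """Egress for the news server with the tunnel up, then after a drop."""
    return (egress(table, NEWS_SERVER, {"eth0", "tun0"}),
            egress(table, NEWS_SERVER, {"eth0"}))


if __name__ == "__main__":
    print("leaky :", report(LEAKY))    # falls back to eth0 after the drop
    print("locked:", report(LOCKED))   # unreachable after the drop
    print("reconnect path:", egress(LOCKED, VPN_SERVER, {"eth0"}))
```

With the locked table a tunnel drop leaves application traffic with no route at all, while the VPN server itself stays reachable over the physical interface for the reconnect.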
Re: Why do people use VPN's?
I'm more thinking I don't trust Windows enough to put a windows box on the open Internet.
Quote:
OpenVPN uses SSL as far as I know, but there are other protocols as well.
Wonder if it's possible for the attacker to handle two layers of MITM attack. Haha. Hack the outer connection, then hack the inner SSL connection.
VyprVPN supports PPTP for the "free" version.
"VPN Passthrough (IPSec, PPTP, and L2TP)" My router does this. Need to dig up the manual I guess.
Re: Why do people use VPN's?
Quote:
Originally Posted by
B18C5
Wonder if it's possible for the attacker to handle two layers of MITM attack. Haha. Hack the outer connection, then hack the inner SSL connection.
Unless they really want to snoop on you, I doubt someone would already bother to do one middleman attack - it's merely a possibility.
Quote:
"VPN Passthrough (IPSec, PPTP, and L2TP)" My router does this. Need to dig up the manual I guess.
I think the passthrough only temporarily forwards a port that must be reachable in order to connect.
Re: Why do people use VPN's?
Quote:
Originally Posted by
B18C5
Wonder if my router could establish the VPN connection so, my whole network would be both behind a router and encrypted to the VPN exit point? Using the PC to VPN seems to put the PC on the open internet which I think is a bad idea.
DD-WRT is the s/w that can morph a router to encrypt an entire network; there are several 'flavors' that work with a wide variety of router types, depending on the amount of ram and cpu types that the h/w has.
Over the past few years, as the router manufacturers have upgraded their boxes, DD-WRT has increased its capability as well. As that has happened, many 3rd party folks (including VPN vendors themselves) have offered routers already modified to work with either their systems or particular VPN's as well.