A couple of security questions ...

pibbuR

Feeling ... lonely?
Joined
November 11, 2019
Messages
2,204
Location
beRgen@noRway
.. which some of you, unlike me, know the answers to.

1. Open WIFI networks.
Yes, I know that they are unsafe, so on hotels I connect to the net via my cell phone. Question: if I use VPN (currently NordVPN), can I then safely use open networks? What about the time from booting my PC until the VPN connection has loaded?

2. VPN at home.
Should I always use VPN on my home LAN/WLAN? Does the answer depend on whether I use WIFI or cabled connection to the router? I'm asking for security/privacy reasons. I don't use VPN to watch Australian Netflix.

3. VPN on my cell phone.
Same question as above.

4. Password managers.
I use the Nordpass manager (paid multiuser version). Works very well methinks. But lately I've read about other password manager systems being hacked. Should I be worried?

5. Ransomware.
Bitdefender offers ransomware protection, which I've enabled. Don't know how good it is. In addition, I have a disk which is only connected to my PC (USB) when I backup files to it, that one should be safe.

For cloud storage, I use OneDrive. How secure is that with respect to ransomware attacks? If I'm attacked, will the rus... eh ... perps also be able to destroy files there? I guess the answer is yes for files synchronising with OneDrive, but perhaps not if I only upload files manually?

p****R
 
1. Open WIFI networks.
Yes, I know that they are unsafe, so on hotels I connect to the net via my cell phone. Question: if I use VPN (currently NordVPN), can I then safely use open networks? What about the time from booting my PC until the VPN connection has loaded?
Starting with the assumption your VPN provider is trusted, yes, a VPN essentially creates a strongly encrypted tunnel between your device and their server, making it very hard for any party in the middle to spy or do nefarious things.

During boot, the OS will connect to the network before the VPN is established, and in theory could leak information. One way round that in hotels is a little travel router. That connects to the open WiFi, establishes a VPN connection, and provides a new WiFi hotspot for you, that can only pass through the VPN.

2. VPN at home.
Should I always use VPN on my home LAN/WLAN? Does the answer depend on whether I use WIFI or cabled connection to the router? I'm asking for security/privacy reasons. I don't use VPN to watch Australian Netflix.

I have a permanent VPN connection on my home router, and all traffic is routed through that. The nature of the LAN isn't too significant - it's to ensure that all household connections are forced through it.

3. VPN on my cell phone.
Same question as above.
Yes. I have a VPN configured on the phone, and Android can be set to only allow connections through that.
4. Password managers.
I use the Nordpass manager (paid multiuser version). Works very well methinks. But lately I've read about other password manager systems being hacked. Should I be worried?
Not really a clear answer to that one. If you're using strong unique passwords, you'll probably need something to keep track of them. Trouble is, that creates a target, and though the encryption algorithms may be strong, the password manager software is as prone to flaws as any other. I do use one, but then make sure that any important services have 2FA set up, to minimise any breach.
5. Ransomware.
Bitdefender offers ransomware protection, which I've enabled. Don't know how good it is. In addition, I have a disk which is only connected to my PC (USB) when I backup files to it, that one should be safe.

For cloud storage, I use OneDrive. How secure is that with respect to ransomware attacks? If I'm attacked, will the rus... eh ... perps also be able to destroy files there? I guess the answer is yes for files synchronising with OneDrive, but perhaps not if I only upload files manually?

p****R
The key thing with ransomware is to ensure that everything is backed up, but in a way that a compromised PC cannot destroy. I believe that happened when the Watch was hacked a few years ago, and some data was lost, because they could get at the backups.

One way is to do pull backups - your backup server runs rsync or such to pull data from your PCs, but they have no permission to write to the server. Another way is to set things up so that a certain number of backups are archived by a separate server, which can't be reached by compromised devices.

For cloud services, every one is different. I know on Google business plans you can set up what is essentially a recycle bin for all user data - when users delete or overwrite data, copies are kept which the admins can retrieve if needed. Not sure about One Drive, tbh
 
I'm never using online password managers, because some passwords are used to set the connection and so it seems to defeat the purpose (I know most of them by heart, except some that I don't use often, for example when I'm traveling). More importantly, I find it very hard to trust a single external location with all my passwords. Even though in this case they seem to know what they're doing, you never know what can happen internally (real motives behind the service, buy-out, disgruntled employee, ...) or whether a bug may allow a leak.

As for using a VPN all the time... I suppose you'd be on the safe side but personally I don't have anything so secret that I feel it worth the extra hassle and cost. It really depends on your personal feelings about it, and the sensitivity of your communications.

And I don't trust OneDrive, MS isn't known for their security or their privacy concern. So when there's something personal I encrypt it before storing it - but I'd do it for any cloud storage. (PS: I'm usually relying on Google Drive for storage, so I'm making sure to encrypt everything sensitive too).
 
I'm never using online password managers, because some passwords are used to set the connection and so it seems to defeat the purpose (I know most of them by heart, except some that I don't use often, for example when I'm traveling). More importantly, I find it very hard to trust a single external location with all my passwords. Even though in this case they seem to know what they're doing, you never know what can happen internally (real motives behind the service, buy-out, disgruntled employee, ...) or whether a bug may allow a leak.

As for using a VPN all the time... I suppose you'd be on the safe side but personally I don't have anything so secret that I feel it worth the extra hassle and cost. It really depends on your personal feelings about it, and the sensitivity of your communications.

And I don't trust OneDrive, MS isn't known for their security or their privacy concern. So when there's something personal I encrypt it before storing it - but I'd do it for any cloud storage. (PS: I'm usually relying on Google Drive for storage, so I'm making sure to encrypt everything sensitive too).
For Linux users there is a 'package' that uses FUSE to make a virtual disk drive for your cloud storage, which encrypts data prior to copying it over the internet and decrypts it upon download.
 
About using the internet on public wifi without a VPN, theoretically that's only vulnerable if you're talking with the server over an insecure channel. Or an improperly implemented secure channel. Generally speaking, if implemented properly, if you're talking with the server over an https/SSL/TLS channel, you should be ok even without a VPN tunnel. So using a VPN server, in that case, just means you're basically "double-securing" the channel (usually superfluously, and also incurring performance penalties) and implicitly hiding the identity of the server you're talking to. If you need that, then yeah, go for it.

The general recommendation of using a VPN when on public wifi was generally for a time when https/TLS weren't as predominant. And if the end-server you're talking to can only support non-secure channels, using a VPN only protects your communication between you and the VPN server. When the VPN server passes your packets along to talk to the end-server, that communication is insecure, just like yours would be if you were talking directly. So it's more of a balancing of where do you think you're more vulnerable. Between you, the wifi node and the end-server or between you, the VPN server and the end-server. Normally, that would indeed be at the wifi-level. But again, all of this is only if you're talking over an insecure channel. If you're already talking over a secure channel, using a VPN at best hides who you're talking to. Which again is another issue. You might have a secure channel in terms of integrity and privacy, but talking with a malicious server. You also need authentication with the end-server, to make sure you're talking with who you expect to be talking to.

As others have said, with all of this in mind, you also have to be very careful about the VPN server/service you're using. To not fall from the frying pan into the oven. When at home especially, you're basically trading if you trust your ISP more than the VPN server, or the other way around. If you're talking with a secure server over a secure channel, that doesn't matter as much (since neither the ISP nor the VPN provider should break that channel), only if you want to hide from your ISP who you're talking to. But then your VPN server knows who you're talking to. And if doing shady things, you're definitely taking a chance there also. If faced with prosecution or fines, you can bet your ass your VPN provider will not risk going to jail to protect you for your 10 dollars a month subscription.
 
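To make the "a VPN at best hides who you're talking to" point concrete, here is an added example (not from anyone in this thread): a small Python script that builds a TLS ClientHello (constructed sample bytes, not a real capture) and pulls the Server Name Indication out of it the way a passive sniffer on a hotel hotspot would. The SNI travels in the clear before any key exchange, so HTTPS protects the content and, with a verified certificate, the server's identity, but not the hostname you asked for; a VPN tunnel hides that leg from the hotspot and moves the same visibility to the VPN provider instead.

```python
"""What an open Wi-Fi observer still learns from an HTTPS connection: the SNI.

Added example, not from the thread. build_client_hello() produces constructed
sample data; extract_sni() is the passive-observer side.
"""
import struct

TLS_HANDSHAKE = 0x16   # record content type
CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Constructed ClientHello record: only the framing the parser needs is
    realistic; the random bytes and cipher list are placeholders."""
    name = hostname.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name        # type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry    # ServerNameList
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                  # legacy_version TLS 1.2
        + bytes(32)                                  # random (placeholder)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record: bytes):
    """Hostname from the SNI extension of a ClientHello record, or None when
    the record is not a ClientHello or carries no SNI. Raises ValueError on
    truncated input instead of guessing."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4:
        raise ValueError("truncated TLS record")
    if hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0

    def take(n: int) -> bytes:           # bounds-checked cursor over body
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                                   # version + random
    take(take(1)[0])                               # session_id
    take(struct.unpack("!H", take(2))[0])          # cipher_suites
    take(take(1)[0])                               # compression_methods
    if pos == len(body):
        return None                                # no extensions block at all
    ext_end = pos + struct.unpack("!H", take(2))[0]
    while pos + 4 <= ext_end:
        ext_type, ext_size = struct.unpack("!HH", take(4))
        ext_data = take(ext_size)
        if ext_type != EXT_SERVER_NAME:
            continue
        q = 2                                      # skip ServerNameList length
        while q + 3 <= len(ext_data):
            name_type = ext_data[q]
            (name_len,) = struct.unpack("!H", ext_data[q + 1:q + 3])
            q += 3
            if name_type == 0:
                return ext_data[q:q + name_len].decode("ascii", "replace")
            q += name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("mail.example.com")
    print("hotspot sees destination:", extract_sni(hello))
```

Encrypted Client Hello is the in-protocol fix for this leak but is far from universally deployed; until it is, the hostname is part of what an open network learns from every TLS connection, however well the certificate is verified.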
About using the internet on public wifi without a VPN, theoretically that's only vulnerable if you're talking with the server over an insecure channel. Or an improperly implemented secure channel. Generally speaking, if implemented properly, if you're talking with the server over an https/SSL/TLS channel, you should be ok even without a VPN tunnel. So using a VPN server, in that case, just means you're basically "double-securing" the channel (usually superfluously, and also incurring performance penalties) and implicitly hiding the identity of the server you're talking to. If you need that, then yeah, go for it.
Yes, I think the concern was probably more about privacy than security. It's not uncommon to have people posing as WiFi hotspots in airports and public locations, analyzing the traffic. It's also possible to use custom SSH tunnelling without paying for a VPN, if you can set up a server of your own, but then it better be well protected.

There's also the traffic that is not related to browsing, but I'm not sure how much of it goes through the VPN. Then some company VPNs are not even set to pass the HTTP/HTTPS traffic, they are limited to the communication between the intranet and the remote computer, which is good to keep in mind.
 
I don't connect using a VPN at all. I don't see much point in doing so unless I'm trying to hide who I am from. I have something. Overall to me it's a hassle more than anything.

I am what some here might term a sheep though but at the same time, I use the Internet as a commoner not a security specialist. I've given all my info to the big tech companies already 🤣
 
The situation has much improved with the widespread use of SSL, but there are still classes of attacks that are possible, and the caution that everything must be properly configured and up to date is a big one. Personally, I think wrapping everything in a VPN, also protecting privacy, makes sense.

I'll give you an example from my situation. I have a server, which runs various VMs and Dockers, providing my own web services. This is not quite as crazy or difficult as it sounds, and there's a big community rolling their own clouds. But, there's no way I'd be confident that all those services are securely configured and maintained to an internet-facing standard - that would be a full time job. So, I keep them behind a VPN, which has one job, and is simple to maintain.

For a general purpose VPN to prevent ISP snooping and so on, we can also roll our own - get a cheap VPS instance, and set up Algo VPN.
 
Thanks to all of you. Some things are still a bit confusing, but I'll work it out.

A couple of things/questions (correct me if I'm wrong).

1. Using unsecured networks and VPN
The connection between my PC and the VPN server is as I understand it encrypted? Connection from the VPN-server and the end-server is not. But I assume that a serious VPN-provider won't use open/unsecured networks for that. But I may still be vulnerable to false hotspots. (probably more likely in Oslo, our capital, than in the much smaller cities Hamar and Lillehammer).

I use NordVPN (they have servers in Norway). Regarding performance, it is affected, of course, but from a practical point of view not too much. Installing Death Stranding, downloading at 38 MB/s, which is around 70% of the maximal bandwidth I can get without VPN. It won't affect watching TV or playing MMOs.

I can of course use my cell phone if that's more secure, but unlimited data will cost me 40-50 USD per month.

2. Protection against ransomware.
Here's what I do. I have two 6 TB disks and a couple of 3 TBs I don't use. And an(a?) USB Docking station which will be connected to my PC only when needed (for backup purposes). By switching between them at least one of them should be OK if I'm attacked while taking a backup.

I'll use Onedrive for storing backups outside the house. And maybe compress data as suggested by the red one.

BTW: Can anyone recommend good backup software (for windows)? Preferably without proprietary storage format. One option which I have used before is a script using Robocopy, but I suppose dedicated software will be easier to maintain.

3. Password managers.
I'm usually able to remember passwords, or at least reconstruct them. But the wife is not. Are there password managers that doesn't store passwords on line? I assume I have to manually synchronise password data between our computers and cell phones, but I can live with that.

pibbuR who is not backed up yet.

PS. Just for fun, I calculated how long it would take my, at the time (mid eighties), top speed 2400 bps modem to download the game: 263 days. And I would have to switch disks (I had a 70 MB at the time) 4 times a day. DS.

PPS. Uninstalled the game and reinstalled without VPN. I get 62 MB per second, which means that the VPN connection operates at 60% of the no VPN bandwidth. DS.
 
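On the pull-backup idea earlier in the thread, the rotating-disk scheme and the Robocopy question: Robocopy mirrors, so a run after an infection faithfully mirrors the encrypted files over the good copy. What protects you is versioned snapshots that the client cannot reach. The following is an added Python example (not from the thread and not any backup product's code) that imitates the rsync --link-dest pattern: each run makes a dated snapshot on the backup side, unchanged files are hard-linked to the previous snapshot so they cost no extra space, changed files are copied, and only the oldest snapshots beyond a retention count are pruned. It runs against temporary directories, with a stand-in "encryptor" that overwrites the client's files to show that the earlier snapshots survive. Directory names, dates and file contents are constructed.

```python
"""Versioned pull backups: a compromised client cannot destroy old snapshots.

Added example, not from the thread. Imitates rsync --link-dest in pure
Python; the 'client' is just a directory the backup side reads from.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source: Path, backup_root: Path, name: str) -> Path:
    """Pull source into backup_root/name. Files identical to the newest
    previous snapshot are hard-linked to it; anything else is copied.
    Nothing under a previous snapshot is ever written."""
    previous = None
    if backup_root.exists():
        snaps = sorted(p for p in backup_root.iterdir() if p.is_dir())
        previous = snaps[-1] if snaps else None
    dest = backup_root / name
    dest.mkdir(parents=True)
    for path in source.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        old = previous / rel if previous else None
        if (old is not None and old.is_file()
                and old.stat().st_size == path.stat().st_size
                and _digest(old) == _digest(path)):
            os.link(old, target)          # unchanged: share the inode
        else:
            shutil.copy2(path, target)    # new or changed: real copy
    return dest


def prune(backup_root: Path, keep: int) -> list:
    """Delete the oldest snapshots so that `keep` remain; returns names removed."""
    snaps = sorted(p for p in backup_root.iterdir() if p.is_dir())
    doomed = snaps[:max(0, len(snaps) - keep)]
    for old in doomed:
        shutil.rmtree(old)
    return [p.name for p in doomed]


def simulate_ransomware(directory: Path) -> None:
    """Constructed stand-in for an encryptor: overwrite every file in place."""
    for p in directory.rglob("*"):
        if p.is_file():
            p.write_bytes(b"ENCRYPTED" + os.urandom(16))


def demo() -> dict:
    """Three nightly runs; the client is encrypted before the third one."""
    with tempfile.TemporaryDirectory() as tmp:
        client, root = Path(tmp, "client"), Path(tmp, "backups")
        (client / "docs").mkdir(parents=True)
        (client / "docs" / "thesis.txt").write_text("chapter 1")
        (client / "photo.jpg").write_bytes(b"\xff\xd8" * 100)
        take_snapshot(client, root, "2024-01-01")
        (client / "docs" / "thesis.txt").write_text("chapter 1 and 2")
        take_snapshot(client, root, "2024-01-02")
        simulate_ransomware(client)
        take_snapshot(client, root, "2024-01-03")
        removed = prune(root, keep=3)
        return {
            "day1_thesis": (root / "2024-01-01/docs/thesis.txt").read_text(),
            "day2_thesis": (root / "2024-01-02/docs/thesis.txt").read_text(),
            "photo_shared_inode": (root / "2024-01-01/photo.jpg").stat().st_ino
                                  == (root / "2024-01-02/photo.jpg").stat().st_ino,
            "day3_is_junk": (root / "2024-01-03/docs/thesis.txt")
                            .read_bytes().startswith(b"ENCRYPTED"),
            "snapshots": sorted(p.name for p in root.iterdir()),
            "removed": removed,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The property that makes this safe is that the client never has write access to the backup tree: the backup host pulls (rsync over SSH with a read-only account on the client, or a share the PC can read but the backup box owns). If the PC could write to the backup share, an encryptor could open a hard-linked file in place and corrupt every snapshot sharing that inode, so exposing the snapshot directory read-write to the client defeats the scheme. The disk-swapping approach above gives the same guarantee by physical disconnection; a cloud sync folder only gives it if the service keeps versions the client cannot purge, which is worth checking for whatever service you use.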
1. Using unsecured networks and VPN
The connection between my PC and the VPN server is as I understand it encrypted? Connection from the VPN-server and the end-server is not. But I assume that a serious VPN-provider won't use open/unsecured networks for that. But I may still be vulnerable to false hotspots.
Yes, with that type of VPN the encrypted tunnel terminates at a VPN provider's server, usually hosted in a data centre. It emerges from there as normal traffic - the final leg from there to the webserver you're interacting with relies on the standard SSL protections, as mentioned.

I don't quite understand what you mean by still being vulnerable to false hotspots?

2. Protection against ransomware.
Here's what I do. I have two 6 TB disks and a couple of 3 TBs I don't use. And an(a?) USB Docking station which will be connected to my PC only when needed (for backup purposes). By switching between them at least one of them should be OK if I'm attacked while taking a backup.

I'll use Onedrive for storing backups outside the house. And maybe compress data as suggested by the red one.
Sounds reasonable to me. You'd need a lot of simultaneous bad luck for that to go wrong.

3. Password managers.
I'm usually able to remember passwords, or at least reconstruct them. But the wife is not. Are there password managers that doesn't store passwords on line? I assume I have to manually synchronise password data between our computers and cell phones, but I can live with that.

pibbuR who is not backed up yet.
I self-host a Bitwarden server. But their cloud service also seems pretty strong - all the encryption code is executed client-side, and is designed so that unencrypted passwords never touch their server.

For a more manual option, there's things like Keepass syncing.

 
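On the question of managers that don't store passwords online, and the point that with Bitwarden all encryption happens client-side: the design these services use is not hard to picture, so here is an added Python example (not the thread's, and not Bitwarden's or NordPass's code) of the key hierarchy. The master key is derived on the device with PBKDF2 from the master password and e-mail; a separately derived login hash is the only password-related value the server receives, and the server hashes it again before storing it; a random vault key encrypts the items and is itself stored wrapped under the master key. A server breach then yields ciphertext and a verifier that still has to be brute-forced per user. Assumption, labelled in the code: the symmetric cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, standing in for the AES the real products use, because the Python standard library has no AES; the hierarchy, not the cipher, is what the example shows.

```python
"""Client-side ("zero-knowledge") vault key hierarchy, stdlib only.

Added example, not from the thread or any vendor. ASSUMPTION: encrypt()
below is an HMAC-SHA256 keystream with encrypt-then-MAC, a stand-in for
AES; use a real AEAD in anything that is not a demo.
"""
import hashlib
import hmac
import secrets
import struct

KDF_ITERATIONS = 600_000   # current OWASP guidance for PBKDF2-HMAC-SHA256
SERVER_ITERATIONS = 100_000


def derive_master_key(password: str, email: str) -> bytes:
    """Computed on the device; never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               email.lower().encode(), KDF_ITERATIONS, 32)


def derive_login_hash(master_key: bytes, password: str) -> bytes:
    """One more PBKDF2 round with the roles swapped: this is what the client
    sends as its 'password'. It does not let anyone recover the master key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, 32)


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(enc_key, nonce + struct.pack("!Q", block), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(enc_key, nonce, ct)


def _verifier(login_hash: bytes, salt: bytes) -> bytes:
    """Server side: hash the login hash again so a DB dump is not a login token."""
    return hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS, 32)


def create_account(email: str, password: str) -> dict:
    """Returns the record the server stores: no password, master key or vault key."""
    master_key = derive_master_key(password, email)
    salt = secrets.token_bytes(16)
    return {
        "email": email,
        "server_salt": salt,
        "login_verifier": _verifier(derive_login_hash(master_key, password), salt),
        "protected_vault_key": encrypt(master_key, secrets.token_bytes(32)),
        "items": [],                       # ciphertext blobs only
    }


def _login(record: dict, password: str) -> bytes:
    master_key = derive_master_key(password, record["email"])
    login_hash = derive_login_hash(master_key, password)
    if not hmac.compare_digest(_verifier(login_hash, record["server_salt"]),
                               record["login_verifier"]):
        raise ValueError("login rejected")
    return master_key


def add_item(record: dict, password: str, secret: str) -> None:
    vault_key = decrypt(_login(record, password), record["protected_vault_key"])
    record["items"].append(encrypt(vault_key, secret.encode()))


def unlock(record: dict, password: str) -> list:
    vault_key = decrypt(_login(record, password), record["protected_vault_key"])
    return [decrypt(vault_key, blob).decode() for blob in record["items"]]


def change_master_password(record: dict, old: str, new: str) -> None:
    """Re-wrap the vault key under the new master key; items stay untouched."""
    vault_key = decrypt(_login(record, old), record["protected_vault_key"])
    new_master = derive_master_key(new, record["email"])
    record["login_verifier"] = _verifier(derive_login_hash(new_master, new),
                                         record["server_salt"])
    record["protected_vault_key"] = encrypt(new_master, vault_key)
```

Two practical consequences follow from the structure. Changing the master password only re-wraps the vault key, so it is cheap and is the right response to a breach report; and the parts a server breach does not cover are the master password itself and the device running the client, which is why a long passphrase and 2FA on the manager account matter more than which vendor was in the news last.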
What Redglyph said: "It's not uncommon to have people posing as WiFi hotspots in airports and public locations, analyzing the traffic".

pibbuR
Right, but you shouldn't be vulnerable to those with a strong VPN. If the hotspot allows you to reach and establish a secure connection to your VPN server, it could be an evil hotspot, but it would be very difficult for them to monitor or interfere with your traffic.

EDIT: Perhaps a misunderstanding? I read your point 1 above, and took it to mean you'd still be vulnerable to bad hotspots even with a VPN.
 
I'll give you an example from my situation. I have a server, which runs various VMs and Dockers, providing my own web services. This is not quite as crazy or difficult as it sounds, and there's a big community rolling their own clouds. But, there's no way I'd be confident that all those services are securely configured and maintained to an internet-facing standard - that would be a full time job. So, I keep them behind a VPN, which has one job, and is simple to maintain.
Yeah, I can very much understand that, when it comes to needing to expose your own stuff to the internet. Setting up a reverse proxy like that sounds like a good idea, if you trust your VPN provider.

What I said above was more-so speaking when it comes to being a client on the internet. And even so, you still need to be careful and make sure the clients you use do a good job of being sufficiently paranoid.
 
And an(a?) USB Docking station which will be connected to my PC only when needed (for backup purposes).
"a USB", because you pronounce "You", which is a consonant sound. It would be "an usher" though - I know, there's no relationship with the docking station. Anyway, for once, it's easier in French.
BTW: Can anyone recommend good backup software (for windows)? Preferably without proprietary storage format. One option which I have used before is a script using Robocopy, but I suppose dedicated software will be easier to maintain.
I have the same question here. I have tried a few but never found anything satisfactory.
 
"a USB", because you pronounce "You", which is a consonant sound. It would be "an usher" though - I know, there's no relationship with the docking station. Anyway, for once, it's easier in French.
This is why I hate English (or would if I hated languages) (which I don't): The letters that can't decide whether to be (consonants) or not to be (consonants). We don't have those in Norwegian. 'U' and 'Y' are always vowels (along with good ol' 'A', 'E', 'I', 'O', 'Æ', 'Ø' and 'Å'). We don't have the 'a'/'an' single point of failure either.

pibbuR who still speaks and writes Norwegian better than English, but is equally exposed to typos in both languages.
 
About using the internet on public wifi without a VPN, theoretically that's only vulnerable if you're talking with the server over an insecure channel. Or an improperly implemented secure channel. Generally speaking, if implemented properly, if you're talking with the server over an https/SSL/TLS channel, you should be ok even without a VPN tunnel. So using a VPN server, in that case, just means you're basically "double-securing" the channel (usually superfluously, and also incurring performance penalties) and implicitly hiding the identity of the server you're talking to. If you need that, then yeah, go for it.

The general recommendation of using a VPN when on public wifi was generally for a time when https/TLS weren't as predominant. And if the end-server you're talking to can only support non-secure channels, using a VPN only protects your communication between you and the VPN server. When the VPN server passes your packets along to talk to the end-server, that communication is insecure, just like yours would be if you were talking directly. So it's more of a balancing of where do you think you're more vulnerable. Between you, the wifi node and the end-server or between you, the VPN server and the end-server. Normally, that would indeed be at the wifi-level. But again, all of this is only if you're talking over an insecure channel. If you're already talking over a secure channel, using a VPN at best hides who you're talking to. Which again is another issue. You might have a secure channel in terms of integrity and privacy, but talking with a malicious server. You also need authentication with the end-server, to make sure you're talking with who you expect to be talking to.

As others have said, with all of this in mind, you also have to be very careful about the VPN server/service you're using. To not fall from the frying pan into the oven. When at home especially, you're basically trading if you trust your ISP more than the VPN server, or the other way around. If you're talking with a secure server over a secure channel, that doesn't matter as much (since neither the ISP nor the VPN provider should break that channel), only if you want to hide from your ISP who you're talking to. But then your VPN server knows who you're talking to. And if doing shady things, you're definitely taking a chance there also. If faced with prosecution or fines, you can bet your ass your VPN provider will not risk going to jail to protect you for your 10 dollars a month subscription.
That's why I chose a good VPN provider which accepts cash or prepaid cards without ID or user name. Then they only have my IP and don't have to store any logs. 🙂

Not that I recommend doing anything shady, but it feels nice to know very little of my activity is traceable without a lot of effort.
 
Right, but you shouldn't be vulnerable to those with a strong VPN. If the hotspot allows you to reach and establish a secure connection to your VPN server, it could be an evil hotspot, but it would be very difficult for them monitor or interfere with your traffic.

EDIT: Perhaps a misunderstanding? I read your point 1 above, and took it to mean you'd still be vulnerable to bad hotspots even with a VPN.
I thought that a fake hotspot, even if taking you nowhere, could be used to infect your computer with malware. I remember back in 2002, when I got my first broadband connection (ADSL). The first computer I connected (foolish me) didn't have a firewall. Within 10 seconds it was infected by the Blaster worm, before I actually used the connection for anything.

pib buR
 
I just read an article that the big corps and websites are now using "unique identifiers" to track people, and all security measures such as VPNs and browser extensions just help them do it, and the more you try to protect your identity the more it helps them track you. I'm guessing this will move to the "scammer" sector soon, and until something new comes along we'll all be screwed for a little while. But I don't know or understand much about modern technology beyond the basics, and hopefully I'm wrong.
 
I thought that a fake hotspot, even if taking you nowhere could be used to infect your computer with malware. I remember back in 2002, when I got my first broadband connection (ADSL). The first computer i connected (foolish me) didn't have a firewall. Within 10 seconds it was infected by the blaster worm, before I actually used the connection for anything.

pib buR
I would think that's more a case of connecting to a potentially hostile network (be it the local wifi or the open internet) without a firewall, and being quickly attacked. I'd expect there are some conceivable attacks purely through the wifi connection mechanism, but I think the main risk from a bad hotspot, rather than the open internet, is that you're part of a small target group.
 
If you use ssl then an open wifi isn't horrible and most email/web site default configurations require ssl - though some older configs might not; but note that ssl itself has had a large number of security issues over the years and it is critical to have the latest patches; the biggest security issue with vpn is trust of the vpn server - typically the traffic from the vpn server to the destination server is encrypted but the vpn can allow for a man-in-the-middle attack esp. if the vpn itself is not a trustworthy entity or has been compromised.

Btw phones have their fair share of security issues (I believe from what I've read overall Apple is worse than Android on Samsung and Pixel in that core Apple programs take longer to patch and have had more serious flaws; not to mention iCloud issues - remember all those leaked nudes of the famous - that was because iCloud security was exceptionally weak and folks didn't realize their images were being stored on the 'cloud') but this is always a moving target and if you install a lot of third party apps you are asking for a trojan.

As a general rule even if using ssl assume that if someone wants to watch your activity they can - even if the probability is extremely low.

FYI: ssl data is by nature compressed since it is part of the protocol so double compressing encrypted data has diminishing returns.

