[ale] OT have some questions about vpn security

JD jdp at algoloma.com
Sun Jul 14 08:27:39 EDT 2013


Inline.

On 07/14/2013 01:53 AM, Ron Frazier (ALE) wrote:
> Hi JD,
> 
> I think hotspotvpn is a good vendor.  I've been with them for several years,
> and always like to turn on a vpn when I'm away from the house.  They support
> port 443, tcp; port 443, udp; port 53, tcp; and port 53, udp.  I think they
> can do PPTP but I always use the Open Vpn setup.  They have a few exit points
> here in the states and some others in other countries.  Their staff is
> minimal and pretty much works only by email as far as I know.  But, it works.
> Their website is at hotspotvpn.com.

Those are all the ports that basically can't be blocked and still allow people
on the internet.  Even if a proxy server is involved, VPNs can work.

Knowing a vendor only comes from their actions that we learn about. If we never
hear they are cooperating with entities we'd rather they didn't, there is little
chance of discovery.  I'd rather hear them refuse stock law enforcement requests
and demand a court order for all access. Is that their method of operation?

Not using PPTP for anything seems smart.

> Using the tunnel via udp is supposed to be faster, when you can use it.  I
> suppose, if there is lots of interference on the network, tcp might be
> faster.

I'd never heard that. I'd always assumed that UDP was faster and since the
tunneled packets already have TCP overhead, any lost packets would cause a
retransmit request to the source.  Double overhead with tcp/tcp just doesn't
make sense, but if there isn't any other choice ... something is better than
nothing.

> My main objective is to get the in the clear data away from the hotspot.  My
> email and my https traffic (like banking) has its own ssl encryption anyway
> regardless of the tunnel, so I'm not too worried about what the vendor might
> see.

I think a vendor being paid a fair price for their services is the ideal VPN
provider. This should prevent a conflict of interest with customer happiness
being the primary goal for the company.

<snip>

> In regards to what was working and B&N, it wasn't working well, with the
> frequent disconnections.  But, I was able to establish the tunnel via either
> 443 udp or 443 tcp.  I don't think I tried 53.  The android Open Vpn client
> has an option to disallow internet access while the client is paused or
> connecting.  This eliminates in the clear traffic unless the system just
> gives up completely or you cancel it.  I think it did just give up once, but
> I had it working intermittently most of the time.
> 
> I was at office max the other day and couldn't get it to work at all.  I
> don't know why.

If UDP is blocked, it won't work on UDP.

> I've been considering upgrading my vpn solution so I can encrypt all 5 pc's
> from home, just because I can, in light of the NSA stuff.  Not sure I want to
> pay 5X the monthly fee though.  I'm not sure if anyone allows simultaneous
> logins and I'd have to research that.  Sure, NSA can still monitor choke
> points, but at least Comcast couldn't monitor everything I do.

You know, routers will do this and you can specify certain subnets to be routed
through a VPN and others are not. This handles the entire network. I've seen
how-to guides on the internet.

Researchers have been working on determining the type of traffic inside tunnels.
Seems there are specific patterns to the traffic. They can't see the exact
content of the traffic of course.

I believe that HTTPS has been hacked through different techniques involving DNS,
CA corruption, or just having governments demand that CAs create certs with the
desired credentials to enable proxies or spoofing of websites. For online
purchases, I don't worry about it.

We often forget that if DNS is compromised, **NOTHING** on the network can be
trusted and we've already lost the war.  Using a VPN with non-public keys and
IP-based connections (not DNS/hostname) should mitigate any remote network
tampering.
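To make the last two points concrete (an IP literal instead of a DNS name, a pinned server identity, UDP 443 with TCP 443 as fallback, and only chosen subnets sent through the tunnel), here is an OpenVPN client profile added as an illustration. It is not from the thread or from hotspotvpn's setup; the server address, certificate names and subnets are placeholders.

```conf
# OpenVPN client profile (illustrative; not a vendor's own config)
client
dev tun
nobind
persist-key
persist-tun

# Placeholder server address, written as an IP literal so the connection
# does not depend on DNS answers from the hotspot's resolver.
remote 203.0.113.10 443 udp
# Fall back to TCP on the same port if UDP is blocked (tried in order).
remote 203.0.113.10 443 tcp
# Keep retrying rather than giving up and passing traffic in the clear.
resolv-retry infinite
connect-retry 5

# Pin the server identity to our own CA and a static HMAC key that the
# vendor issued out of band (placeholder file names).
ca   vpn-ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1
remote-cert-tls server
verify-x509-name "vpn-server" name
tls-version-min 1.2

# Split tunnel: ignore server-pushed routes and send only the listed
# subnets through the VPN; everything else uses the normal gateway.
route-nopull
route 198.51.100.0 255.255.255.0
route 192.0.2.0    255.255.255.0

verb 3
```

Drop `route-nopull` and the `route` lines to send all traffic through the tunnel instead, which is the usual choice on an untrusted hotspot.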
