Reader question, answered: If I have https, do I need a VPN? By David Gewirtz ~ High Tech House Calls

Monday, February 17, 2020


I recently got another letter from a reader that can serve as a great foundation for an article. Our reader asks:
Is not the encryption provided by my browser on the data I exchange with an https: site sufficient to protect the data? My understanding has been that it is. If so, a VPN is not needed for this purpose. Furthermore if so, it's perfectly safe for me to exchange private data (say, account info with my bank or stock broker) over any public, open network.
Of course, VPN's provide several other valuable functions, but as I understand it they do NOT provide any additional security to the actual data exchanged. VPN providers would likely not want to highlight this.
There's a lot to unpack in our reader's letter. Let's dig into each question/statement one-by-one.


PERFECTLY SAFE

Separate from the technical questions, our reader makes an assertion I think deserves an immediate and somewhat forceful correction. Our reader states:
It's perfectly safe for me to exchange private data (say, account info with my bank or stock broker) over any public, open network [using https].
Let's get this out of the way: It is never, ever, in any way, ever "perfectly safe" to exchange data over the internet, whether via a public, open network (shudder) or even from your home or office.
If reading ZDNet regularly tells you anything, it's that there are security breaches and security flaws throughout our networks that occur with constant, never-ending, and pretty much overwhelming regularity.
I'm not going to go into either all the breaches or even all the ways message traffic can be intercepted while in motion. Suffice to say, our data is never "perfectly safe," and so we must always take action to protect ourselves, our data, and by extension, our financial and physical security.
Just because you're not paranoid doesn't mean they're not out to get you.
Because of this reality, we often practice a belt-and-suspenders approach to all of our security practices. That means, even though we may have one level of security, it's never enough. That method of security may be cracked or buggy, or there may be some other reason it's leaky. It's always best to have multiple approaches to keeping safe.

IS HTTPS ENOUGH?

Let's start with what https does. It secures (through encryption) an http connection between a website and your browser. That means that the contents of what you're transmitting are unlikely to be read or changed between your browser and the website.
But you are not in control of this connection. It's up to the website operator (and any associated services it calls on) to be sure to properly set up and operate the secure connection.
Not all websites use https, so anything you do on an unencrypted connection is visible. What's actually of far greater concern with unencrypted traffic is that an attacker (in what is usually called a man-in-the-middle attack) can modify what is sent, injecting tracking bits -- or worse, malware -- into the stream.
The most visible of these are Great Cannon-style attacks that inject JavaScript and HTML payloads into unprotected web traffic. These payloads then conduct denial of service attacks (hence: cannon) against targets of interest to the hackers.
No one wants their web browser unwittingly turned into a denial of service weapon.
Another thing to consider about https encryption is it only encrypts your web traffic. Any other internet activity is not touched by the https protocol and therefore requires its own encryption. Examples of other activity include web-based video games that might send your account, password, and even credit card information in the clear; an e-mail program; or even a locally run accounting program.
So, yes, https does help. But it's only one security accessory in a belts-and-suspenders-security ensemble.

WIRELESS ROUTER ENCRYPTION

There's another encryption element that sometimes comes into the chain. That's the Wi-Fi encryption you get when you use a Wi-Fi router with a password.
Of course, here's another point of risk: You have no way of telling if the Wi-Fi router has been spoofed, and you're really sending all your data through a pineapple or some other data spoofing device.


VPN ENCRYPTION

This statement by our reader is a little tough to unpack: "VPN's provide several other valuable functions, but as I understand it they do NOT provide any additional security to the actual data exchanged."
I think what our reader is saying is that VPNs provide other services, but they don't provide any other data security services. But VPNs do. They also encrypt data.
VPNs absolutely do provide data security services. Packets are encrypted from the local browser to the VPN service provider. All packets.
Now, it's important to understand where this encryption helps and where it doesn't. If you're on your web browser in a coffee shop and you're talking to your bank's web interface, your traffic is encrypted in your browser, goes from your device to a local router, to the local ISP, across a whole bunch of hops, and then to your bank, where it's decrypted.
Https will encrypt that entire pipe, but only if everything is set up correctly.
Now, if you're using a VPN (with https or not), your data is encrypted on your computer. If you're using https, the https-encrypted data is encrypted again by the VPN. That data then travels over the usual hops to a VPN server, is decrypted once (the VPN's layer is removed), and sent on to your bank.
The benefit of VPN encryption applies from your device to the VPN provider on the internet. This protects against nearly all coffee shop, airport, and hotel lurkers who might try to snag your data in motion.

THINKING ABOUT SECURITY

When it comes to thinking about mobile security, it's important to keep in mind the endpoints and what's being encrypted. Let's look at the last three we discussed:
  • https: Encrypts web traffic between the web browser and the webserver.
  • Wi-Fi: Encrypts all network traffic between the mobile device and the Wi-Fi router in your local coffee shop, hotel, airport, etc.
  • VPN: Encrypts all network traffic between your mobile device and the VPN service provider on the internet.
Can you see how these different elements encrypt and decrypt at different points? Also, keep in mind that any one (or more) of these security services may be compromised. Plus, of course, there are other levels of encryption, like encrypted SSL and TLS tunnels between websites and payment providers.
By using multiple layers of encryption, each unable to see into the other, you're reducing the chance that any one compromised network will compromise you.
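The endpoints listed above can be turned into a small model that answers "which hops could read my payload?" for any combination of layers. This is an added example, not part of the original article; the hop names, the single simplified path and the `broken` parameter are assumptions, and it models payload readability only.

```python
# Added illustration (not from the article): which hops could read your payload?
# Hop names and the single simplified path are assumptions made for this model.
LAYERS = {  # name: (where encryption starts, where it is removed, covers non-web traffic?)
    "wifi":  ("device", "wifi_router", True),
    "vpn":   ("device", "vpn_server", True),
    "https": ("device", "website", False),
}

def path(use_vpn):
    """Hops between your device and the site; a VPN adds a detour via the provider."""
    hops = ["device", "wifi_air", "wifi_router", "local_isp", "internet_hops", "website"]
    if use_vpn:
        hops.insert(4, "vpn_server")
    return hops

def exposed_hops(in_use, traffic="web", broken=()):
    """Hops (excluding the two endpoints) where the payload is readable.

    in_use  -- layers switched on, e.g. {"https", "vpn"}
    traffic -- "web", or anything else for non-browser traffic (games, mail, ...)
    broken  -- layers that are on but misconfigured or compromised
    """
    hops = path("vpn" in in_use)
    working = [LAYERS[name] for name in in_use if name not in broken]
    exposed = []
    for pos, hop in enumerate(hops[1:-1], start=1):
        hidden = any(
            (covers_all or traffic == "web")
            and hops.index(start) < pos < hops.index(end)  # strictly inside the tunnel
            for start, end, covers_all in working
        )
        if not hidden:
            exposed.append(hop)
    return exposed

if __name__ == "__main__":
    cases = [
        ({"wifi"}, "web", ()),
        ({"https"}, "web", ()),
        ({"https"}, "game", ()),
        ({"vpn"}, "game", ()),
        ({"https", "vpn"}, "web", {"https"}),
    ]
    for in_use, traffic, broken in cases:
        print(sorted(in_use), traffic, "broken:", sorted(broken),
              "->", exposed_hops(in_use, traffic, broken) or "nothing in transit")
```

A hop where a layer ends holds that layer's keys, which is why a spoofed Wi-Fi router still reads everything when Wi-Fi encryption is the only layer in use.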

OTHER VPN SERVICES

As we've discussed in our various VPN reviews and guides, different commercial VPN services provide different added value. Some mix in anti-virus. Some mix in some identity protection services.
But all VPNs provide another very important security service: IP address obfuscation.
If you use a VPN, you get an IP address from the VPN provider. This is the IP address recorded by various services on the web. This allows you to protect your identity in terms of where you're located, what ISP you're using, or even what country you're in.
For some of us, this is a less critical service. For others, especially those dealing with stalking or other personal protection worries, VPN location protection services are essential.

BOTTOM LINE

So, in answering my reader's question, do they need a VPN? It's up to them. But is https the be-all and end-all of internet security? Oh, hell no.
What tools do you use to protect your security? Let me know in the comments below.