Infatuas, posted July 7, 2013 (edited July 8, 2013):

Why does adding VPN under HTTPS add more security? To my knowledge you cannot read SSL encrypted traffic, or the encapsulated packets of SSL headers. This is why firewalls offer deep SSL inspection, where the firewall proxies traffic and uses its own SSL cert so it can then read the SSL headers.
newbi3, posted July 7, 2013:

Encrypting your packets doesn't encrypt your IP address; it encrypts the payload of the packet. So if you are browsing the net, for example going to google.com, people can still tell what site you are visiting, but if they try to look at the content of the page they cannot see that. You should perform a man-in-the-middle attack while you're connected to your VPN, open Wireshark and follow the packet flow; you should see that you cannot read the contents of the packets. If you can read the packets, I suggest you get a different VPN service! Hope this helps you!
Infatuas (author), posted July 8, 2013:

I understand IP isn't encrypted, but since my exit node is no longer my personal firewall my IP is "masked" because I'm NATing through a different firewall.

Why does adding VPN under HTTPS add more security? To my knowledge you cannot read SSL encrypted traffic, or the encapsulated packets of SSL headers. This is why firewalls offer deep SSL inspection, where the firewall proxies traffic and uses its own SSL cert so it can then read the SSL headers.
Infiltrator, posted July 8, 2013:

> Why does adding VPN under HTTPS add more security? To my knowledge you cannot read SSL encrypted traffic, or the encapsulated packets of SSL headers. This is why firewalls offer deep SSL inspection, where the firewall proxies traffic and uses its own SSL cert so it can then read the SSL headers.

Correct, you can't read SSL encrypted traffic. But with the right software and hardware, it's possible to read SSL encrypted traffic. Now, the reason why adding a VPN under HTTP(S) adds more security is because you are adding an additional layer of encryption. You now have two different layers of encryption. Even if an attacker manages to break through the first layer, he still has to break through the second layer, which therefore increases your overall security but reduces your throughput and system performance.
Infatuas (author), posted July 8, 2013:

So it is useful and necessary, because I'm adding another layer to the onion. The problem I have with that is if I just use my personal exit node I'm a small target; I can control my own internal security and even build SSL/TLS tunnels to my own firewall internally. I am forced to trust a network and company I know nothing about, technically. They could all be honeypots for all we know. Not to mention when using OpenVPN or like products, once I leave their exit node my packets enter the plain-text internet anyhow. So I may be adding another layer of security: 1 for HTTPS and 1 for VPN = 2; I have to trust my ISP (1) and now trust another provider whose network I don't control (1) = 2. Seems to cancel out: 2 pros, 2 cons.
Infiltrator, posted July 9, 2013 (edited July 9, 2013):

> So it is useful and necessary, because I'm adding another layer to the onion. The problem I have with that is if I just use my personal exit node I'm a small target; I can control my own internal security and even build SSL/TLS tunnels to my own firewall internally. I am forced to trust a network and company I know nothing about, technically. They could all be honeypots for all we know. Not to mention when using OpenVPN or like products, once I leave their exit node my packets enter the plain-text internet anyhow.

There is just one more challenge. Your traffic will only remain encrypted from point A (yourself) to point B (VPN server). Once your traffic leaves point B, it will once again become clear-text. So all the effort you went through to ensure your traffic was heavily encrypted will once again be travelling in clear-text. If you're going to be transmitting data, just make sure you encrypt it beforehand. This will make sure that your data remains safe. You could then use PGP to self-sign it, and even if it gets tampered with, you will know something happened along the way.
Infatuas (author), posted July 9, 2013:

So now I have protected from taps off my ISP/MITM; one would have to track/connect the dots from VPN to my real IP and decrypt data. This raises two more questions: I've been successful in creating a 2-headed proxy chain by using my main OS to connect to a paid/no-log VPN, then using VBox to spin up a VM and run a separate paid VPN (different provider) through that. I cannot think of a way to use a third other than taking over a remote host through the second proxy to establish a 3rd. Any other ideas? Also, what kind of encryption software could I use that requires use of a private key? I know TrueCrypt can do this and it's proven open source code. Anything better? What about just using 7-Zip with AES-256 to encrypt files? No key though.. This is all for study btw.
newbi3, posted July 9, 2013:

I have an OpenVPN running on a server at my house; I use this when I am on untrusted networks. No, I do not trust my ISP, and no, I do not trust any other ISP any more than mine. However, my reason for doing this is because I trust that at my house no one is sniffing the wire. I don't trust that at a coffee shop no one is sniffing the wire. If someone were to be running sslstrip, for example, on the coffee shop's network, I wouldn't be affected by that because my traffic is encrypted with another layer. Between my home and my ISP, my ISP can still see all of my traffic, but there really is no way to get around that. I could move my end point to a remote server, but I don't trust them any more than I trust my ISP. It is all a matter of who to trust really. I say the fewer people looking at my traffic the better.
Infiltrator, posted July 9, 2013 (edited July 9, 2013):

I don't trust any service provider, not even my own ISP. Don't forget they could be working alongside any government law agency. So running your own SSH or OpenVPN server from your own house, and then tunnelling your traffic through it, makes it very safe, because you own it and have control over it. Your ISP, on the other hand, can only see the IP addresses you access, but not the traffic itself.
barry99705, posted July 9, 2013:

> I don't trust any service provider, not even my own ISP. Don't forget they could be working alongside any government law agency. So running your own SSH or OpenVPN server from your own house, and then tunnelling your traffic through it, makes it very safe, because you own it and have control over it. Your ISP, on the other hand, can only see the IP addresses you access, but not the traffic itself.

Which will encrypt anything between yourself and your house; once it leaves your house, then the ISP can see it. I know you know that, just trying to highlight that for the OP. The only true way to use the internet anonymously is not to use it.
newbi3, posted July 9, 2013:

> I don't trust any service provider, not even my own ISP. Don't forget they could be working alongside any government law agency. So running your own SSH or OpenVPN server from your own house, and then tunnelling your traffic through it, makes it very safe, because you own it and have control over it. Your ISP, on the other hand, can only see the IP addresses you access, but not the traffic itself.

Once the traffic leaves my server and goes out to the internet, my ISP can see that. All I am being protected from is eavesdropping in the middle between where I am and my home. The encryption provided by your VPN only stretches to the end point of the VPN, not all the way to the web server you are requesting information from. Now if the web server is on the same network as you are with your VPN, you are fine. The encryption goes like this:

    ME ----------------- COFFEE SHOP'S ISP ------- HOME VPN ------ HOME ISP
    gets encrypted ---------> encrypted ---------> gets decrypted --> plain-text
    gets decrypted <-------- encrypted <--------- gets encrypted <---- plain-text
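As an added illustration (not code from anyone in the thread), here is the diagram above as a small Python model: each observer can only open the layers it holds a key for, so the returned views show that the tunnel hides the destination from the coffee shop, that HTTPS alone still leaves the destination and host name visible (newbi3's first point), and that past the exit node the body is plain text unless HTTPS is also in use. The addresses, host name and request body are constructed.

```python
# Added illustration: who can read what along the path drawn above.
# Encryption is symbolic: a Sealed layer is opaque to any observer that does
# not hold its key, so this shows the layering, not real crypto.
CLIENT, VPN, SERVER = "10.0.0.7", "203.0.113.5", "198.51.100.20"  # constructed

class Sealed:
    """One encryption layer; only an observer holding `key` can open it."""
    def __init__(self, key, inner):
        self.key, self.inner = key, inner

def build_request(https, vpn):
    """Packet as it leaves the laptop: IP header, host name, HTTP body."""
    app = {"body": "GET /account"}
    if https:                       # TLS hides the body, not the IPs or host name
        app = Sealed("tls", app)
    pkt = {"src": CLIENT, "dst": SERVER, "host": "example.com", "payload": app}
    if vpn:                         # tunnel: outer header to the VPN, inner packet sealed
        pkt = {"src": CLIENT, "dst": VPN, "payload": Sealed("vpn", pkt)}
    return pkt

def vpn_exit(tunnel_pkt):
    """VPN server opens the tunnel and NATs the inner packet to its own IP."""
    return {**tunnel_pkt["payload"].inner, "src": VPN}

def readable(pkt, keys):
    """What an observer holding `keys` can read; sealed fields come back None."""
    view = {k: pkt.get(k) for k in ("src", "dst", "host")}
    view["body"] = None
    layer = pkt["payload"]
    while isinstance(layer, Sealed):
        if layer.key not in keys:
            return view
        layer = layer.inner
    if "payload" in layer:          # opened the tunnel: read the inner IP packet
        return readable(layer, keys)
    view["body"] = layer["body"]
    return view

def observers(https, vpn):
    """Hop-by-hop view for one request: {observer: readable fields}."""
    pkt = build_request(https, vpn)
    hops = [("coffee_shop_wifi", pkt, set())]
    if vpn:
        hops.append(("vpn_provider", pkt, {"vpn"}))
        pkt = vpn_exit(pkt)         # past the exit node only TLS, if any, covers the body
        hops.append(("exit_isp", pkt, set()))
    hops.append(("web_server", pkt, {"tls"}))
    return {name: readable(p, k) for name, p, k in hops}
```

Running `observers(https=False, vpn=True)` shows the exit-side ISP reading the body in the clear, which is the gap Infiltrator's "encrypt it beforehand" advice addresses.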
Infatuas (author), posted July 9, 2013:

Yeah, I get all of that. Just trying to determine my own method is what is interesting. Security is way too dependent on trusting others, from software development to ISPs to VPN servers. My two last questions still stand. :)
Infiltrator, posted July 10, 2013:

> Also, what kind of encryption software could I use that requires use of a private key? I know TrueCrypt can do this and it's proven open source code. Anything better? What about just using 7-Zip with AES-256 to encrypt files? No key though.. This is all for study btw.

Look into this one, http://www.gnupg.org/ , if you haven't heard of it.
Infatuas (author), posted July 10, 2013 (edited July 10, 2013):

Oooh. I'll test it out a bit. Thank you all.