Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

VPN Question


  • Please log in to reply
6 replies to this topic

#1 Deviatorz

Deviatorz

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:11 AM

Posted 25 January 2015 - 06:30 PM

My university has a VPN service for student use. Of course its always a good idea to use it in public wifi's. However, after reading the fine print apparently my university only encrypts data going to their server but the data coming back is not encrypted (they support SSL and IPSec). My question is, do other paid VPN services like cyberghost encrypt the data coming back from their server to my computer? Or is my university's VPN service sufficient?

Thanks in advanced.

 



BC AdBot (Login to Remove)

 


#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:11 AM

Posted 26 January 2015 - 01:39 PM

I know that you can configure SSL and IPSec to operate without encryption (only authentication), but this works both ways. I've never heard of SSL or IPSec encrypting in one direction but not the other.

Maybe you can copy/paste the fine print here.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Deviatorz

Deviatorz
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:11 AM

Posted 27 January 2015 - 11:33 AM

 

Without encryption, anyone can intercept private information such as usernames, passwords, and email messages. VPN encrypts your data and provides security when sending data to the campus network. We recommend that all students, faculty, and staff use VPN when connecting to the UBC network off-campus, and when using non-secure wireless. Note that althought the UBC VPN service provides a secure communications channel from your computer all the way back to the campus network, data sent once it leaves the VPN server is insecure from the campus network to its final destination (unless you are using a other layers of security like a secure website).

 
You can use the VPN when you connect from wireless networks at coffee shops, airports, conference areas, or at home. UBC VPN supports SSL and IPSec.
 
It isn't always necessary to connect to the VPN when on campus - but we recommend it whenever you use a non-secure wireless network. VPN also allows you to access some UBC services from off-campus, such as the Management Systems Portal.

 

 

I might be interpreting this wrong, but I assumed that when it said that the data leaving the VPN server is insecure it means its not encrypted.

 

 

Thanks for the reply!



#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:11 AM

Posted 27 January 2015 - 05:27 PM

Correct, it means that is not encrypted, but to the webserver, not to your computer.

When you use a VPN, your computer ( C) connects to the VPN server (V) which connects to the webservers (W) on your behalf.
What they warn you about is that the connection between V and W is not encrypted (unless you use HTTPS).
So the connection between C and V is always encrypted, but the connection between V and W is not always encrypted.

Edited by Didier Stevens, 27 January 2015 - 05:28 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Deviatorz

Deviatorz
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:11 AM

Posted 29 January 2015 - 02:10 AM

Correct, it means that is not encrypted, but to the webserver, not to your computer.

When you use a VPN, your computer ( C) connects to the VPN server (V) which connects to the webservers (W) on your behalf.
What they warn you about is that the connection between V and W is not encrypted (unless you use HTTPS).
So the connection between C and V is always encrypted, but the connection between V and W is not always encrypted.

 

Ok so the data coming back from the VPN V to my computer C is encrypted. Just the data V gets from W (a website I choose to point to) is not. I hope I got this correct.



#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:11 AM

Posted 29 January 2015 - 02:49 AM

Correct. This is when you use HTTP. If you use HTTPS, it's encrypted all the way.

Edited by Didier Stevens, 29 January 2015 - 02:49 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 Deviatorz

Deviatorz
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:11 AM

Posted 02 February 2015 - 09:23 PM

Correct. This is when you use HTTP. If you use HTTPS, it's encrypted all the way.

awesome, thanks for the help






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users