Is a Personal VPN safe enough?

Discussion in 'Mac Basics and Help' started by doubledee, Apr 17, 2013.

  1. doubledee macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #1
    This thread is an extension of an old thread with a new problem...

    What I would like to know is, "Is using *just* a Personal VPN like Witopia or HideMyAss safe enough to securely surf the Internet??"

    I had a drop-down, drag-out fight today in the local Verizon store and I have never been more offended, dismayed, or made to feel powerless as I do tonight.

    Short version of a long story is Verizon's Credit Dept told me, "Cough up your SSN, or fax us your Driver's License and Utility Bills - both of which must have a physical address on them - or no service for you!"

    Funny, both my friend and I have a P.O. Box on our Driver's License, and our State DMV's allow it, so why is Verizon discriminating against us and our home states?

    I wouldn't fax or e-mail anyone a gov't issued ID if my life depended on it. That is more dangerous than giving an SSN.

    Anyways, enough of that drama.

    Looks like I'll never be a Verizon customer, and so if I am reduced to using Free Wi-Fi while away from home, how much am I losing just relying on a "Personal VPN"?

    From what we discussed before, it sounds like a lot of you think just using a Personal VPN alone is safe enough?!

    To me, in an ideal world it would seem safer to first connect to Verizon's private and presumably secure network, AND THEN connect to WiTopia.

    What do you think??

    Sincerely,


    Debbie
     
  2. snberk103 macrumors 603

    Joined:
    Oct 22, 2007
    Location:
    An Island in the Salish Sea
    #2
    Actually, faxing your documents is very safe... if you are using a real fax machine. Fax machines make a direct connection - device to device - like an old-fashioned telephone. Which is unlike the internet, where packets get bounced from server to server and you don't know where.

    Faxes are considered safe enough for lawyers and doctors and hospitals to use to ensure client/patient confidentiality.

    Though I would never send a SSN (Canadian equivalent is SIN)... I've never understood why Americans tolerate the misuse of the SSN. It was designed to help the US government keep your tax returns and social benefits straight. Nothing else. The Canadian SIN can not be demanded by anyone except an employer (after you have started the job, not still looking) for tax deductions, banks if they are paying you interest (tax implications) and only certain departments of the federal government - and then only if you are applying for federal benefits. The department that issues you the number can't even ask you for your SIN unless you are applying for benefits.

    But faxes are pretty safe. Or you could courier copies of a driver's license and utility bill to the department.
     
  3. flynz4 macrumors 68040

    Joined:
    Aug 9, 2009
    Location:
    Portland, OR
    #3
    I think that connecting through a public hot spot is secure once you have established the VPN connection. When I am traveling and connecting to a public hotspot (typically in a hotel room... but there are other cases such as at a conference)... then I configure Witopia to automatically connect to the VPN as soon as the WiFi connection is made.

    Hence... I do not type anything into my machine... nor do I even launch a browser until I am connected through the VPN.

    Once connected to the VPN... you are secure on the local area network. Of course... there are other security breaches that can occur... but you have protected yourself from the most insecure part... your public local area network.

    /Jim
     
  4. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #4
    The fax isn't the issue...

    The fact that someone has an EXACT COPY of a Gov't issued ID with my Picture, Name, Address, Driver's License #, Signature, Date-Of-Birth, Physical Description and so on is B *** SH * T in the Nth degree!!!!!!!!!!!!

    (When I opened my current bank account and when I got a copy of my Birth Certificate recently nobody asked me to copy anything.)

    What Verizon is trying to get away with is criminal. Of course when 99% of the U.S. population will bend over backwards to give anything and everything they can as far as personal info, no wonder Verizon can be such a BULLY.

    At any rate, unless it is for a Job with Clearance, I'm not letting anyone copy my Driver's License.

    -----
    I don't understand why I can go online and buy a $3,000 laptop from Apple.com and all I need is an account and credit card, and I have to give everything short of a DNA sample to get a $70 damn Jet Pack?! :mad:

    A few weeks ago, Verizon reassured me that if I went into a store, and paid the $400 deposit, that meant no SSN or DL had to be given out, and all they needed was to *see* my Driver's License and a Utility Bill both of which could have a P.O. Box on them, which mine do.

    Today I was told a Driver's License without a physical address on it was "invalid". (What, should I go drive 2,000 miles back home and get a new Driver's License with a physical address on it to appease Verizon?)

    U.S. Telecom companies have always gotten away with murder, and I'm sure there are no laws that prevent them from demanding anything they want.

    ----
    So anyways, what do you think about just using a Personal VPN?

    Is that secure enough?

    I ultimately need *something* that is secure enough so I can Email, Surf, do Ecommerce, possibly Banking, and eventually managing my Webserver on my VPN while I am away from home and using Free Wi-Fi from wherever?!

    I would gladly fork over the $400 deposit, the $35 Activation Fee, the $70 for the Jet Pack, and $50/month for the Data Plan, but I sure as hell am not photocopying or faxing any Gov't issued ID, nor am I giving out an SSN for such an insignificant purchase. And I am also not going to get a new ID with a physical address on it or change my Billing Addresses to a physical address to appease Verizon!!! :mad:

    Sad thing is, I bet you AT&T, Sprint, and T-Mobile are just as nasty...


    Debbie
     
  5. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #5
    Is there anything obvious that could go wrong that wouldn't if I had a Wireless Plan?


    I thought I read somewhere that allowing your Personal VPN to connect automatically is dangerous because someone could trick you somehow into doing something insecure... I dunno...

    (BTW, can mouse and touchpad movements be seen and hacked over an unsecured wifi connection??)


    And with something like Witopia or HideMyAss that would be a client-side application that is presumably safe, right?


    So if I needed to do something like manage my web-server while traveling, how would I make sure that I have "end-to-end security"?

    And would having a JetPack really add any more security in such a situation?


    Debbie
     
  6. snberk103 macrumors 603

    Joined:
    Oct 22, 2007
    Location:
    An Island in the Salish Sea
    #6
    They don't... they have a low rez black & white copy. Including information that they already have, except for the DL#.
    Probably not criminal... and I actually do agree with you here generally. People give up far too much personal info. In this case I don't see a DL as being too far. The SSN - yes.
    Are you out of your home state? It's possible that they have different rules in different states depending whether the state itself allows PO boxes on the DL. I'm pretty sure BC doesn't allow PO box addresses on its DLs.
    I guess the question is... How secure is "secure enough" for you? For me, I don't bother with any of that stuff. I just keep my free WiFi surfing sessions limited to innocuous news sites (like MacRumors) and I feel secure enough. You obviously feel you need a higher level... ;) but how secure is 'enough' for you? If the CIA was actively tracking you and was willing to throw considerable resources into hacking your communications - do you need something so secure that you'll defeat that? Or do you just want to keep the nosy snotty kid sitting in the corner with the duct-taped receiver from listening in? BTW if the CIA is interested in you then they will point a directional microphone at your keyboard and 'listen' to your keystrokes to read what you type. Or they can place a small pinhole camera hidden in a bag or purse on a table next to yours to 'read' your screen and watch what you type. A personal VPN ain't gonna help if a security service has taken interest in you. Heck... if you are a target, half the people in that coffee shop you like may be operatives. :)
    I agree about the SSN - that is a bogus requirement. Don't hand it over for any purchase - period. Banks, employers, some federal government departments are the only ones who need your SSN.

    Make sure that the DL copies are low rez B&W copies. I bet the person doesn't even look at it... they just tick off a box that says "received" and process the application. If there just happened to be a piece of debris that obscured one of the numbers, I wonder if they'd even notice, eh?
     
  7. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #7
    I don't mind if people have the key info off of my DL - possibly even the DL # - but I do have a problem with even a low res of my picture, signature, etc.

    Why isn't it enough for the Verizon employee in the store to verify he/she saw a valid DL and check off the box without having to copy, fax, and store this info?

    There is the difference.


    How secure? (I thought I said above?)

    Secure enough so I could *ethically* manage a server hosting a website I am building which would have people's information on it. (User info like MacRumors in the beginning, and e-commerce in the near future, but NEVER storing credit card info.)

    Could I ethically go to McDonalds, log into their UN-secure Free Wi-Fi, then connect to WiTopia - or whatever the sequence is - and then log into my Server and start sending server credentials and feel secure less the CIA hacking stuff??



    I agree.


    True...

    Sincerely,


    Debbie

    ----------

    P.S. I am so upset that I feel like throwing up this morning... :(

    I feel so hopeless when it comes to standing up for my rights and well-being against multi-billion $$ companies like Verizon, or the mega-banks on Wall Street, or whatever.

    Every year in the U.S. it seems like we have less and less "freedom"...
     
  8. snberk103 macrumors 603

    Joined:
    Oct 22, 2007
    Location:
    An Island in the Salish Sea
    #8
    I thought about this for a second, and then realized what a stupid requirement it is by Verizon. To confirm your identity they are asking you to send in a copy of a document that they can't actually confirm is you. You could go to one of those joke ID places and get a DL for your cat and fax that in.

    Though I wonder if they have an arrangement with the DL bureau that lets them check to see if the DL you sent matches a real DL. Which actually protects you from ID theft. If I had your name and address, I could fake up a DL and send that in and get you billed for my Verizon services because Verizon would have no way to check that the applicant was the person at the address.

    ----

    Have you checked out using those office services you can rent by the hour? Sorry, I don't know the official name. But in most cities I believe there are 'offices' where you can rent a cubicle and have all the services of an office - phone, internet, printers, coffee, etc while you work. They should allow you to plug into the internet with an ethernet cable eliminating the WiFi weak point. Plus, the prying eyes since you have some privacy. And peace and quiet. And some security... enough you could leave a laptop (though locked of course) while you went to the loo. I'd never leave a laptop - locked or not - out at a Starbucks or a McDonalds while I made a pitstop. I may be casual but I ain't stupid.
    ---
    Many hotels also offer ethernet connections (vs WiFi) in their rooms... again it eliminates one weak point. And offers much better privacy and physical safety. In our experience the cheap hotels offer free internet, it's the 'better' hotels that charge for internet. BTW when a hotel charges for internet it can track your activities back to you and your credit card. The "free" internet hotels (though most don't offer ethernet connections) tend to route your activities through hubs that service multiple rooms. Which means that anyone outside tracking your activities could only track you to a particular hotel - not a room. But of course you'll want to use encryption because the WiFi signals spill into several rooms.

    I'm always amazed when I'm in a hotel room how many people on the network have left their computers wide open. That's why I don't worry. If someone was randomly looking for computers to exploit, they'd go for the easy fruit. They'd have to know ahead of time that I'm there, and that I had something they wanted. Which I don't.
     
  9. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #9
    snberk103,

    All interesting thoughts and comments, but you didn't address my #1 concern...

    Assuming that I cannot get a wireless plan with someone like Verizon - and things look abysmal after yesterday - Is using a Personal VPN secure enough to do things like Online Banking or manage the Web Server for a website I am working on?

    From what others have said in this and earlier threads, when you use a service like Hide My Ass, it creates an "encrypted tunnel" between my MacBook and the Personal VPN Service, so that should in theory eliminate nearly all threats at McDonalds or Motel 7 or whatever.

    And since I would always be managing my Web Server over something like Secure FTP, that should provide another layer of an "encrypted tunnel" between my MacBook and my Virtual Private Server with GoDaddy, right?

    So, as I see it, unless it is easier for a hacker to hack into a Personal VPN versus a Verizon Wireless Plan, then using something like Hide My Ass would be sufficiently secure...

    Of course one thing that a Personal VPN subscription would not provide is free access to the Internet, any time, any where...


    Debbie
     
  10. flynz4 macrumors 68040

    Joined:
    Aug 9, 2009
    Location:
    Portland, OR
    #10
    No... as soon as you are on the network... Witopia just connects. It is no different than if you were to click to connect... except you do not have to click.

    You do not need anything to do your online banking... that will most definitely be an encrypted tunnel to your bank without even using a VPN. The VPN helps you when you are connecting to non-encrypted sites... especially those that use HTTPS to initially validate your identity... and then just unencrypted cookies afterwards over normal HTTP pages.

    The VPN does NOT give you end-to-end security. It gives you an end-to-VPN server encrypted connection. This kills the threat on your local server... and essentially gives you the same protection as if you surfed from your home, work, or other secure location. End-to-end encryption needs to be negotiated with the server on the far other end. That is what happens (for example) when you connect to your bank.

    /Jim
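
The gap described in post #10 (HTTPS for the login, then cookies over plain HTTP, which a VPN only protects as far as the VPN server) can be checked from a site's response headers. This is an added example, not part of the thread: the header sets and cookie names below are constructed, and `audit` is a hypothetical helper name.

```python
# Added example: audits response headers for the "HTTPS login, HTTP afterwards"
# weakness. All sample headers and cookie names are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    secure: bool      # browser only sends it over HTTPS
    http_only: bool   # page scripts cannot read it

def parse_set_cookie(value):
    """Parse one Set-Cookie header value into name + security flags."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return Cookie(name, "secure" in attrs, "httponly" in attrs)

def hsts_max_age(headers):
    """Return the Strict-Transport-Security max-age in seconds, or 0 if absent."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            k, _, v = directive.strip().partition("=")
            if k.lower() == "max-age":
                try:
                    return int(v.strip('"'))
                except ValueError:
                    return 0
    return 0

def audit(headers):
    """Summarise whether session state can leave the browser unencrypted."""
    cookies = [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    no_secure = sorted(c.name for c in cookies if not c.secure)
    hsts = hsts_max_age(headers) > 0
    return {
        "hsts": hsts,
        "cookies_without_secure": no_secure,
        # Without HSTS the browser may still issue http:// requests, and any
        # cookie lacking Secure rides along in cleartext. A VPN hides that from
        # the hotspot, but not on the leg from the VPN server to the site.
        "cleartext_cookie_risk": bool(no_secure) and not hsts,
    }

# Constructed sample: login page is HTTPS, but the session cookie lacks Secure.
MIXED_SITE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz789; Path=/; Secure"),
]
# Constructed sample: HTTPS for the whole visit, enforced with HSTS.
HTTPS_ONLY_SITE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("mixed", MIXED_SITE), ("https-only", HTTPS_ONLY_SITE)):
        print(label, audit(hdrs))
```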
     
  11. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #11
    If I am able to get a Data Plan from some carrier, then what is the sequence of connecting?

    Would I connect to Verizon first, and then connect to WiTopia?

    Or is it the other way around?


    So you are saying I could connect to the Free Wi-Fi at Motel 6 1/2 and do online banking with no fears of negative repercussions?!



    Again, so if I am connecting to a website that remains in HTTPS mode the entire visit, then you make it sound as if I am basically safe over any connection - secure or not?


    So are there any other precautions I need to take so I can safely and securely manage my web server when I am away from home?


    Debbie
     
  12. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #12
    So if I wanted End-to-End Security, then I would have to only connect to websites that use HTTPS throughout my entire visit, right?

    (And if that is correct, then I would never have complete say over that unless I owned the server, right?)


    Debbie
     
  13. flynz4 macrumors 68040

    Joined:
    Aug 9, 2009
    Location:
    Portland, OR
    #13
    Security is not a 100%/0% thing. There are many security threats... irrespective of how you compute... so always be wary of anyone who says anything is 100% safe. I try my best to not do that.

    By far... the biggest threat when using public hotspots comes from anyone on your immediate local network. They have direct access to your machine... and also can look at every transaction over the network.

    When you connect to your bank... you start an HTTPS connection... and it remains encrypted. Yes... anyone can see your transactions... but they are encrypted... so it is "harmless" (depending on how you define harmless)

    When you connect to a VPN... you are setting up an encrypted tunnel between your machine, and a server someplace on the backbone. Everything to/from that server is encrypted... so anyone on your local area cannot decode your data... hence... it is as secure as HTTPS on your local network. It is not necessarily HTTPS between the VPN server and the final site. That is up to the policy of the final site. The big win for you is your data is encrypted on the most vulnerable segment... that local network.

    /Jim

    ----------

    Yes... VPN only works once you have an established connection. Once you connect to Verizon, or McDonald's, or Starbucks... you click the VPN tool and select "connect".

    You can also set it up to auto connect. I think this is better... because you do not have to remember to click.

    /Jim
     
  14. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #14
    flynz4,

    So I was able to work something out with AT&T and got a Mobile Hotspot from them instead. (No way I was going to give Verizon everything they asked for!!)

    Since I have a Hotspot now, I guess that solves one issue (i.e. Not having a secure and reliable way to access the Internet).

    Now if I want to step up my *privacy* I can get Witopia, which I probably will.

    Wow, all of this research is *exhausting*!!!

    Thanks to you and everyone else for all of your advice!!

    Sincerely,


    Debbie
     
  15. Mandee macrumors newbie

    Joined:
    Apr 26, 2013
    #15
    It depends on which VPN you use.

    They have different security levels and features. The free ones usually will not cut it. :( You want an SSL based OpenVPN for the best security.
    I rely on ExpressVPN to secure everything because I'm on different devices in different places all the time. So far, so good.
     