What Questions Should You Ask A VPN Service?

Discussion in 'privacy technology' started by DasFox, May 12, 2011.

Thread Status:
Not open for further replies.
  1. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    This post isn't about recommendations so have you looked at this post and read through some people's recommendations and thoughts?

    https://www.wilderssecurity.com/showthread.php?t=285780

    Please make a post there for a recommendation and what you are looking for in the way of a VPN...


    THANKS
     
    Last edited: Jun 14, 2011
  2. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,310
    Location:
    Here, There and Everywhere
    Respectfully, that means nothing. What would you have to complain about? Connectivity and support. These other things that Steve and DasFox are talking about are precautions that anybody serious about a VPN would need to know. Without knowing the answers to these other questions, you wouldn't "know" all the bases were protected in a way to say, "I can't complain." I don't feel like I'm making my point very well - but do you see what I mean?
     
  3. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    I did post the questions that people normally ask about a service. It was suppose to be with that post by my network bombed out when I was editing it.
    Yf is not a VPN its a connectivity service btw.
    Asking too many technical questions about a VPN provider leave that gap for them to bs you. So I believe ask them short and simple questions eg like I posted.
    What does it do?
    What is it?
    What can I use it for?

    Such questions you can see by the reply. If they explain and elaborate in detail to such questions

    Example
    Is it secure? Is it anonymous? Does it compromise my security?
    Normally they will tell you and ham on about encryption and such. That's not a answer one wants.
    A answer one wants will be yes its more secure unless you configure a server port forward no one can connect to you. But your connecting to the internet and you will be using different applications and will be downloading data which means there is a certain amount of risk still. It cannot protect you from your own mistake and flaws in applications and protocols.

    That's a answer I would expect from a good provider.

    SSL. Yes its secure. But the certificate exchange is still visible? Dns leaks? Its there's.
    Client software? Do they tell you about that java got a restriction to the key used?
    Stuff like that. If your a big company then your IT guys should know already what to ask if they have to look on the web to know what to ask then get rid of him. He will end up costing your company more problems than he would fix things.
     
  4. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    ^Don't you think that contacting a VPN provider sales/customer dept. and then asking them "What does it do?", equals walking into a motorcycle store, pointing at a motor cycle and then ask the employee; "What is it, what does it do?"
    Wouldn't that be just testing their nerves?
     
  5. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    And how does one know their answers to all those questions are the truth o_O Ahhhh - therein lies the problem as all your doing is shifting your "trust" from your ISP to the VPN provider!

    Also keep this in mind - you would have to be completely "naive" to not assume that some (how many i have no idea) of these vpn services are setup and run by "government" :eek:. They have unlimited resources and as we all have seen, "laws" just don't apply to them any longer :mad:
     
  6. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,352
    Location:
    Oz
    I think you made your point very clearly and it's a good one.
     
  7. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    you don't have to they all got support forums or most of them do. And the people at sales are the last persons to ask those questions.
     
  8. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    And all the above is actually a response to my reply?

    Then what is the goal you're trying to achieve, with asking basic questions at a VPN provider tech support, as you previously stated;
    As I wrote in my previous post, that sounds as if you'll only trust a motorcycle store if an employee is actually willing to tell you that a motorcycle is primarily a transportation vehicle with a combustion engine...
     
    Last edited: Jun 18, 2011
  9. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    No. The key is to play dumb. Let them tell you even if you already know it.

    Lets go back to to these

    Where does the name resolution get resolved? On the server or one of my choice? so anonymous or just pseudonymous nope.
    Your dns gives your real ip away


    TLS/SSL, traffic can be recognized as being TLS/SSL easily, and an observer could see the certificate exchange. Thats not anonymity technologies. SSL/TLS is a standard protocol for encrypting Internet traffic. DNS leaks?

    You cannot change the laws of physics." Speed are determined by your underlying network. VPNs require encryption/decryption of traffic and that takes CPU cycles. One of the important measures of a VPN is its throughput or the amount of data is can pass before it is unable to keep up with the decrypt/encrypt activities. With hardware VPNs this is an easy number to find, but with software products like
    OpenVPN, your throughput will depend a lot on your hardware

    Concurrent Streams? Only 2 connections?

    Geographic proximity usually has no relation to Internet proximity. A server in the same city as you but on a different Internet-backbone provider could be as far away from you in Internet distance (hops) as a server on the other side of the continent. This difference in Internet proximity can make the difference between a VPN with 30 ms latency and one with 80+ ms latency.


    I think he asked there if you scan outgoing mail for malware or have any anti spam mechanisms. Also yes its your servers but whos data is on there?


    You mean you use a certificate authority (CA). A certificate authority looks
    over an entity’s credentials and certifies that they are who they say they are.
    Once an entity is certified, the certificate authority will sign the entity’s public key with the CA’s private key.

    no refer to 25

    What about the ones praying on your network?

    In the United States, phone and broadband networks are already required to have interception capabilities, under a 1994 law called the Communications Assistance to Law Enforcement Act. It aimed to ensure that government surveillance abilities would remain intact during the evolution from a copper-wire phone system to digital networks and cellphones.

    Often, investigators can intercept communications at a switch operated by the network company. But sometimes — like when the target uses a service that encrypts messages between his computer and its servers — they must instead serve the order on a service provider to get unscrambled versions.

    Like phone companies, communication service providers are subject to wiretap orders. But the 1994 law does not apply to them. While some maintain interception capacities, others wait until they are served with orders to try to develop them.

    The F.B.I.’s operational technologies division spent $9.75 million last year helping communication companies — including some subject to the 1994 law that had difficulties — do so. And its 2010 budget included $9 million for a “Going Dark Program” to bolster its electronic surveillance capabilities.
    http://www.nytimes.com/2010/09/27/us/27wiretap.html?_r=1

    A foundation of solid cryptography is that you change your encryption keys on a “regular” basis. The definition of “regular” is pretty broad. I have seen
    philosophies that say the lifespan of a key should be less than the time it takes to break that key. The literal interpretation of this strikes me as kind of silly.
    Imagine an attacker had a system that could break a DES key in 1 hour (not that far from reality). If you change your DES key every hour, all this means is your attacker needs to archive your traffic and get to work breaking it. They will begin seeing unencrypted traffic one hour after that traffic is sent, so all you’ve really one is add a one hour delay to the compromise of your data.

    You have half a dozen servers in the US and what does UK law states? They can seize your logs without a warrant if theres probable cause.

    Part 3, Section 49 of the Regulation of Investigatory Powers Act (RIPA) includes provisions for the decryption requirements, which are applied differently based on the kind of investigation underway.


    Now dont take this the wrong way up Im not attacking him or anything. Im just using it as a example and we can look at it from both sides of the fence

    1. He is a support IT or rep or whatever for his company. He is not a lawyer. Hes not a fighter for privacy. Hes part of a company that obides the law. They cant go fight the authorities. If a person is so worried about authorities then one got to ask are you going to use the service with criminal intent. They are no money launders for the mob. If you do nothing illegal then you dont have to worry about. You have to look up UK law to get your answer there.

    2. Security of a VPN service and how strong it is is not dependant on how strong the key is or hows encrypted or they have a shoot to kill policy on anyone coming near the servers. The user can make all that encryption worthless by what he is transferring thru the service. They cant help you with that. It would be lovely if he can advise the customers about securing their own pcs. They cant protect flaws in applications that you are going to use.

    One thing HMA must look at is when you get disconnected from the network for whatever reason you will be surfing with your real IP and the VPN client makes no attempt whatsoever to warn you, instead it tries to reconnect, there is a good chance your real IP will be exposed during that time. Please ask the guys in the coding department to fix it
     
    Last edited: Jun 19, 2011
  10. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Quoting from online sources should always be made clear imo. Preferably with italics and a source link.
    And DES is from the holocene period of encryption. Folks know that. Or they should.

    -edit; removed comment on SteveTX/Xerobank-
    Encryption levels are important I'd say, however, the shoot-paintballs-to-kill policy shouldn't be taken too seriously.

    That said, my replies don't offer much of a contribution to the goal of this thread so I'll leave it at that.
     
    Last edited: Jun 20, 2011
  11. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    Wow, what a mashup. Spooony's answers provided to 24, 39, 40 - both in quotes and the "corrected answers" are just incomplete and wrong. The legal situation involving privacy, and when laws will be applied, enforced, and capabilities in surveillance and avoiding/ inducing compliance in relation to, are far too complex to summarize in such a short space. In short, it is very unclear what a private provider can be prevailed upon to do, even in the absense of jurisdictional questions, in order to further government ends, when push comes to shove. Pending cases also suggest that U.S. citizens are both aware of, and disgusted by, warrantless government surveillance such as that done by both the FBI and NSA. The government might risk heavy resistance if they were to force further intrusion into private communication, regardless of the stated security concerns, in this environment. We're at a crossroads.

    I'm not sure how the conversation morphed into an indictment of SteveTX either. Please cite the appropriate thread that supports the "anonymity would be out the window" contention.
     
  12. x942

    x942 Guest

    Ah the old DNS "leak" issue = VPN must suck. Why not read a bit first and see how to fix this "issue" (only present in windows with openVPN).

    SSL/TLS can also be used to authenticate with a server (AKA as a secure handshake) Secondly SSL and TLS are TWO COMPLETELY different things. SSL is the predecessor to TLS. Again read a little bit.

    What does this have to do with anything? A VPN is for security, anonymity, remote access or any combination of those. Speed has nothing to do with a VPN unless they are throttling bandwidth or protocols. Speed is, 99.9% of the time, determined by your ISP and the number of hops between you and the VPN and the VPN and the server you are connecting to.

    Finally something you said made some sense :/


    Umm.. If they can scan out going mail (or anything for that matter) that means they can/could be logging your data (of course any VPN can do this as, like TOR, the data HAS to be unencrypted at one point or another). Who's data's on there? Probably the data of anyone using the VPN (unless they don't log anything.)


    [/quote]

    This is the same as the whole SSL argument. SSL is used as a secure authentication mechanism (IOW to connect to the VPN without the risk (or less risk) of a MITM against the VPN tunnel (Microsoft's PTPP can be crack do to such an attack). Who cares if you can detect SSL as long as no one can crack it.

    Okay. Again what is this to do with anything? Oh no! they can record my phone calls! Now my VPN is doomed! Oh wait! they are NOT the SAME thing. Not to mention anything being told over the phone would be done over a secure/encrypted line (AKA RedPhone and the like). Also add a white noise generator to block any bugs when your at it and that whole thing goes amok.

    So I have a 256-bit symmetric key that can't be cracked any time soon (the sun will burn out first). Now I should change this just in case someone cracks it? Okay I will change it at the half-way point k? (a few million years from now). As for DES - 52 bit key? Who would use that? NIST is even killing off the use of 80 bit keys (1024 bit asymmetric keys) by 2012. Read HERE and HERE. A DES key can be crack with relative ease with modern computers. throw a CUDA GPU at. No one would (or should) ever use it.

    UK yes. US no. USA you need a warrant. Same with Canada.

    Why would I want a lawyer to sell me a VPN? He wouldn't be trained in the field and thus would be of no relevance. Next most people using a VPN are abiding the law and as such those who aren't should be caught. (with no compromise to the VPN though).

    US severs defeat UK law.

    Well actually just like AES being open to the public if you are secure someone walking up and having access should mean nothing and compromise you in no way. Now the next part is the users own fault. If the user sends a photo with the GPS EXIF data attached than why is it the VPN's fault? And no they can not protect flaws in applications that you use. Only each of those dev's can do so. Why is it the VPN's fault?

    /rant
     
  13. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514


    This is the same as the whole SSL argument. SSL is used as a secure authentication mechanism (IOW to connect to the VPN without the risk (or less risk) of a MITM against the VPN tunnel (Microsoft's PTPP can be crack do to such an attack). Who cares if you can detect SSL as long as no one can crack it.



    Okay. Again what is this to do with anything? Oh no! they can record my phone calls! Now my VPN is doomed! Oh wait! they are NOT the SAME thing. Not to mention anything being told over the phone would be done over a secure/encrypted line (AKA RedPhone and the like). Also add a white noise generator to block any bugs when your at it and that whole thing goes amok.



    So I have a 256-bit symmetric key that can't be cracked any time soon (the sun will burn out first). Now I should change this just in case someone cracks it? Okay I will change it at the half-way point k? (a few million years from now). As for DES - 52 bit key? Who would use that? NIST is even killing off the use of 80 bit keys (1024 bit asymmetric keys) by 2012. Read HERE and HERE. A DES key can be crack with relative ease with modern computers. throw a CUDA GPU at. No one would (or should) ever use it.


    UK yes. US no. USA you need a warrant. Same with Canada.


    Why would I want a lawyer to sell me a VPN? He wouldn't be trained in the field and thus would be of no relevance. Next most people using a VPN are abiding the law and as such those who aren't should be caught. (with no compromise to the VPN though).

    US severs defeat UK law.



    Well actually just like AES being open to the public if you are secure someone walking up and having access should mean nothing and compromise you in no way. Now the next part is the users own fault. If the user sends a photo with the GPS EXIF data attached than why is it the VPN's fault? And no they can not protect flaws in applications that you use. Only each of those dev's can do so. Why is it the VPN's fault?

    /rant[/QUOTE]
    I'm not going to quote everything but let me explain something to you.

    1 a VPN is not a connectivity service. VPN stands for virtual private network. A VPN is a site to site tunnel. Let me say this one more time. A VPN is a site to site tunnel. There is a terrible misunderstanding in the industry right now that pigeon holes ssl VPNs into the same category with ssl enabled web servers and proxy servers. People hear ssl and immediately think of a protocol that encrypt traffic for a application or for several applications, one at a time via proxying, application translation or port forwarding. This is NOT a VPN. A Virtual Private Network refers to simulating a private Network over the public internet by encrypting communications between two private end points. This provides the same connectivity and privacy you would find on a typical local private network. A VPN device is used to create an encrypted non application oriented tunnel between two machines that allows these machines or the network they service to exchange a wide range of traffic regardless of the application protocol. This exchange is NOT done on a application to application basis. Its done on the entire link between the two machines or networks and arbitrary traffic maybe passed over it.

    Then the IETF has taken over the development and management duties for SSL and have rename it TRANSPORT LAYER SECURITY (TLS)

    SSL is the default security Solution application to application needs but has never need implemented to handle arbitrary multiple protocols.

    Can anyone tell me what thing made it possible? OpenVPN.

    "OpenVPN is user space SSL-based VPN that illustrates the ease and simplicity of SSL VPNs while providing the protection and function equivalent and in some cases superior to IPSec"

    So if you are worried about your data and you want to connect to another private network securely then doing it over a proxy is not a VPN. Its a connectivity service. You don't need to hide your ip on a private network. The internet are also not part of a private network.

    You want to see how secure your data is over a provider that uses open VPN then go look what chryptography OpenVPN make use of to see how your protected.

    I will help them out by saying this. OpenVPN makes use of a message digest function and then get the fixed length of block of cipher text. That cipher text gets sent along with the message. When it gets received on the other end they will run the message digest function on the text of data and compare it to the result of the attached message. If its not the same then there's data tampering involved tunnel disconnected. Now if they add a key before the message digest theres even better protection. So yes your data is pretty safe.

    Question is do you need a VPN or a connectivity service?
     
  14. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Hi Nix,
    That remark about SteveTX shouldn't be understood as an 'indictment', at least that was not what I meant to say.
    I remember having read in the 'Xerobank questions' thread, that SteveTX mentioned he and/or Xerobank were not above the law and if presented a court order, he'd be obliged to cooperate.
    That's what I wanted to convey towards 'Spoooney'.
    However, I've searched old posts from the Xerobank thread and I can't find the post containing that info. Perhaps it was in another thread, perhaps my memory is simply not correct.
    I didn't and I don't care much for the whole 'SteveTX-is-the-messiah vs SteveTX-is-the-devil-in-disguise' kind of atmosphere in some VPN threads so my remark shouldn't be read in that kind of fashion.
    I'll remove my remark though as I can't substantiate it with the appropriate post quote...

    ↓edit; Read my PM nix, we're miscommunicating here...
     
    Last edited: Jun 20, 2011
  15. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    Messianic or devilish qualities? I'm just wondering why we're coming back to this conversation. Again. I came here two years ago, and we were covering the same ground. In this very thread, SteveTX must have spent hours answering questions posed by someone who frankly looks like an obsessive in half his posts here. Then there's the anonymous Greek chorus that chimes in when someone feels like pitching some drama.

    This is a person who's showed you how he's armed to defend his property. He is clearly well-versed in his area of expertise. His vpn is set up across several jurisdictions, and his policy on logging and compliance with LE is clear. What else do you want from him? A blood oath?

    Let's just use the service or use something else already. Unless it's not about that. And I suspect it isn't. But if it's not, it's dishonest to come here and pretend that it is.
     
  16. x942

    x942 Guest

    Now let me explain somoething to you:

    1) go back and READ my post. I clearly said SSL was used to establish (authenticate ) the VPN tunnel to prevent MITM attacks. Now FTR you can make a tunnel using several technologies (VPN,SSH, SSL). Each for its own purpose (SSH and VPN allow for LAN communications and for bridging Internet conections, SSL can be used the same way but is often used for secure communications)

    2) No SSL replaced TLS - read the links I supplied. (questionable - Wikipedia agrees with Spoony other sources disagree. )

    3) a VPN is used as a link that forces ALL Internet traffic through it. All data is encrypted and passed over a "private" network (basically a LAN over the WAN). VPN's can also bridge Internet from one computer to the other allowing secure browsing. What does "application basis" have to do with anything? All traffic is going through the VPN.

    4) to your OpenVPN claims: GIVE LINKS TO SOURCES! (links supplied below - thanks Spoony)

    5) (REDACTED - Came across as attacking spoony. My apologies.)
    /rant back on topic.
     
    Last edited by a moderator: Jun 20, 2011
  17. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Why must I google for something I already know? Why can't you google for it because you don't know what they are? Have you provided one link to what you posted?
    If you look into and do a little bit of research the providers use you can instantly find out

    What sort of encryption they used.
    How many routes is possible
    How the encryption is done
    What the strongest it support.
    (Remember cpu cycles? Yes OpenVPN use you cpu)
    What protocols are used eg SSL/TLS, Ipsec etc etc
    Regarding TLS. Its ssl renamed with a couple of fixes that's all. The name changed because someone else took control over it.
    Please no reason to get hyped up and start attacking one or another. Prove me wrong if you don't agree and no reason to get upset.

    http://en.wikipedia.org/wiki/OpenVPN
    http://www.howstuffworks.com/vpn.htm
    http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/what_is_a_vpn.html
     
    Last edited: Jun 20, 2011
  18. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    my apologies I wasn't attacking steve or aimed anything towards him. But the questions that was asked was more like a person worried about a government or authority going to catch him whatever he was doing rather than to ask questions about their service. I dunno where this bank issue come from and never seen the thread or anything. They there to provide anonymity from the bad guys who want your real ip to do nasty stuff with your pc and to encrypt the data of sites you visited on the web. So if a person want to look at lovelygirls.com and your worried someone is seeing it don't worry its encrypted at their end coming in. Are the fbi going to see and care if they raid the servers demanding log that you been visiting lovelygirls.com? I don't think so. (lovelygirls.com is just a made example btw)
     
  19. x942

    x942 Guest

    1) my apologies too. I wasn't meaning to attack you either but merely point out links are important and reading up on posts from google is important too.

    2) I never trust VPNs for anonymity. Let's face it to much luck in that. I use TOR and tunnel a VPN through it. VPN sees TOR ip (nothing linked to me) and TOR can't read the traffic as its encrypted. I use openVPN with free providers ;)
     
  20. x942

    x942 Guest

    Thanks for the links to open VPN ;) I asked for those because I couldn't find what you refered to. I did post links in my first post please refer to that over SSL TLS. According to sites I found its the other way around. That said Wikipedia agrees with you.


    I did posts links but the second posts was via cell phone and I didn't want to waste time. Redacted last comment from that posts however.
     
  21. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    online sources? Its a old saying everyone knows that. Btw I was on a phone typing that. You can see it with the not so spelling mistakes predictive text! About 500000000 people have said that. 500000001 including me know. Should the next guy quote all 500000001 of us?
     
  22. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    grrrr hate ze cellphone on the net only saw this post after posting ^one all the pages don't show lol

    Ok basically its this.

    If you have a private network or a workstation or pcs around you are in a internal network and you want to expand that to your home or a other branch of your company which is also on a private network then a straight tunnel through to it is the best option. Its almost like Ssh just a bit different. In a situation like that you looking to protect your data not hiding your ip. So you virtually extended your network across the internet with that tunnel. Now your pc at home or your business other branch is connected to this one securely over the internet via a VPN. Then you don't need a provider because you don't need to hide your ip. Its your own private networks.

    People seem to confuse a VPN with a connectivity service. A connectivity service hides your ip. Some do it better than others and they encrypt the data you browse on the web and send it back to you. Now the thing is secure proxies like that is hard to find and not free. Free ones is slow. You want speed you have to pay them for that. My connectivity service provider sell packages according the streams and speed Plus additional features.

    If you want to test OpenVPN you can make your own keys everything with it and tunnel your pc through to another pc that you have. You can use a vm and connect with it provided that you made the server and client keys.
     
  23. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Yes, online sources.
    You've copy/pasted information from online sources and wrote it down as if it were your own ideas.
    "I have seen philosophies that say the lifespan of a key should be less than the time it takes to break that key." is a quote, from a SANS Institute paper. link
    Not some 'saying' expressed by millions, or your own.
    But I see you've edited your posts and specified quotes, so apparantly you agree, somewhat.
     
    Last edited: Jun 21, 2011
  24. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    Baserk, if you'd like the courtesy of a reply to your pm, you need to open up your buddy list to me.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.