Sunday, February 17, 2019

VPNs


Recently one of my co-workers sent me this article (archive.is). He asked:
What do you think of his assessment that VPNs are worthless and you are better off with HTTP Anywhere, etc?
That's not going to be a quick answer.

Just before a promotion for a commercial VPN service, the author says:
VPN services don’t make you more secure on the internet. Install HTTPS Everywhere, install an ad blocker and change your DNS settings to Quad9 or Cloudflare’s 1.1.1.1.
There are 3 points in there:
  1. Install HTTPS Everywhere
  2. Install an ad blocker
  3. Change your DNS settings to Quad9 or Cloudflare’s 1.1.1.1
HTTPS Everywhere forces HTTPS connections to any site that supports HTTPS, even if the initial request is HTTP. I haven't tried HTTPS Everywhere but that's a good idea. Personally, most sites that I use already force me to HTTPS anyway.

Oh, and HTTPS can be spoofed. If someone has put a root certificate authority (CA) certificate on your device, that CA can sign an HTTPS certificate for any site your browser will trust and take a man-in-the-middle position, decrypting your supposedly HTTPS traffic. At that point they could forward it as plain HTTP or just scrape off your confidential information. This has happened more than once.

At one time, Google's Chrome validated the HTTPS certificate in use for Google sites against the one that they had issued and complained if there wasn't a match. I've heard that that is no longer happening.

To mitigate this risk, run sigcheck.exe (my blog) regularly.

Now to ad-blockers.

I use uBlock Origin. Here's a comparison of cnet.com without and with uBlock Origin active.

[Screenshot: cnet.com without uBlock Origin]

[Screenshot: cnet.com with uBlock Origin]

Not only does a good ad-blocker block the presentation of ads, it also blocks any malware that potentially comes along with them. And it significantly reduces the bandwidth required.

Now to DNS.

While changing your DNS to 1.1.1.1 or 9.9.9.9 seems like a good idea, it's not that simple.

If your scope of control DOESN'T include the Internet facing router, e.g. in a network that's not YOURS, then you really don't have ANY control over what server resolves your DNS queries. Even if your device sends a DNS request to 1.1.1.1, a malicious router can map that to a malicious DNS server and you'll get the response back from it. It can even NAT the responding IP address back to 1.1.1.1 so you'll never know.

If your scope of control DOES include the Internet facing router, e.g. in a network that is YOURS, then set the DNS server in your router to 1.1.1.1, 8.8.8.8, or 9.9.9.9. I don't really distrust Comcast's DNS servers but why not use one whose goal is to be secure and fast?

But back to the non-owned environment. Since you really can't trust legacy DNS resolution you have a couple of choices.

First, you could use a VPN provider that you trust. You do need to make sure that the VPN sends DNS requests through the tunnel and not just lets the local network (malicious?) resolve them. I'm not sure how to determine that but there's probably a way.

Second, you could use a client app that implements DNS over HTTPS (DoH) or DNS over TLS (DoT). Both of these protocols send DNS requests through an encrypted session so they can't be intercepted in flight. Even then you have to trust the DNS server that is at the end of the encrypted tunnel. There's a deep dive on this here (archive.is). There's a cryptic article from Google here (archive.is).
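To make the DoH idea concrete, here is an added illustration (my own example, not code from the original post or from any resolver operator): a minimal DoH client in Python that builds the same wire-format DNS query a plain UDP resolver would send, POSTs it inside HTTPS to 1.1.1.1 per RFC 8484, and pulls the A records out of the reply. The resolver URL is an assumption, and the sample response bytes are constructed so the parser can be exercised offline.

```python
import struct
import urllib.request
from typing import List

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query (RFC 1035); txid 0 as RFC 8484 suggests for cacheable DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)            # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)    # class IN

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a domain name, which may end in a 2-byte compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:
        raise ValueError("DNS error, rcode=%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def doh_resolve(name: str, url: str = "https://1.1.1.1/dns-query") -> List[str]:
    """POST the query as application/dns-message (RFC 8484). urllib verifies the server
    certificate, so a router NATing 1.1.1.1 elsewhere fails the TLS handshake; the resolver behind url is who you trust."""
    req = urllib.request.Request(url, data=build_query(name), method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

# Constructed sample response (not captured from a real resolver): example.com A 93.184.216.34
SAMPLE_RESPONSE = (bytes.fromhex("000081800001000100000000")          # header: QR+RD+RA, 1 Q, 1 answer
                   + b"\x07example\x03com\x00\x00\x01\x00\x01"         # question: example.com A IN
                   + bytes.fromhex("c00c000100010000012c0004") + bytes([93, 184, 216, 34]))  # ptr, A, IN, TTL 300
```

Calling `doh_resolve("example.com")` performs the live lookup; `parse_a_records(SAMPLE_RESPONSE)` checks the parser without any network.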

This is not a simple discussion.
