Quote:
Originally Posted by aem123
I really want to know 2 things: 1.) How do I troll nutjobs on the internet without having one of them track me down and burn my house down or something? 2.) How do I protect myself on public WIFI if I wanted to do banking or something on public WIFI? Would a VPN help? And how do I know the VPN administrator wouldn't steal my passwords or get hacked or something?
|
1. Prevent people from tracking you down
If we are talking about posting on a website, then typically only the website administrator can find your IP address. For example on this forum, no regular members could find out each other's IP address. But anyone who is an admin on Calgary Puck could find your IP address. As long as they don't share the info (or let it get hacked), then you are joe schmoe anonymous as far as other members on the site are concerned.
In other forms of communication, e.g. realtime chat, video games, your IP address might be discoverable by the other party. For video games, this can be done to save the need for setting up a third party server. One player acts as the "host" of the game, and everyone else connects to them. If one of the parties wishes, they could find out your IP address.
What can someone find out with an IP address, and what can they do? Well, generally an IP address can tell someone's physical location, at a level slightly less granular than a postal code.
Try it yourself. So they can't find your street address, but could find out at least quadrant of the city you are in. This lookup info isn't all that reliable. It depends on how your ISP is configured and how well the various tools index this information. Your router in your house acts somewhat as a firewall. If someone knows your IP address, that is the address to your router. If your router has an exploitable vulnerability, well, they might very well be able to act as if they are local on your network and do malicious things. I don't think it's a thing most consumers care that much about, but if you are concerned, it might be worth making sure your router has the latest security updates, and that look up the model to see if there are known vulnerabilities.
Finally, your ISP can associate your IP address with your account. If law enforcement comes knocking with a court order/subpoena/warrant, or sometimes if the company asking is a major corporation that is friendly with the ISP, they might reveal who is using that particular IP address. If you use a VPN for privacy when trolling an Oilers forum, then the idea is that no one except the VPN provider could even trace it back to your personal IP address or ISP.
2. Protecting yourself on public WIFI
Ideally, most websites now are served over HTTPS (the little lock icon), which should make your traffic completely secure from your computer all the way to the company that owns the website (e.g. your-bank.com). So if you are banking next to a malicious hacker on the same public WI-FI, HTTPS should protect you fine, without the need for a VPN. However, if you still visit any non-HTTPS (aka HTTP) websites, that hacker sitting next to you could see all the traffic, including things like usernames and passwords you enter into forms. In the last few years web browsers have amped up the warnings about submitting data on a plain old HTTP connection, so this isn't as big a concern, but still could be relevant. Other services like an email client might be connecting over an unsecured channel, and sniffing out passwords from this type of traffic is taught in hacker school 101. So over HTTP, a using a VPN for any public WI-FI browsing is absolutely necessary if you care about privacy.
But over HTTPS, does a VPN help make things more secure? Back to my locked envelope analogy. If HTTPS is one locked envelope, a VPN is putting that locked envelope inside another locked envelope. If somehow a third party got a key to either envelope, they still couldn't see what's inside the package since it has been locked twice. So yes, it ads some security, with just a little bit of overhead to manage fiddling around with two keys to open the package. But more importantly, when you are on a public network, there isn't a firewall preventing a hacker from directly targeting your computer. I suspect some commercial public WI-FI systems have something in place to prevent this, but most consumer routers this is a desired feature. For example, your computer might be configured to share a directory of files with anyone else on the network. At home this is great. In public this is probably not desirable. Even if you aren't meaning to share anything, there might be vulnerabilities on your system. Without that firewall in place, there are more ways for a hacker to target you. I believe running VPN software on your computer should lock down this access, so you only receive messages via the VPN, not the guy sitting next to you.
And about the VPN provider stealing your passwords, again back to the envelope analogy. If you are visiting your bank website over HTTPS, via your VPN connection, all your traffic is being wrapped in two secure envelopes. The VPN provider only has the key to one envelope. They unwrap the outer envelope, and send the inner envelope on to your bank. The VPN has no means to unwrap that inner envelope (e.g. read your banking credentials).
Now, because all your traffic is going through them, they could try something malicious. They could set up a fake "your-bank.com", and when you ask them "what is the IP address for your-bank.com?", they could reply with the address to their fake server. This is known as a man-in-the-middle attack. However, HTTPS is supposed to thwart such attempts. The real your-bank.com has a "certificate" verifying that they are the real owners of "your-bank.com". Your web browser has a collection of certificates and the means to verify that the website is giving you a real, valid, trusted certificate. Your malicious VPN provider should not be able to acquire a trusted certificate for "your-bank.com", because the company issuing the certificate is supposed to verify that the company asking for the certificate actually owns the rights to that domain name. Your malicious VPN provider running the fake your-bank.com could also create a fake certificate, but your web browser is supposed to warn you with the big flashy "This website is not secure!" message that requires about 6 clicks to bypass.
So, I think most of the above is generally correct. Hopefully someone can clarify is something is misstated. There are lot more details and caveats. I think in general, security is about making it harder to hack. Nothing will ever be 100% secure. A VPN helps add to your security, but is just one piece.