VPN Questions

[aem123]

How does a person be as anonymous as possible on the internet? Do VPNs do the trick? Are there other ways? What is a VPN anyway?

[gottabekd]

So assuming you are talking about a personal VPN. A corporate VPN is a different application of the same technology, but isn't about being anonymous.

As an analogy, let's say you wanted to subscribe to a naughty magazine like Playboy (is that still a thing?). But for privacy reasons, you don't want your neighbours to see you walking back from the community mailbox with it under your arm. And in your house, you don't want your kids or even your wife to see the magazine. So Playboy ships the magazine in a special locked envelope that only you (and the sender) have the key to. If someone like your mailman, wife, kids tries to open the envelope, they won't be able to.

So a VPN does something similar. But are you anonymous? Well, Playboy has to know what address to send the magazine to, so they know about you. Maybe they implement policies to minimize how much personal data they store from you, and delete it often, but there is still the chance some intern forgot to shred the subscriber list. And say they store the addresses on a computer system and it gets hacked or raided by law enforcement, your name and address are now theirs. And your mail carrier (and every postal worker up the chain)? Maybe he doesn't know what's in the secure envelope, but the return address is from the publisher for Playboy (amongst other magazines), so anyone who handles the package could maybe guess at what's inside, but can't prove it.

So the contents of the package can be considered secure, but it isn't 100% anonymous because they still have to know where to send it, and someone still has to deliver the mystery package to your address.

Another thing you might use a VPN for is to fake your address. Let's say Playboy stops shipping to Canada, but you really need those articles. You could ship it to some postal handling facility in the US, and they are instructed to package up the magazine in a new envelope and ship it to your house in Canada. This 3rd party postal forwardeer knows your real address, but the magazine doesn't need to. In the VPN realm, this can be used to bypass geoblocking restrictions, where content is only available to certain regions. Even if you are in Canada, if your VPN service lets you connect through a US server, you might be able to trick the service into letting you watch the georestricted content. For example, this used to work with Netflix, but they have mostly stopped it by banning any traffic coming from a known VPN service.

For more anonymity than a VPN can provide, there is TOR, which I understand is used primarily for criminal activity. I'm not familiar with it, but I understand that naturally it can't be considered 100% anonymous either.

[gottabekd]

On second thought, maybe I did a poor job explaining the anonymity aspect of a VPN, which is what you were after.

Let's say you want to ####post on the Oilers subforum of a message board where you have an existing account "Flames4Eva". You don't want your account banned, so you want to create a "ConnorIsTheBest" account for trolling purposes, but don't want the message board to know that both accounts are coming from the same Telus IP address in Calgary. So you need some anonymity. What do you do? Head to the library to use their computers!

So you visit your Calgary library branch, fire up the web browser, create your ConnerIsTheBest account, and have fun trolling Oilers fans. By using the library computer instead of your own (aka subscribing to a VPN service), there is no way for the message board to trace the trolling back to you. They know it is coming from a "public" address, the library, but obviously can't trace it back to your home Internet connection.

But let's say you post something really egregious like acknowledging that though Connor is good, Crosby might actually be the best. The message board gets law enforcement involved to find the perpetrator of this blasphemy. They raid the library and demand all Internet usage records for the day in question. Now your anonymity depends on how much data (logs) the library has about its patrons' Internet usage.

They could have logs saying Joe Smith sat at this computer at 11:55 AM and visited the message board in question, and was the only person in the library at that time that was trolling an Oilers forum. Or the logs might say that these 12 people were using the Internet at that time. Or they might not have any logs about who was using the Internet, so law enforcement gets a list of all the tens of thousands of members to comb through. But maybe you paid for your library card in cash (when that was a thing), and gave them a fake address, so there really is no personally identifiable information about you on the membership list. It seems this avenue of investigation is a dead end, and the library protected your anonymity effectively.

But what if you messed up, and the next day at the library you logged in to your Flames4Eva account. Now the message board administrators can see that two different accounts were used from the same "anonymous" library computers. Based on the other IP address you have logged in from, they can now link the ConnerIsTheBest account to your Telus IP address, and you are busted. So while using the library computer can protect your anonymity, if you share too much data through this channel, you pierce through this protection.

So back to VPN providers, some claim to do "zero logging". If you trust that this claim is true, then they should be considered fairly good at keeping you anonymous. But it is still up to you when using a VPN to not start sharing your home address to Oilers fans who want to come fight you.

[CaptainCrunch]

Yeah, I thought your first description was awesome

[GoinAllTheWay]

This seems like a good thread to ask this question as I thought I did a pretty good job of keeping my online presence minimal.

I was looking at the Lowes website on my MS Surface the other day using Chrome. Wasn't signed in to Chrome at all. No FB app on this device. Just me signed in to Windows. So I'm looking at a particular floor lamp from Lowes.

Maybe 2 hours later, my g/f is looking at FB on her phone, and what appears in her feed? An ad for the exact same lamp!

HTF does that happen?? It couldn't have been a coincidence.

[aem123]

I really want to know 2 things: 1.) How do I troll nutjobs on the internet without having one of them track me down and burn my house down or something? 2.) How do I protect myself on public WIFI if I wanted to do banking or something on public WIFI? Would a VPN help? And how do I know the VPN administrator wouldn't steal my passwords or get hacked or something?

[gottabekd]

Quote:

Originally Posted by aem123

I really want to know 2 things: 1.) How do I troll nutjobs on the internet without having one of them track me down and burn my house down or something? 2.) How do I protect myself on public WIFI if I wanted to do banking or something on public WIFI? Would a VPN help? And how do I know the VPN administrator wouldn't steal my passwords or get hacked or something?

1. Prevent people from tracking you down
If we are talking about posting on a website, then typically only the website administrator can find your IP address. For example on this forum, no regular members could find out each other's IP address. But anyone who is an admin on Calgary Puck could find your IP address. As long as they don't share the info (or let it get hacked), then you are joe schmoe anonymous as far as other members on the site are concerned.

In other forms of communication, e.g. realtime chat, video games, your IP address might be discoverable by the other party. For video games, this can be done to save the need for setting up a third party server. One player acts as the "host" of the game, and everyone else connects to them. If one of the parties wishes, they could find out your IP address.

What can someone find out with an IP address, and what can they do? Well, generally an IP address can tell someone's physical location, at a level slightly less granular than a postal code. Try it yourself. So they can't find your street address, but could find out at least quadrant of the city you are in. This lookup info isn't all that reliable. It depends on how your ISP is configured and how well the various tools index this information. Your router in your house acts somewhat as a firewall. If someone knows your IP address, that is the address to your router. If your router has an exploitable vulnerability, well, they might very well be able to act as if they are local on your network and do malicious things. I don't think it's a thing most consumers care that much about, but if you are concerned, it might be worth making sure your router has the latest security updates, and that look up the model to see if there are known vulnerabilities.

Finally, your ISP can associate your IP address with your account. If law enforcement comes knocking with a court order/subpoena/warrant, or sometimes if the company asking is a major corporation that is friendly with the ISP, they might reveal who is using that particular IP address. If you use a VPN for privacy when trolling an Oilers forum, then the idea is that no one except the VPN provider could even trace it back to your personal IP address or ISP.

2. Protecting yourself on public WIFI

Ideally, most websites now are served over HTTPS (the little lock icon), which should make your traffic completely secure from your computer all the way to the company that owns the website (e.g. your-bank.com). So if you are banking next to a malicious hacker on the same public WI-FI, HTTPS should protect you fine, without the need for a VPN. However, if you still visit any non-HTTPS (aka HTTP) websites, that hacker sitting next to you could see all the traffic, including things like usernames and passwords you enter into forms. In the last few years web browsers have amped up the warnings about submitting data on a plain old HTTP connection, so this isn't as big a concern, but still could be relevant. Other services like an email client might be connecting over an unsecured channel, and sniffing out passwords from this type of traffic is taught in hacker school 101. So over HTTP, a using a VPN for any public WI-FI browsing is absolutely necessary if you care about privacy.

But over HTTPS, does a VPN help make things more secure? Back to my locked envelope analogy. If HTTPS is one locked envelope, a VPN is putting that locked envelope inside another locked envelope. If somehow a third party got a key to either envelope, they still couldn't see what's inside the package since it has been locked twice. So yes, it ads some security, with just a little bit of overhead to manage fiddling around with two keys to open the package. But more importantly, when you are on a public network, there isn't a firewall preventing a hacker from directly targeting your computer. I suspect some commercial public WI-FI systems have something in place to prevent this, but most consumer routers this is a desired feature. For example, your computer might be configured to share a directory of files with anyone else on the network. At home this is great. In public this is probably not desirable. Even if you aren't meaning to share anything, there might be vulnerabilities on your system. Without that firewall in place, there are more ways for a hacker to target you. I believe running VPN software on your computer should lock down this access, so you only receive messages via the VPN, not the guy sitting next to you.

And about the VPN provider stealing your passwords, again back to the envelope analogy. If you are visiting your bank website over HTTPS, via your VPN connection, all your traffic is being wrapped in two secure envelopes. The VPN provider only has the key to one envelope. They unwrap the outer envelope, and send the inner envelope on to your bank. The VPN has no means to unwrap that inner envelope (e.g. read your banking credentials).

Now, because all your traffic is going through them, they could try something malicious. They could set up a fake "your-bank.com", and when you ask them "what is the IP address for your-bank.com?", they could reply with the address to their fake server. This is known as a man-in-the-middle attack. However, HTTPS is supposed to thwart such attempts. The real your-bank.com has a "certificate" verifying that they are the real owners of "your-bank.com". Your web browser has a collection of certificates and the means to verify that the website is giving you a real, valid, trusted certificate. Your malicious VPN provider should not be able to acquire a trusted certificate for "your-bank.com", because the company issuing the certificate is supposed to verify that the company asking for the certificate actually owns the rights to that domain name. Your malicious VPN provider running the fake your-bank.com could also create a fake certificate, but your web browser is supposed to warn you with the big flashy "This website is not secure!" message that requires about 6 clicks to bypass.

So, I think most of the above is generally correct. Hopefully someone can clarify is something is misstated. There are lot more details and caveats. I think in general, security is about making it harder to hack. Nothing will ever be 100% secure. A VPN helps add to your security, but is just one piece.

[GoinAllTheWay]

You can get a browser extension called HTTPS everywhere that forces your browser to go for HTTPS connections only.

https://www.eff.org/https-everywhere

[Fuzz]

Quote:

Originally Posted by GoinAllTheWay

This seems like a good thread to ask this question as I thought I did a pretty good job of keeping my online presence minimal.

I was looking at the Lowes website on my MS Surface the other day using Chrome. Wasn't signed in to Chrome at all. No FB app on this device. Just me signed in to Windows. So I'm looking at a particular floor lamp from Lowes.

Maybe 2 hours later, my g/f is looking at FB on her phone, and what appears in her feed? An ad for the exact same lamp!

HTF does that happen?? It couldn't have been a coincidence.

My first guess is that you both use the same internet at home, right? So your gateway ip would be the same, and they might be using that ip address to link you.

[gottabekd]

Quote:

Originally Posted by GoinAllTheWay

This seems like a good thread to ask this question as I thought I did a pretty good job of keeping my online presence minimal.

I was looking at the Lowes website on my MS Surface the other day using Chrome. Wasn't signed in to Chrome at all. No FB app on this device. Just me signed in to Windows. So I'm looking at a particular floor lamp from Lowes.

Maybe 2 hours later, my g/f is looking at FB on her phone, and what appears in her feed? An ad for the exact same lamp!

HTF does that happen?? It couldn't have been a coincidence.

That's a good start for your privacy. And if you ever do use Facebook, make sure you sign out, otherwise they can track you all over the Internet (along with many other companies).

What you experienced with the ad for the lamp is probably something like this:

The ad company running ads on Lowe's tracked you via your IP address. Since browsing websites is a two-way communication (you ask for the site, they need somewhere to send it), the advertising code on the Lowe's website kept track that "someone at address 111.222.333.444 viewed this lamp at 6:30 PM on Dec. 6". Then later, on a different device, your GF is browsing Facebook which happens to be served by the same ad company that was tracking you on Lowe's. Since you are both at home, from the outside, your IP address is the same. So when the ad code on Facebook runs it looks up "do we have any relevant ads targeting 111.222.333.444?" and finds that just a couple hours earlier that IP address was viewing a particular lamp at Lowe's. So it dynamically creates the HTML code for displaying that lamp in an ad banner and your GF sees this ad.

Or possibly the ad code just tracked "someone from NW Calgary was viewing lamps from Lowe's. Are lamps a big thing in Calgary right now? Let's serve up ads for lamps to anyone else in NW Calgary for the next 8 hours".

And possibly even more sinister, say you agreed to share your location with Lowe's on the store locator page. And no doubt the Facebook app on your GF's phone has her location tracked down to the nearest metre. This could be another way to associate the locations across these devices.

Obviously it's even easier to show such "relevant" ads if you are on the same device since they can just track you with cookies (small bits of data stored on your computer). We all know this experience of browsing a certain product or website, then being bombarded with ads for that site/product for the next two weeks. It could also lead to some embarrassment if you are browsing with someone watching your screen (I only clicked on that Amazon product page for a 55 gallon drum of personal lubricant because someone thought it was funny to link to! Stop showing me ads for it!).


So my advice is to do your engagement ring shopping in person , or else it might spoil the surprise. And what could be fun/scary is to start testing out how these ads are working. Hit up Lowe's again for some random product, and see if that is advertised on your GF's phone again.

[CaptainCrunch]

How did your girlfriend react when that ad came up featuring midget clown pron?

[GoinAllTheWay]

Quote:

Originally Posted by CaptainCrunch

How did your girlfriend react when that ad came up featuring midget clown pron?

She asked when and how many.