In response to my recent cookie theft blog a reader asked the following questions:
What is VPN, what is SSL and what is the significance of https?
What precautions can we take if we need to do Internet banking from a public computer, Internet café for example?
VPN, SSL and https are all about encryption. Encryption is what keeps private information private.
When you read the news online, the data can be intercepted and read by others. Nobody cares about that because the information is public anyway. When you send email using Yahoo or Live mail it also can be intercepted and read. If you upload or download a file it can be intercepted and the contents can be viewed. The way you protect against other people being able to read your data is by using encryption. SSL stands for Secure Sockets Layer and is a standard method for implementing encryption. When you go to a web site that starts with https it is using SSL to encrypt your data. When you type in your username and password on an https web page it is first encrypted, and then sent and the computer on the other end then can decrypt it. If I am capturing your traffic I will not see what your user name and password are. The trick is that the other web site has to support https. Yahoo mail for example will encrypt my username and password, but then reverts to normal http so that anyone could read my mail if I am using unsecured public WIFI. I don’t use Yahoo mail on unsecured WIFI.
A VPN is a virtual private network. VPNs are commonly used by businesses so that workers can securely access the company computers when they are not at the office. In the typical situation there is a server inside of the company that has VPN server software and the worker’s computer has VPN client software. When the worker connects to their company network all of their data is encrypted before it is sent out and then decrypted by the VPN server and directed to where it was intended to go. It doesn’t matter if the connection is http or the wireless network is not encrypted, the VPN will encrypt the data. This can create a false sense of security however. In many cases it is only the data that goes between the company and the computer that is “tunneled” (encrypted). So if I VPN into ESET then all of my data between my computer and ESET is encrypted, but if I go to Facebook it is not encrypted. Some companies will encrypt all traffic, but most don’t.
There are companies that provide VPN solutions. There are both free and paid VPN solutions and these will encrypt all of your data as it leaves your computer or when it is sent. The way it works is that the company has a VPN server. When you use the VPN client and go to Facebook, the data is encrypted and sent to the VPN server where it is decrypted and then sent to Facebook. All of the data from Facebook will then go back to the VPN server, get encrypted and sent to your computer. If you have a full VPN solution like this then using public WIFI isn’t as risky as your data is not in the clear. If web sites, like Facebook, Yahoo, LinkedIn, etc. used https all of the time it wouldn’t be a problem, but they don’t. Gmail does use https all of the time, however if you have had an account for a long time then it may not be set up to use https and you need to go into your settings and verify it is set to use https always.
As for Internet banking it is never safe to use a public computer. You do not know if there is malicious software installed on it. You always need to use your own computer and take precautions to prevent your computer from getting infected. Never use a public computer for anything that requires a password that you don’t want someone else to know. If you use the same password everywhere then giving your password to log onto your local news web site means someone may know your password for your banking and email too. Public computers are fine for searching for information, reading the news, and playing games, but always assume someone else is capturing everything you do.
Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC
