Thursday, April 13, 2017

Protecting your data in transit

Data In Transit – Data At Rest

I recently received this question from a user:

Especially given the new anti-privacy laws. Is there a way to encrypt your data to avoid it getting sold to the highest bidder? I already have everything on Google drive, for the most part. It makes it easy since I have so many computers where I do my work and I travel a lot, which increases the likelihood that I lose a laptop or tablet.

Someone mentioned a VPN. I have one for work. Is it worth getting a VPN for personal use to guard my privacy?

Here's my response:

First of all, congratulations on being aware of these issues.

Second question first:
Protecting your data in transit.

The world as of 1/1/17:

When you interact with websites over HTTPS (such as financial, shopping, legal, and more every day), your communications are encrypted both ways between your browser and the remote servers. The encryption is good (and evolves as the attacks grow more capable) such that anyone tapping the communication can’t read your credit card number. This is why some industries such as health care and legal, by their professional ethics rules, can use email only to alert you to go to your account on a secure portal to read any substantive communication.

The risk arises when an untrusted party controls a segment of the communication pathway between you and your destination. This “Man In The Middle” can then feed you a bogus certificate that encrypts your data so he can read it as it goes by. The most common scenario is for the MITM to offer public WiFi in a place where you would expect to find it. He could create his own hotspot named “coffeeshop” or “hotel” while sitting at the next table or in a nearby room and induce you to use it rather than the authentic hotspot.

The world today:

Recent rumblings in Washington imply that any US internet provider (ISP) will be allowed to act as an MITM. Previously they have at least been on their honor to read and record only the information required to pass your communication on its way towards its destination. Now they may track the contents of your communication and sell what they learn about you to whatever market is interested in it. This can be particularly valuable, or noxious, depending on your viewpoint because they already have a lot of personal information about you such as your name, address, telephone, and creditworthiness and can attach that to your browsing details.

Even worse, they could attach to their terms of service that you must install their master certificate to your system so they can even look into your HTTPS communications. Presumably, you could opt out of this tracking for an additional cost.
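One way to notice this kind of interception, as an added example that is not part of the original post: record each site's certificate fingerprint and issuer on a network you trust, then compare on the network in question. The host names, fingerprints and issuer names are constructed sample data, and the three-host threshold is an assumption.

```python
import hashlib
import socket
import ssl


def observe(host, port=443, timeout=5.0):
    """Return (sha256 fingerprint, issuer organization) of the certificate
    presented for `host` on the current network. Needs network access."""
    ctx = ssl.create_default_context()  # verifies against the system trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
    return hashlib.sha256(der).hexdigest(), issuer.get("organizationName", "")


def compare(baseline, current):
    """Both arguments map host -> (fingerprint, issuer). Returns the hosts whose
    certificate changed, mapped to (old issuer, new issuer)."""
    return {
        host: (baseline[host][1], current[host][1])
        for host in baseline
        if host in current and baseline[host][0] != current[host][0]
    }


def interception_suspected(baseline, current, min_hosts=3):
    """One changed certificate is usually routine renewal. Several unrelated
    sites suddenly sharing one new issuer is the signature of a middlebox
    re-signing traffic with its own root certificate."""
    changed = compare(baseline, current)
    new_issuers = {new for _old, new in changed.values()}
    old_issuers = {issuer for _fp, issuer in baseline.values()}
    return (
        len(changed) >= min_hosts
        and len(new_issuers) == 1
        and not new_issuers & old_issuers
    )


# Constructed sample data: hosts, fingerprints and issuer names are invented.
BASELINE = {
    "bank.example": ("a1" * 32, "Example Trust CA"),
    "mail.example": ("b2" * 32, "Sample Root Authority"),
    "shop.example": ("c3" * 32, "Example Trust CA"),
}
RENEWED = {**BASELINE, "shop.example": ("d4" * 32, "Example Trust CA")}
INTERCEPTED = {h: (f"{i:02x}" * 32, "ISP Inspection Root") for i, h in enumerate(BASELINE)}
```

If the interceptor's root is not installed, `observe` raises `ssl.SSLCertVerificationError` instead, which is the same condition a browser reports as a certificate warning.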

This is where the VPN comes into play. When you install a VPN on your computer, you receive its certificate once, at installation, through a reliable channel. By contrast, when you browse to an HTTPS site you receive a certificate on the fly and would have to examine it in detail every time to ensure its validity. Updated browsers will alert you if there seems to be a problem with the cert, but few people understand what the problem might be or how to validate it, so they just accept it anyway.

Having made a verified connection to the VPN, you then send your data directly through an encrypted link to the VPN’s connection to the internet whence it continues to its destination. This method is comparable to handing a letter to the agent in the post office rather than clipping it to your door and hoping that the person who picks it up is a trusted mail carrier. (When you use a VPN to your office, the endpoint is the office network and you are able to function as though you were sitting at your desk in the office.)

The Opera browser includes the ability to connect directly to a VPN for all your browsing. (Enable it from the Settings menu in the Privacy & security section. You then turn it on or off and choose the location of the exit point from a button in the address bar.) This VPN only protects your data that is going through the Opera browser. If you use another browser, an email client, or another app such as messaging, file sharing, or media streaming, you are not protected.

To protect all your internet traffic you need to use a VPN that is installed in the operating system like any other program. You may set it to start when your computer boots or turn it on whenever you are away from a trusted internet connection. If you have a company VPN you can probably access the internet through it and not need another installed VPN. (Be aware, though, that the company VPN, especially from a company computer, means they are a trusted MITM if you use it for personal communications. Even if they don’t decrypt all of your traffic [which is frequently done to protect their computers and network from malware], they are still seeing your metadata, such as the fact that a large file was transmitted to their competitor.)

Using a VPN may impose a degradation of your communication speed or latency. This would be most noticeable when transferring large files or with real-time applications such as gaming, voice or video chat, or remote computing. Such issues should be less significant with a paid service. The only installed VPN I’m familiar with, which came highly recommended, is proXPN at

Aren’t you glad I answered the easy question first?

Next comes …
Protecting your data at rest.
