[conspire] VPN

Rick Moen rick at linuxmafia.com
Mon Dec 6 22:51:33 PST 2021


Quoting Paul Zander (paulz at ieee.org):

> Some years ago, I needed to access my work computer network from
> home.  For security reasons, I had to use a VPN between my computer
> and the work computer network.  That seemed very reasonable at the
> time.

I'm glad you mentioned that, because it's something I considered
covering in my earlier posting:  Above, you're talking about the _other_
common use-case for something called a "VPN" -- an encrypted software
tunnel you are able to raise for transporting a variety of network
traffic between you and a remote network -- usually that of your
employer.

That is a different use-case from "VPN services", discussed earlier,
whereby you raise an encrypted software tunnel for transporting a
variety of traffic between you and one of (usually) a number of the
commercial service's public IP addresses at which your Internet
presence appears to originate (outbound) and terminate (inbound).

One of those, say, NordVPN, might permit you to raise a tunnel to IPs in
the UK, so that your queries out to bbc.co.uk appear to be coming out
from, and being answered to, an IP address in the British Isles, hence
you should be permitted to watch/listen to BBC-licensed content under
the assumption you're a Briton who pays the television/radio tax.

> I suppose if I went around using whatever Wi-Fi happened to be available,
> a VPN might be helpful.

{shrug}

People often say that, but it doesn't honestly make _much_ sense.
All it does is cause your traffic to attempt to go out encrypted on the
first hop to your VPN provider's endpoints and then back into the
Internet at that point, at the cost of a whole lot of speed loss and
latency because of having to loop everything out through Finland or
wherever.  But you're still passing out through the WiFi gateway and
router you are apparently afraid is messing with you.

My own attitude is:  A situation where you cannot/should not trust the
network is what one properly calls "normal life".  It's a mistake to
trust the network.  Practically all of the details of how we attempt to
have security and privacy despite using dodgy and suspect network
transport are designed to contend with that base reality, so when I hear
someone say "Gee, I don't trust this network", I think "Really?  And you
trust all of the other ones?  How's life in 1978?"

> Only I don't do my banking at the local coffee shop.

Why not?  I would.

I have reasonable faith in the SSL cert verification (well, enough
faith, with reservations), and everything I say to the bank would be
over https.  Wouldn't that be the case with you?

The whole purpose of the CA infrastructure is to ensure that you can do
trustworthy communication over untrustworthy networks.  Of course, the
CA infrastructure is in its finer details a dismal failure, but that's a
different discussion.

> Hadn't thought of spoofing my location so I could access certain
> websites that restrict their content to certain geography.

Well, that's a larger part of what use-case VPN _services_ (as opposed
to "VPN" as in "I'm VPNing into my corporate network") are paid to
accomplish.

Think, for example, about sportsball games that are available to see
online but are subject to blackout in the teams' home areas.  That
blackout is enforced by geoIP checking.  And, obviously, if your IP
presence is changed by a VPN service to be in some tactical choice of
remote location, maybe you can watch the game anyway.

Of course, the more money's involved, the more the cat-and-mouse game
gets played, e.g., Major League Baseball tries to map out a list of
known VPN service IP addresses, so their security checking can say "No,
you can't fool us by bouncing off NordVPN in Poughkeepsie."

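The point made above about banking from a coffee shop (that TLS certificate verification, not the network path, is what makes the session trustworthy) can be shown with a small self-contained program. This is an added example and not code from the post or the list; it uses only Go's standard library, builds a throwaway CA and a server certificate in memory for the constructed hostname "bank.example", runs a loopback TLS server, and then dials it three ways: with the system roots (the CA is unknown, so the client refuses), with the CA trusted but the wrong expected hostname (the client refuses), and with the CA trusted and the right hostname (the client accepts). All hostnames, names and keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const bankHost = "bank.example" // constructed hostname for this example

// newKeyAndTemplate returns a fresh P-256 key and a certificate template
// valid for one hour around "now". Constructed material; nothing touches disk.
func newKeyAndTemplate(cn string, serial int64) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return key, tmpl, nil
}

// MakeCA builds a throwaway self-signed CA and returns its parsed cert and key.
func MakeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, tmpl, err := newKeyAndTemplate("Example Test CA", 1)
	if err != nil {
		return nil, nil, err
	}
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MakeServerCert issues a leaf certificate for host, signed by the CA.
func MakeServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (tls.Certificate, error) {
	key, tmpl, err := newKeyAndTemplate(host, 2)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl.DNSNames = []string{host} // the name the client will check against
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Connect starts a loopback TLS server presenting serverCert, dials it with
// clientCfg, and classifies the outcome of the client's certificate checks.
// The loopback socket stands in for whatever network the client does not trust.
func Connect(serverCert tls.Certificate, clientCfg *tls.Config) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return "error: " + err.Error()
	}
	defer ln.Close()
	go func() {
		// Server side: accept one connection and attempt the handshake.
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // verifies chain and name
	if err == nil {
		conn.Close()
		return "accepted"
	}
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case errors.As(err, &unknownCA):
		return "rejected: unknown authority"
	case errors.As(err, &badHost):
		return "rejected: hostname mismatch"
	default:
		return "rejected: " + err.Error()
	}
}

// RunScenarios exercises the three client configurations described in the lead-in.
func RunScenarios() (map[string]string, error) {
	ca, caKey, err := MakeCA()
	if err != nil {
		return nil, err
	}
	serverCert, err := MakeServerCert(ca, caKey, bankHost)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return map[string]string{
		"system roots, correct name": Connect(serverCert, &tls.Config{ServerName: bankHost}),
		"our CA, wrong name":         Connect(serverCert, &tls.Config{ServerName: "other.example", RootCAs: pool}),
		"our CA, correct name":       Connect(serverCert, &tls.Config{ServerName: bankHost, RootCAs: pool}),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, outcome := range results {
		fmt.Printf("%-28s %s\n", name, outcome)
	}
}
```

The two rejections are the whole point: the client never sends application data unless the presented certificate chains to a root it trusts and carries the name it asked for, so an on-path box at the coffee-shop gateway can only break the connection, not read or alter it. Any client configuration that turns either check off (in Go, `InsecureSkipVerify`) gives that box back the ability to impersonate the bank, which is the property a VPN tunnel to a remote exit does nothing to restore.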