8

While in Germany, I want to keep using my Netflix account and watch PBS and CNBC. I have found the following services:

A VPN: https://hidemyass.com/vpn/promo/1/5/

A DNS: http://www.unotelly.com/unodns/

I am concerned about someone stealing my data through a man-in-the-middle attack. Should I use any of these services?

I know that HTTP traffic is fair game. What about HTTPS? Would anyone be able to steal my online banking password or Gmail credentials?

Dmitry Chornyi
  • Why waste time worrying if you can trust them or not? Just turn those services off before doing anything involving sensitive data. – Graham Hill Apr 05 '12 at 10:32
  • I think the chances of a man-in-the-middle attack are very low. The chances of your government monitoring your internet habits during VPN usage vary among VPN providers. Here is a good article on this subject: [http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/](http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/) – Jim In Texas Apr 05 '12 at 15:51

5 Answers

5

> What about HTTPS? Would anyone be able to steal my online banking password or Gmail credentials?

You shouldn't worry about this unless you make it a habit of installing forged certificates.

Furthermore....

If you are on a wireless connection which has a password and the proper security modes enabled (WPA, WPA2), the only way to hijack your information is to connect to somebody else pretending to be said access point.

If you are viewing a https page you are safe.

Ramhound
  • HTTPS can be hacked in this MITM scenario if the CRL or OCSP response is cached or replayed. That would assume that another trusted CA was hacked. It has happened before, see http://security.stackexchange.com/a/2273/396 – makerofthings7 Jun 12 '12 at 12:58
  • @makerofthings7 - I indicated that is the one weakness of WPA and WPA besides brute force of course, is that IF you connect to forged access point, you are vulnerable. – Ramhound Jul 05 '12 at 18:34
  • Please note, that instant proxy services (such as HMA) see all traffic in clear-text. If you have a look at the URLs of instant-proxies, you will see: `https://anon-service/https/real-server/real-url`. So your browser has an encrypted connection to the anon-service and the anon-service has an encrypted connection to the real server. Using a traditional proxy will ensure an encrypted connection from the browser to the real server, unless the browser accepted untrustworthy certificates. – Hendrik Brummermann Dec 31 '12 at 17:13
2

As long as the certificates turn out to be correct you have nothing to worry about. On HTTP it is as insecure as any normal routing services. Everyone that owns a routing node can sniff the traffic if they want to.

SSL strip is possible for some sites but there is a protection against it built into browsers (see this question: "Options when defending against SSLstrip?").

Lucas Kauffman
  • A question on SSLStrip has been answered before if you're interested in more information. http://security.stackexchange.com/questions/2113/options-when-defending-against-sslstrip Alternatively the EFF's HTTPS Everywhere tool is quite nice. https://www.eff.org/https-everywhere/ – SomethingSmithe Apr 05 '12 at 14:15
2

Anything sent over HTTPS is secure unless you leave compromised certificates installed, or manually install untrusted certificates. If you never install certificates yourself, and keep your OS up-to-date, you don't need to worry about HTTPS traffic.

Note, however, that even though such a VPN service cannot see the contents of your SSL traffic, they can see which servers you contact - this means that they will be able to tell that you did visit your online banking site, etc., but they won't be able to tell what you did there.

This may or may not be an issue; if it is, consider using Tor, tunneling through your home network, or simply turning the VPN off when you do things you don't want them to know.

tdammers
2

I highly recommend UnoDNS. I have been running it since January and no issue so far. You can check out their privacy policy if you are concerned about security.

Honestly, nowadays, you are probably losing more information to Facebook and Google than any other companies combined. These smaller players can't really do much with your data unlike the big guys...

About your actual HTTPS question:

No, unless they are really good enough to break the SSL encryption, which is nearly impossible for anyone other than a state-sponsored organization. These small-time players have no incentive to hack you or whatever because remember, their goal is to provide you with a service and, in exchange, get a few bucks a month from you. However, I would be more alert if the service was free instead of paid.

Austin
-1

Nothing is 100% secure. However, you can use a few technologies together. For example: using VPN over Tor. Hidemyass is known for privacy issues. You can read about it here: http://invisibler.com/lulzsec-and-hidemyass/

HTTPS is mature and secure to use.

user28522
  • Hi and welcome to the Security StackExchange! Unfortunately, your answer does not really explain why using a VPN over Tor would answer the concerns of Dmitry, and it mostly consists of an external link. Please take some time to read the [answer] page, and consider developing your answer further. – Steve Dodier-Lazaro Jun 04 '15 at 12:22