3DSC Day 14: Virtual Private Network

Today is going to be a little bit different than most because today I am going to ask you to spend a little money.  Today’s task is to purchase a virtual private network service.  A virtual private network (VPN) is one of those things that I just could not live without.  After using one for so many years it feels like wearing a seatbelt – I can go on without it, but I’m going to have a nagging feeling the whole time.

So what exactly is a VPN?  A VPN works like this: you install a program on your computer and smartphone.  When activated the program will create an encrypted “tunnel” to a remote server, also owned and/or operated by the VPN provider.  Your traffic will be encrypted to and from this remote server.  This has two benefits:

  • Security:  If you are worried about your local traffic being captured and analyzed, worry no more.  All of your traffic will be encrypted and protected from hackers, internet service providers, nosy owners of public Wi-Fi hotspots, and your company IT guy.  Your VPN will also defeat trackers like Verizon’s supercookies.  It is hard to overstate the security benefits of using a VPN, especially when you are connected to an untrusted network.
  • Privacy:  VPNs also offer you a great deal of privacy.  When you connect to a VPN server your traffic appears to originate from that server.  This means that websites that are attempting to track your physical location and browsing history (via your IP address) will have a much harder time doing so.  Additionally, all your traffic that exits the VPN server exits alongside the traffic of other users, making it less distinct and not obviously yours.

Although there are tons of free VPN services available, there are lots of good reasons NOT to use a free virtual private network.  Running a VPN service is expensive business with a lot of overhead, and free ones have to be financed in some way.  Some free VPNs are little more than data collection mechanisms for gathering subscribers’ data.  For example Facebook paid $120,000,000.00 for Onavo, a company that offers a free VPN and data compression app.  One imagines Facebook did so to serve the needs of Facebook and will receive a return on that investment, probably in data collected from users.   One free VPN even sold user bandwidth that was subsequently used in botnet and DDoS attacks.


The virtual private network service that I recommend is Private Internet Access.  Private Internet Access (PIA) has a lot of things going for it that I really like.  First, PIA has over 3,000 servers.  Though you are only allowed to choose what region you would like to connect to (US Midwest, US Texas, US East, etc.) there are numerous servers in each “region”.  This allows PIA to load balance so traffic is not slowed by heavy use on any single server.  Next, PIA uses the OpenVPN encryption protocol which offers the best VPN encryption currently available.  A single PIA subscription offers unlimited bandwidth and allows you to connect up to five devices simultaneously.  This is enough for many small families to connect most of their devices with a single plan.  Finally, PIA is extremely user friendly and available for Android, iOS, Mac OS X, and Windows devices.

To use Private Internet Access (or many other paid VPNs) follow the steps below:

  • Purchase a subscription.  A year is only $39.95 which averages out to $3.33 per month.  You can pay for your PIA subscription with all major credit cards, PayPal, BitCoins, or even with major retailer gift cards.  Have an old, half-used REI gift card from last Christmas?  It’s probably worth at least a month or two of PIA service.  After you have purchased a subscription you will be emailed your login credentials.
  • Download the PIA app on your computer, phone, and other devices you wish to protect (I have previously written specifically about PIA for iOS).
  • Enter your credentials on the app and connect.  That’s it.

PIA does offer some advanced user settings, like the ability to change encryption, SHA, and handshake protocols as shown in the screen grab below, but the default options are solid.

Virtual Private Network

FULL DISCLOSURE: this blog has an affiliate relationship with PIA.  This means I receive a small commission for every subscription sold through this site.  However, I do not push PIA because of this; I push PIA because I believe in the product and use it myself.  There are numerous other VPN providers with which I could partner but I do not because they have yet to earn my trust.  That being said, there are many very good, reputable VPN providers out there.  If you are uncomfortable with PIA I encourage you to do your own research.  Some other virtual private networks that I have experience with and would personally recommend (and DO NOT have an affiliate relationship with) include AirVPN, blackVPN, and CyberGhost.

3DSC Day 09: Browser Security

Yesterday we began to shift our focus outward when we began changing online account passwords.  Today we will continue this shift by installing Firefox and modifying some of its settings.  Browser security and privacy settings play a big role in how easily websites can track you.  Firefox gives you the maximum flexibility to control these settings to your benefit.  It also has one other huge benefit that other browsers do not, and we will discuss this tomorrow.

The first step in this process is to download Firefox if you do not already use it.  Next, install the program on your computer. Once it is up and running, open “Preferences”.  To access Preferences click on the “hamburger icon” in the upper left of the interface. The Preferences menu will have eight tabs listed down the left-hand side of your screen.  This tutorial will only deal with those that are most relevant to improving your browser security and privacy.

Privacy Settings:  This is where most of the real work will happen to increase browser security and privacy.  First, under Tracking, uncheck the box labeled “Request that sites not track you”.  Though checking this box would allow Firefox to send a Do Not Track request to websites, the sites you visit have no obligation to honor this request.  I do recommend that you leave the Tracking Protection box checked.  Tracking protection is provided by Disconnect, a company we will see again later this week.

Next, go to the History section.  The changes made here are incredibly important.  After modifying these settings, Firefox will not save anything between browsing sessions.  This makes it much more difficult for sites to track your browsing behavior, and minimizes the browsing history that is stored locally on your computer.  Under the “Firefox will:” drop-down, select “Use custom settings for history”.  This will allow you to choose exactly what Firefox “remembers” or purges when you close it.  Choose the settings that mirror those shown in the image below.

Browser Security

Next, click the “Settings” outlined in red in the above image.  This will open an additional dialogue allowing you to choose specific items to be purged when you close Firefox.  I recommend that you check all of these options as shown below.

Browser Security

Security Settings:  Set up these settings to mirror the image shown below.  Be sure to check “Warn me when sites attempt to install add-ons” (add-ons will be discussed tomorrow).  Uncheck both “Block reported attack sites” and “Block reported web forgeries”.  Both of these protections require that your browsing data be available to Mozilla for review.  I do not feel that this is in the best interest of your privacy.

Next, uncheck “Remember logins for sites” and “Use a master password”.  Because we now use a password manager it is unnecessary for Firefox (or any other browser) to remember our logins.  Firefox does not store this information securely.  If you have used this feature in the past you may wish to click the “Saved Logins” button.  This will allow you to view these logins and migrate them into your password manager.  Once you have done so, delete all of them from Firefox.

Browser Security

Today you have taken huge steps to increase your internet browser security and privacy.  Over the next two days we will take some additional steps to increase this even further, making you much more secure and private online.

Private Internet Access for iOS

During the writing of Your Ultimate Security Guide: iOS I had the opportunity to work with a lot of products that I probably wouldn’t have otherwise considered.  One of these is Private Internet Access for iOS (affiliate link).  Though over the years I have used a virtual private network on my iPhone and other mobile devices, and I have used Private Internet Access rather heavily, I had never used the two together until recently.  The Private Internet Access app for iOS is one of the most convenient VPNs I have used to date and the VPN that I will continue to rely on for my phones.

Private Internet Access for iOS
The iOS app’s homescreen. The PIA app is incredibly easy to use.

The PIA app is a certificate-authenticated VPN, which means that installing the app also installs an authentication certificate on your device.  VPNs of this nature can be set to be always on, rather than credential-based VPNs which must be manually reconnected each time you unlock the phone.  Though certificate-based VPNs are notorious for draining batteries rapidly, PIA has found a rather ingenious solution to this.  Rather than remaining always connected to the VPN server (which is the reason “always on” VPNs are notorious for killing batteries) PIA does not always remain connected.  Rather, it drops the connection when the device goes to sleep.  Upon unlocking the device, though, data connections are blocked until the connection is automatically reestablished.  Though your battery will not last as long as it would with a very judiciously used credential (username and password) authenticated VPN, the security PIA provides is well worth the shortened battery life.

Private Internet Access for iOS
Some of PIA’s exit server options from the iOS app.

I have written previously about the security and privacy benefits of using a VPN.  Private Internet Access provides all of these benefits, including encrypted traffic to and from the VPN server and multiple exit servers in multiple countries to choose from.  As I have also written before, PIA also allows you a number of anonymous payment options including BitCoin and redeeming store gift cards.  Yes, store gift cards, meaning if you have an old Starbucks or Home Depot gift card with a balance on it you can cash it in for VPN service.  Not only does this give you a way to use those small balances left on those gift cards at the bottom of the junk drawer, it also allows even the low-tech a way of purchasing VPN service anonymously.

Private Internet Access stores NO logs, allows unlimited bandwidth and five devices connected simultaneously, and costs just $40 per year.

Why YOU Need a Virtual Private Network

Using a virtual private network (VPN) is an important part of strong digital security.  A VPN can accomplish several tasks.  First, it creates an encrypted tunnel to a remote server through which your traffic transits.  This means that anyone inspecting your traffic (from internet service providers to malicious hackers) will capture nothing but unusable, encrypted data.  For best security I recommend using the OpenVPN or IPSec encryption protocols.  Next, because your traffic appears to originate from a remote server your IP address is not correlated with your browsing.  This is important: if you visit a website that logs your IP address they can use the IP address to find your geographical location, your internet service provider, and all your visits to that site.  Using a VPN server that hundreds of other people also use makes you less distinctive and protects your physical location.  Lastly, VPNs can be used to help bypass geographical restrictions.  If you are in a country that blocks certain content you can use your VPN to connect to a server in another country, bypassing geographical restriction.

IPv6 Test

I recommend strongly against using free VPN services.  Last week’s story about a free VPN known as Hola! is an excellent reminder of why paying for a VPN is worth it: Hola! was selling the bandwidth of anyone who had their plugin installed, sometimes to malicious users who conducted botnet activity.  This opens users up to a number of security risks.  Free VPN providers have also been known to monetize by collecting and selling user information, which defeats much of the raison d’être for a VPN.

To determine if your VPN is leaking information about you or how much information you are leaking if you are not using a VPN, Private Internet Access (with which I am an affiliate) has some helpful links.  They will test whether your DNS is leaked, if your IP address is leaked when you send an email, and if your IPv6 address is leaked.

Though I like Astrill, Private Internet Access, and WiTopia, there are plenty of great VPN options out there.  Most are under $100 per year and offer a great many features.  This is a very small price to pay for the disproportionate level of security and privacy they provide.

Fixing Firefox’s WebRTC Vulnerability

Earlier this year a major vulnerability called the WebRTC vulnerability was discovered in Windows machines running Chrome and Firefox.  This vulnerability can compromise your privacy by allowing websites to see your true IPv6 address despite the use of a VPN.  When using a VPN any site you visit should only see the IP address of the VPN’s exit server.  This prevents them from correlating your visit with your geographic location, and building profiles based on your IP address.  To test your system and see if your IP is leaking you can visit https://ipleak.net/.

Thankfully this vulnerability is very easy to correct in Firefox, but it cannot be corrected through the “Options” dialogue.  To correct it go to your URL bar in Firefox and type “about:config” (without the quotes).  This will open a menu where power-users can make many adjustments to the application (many of these adjustments can be made through the Settings, but many cannot).  Bypass the warning and scroll down to “media.peerconnection.enabled”.  This setting is “true” by default.  Double-click this line, which will toggle the value to “false”.  This is all that is required to turn off WebRTC and secure this vulnerability.

WebRTC Vulnerability

There are add-ons for Chrome (WebRTC Leak Prevent and ScriptSafe) that are intended to defeat the WebRTC vulnerability.  It has been reported that these add-ons can be bypassed by a malicious adversary and should not be relied on.  However, if you must use Chrome you should enable one of these add-ons.

For full protection use Firefox and adjust as described above.  Using NoScript may also help mitigate this vulnerability.
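
To confirm that the media.peerconnection.enabled change described above has actually stuck, the following added example (not part of the original post) reads a Firefox profile's prefs.js and user.js files and reports the effective setting. The function names and the sample file contents are constructed for illustration; it assumes the standard profile layout, where values in user.js are applied on top of prefs.js at startup.

```python
import re
import sys
from pathlib import Path

WEBRTC_PREF = "media.peerconnection.enabled"  # pref named in the post

# One line of prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} from user_pref() lines; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines do not match
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw.strip('"')  # keep strings and integers as text
    return prefs


def webrtc_status(prefs_js="", user_js=""):
    """Return 'disabled' only if the effective value is false."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))  # user.js is applied on top at startup
    # Absent from both files means the built-in default, which the post gives as true.
    return "disabled" if merged.get(WEBRTC_PREF, True) is False else "enabled"


def audit_profile(profile_dir):
    """Read prefs.js and user.js from a profile directory, if present."""
    def read(name):
        p = Path(profile_dir) / name
        return p.read_text(encoding="utf-8", errors="replace") if p.is_file() else ""
    return webrtc_status(read("prefs.js"), read("user.js"))


# Constructed sample: prefs.js after the about:config toggle described above.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("media.peerconnection.enabled", false);
'''

if __name__ == "__main__":
    for profile in sys.argv[1:]:
        print(f"{profile}: WebRTC {audit_profile(profile)}")
    if len(sys.argv) == 1:
        print("sample:", webrtc_status(SAMPLE_PREFS_JS))
```

Pass one or more profile directories as arguments to audit them; a user.js that sets the pref back to true will be reported as "enabled" even if prefs.js says false.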