We're looking for a recommendation for a free VPN that will allow us to safely and securely do some limited internet banking while on the road and using wifi hotspots. Are there any of you who use "Hotspot Shield" or similar services like "Free VPN", and what kind of results are you experiencing? Thanks in advance for any suggestions.

A VPN is a private connection between two or more computers you control. I'm not sure how it could be made to work unless it's between your traveling computer and your stationary one back home.Any financial institution will use a secure website - https - for on-line transactions. The chances of having that compromised are almost nil.Of course, if you're going to use a "community" computer like those at a public library while you're on the road, then all bets are off.al

A VPN is an excellent idea and should be taken seriously whenever you travel and use public WIFI. If you are using a MIFI hotspot I would be less concerned. Using public WIFI is very dangerous even when using SSL. I use a number consistently when doing Penetration Testing at work, so many exploits that can be leveraged and they are so easy to do on public internet. You can do a Man in the middle attack by pretending to be the campground WIFI. This will gain large amounts of data secure and non secure that can be either used to break into your banking or to harvest enough info to other sites to be able to build a profile to be able to guess common passwords, common "forgot password" answers etc. As part of a man in the middle attack, you can do deep packet inspection by providing the end user with a legitimate certificate (just not the one for the bank and they likely won't notice) to decrypt their data inline. There are many SSL flaws floating around right now, SHA1 has been end of life'd by all the Certificate authorities due to its insecurity and there are still a large majority of sites that have not yet upgraded to SHA2 because they are waiting for their current Cert to expire before doing it. This is just a small number of the many exploits that can be leveraged against you today with minimal skill, as so many exploits are already in hacker toolkits like the Metasploit Framework.I would not rely on SSL alone, there are too many ways to compromise it.I user CyberGhost. It has a free option as well as some premium options that are pricy. I managed to get a deal several times for about $20/year for a "basic premium" package. Their service has been rock solid. No need to worry about stability or security of "free" services. Remember free always costs someone, weather it is advertising, selling your surfing habits to third parties etc. Identity privacy is far more important that saving a few bucks on a free service. I would go with a service at a minimum offers both a free and paid option, their free option is far more likely to be trustworthy.

aslakson wrote:A VPN is a private connection between two or more computers you control. I'm not sure how it could be made to work unless it's between your traveling computer and your stationary one back home.Any financial institution will use a secure website - https - for on-line transactions. The chances of having that compromised are almost nil.Of course, if you're going to use a "community" computer like those at a public library while you're on the road, then all bets are off.alI agree. The security provided by a secure website is more than adequate to protect the common banking transaction from a public wifi system. Sure, there are many theoretical ways to defeat that security, but campgrounds, McDonalds, Starbucks and the like are hardly target rich environments. As Willie Sutton famously responded when asked why he robbed banks "That's where the money is". The same can be said for hackers. Public wifi connections are mostly a gaggle of photos, personal messages, facebook, videos, sports scores, news, Hollywood gossip and Porn. Just not the pond the professional data fisherman is going to be fishing in.

As I have pointed out before... using a VPN that entails trusting an intermediate service provider - whether free or paid - is still a trust thing. In both cases the VPN provider not only can collect every bit of information a bogus open wifi network can, but in the case of a paid-for service, they also know your name and probably your credit card information. It really is a matter of who you trust. Personally I would prefer to ask the library, Starbucks, McDonalds or wherever for the exact name of their free wifi service and then connect to that and trust SSL (https) to provide end-to-end protection.Dave

VE3ESN wrote:We're looking for a recommendation for a free VPN that will allow us to safely and securely do some limited internet banking while on the road and using wifi hotspots. Are there any of you who use "Hotspot Shield" or similar services like "Free VPN", and what kind of results are you experiencing? Thanks in advance for any suggestions.I have a few thoughts on this.1. Free.. you get what you pay for.2. Remember that you have to be able to trust your VPN service. The encryption is only to them. They decrypt the info and then pass it on. The VPN provider is "able" to see all of the raw non-https traffic that you are trying to protect by using a VPN. 3. They only thing you are protected from is others on the hotspot site being able to see your traffic with a sniffer. Remember that any sites you connect to using HTTPS are already encrypted traffic and yes using a public wifi and if it has been compromised you could become a victim of a man-in-the-middle attack where your encrypted https traffic is decrypted by the bad guy read and then forwarded on without you knowing it.4. If you are truly concerned then I would use my phone's data plan and a wifi hotspot. You control who else is using that connection and I find that the speeds I get on the internet is faster than using the local campground wifi. I would trust that better than a 3rd party free vpn provider.5. You are more likely to be compromised by an e-mail with an attachment. For example it is well known that the hackers craft e-mails that look official from banking, shipping and even co-workers at your company.. with an attachment or link that looks real. BUT once you click on it your system is compromised and your antivirus will not help you. Many many people have been victim to this and don't even know it. Every keystroke is sent to the bad guy and they may even have remote control of your computer and be able to turn on the camera without your knowledge. Just my thoughts and I'm sure others have their opinions.

Virtual Private Network (VPN) - Free if possible

27 Replies

Chris_Bryant
Explorer II
May 08, 2015
FWIW, if you have a high speed connection at home, and you just want a VPN for traveling, you could always use a Raspberry Pi to make your own VPN. Other than the few bucks spent on the Pi, it is free.
rwbradley
Explorer
May 08, 2015
magicbus wrote:
rwbradley wrote:
bwanshoom wrote:
dshinnick, look up a man-in-the-middle attack. If someone controls your connection to the internet (e.g. they own the router) they can make you think you're talking to your bank, but you're not. It's not hard to fake a website that looks like BOA, for example. Phishing attackers do this all the time. And most people wouldn't know a good certificate from a bad one. There have been numerous cases of certificate authorities (someone your browser trusts implicitly by default even though you've never heard of 99% of them. Do you trust the Chinese government? Your browser did...until last month) being hacked and issuing bogus but perfectly valid certificates.

There are malicious hotspots that do this kind of thing. Someone on this forum mentioned they owned a WiFi Pineapple which does everything I just mentioned.

As has been noted numerous times in this thread, the likelihood of this occurring is quite small but it's non-zero. Depending on how paranoid or cautious you are you might care or you might not.

Well described. I think you stated it far more clearly than my feeble attempts.

Well now hold on... you can't have it both ways! You agree 100% that hacking certificates is occurring all the time and Man In the Middle attacks are easy BUT not where it applies to VPN's?

rwbradley wrote:

1) Paid VPN services are based on a model of trust, just like Certificate Authorities who issue the SSL certificates to the banks, or even the Banks themselves. They would go out of business if they are not trustworthy.

So it's OK to trust certificates for a VPN but not for banks :? You wholeheartedly agree that a MIM attack could make me think I am talking to BOA but the same MIM attack can't pretend to be my VPN service? I must be missing some subtle difference!

Dave

Please reread your quote, the answer is right there. What I agreed to is his description including but not limited to "the likelihood of this occurring is quite small but it's non-zero" Nowhere in any of the previous posts did I or anyone say it is happening all the time, we explained how easy it is to do in various different wordings. Just because your house has never been robbed and you keep your doors unlocked every night does not mean you are secure, it just means you live in a safe neighborhood or have been lucky so far. My house or none of my neighbors that I speak to have ever been robbed, but I am not about to leave my doors unlocked because it makes it too easy for some bored 16 year old. And yes I understand that a lock will not stop a robbery, but it will mean the thief will most likely move on to the next house and look for an easier target.

Re VPNs. I am not about to write pages of information on VPN's and how IPSEC works vs SSL. Hint the difference is massive, the types of encryption used, the methods of sharing keys etc. IPSEC VPN's are significantly more secure and have no known exploits to them unless using an older less secure encryption algorithm and use an entirely different trust model than a secure website does. I will concede that you cannot trust anything fully on the internet, but you sure can trust some things more than others, IPSEC VPN's are one that you can trust more than the SSL encryption your Bank uses. The technical aspects of this is significant and I will loose most of the readers if I try to explain it. The point of mine an other responses was to illustrate in laymen terms to those who are not a CISSP and CEH like myself, so that others can benefit from the years or decades of experience that some who have responded have, without needing a Phd in Computer Science to understand it.

At this point the OP has thanked everyone for their responses and made a decision based on the recommendations. The topic has been explained numerous times, in different ways, by a number of different people. So this thread does not continue to go around in circles 6 more times, I suggest we agree to disagree and move on with our lives. I will be unsubscribing to this thread and will have no further comments on the topic.
magicbus
Explorer II
May 08, 2015
rwbradley wrote:
bwanshoom wrote:
dshinnick, look up a man-in-the-middle attack. If someone controls your connection to the internet (e.g. they own the router) they can make you think you're talking to your bank, but you're not. It's not hard to fake a website that looks like BOA, for example. Phishing attackers do this all the time. And most people wouldn't know a good certificate from a bad one. There have been numerous cases of certificate authorities (someone your browser trusts implicitly by default even though you've never heard of 99% of them. Do you trust the Chinese government? Your browser did...until last month) being hacked and issuing bogus but perfectly valid certificates.

There are malicious hotspots that do this kind of thing. Someone on this forum mentioned they owned a WiFi Pineapple which does everything I just mentioned.

As has been noted numerous times in this thread, the likelihood of this occurring is quite small but it's non-zero. Depending on how paranoid or cautious you are you might care or you might not.

Well described. I think you stated it far more clearly than my feeble attempts.

Well now hold on... you can't have it both ways! You agree 100% that hacking certificates is occurring all the time and Man In the Middle attacks are easy BUT not where it applies to VPN's?

rwbradley wrote:

1) Paid VPN services are based on a model of trust, just like Certificate Authorities who issue the SSL certificates to the banks, or even the Banks themselves. They would go out of business if they are not trustworthy.

So it's OK to trust certificates for a VPN but not for banks :? You wholeheartedly agree that a MIM attack could make me think I am talking to BOA but the same MIM attack can't pretend to be my VPN service? I must be missing some subtle difference!

Dave
rwbradley
Explorer
May 08, 2015
The timing could not be more perfect...
Here is some "paranoia" for you. Yes he maybe one of the most talented hackers in the world, but if you view the actual demonstration, it was not to show how easy it was for Kevin Mitnick to do, but how easy it is for anyone to do.

http://www.businessspectator.com.au/news/2015/5/7/technology/kevin-mitnick-shows-hacking-childs-play-cebit-keynote

The people you need to be afraid of are not the ones who have a back door to core network infrastructure as they are government and we really cannot do anything about it anyway so what is the point. What you need to be afraid of is the 16 year old next door, who has too much free time, knows how to google and has not fully developed a sense of right vs wrong yet.
bwanshoom
Explorer
May 08, 2015
joebedford wrote:
There just plain isn't enough paranoia in this thread. The people you REALLY have to be afraid of have backdoors into network backbone routers, record all your traffic and can defeat puny 256 bit encryption in an instant.
When your adversary has over 30,000 employees and a $10 billion budget your only hope is a legal avenue.
joebedford
Nomad II
May 08, 2015
There just plain isn't enough paranoia in this thread. The people you REALLY have to be afraid of have backdoors into network backbone routers, record all your traffic and can defeat puny 256 bit encryption in an instant.
rwbradley
Explorer
May 08, 2015
bwanshoom wrote:
dshinnick, look up a man-in-the-middle attack. If someone controls your connection to the internet (e.g. they own the router) they can make you think you're talking to your bank, but you're not. It's not hard to fake a website that looks like BOA, for example. Phishing attackers do this all the time. And most people wouldn't know a good certificate from a bad one. There have been numerous cases of certificate authorities (someone your browser trusts implicitly by default even though you've never heard of 99% of them. Do you trust the Chinese government? Your browser did...until last month) being hacked and issuing bogus but perfectly valid certificates.

There are malicious hotspots that do this kind of thing. Someone on this forum mentioned they owned a WiFi Pineapple which does everything I just mentioned.

As has been noted numerous times in this thread, the likelihood of this occurring is quite small but it's non-zero. Depending on how paranoid or cautious you are you might care or you might not.

Well described. I think you stated it far more clearly than my feeble attempts.
bwanshoom
Explorer
May 07, 2015
dshinnick, look up a man-in-the-middle attack. If someone controls your connection to the internet (e.g. they own the router) they can make you think you're talking to your bank, but you're not. It's not hard to fake a website that looks like BOA, for example. Phishing attackers do this all the time. And most people wouldn't know a good certificate from a bad one. There have been numerous cases of certificate authorities (someone your browser trusts implicitly by default even though you've never heard of 99% of them. Do you trust the Chinese government? Your browser did...until last month) being hacked and issuing bogus but perfectly valid certificates.

There are malicious hotspots that do this kind of thing. Someone on this forum mentioned they owned a WiFi Pineapple which does everything I just mentioned.

As has been noted numerous times in this thread, the likelihood of this occurring is quite small but it's non-zero. Depending on how paranoid or cautious you are you might care or you might not.
dshinnick
Explorer
May 07, 2015
I taught computer networking for 20 years, and I've never understood the concern about using SSL over a public network. If the site you're connecting to (ie, bank) has a valid certificate from a reliable certificate server, and the connection between your pc and the bank is fully encrypted with reasonably current technology, like 256bit AES and such, what's the concern? It gets kinda involved, but your pc encrypts data with the bank's public key, and can ONLY be decrypted with the bank's private key, which the bank NEVER releases. It's encrypted from my pc all the way to the bank. The encryption actually creates my own little private encrypted "tunnel". So what if the packets go over a public network just loaded with hackers running sniffers? They'll get packets full of garbage, whether my wifi connection (ie, Starbucks) is encrypted or not. If the encryption techniques used by banks today don't provide secure, reliable encrypted connections, then there's nothing we can do, and we'd better just use the phone or snail-mail from now on.
VE3ESN
Explorer
May 05, 2015
Thank you all for the interesting and "varied" replies. After doing a bit of further research, I've decided to use the free version of Cyberghost. As PC Magazine stated: :"If you are looking for a free VPN service, CyberGhost VPN is by far the best one I've seen." I do agree with rwbradley that a VPN having both a free as well as a paid service is the best choice.