Wondering About VPN & E Mail



PGB1
11-22-2017, 08:58 PM
Hi To All!

Once in a while, I'll have my MacBook Pro (10.11.6) at a public WiFi place. I've never gone on line in one of those locations, but may someday wish to. My OS X firewall is set to ON & Sharing is OFF. As I understand it, the correct thing to do is also use a VPN. (My phone does not have a data plan, so that's out.)

I was wondering if I use a VPN in public and want to check my e-mail, will the Mail program on the MacBook Pro be protected by the VPN or should I go to the provider's web site with a browser & log in there? I sure couldn't figure this one out on my own. (Like usual...)

Thanks Much for your advice!
Paul

Interesting Side Note- I was having some trouble with the Mail application today & went to the ISP's "new" web e-mail site. It no longer has "https" or the padlock icon. I didn't log in. I went to my home page (about:blank), cleared Safari's history & cache & quit Safari. Yikes!

Raz0rEdge
11-22-2017, 09:58 PM
When you employ a VPN, it works at the lowest possible level of the networking stack, so everything you do on the Internet (through a browser or stand-alone application) will be going through the VPN. So your Mail program will be protected, just as much as using the browser to check your email or do anything else.

Firewall is primarily used to avoid intrusion into your system, the same goes for sharing.

However, and for your edumification, the reason people say not to do things on public WiFi without a VPN or other secure means of communication is what's known as a Man In The Middle attack. This basically means that anyone else can get onto the WiFi just like you and sniff EVERY packet that is on the network and snoop out passwords and other sensitive data. Once a VPN comes into play, it creates a tunnel that employs a level of security that means that your data even if sniffed can't be understood since it's secure.

Next, as far as your new ISP site goes, every site should be using HTTPS, especially sites that provide billing, email and other stuff. However, a lot of them don't. There are extensions you can install on your browser to force it to try to use HTTPS everywhere (that's the name of the extension as well..:) )

However, you might notice that many sites, even Mac-Forums here, don't employ HTTPS (which is a shame).

PGB1
11-23-2017, 10:53 AM
Thank You Ashwin for your great reply.
You explained things in a manner far easier to understand than any of the many, many web articles I've read on the subject.

Thanks for the mention of HTTPS Everywhere. I got the extension to try on the ISP's site, but the ISP's user site is down today. (Ironic, isn't it?)

Thanks Again for your much appreciated explanation.
Enjoy This Day!
Paul

Cr00zng
11-26-2017, 09:56 AM
There are actually three types of VPN connections; depending on the type, different levels of the OSI layers are utilized:


Data link layer (site-to-site)
Network link layer (client-to-site)
Application link layer (SSL/TLS based VPN)

http://www.cathayschool.com/VPN-Types-Based-on-OSI-Model-Layer-a1716.html

The chances are that most, if not all VPN apps work in the OSI application link layer.

Trusting an unknown network and its gateway is risky, regardless of the type of connection made to websites, email servers etc. The unknown network is a perfect candidate for man-in-the-middle attacks, be that Starbucks access point, or the hacker's access point masquerading as Starbucks' access point.

My email client is configured with SSL/TLS connection on both my iPhone and MacOS for my email accounts. In my view, it's sufficient for securing both incoming and outgoing emails in LTE network. Previously, my data plan was 2GBs per month, but the Wi-Fi connection was disabled prior to leaving my home. Old routines die hard, even with the current unlimited data plan I do the same...
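
An added example, not part of the post above or of the thread: a small audit of mail account settings showing when the password stays encrypted on an untrusted network without a VPN. The account names, the `tls` values ("off", "if-available", "required") and the capability lines are constructed for illustration, and "ENCRYPTED" assumes the client also validates the server certificate.

```python
from dataclasses import dataclass

# Ports where TLS is negotiated before any mail command is sent.
IMPLICIT_TLS_PORTS = {993: "IMAP", 995: "POP3", 465: "SMTP"}
# Keyword each protocol uses to advertise an in-band upgrade to TLS.
UPGRADE_KEYWORD = {"IMAP": "STARTTLS", "POP3": "STLS", "SMTP": "STARTTLS"}

@dataclass
class Account:
    name: str
    protocol: str      # "IMAP", "POP3" or "SMTP"
    port: int
    tls: str           # hypothetical setting: "off", "if-available", "required"
    capabilities: str  # capability line as seen by the client before any TLS

def assess(acct: Account) -> str:
    """Classify how the account password travels on an untrusted network."""
    if acct.tls == "off":
        return "CLEARTEXT"
    if IMPLICIT_TLS_PORTS.get(acct.port) == acct.protocol:
        return "ENCRYPTED"
    # Plaintext port: protection depends on an upgrade that is advertised
    # in cleartext, so anyone on the path can remove the advertisement.
    offered = UPGRADE_KEYWORD[acct.protocol] in acct.capabilities.upper().split()
    if acct.tls == "required":
        return "ENCRYPTED" if offered else "FAILS_CLOSED"
    return "DOWNGRADABLE" if offered else "CLEARTEXT"

# Constructed sample accounts; the "stripped" ones show the capability line
# a client would see if the upgrade keyword had been removed in transit.
ACCOUNTS = [
    Account("imap-implicit", "IMAP", 993, "required", ""),
    Account("imap-upgrade", "IMAP", 143, "required", "IMAP4rev1 STARTTLS LOGINDISABLED"),
    Account("pop-lenient", "POP3", 110, "if-available", "USER UIDL STLS"),
    Account("pop-stripped", "POP3", 110, "if-available", "USER UIDL"),
    Account("pop-strict-stripped", "POP3", 110, "required", "USER UIDL"),
    Account("smtp-off", "SMTP", 587, "off", "PIPELINING STARTTLS"),
]

def audit(accounts):
    """Return {account name: verdict} for every account."""
    return {a.name: assess(a) for a in accounts}

if __name__ == "__main__":
    for name, verdict in audit(ACCOUNTS).items():
        print(f"{name:22} {verdict}")
```
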

PGB1
11-26-2017, 11:37 AM
Thanks for the information & link to the interesting article, Cr00zng. I am learning quite a bit as I explore the subject.
After reading your information & the linked article, I looked deeper into a VPN I have from Opera. I can see now that it only acts as a VPN while using their browser. I found that interesting, to say the least.

I'm curious about the SSL/TLS setting on the Mac Mail. At present, all of my accounts have SSL checked and authentication is Password. In the drop down I can change them to "External TLS Client Certificate". If I make the switch, will that provide more security if I'm on a public network and will the change cause the mail server to stop delivering & sending?
Thanks Again!
Paul

Cr00zng
11-27-2017, 10:22 AM
> Thanks for the information & link to the interesting article, Cr00zng. I am learning quite a bit as I explore the subject.
> After reading your information & the linked article, I looked deeper into a VPN I have from Opera. I can see now that it only acts as a VPN while using their browser. I found that interesting, to say the least.

While Opera calls it VPN, the more accurate name should be secured proxy connection. The browser basically establishes a TLS/SSL connection to the Opera internet gateway for your internet access. Your internet access between the browser and Opera VPN server is secured via TLS/SSL, effectively preventing local networks from capturing your internet access. Keep in mind, that the proxy server can capture all of your internet access that is in plain text. It could capture access to TLS/SSL sites as well, but that connection is encrypted on top of the proxy gateway encryption. The Opera VPN gateway could actually terminate your SSL connection to a website and re-establish it with the actual website on your behalf, similarly to what BlueCoat proxy server does. I am not saying that it does, but the possibility is there, there's no way for you to control what the Opera VPN does. Your only option is enable/disable....

For example...

When you use Opera VPN to access this forum, your UID/PWD is encrypted between the browser and the VPN server. Once the connection leaves the Opera VPN server and connects to the forum server, the UID/PWD is in plain text. As such, both the Opera VPN server and any points between the VPN server and this forum server can capture your UID/PWD. Depending on your (or Opera VPN server) and this forum's physical location, there might be 10-15 hops, or routers that your connection traverses through. Any one of them could capture your UID/PWD in plain text.

PS: Opera browser had been bought by a Chinese company, about a year ago...

Cr00zng
11-27-2017, 10:29 AM
> I'm curious about the SSL/TLS setting on the Mac Mail. At present, all of my accounts have SSL checked and authentication is Password. In the drop down I can change them to "External TLS Client Certificate". If I make the switch, will that provide more security if I'm on a public network and will the change cause the mail server to stop delivering & sending?
> Thanks Again!
> Paul

The short answer is yes, the "External TLS Client Certificate" will provide more security, provided that the email server supports this type of authentication.

If you make the switch, you'll need to select your TLS certificate for this purpose. If the email server does not support it, your connection to the email server may just proceed with the SSL/TLS connection, or may just drop the connection. You can always switch back to "SSL checked", if it does not work.

There aren't many email servers available to the general public that support this additional layer of authentication, the chances are that there is none. iCloud, or Apple's Mail servers do not use a TLS Client Certificate for authentication. The corporate email servers, where the additional layer of security is required, may use TLS Client Certificate as a TFA before the UID/PWD authentication.

The TLS Certificate option only appears if you have a valid certificate in your OS X Keychain that could be used for this purpose. You may have a TLS Client Certificate, also called Personal ID Certificate, installed on your system. If you have a corporate email account on your system, it may have been configured by your IT department to use this type of authentication.

PGB1
11-28-2017, 08:48 PM
Thank You, Cr00zng, for the information about Opera's VPN and e-mail security settings.

After reading your explanation of Opera's VPN & how it works as a proxy server, it seems I probably should not rely on Opera when I am on a public WiFi and should subscribe to a real VPN to be safest.

Thanks, too, for the explanation of the TLS certificates. For fun, I tried changing my Apple Mail's setting to TLS Certificate and saving the changes.
I tried sending & receiving some test messages. At first I thought it worked fine, but a re-visit to Preferences showed Apple Mail changed them back to Authentication = Password.
I repeated the settings changes & Mail changed them back again after I sent & received some messages. These were all POP accounts at two different servers (Wowway & sbcglobal)
But...

One of the two G Mail accounts that I have was already TLS Client Certificate. The other G Mail account was Password. They are both IMAP.
When I changed the second one to TLS & saved the changes, Mail changed it back to Password after I sent a test message.

I wonder how Apple Mail knows to change them back to "Password" and why one G Mail account is TLS and the other isn't?

Cr00zng
11-29-2017, 09:12 AM
> Thank You, Cr00zng, for the information about Opera's VPN and e-mail security settings.
>
> After reading your explanation of Opera's VPN & how it works as a proxy server, it seems I probably should not rely on Opera when I am on a public WiFi and should subscribe to a real VPN to be safest.

I apologize for giving you the wrong impression. The Opera VPN (or proxy) will reasonably protect you while you're connected to public WiFi. The real VPN isn't different from Opera's, both will reasonably protect your connection on public WiFi. The issue is that both Opera and other VPNs can monitor/log your internet access, collect information about your system and you on the actual VPN server. For most people, this will be just fine. If you're not, you could look into the Tor browser that does not log/monitor your access. Well, for the most part...

I was pretty certain that the Apple mail client would be smart enough to fall back to UID/PWD authentication, if TLS cert authentication is not available or the cert is wrong. I've just never tried it....

PGB1
11-30-2017, 10:47 AM
Thanks Cr00zng for clarifying how the VPN works. This is a very interesting subject to learn about. Personally, I don't mind if the VPN collects data about me & where I go on the web, it's just keeping the passwords & account numbers private that concerns me. I'll certainly do my best to only do any banking or other financial stuff while on a public WiFi if it is something that cannot wait until I am at home.

That was pretty cool how Apple Mail knew to change my setting back to "Password". I'm still a bit puzzled why one G-Mail account uses TLS & one doesn't, but maybe that is part of how I set them up when they were new. Neither one ever has sensitive information, like account numbers, so I suppose it isn't terribly important.

Thanks Again!
Paul

Cr00zng
12-02-2017, 11:49 AM
I don't trust public WiFi with my financial stuff, or even my standard home PC/MacBook on my home WiFi. I have a separate system, connected to wired network, that is only started up for financial stuff and system/apps updates. No browsing, emails, etc., on this system. It's a bit overboard, but I prefer that way..

The TLS certificate authentication works on a per email account basis and they are not interchangeable. The chances are that one of your Gmail accounts has a TLS cert, while the other does not, or you just did not save it on your machine.

PGB1
12-03-2017, 01:22 PM
Your idea of having a separate computer on a wired network sounds like a good plan. After reading your post, I realized that every bit of my wife's & my financial life is somehow accessible on line. That's convenient, but kind of scary at the same time. We had our identity stolen once and the after effects were not pretty!

Thanks for the explanation about the TLS question for the Google accounts. One is very old and one is newer, so maybe the TLS wasn't available when I set up the first one, or I missed it & didn't know to save it. (More likely, knowing me)

Thanks Again & Enjoy Today!
Paul

pitbull60077
01-01-2018, 08:41 PM
While we are on the subject of VPN, I have a friend who is telling me I should be using one on all my computers and phone. I never have and am wondering, is it worth using?

chscag
01-01-2018, 09:15 PM
A VPN is a good idea if you do a lot of mobile computing away from your home network. Most good VPNs offer a measure of protection against hackers and give you much better privacy than you would have by using the network at Starbucks or McDonalds.

MacInWin
01-02-2018, 10:49 AM
I have found one called TunnelBear that seems to be really good. There is a free version with a small data limit for you to try, if you want. One of the features I really like is that you can have "trusted" networks in which TB won't VPN. So my setup is that I have TB set to tunnel all the time, unless I'm on a trusted network, have my home network set as the only trusted one. So, when I take my MBP anywhere, TB automatically connects to the default site on my MBP, my iPhone and my iPad. Sweet.

chscag
01-02-2018, 05:57 PM
I second Jake's suggestion for using TunnelBear. I have it loaded on my iOS devices which are the only ones I do mobile computing with. My iMac stays at home. :)

Rod Sprague
01-02-2018, 07:13 PM
Tunnel Bear is pretty good. I tried it some time back and I imagine it has improved since then. Unfortunately it did not suit my needs. As I am overseas a lot I needed a VPN that would allow me to connect to a server in my home country. This is the other function of a VPN. If you are in say India and you don't want to receive "Unexpected activity" security alerts from your email server which may lock you out of your account until you verify it was you or you want to access sites that are not available in that country such as the Australian News services a VPN will allow you to appear to be at "home".
Speed can be another factor. Some smaller, cheaper or free VPN services can be rather slow. So if you want to stream live content a better, paid VPN service may be required.
I have tried most of the top rated VPNs and have chosen ExpressVPN as the best for my purposes. It is about $100.00 AU per year but it allows me to use up to 4 devices which includes my iPhone, two MBPs and my Android TV box enabling me to watch Australian live media while overseas.
They also have great 24/7 live chat support and an extremely easy set up on any device.
So your choice is also affected by what you want a VPN for.

MacInWin
01-02-2018, 09:50 PM
You can tell Tunnel Bear where to connect when you are not on your home network. And that can then be changed if you want to connect to a different location. So that factor is not an issue. (I have no interest in TB, just like it.)

Rod Sprague
01-02-2018, 11:26 PM
> You can tell Tunnel Bear where to connect when you are not on your home network. And that can then be changed if you want to connect to a different location. So that factor is not an issue. (I have no interest in TB, just like it.)

Does it have a server in Victoria, Australia?

MacInWin
01-03-2018, 12:11 AM
There is a node in Australia, but I don’t know where. Try the free version for yourself. Maybe you can find out where.

Rod Sprague
01-03-2018, 12:32 AM
Cool, I'll give it another try out of interest.