View Full Version : Wondering About VPN & E Mail



PGB1
11-22-2017, 08:58 PM
Hi To All!

Once in a while, I'll have my MacBook Pro (10.11.6) at a public WiFi place. I've never gone on line in one of those locations, but may someday wish to. My OS X firewall is set to ON & Sharing is OFF. As I understand it, the correct thing to do is also use a VPN. (My phone does not have a data plan, so that's out.)

I was wondering if I use a VPN in public and want to check my e-mail, will the Mail program on the MacBook Pro be protected by the VPN or should I go to the provider's web site with a browser & log in there? I sure couldn't figure this one out on my own. (Like usual...)

Thanks Much for your advice!
Paul

Interesting Side Note- I was having some trouble with the Mail application today & went to the ISP's "new" web e-mail site. It no longer has "https" or the padlock icon. I didn't log in. I went to my home page (about:blank), cleared Safari's history & cache & quit Safari. Yikes!

Raz0rEdge
11-22-2017, 09:58 PM
When you employ a VPN, it works at the lowest possible level of the networking stack, so everything you do on the Internet (through a browser or stand-alone application) will be going through the VPN. So your Mail program will be protected, just as much as using the browser to check your email or do anything else.

Firewall is primarily used to avoid intrusion into your system, the same goes for sharing.

However, and for your edumification, the reason people say not to do things on public WiFi without a VPN or other secure means of communication is what's known as a Man In The Middle attack. This basically means that anyone else can get onto the WiFi just like you and sniff EVERY packet that is on the network and snoop out passwords and other sensitive data. Once a VPN comes into play, it creates a tunnel that employs a level of security that means that your data, even if sniffed, can't be understood since it's secure.

Next, as far as your new ISP site goes, every site should be using HTTPS, especially sites that provide billing, email and other stuff. However, a lot of them don't. There are extensions you can install on your browser to force it to try to use HTTPS everywhere (that's the name of the extension as well..:) )

However, you might notice that many sites, even Mac-Forums here, don't employ HTTPS (which is a shame).
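The point about web mail and HTTPS can be checked rather than guessed. The following is an added example (not code from the thread or from any of the posters): it parses a login page's HTML, finds every form that contains a password field, resolves the form's submit URL against the page URL, and reports the forms that would send credentials over plain HTTP. The page URL, host names and HTML below are constructed for the example.

```python
"""Find login forms that would submit credentials over plain HTTP.

Added example, not from the original thread. The sample page, host
names and HTML are constructed; point insecure_login_forms() at the
URL and HTML of a real login page to check it the same way.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect, for each <form>, its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "password": bool}
        self._current = None   # the <form> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Return the absolute submit URLs of password forms that are not HTTPS.

    An empty or relative action inherits the page's scheme, so a page
    loaded over http:// is already lost; an absolute http:// action
    downgrades even a page that was itself loaded over https://.
    """
    finder = _LoginFormFinder()
    finder.feed(html)
    insecure = []
    for form in finder.forms:
        if not form["password"]:
            continue
        submit_url = urljoin(page_url, form["action"])
        if urlsplit(submit_url).scheme != "https":
            insecure.append(submit_url)
    return insecure


# Constructed sample: a web-mail login page served over plain HTTP with
# one form posting back to the same (http) host, one posting to an HTTPS
# endpoint, and a search form with no password field.
SAMPLE_PAGE_URL = "http://webmail.example.net/login"
SAMPLE_HTML = """
<html><body>
  <form action="/login" method="post">
    <input type="text" name="user">
    <input type="password" name="pass">
  </form>
  <form action="https://secure.example.net/login" method="post">
    <input type="text" name="user">
    <input type="password" name="pass">
  </form>
  <form action="/search" method="get">
    <input type="text" name="q">
  </form>
</body></html>
"""


if __name__ == "__main__":
    for url in insecure_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("credentials would travel in plain text to:", url)
```

The same HTML checked with an `https://` page URL reports nothing, because the relative `/login` action then inherits HTTPS; only an absolute `http://` action would still be flagged.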

PGB1
11-23-2017, 10:53 AM
Thank You Ashwin for your great reply.
You explained things in a manner far easier to understand than any of the many, many web articles I've read on the subject.

Thanks for the mention of HTTPS Everywhere. I got the extension to try on the ISP's site, but the ISP's user site is down today. (Ironic, isn't it?)

Thanks Again for your much appreciated explanation.
Enjoy This Day!
Paul

Cr00zng
11-26-2017, 09:56 AM
There are actually three types of VPN connections; depending on the type, different levels of the OSI layers are utilized:

Data link layer (site-to-site)
Network link layer (client-to-site)
Application link layer (SSL/TLS based VPN)

http://www.cathayschool.com/VPN-Types-Based-on-OSI-Model-Layer-a1716.html

The chances are that most, if not all VPN apps work in the OSI application link layer.

Trusting an unknown network and its gateway is risky, regardless of the type of connection made to websites, email servers etc. The unknown network is a perfect candidate for man-in-the-middle attacks, be that Starbucks' access point, or the hacker's access point masquerading as Starbucks' access point.

My email client is configured with an SSL/TLS connection on both my iPhone and MacOS for my email accounts. In my view, it's sufficient for securing both incoming and outgoing emails on an LTE network. Previously, my data plan was 2 GB per month, but the Wi-Fi connection was disabled prior to leaving my home. Old routines die hard; even with the current unlimited data plan I do the same...

PGB1
11-26-2017, 11:37 AM
Thanks for the information & link to the interesting article, Cr00zng. I am learning quite a bit as I explore the subject.
After reading your information & the linked article, I looked deeper into a VPN I have from Opera. I can see now that it only acts as a VPN while using their browser. I found that interesting, to say the least.

I'm curious about the SSL/TLS setting on the Mac Mail. At present, all of my accounts have SSL checked and authentication is Password. In the drop down I can change them to "External TLS Client Certificate". If I make the switch, will that provide more security if I'm on a public network and will the change cause the mail server to stop delivering & sending?
Thanks Again!
Paul

Cr00zng
11-27-2017, 10:22 AM
Thanks for the information & link to the interesting article, Cr00zng. I am learning quite a bit as I explore the subject.
After reading your information & the linked article, I looked deeper into a VPN I have from Opera. I can see now that it only acts as a VPN while using their browser. I found that interesting, to say the least.
While Opera calls it VPN, the more accurate name should be secured proxy connection. The browser basically establishes a TLS/SSL connection to the Opera internet gateway for your internet access. Your internet access between the browser and Opera VPN server is secured via TLS/SSL, effectively preventing local networks from capturing your internet access. Keep in mind that the proxy server can capture all of your internet access that is in plain text. It could capture access to TLS/SSL sites as well, but that connection is encrypted on top of the proxy gateway encryption. The Opera VPN gateway could actually terminate your SSL connection to a website and re-establish it with the actual website on your behalf, similarly to what a BlueCoat proxy server does. I am not saying that it does, but the possibility is there; there's no way for you to control what the Opera VPN does. Your only option is to enable/disable it....

For example...

When you use Opera VPN to access this forum, your UID/PWD is encrypted between the browser and the VPN server. Once the connection leaves the Opera VPN server and connects to the forum server, the UID/PWD is in plain text. As such, both the Opera VPN server and any points between the VPN server and this forum server can capture your UID/PWD. Depending on your (or Opera VPN server's) and this forum's physical location, there might be 10-15 hops, or routers, that your connection traverses. Any one of them could capture your UID/PWD in plain text.

PS: Opera browser had been bought by a Chinese company, about a year ago...

Cr00zng
11-27-2017, 10:29 AM
I'm curious about the SSL/TLS setting on the Mac Mail. At present, all of my accounts have SSL checked and authentication is Password. In the drop down I can change them to "External TLS Client Certificate". If I make the switch, will that provide more security if I'm on a public network and will the change cause the mail server to stop delivering & sending?
Thanks Again!
Paul
The short answer is yes, the "External TLS Client Certificate" will provide more security, provided that the email server supports this type of authentication.

If you make the switch, you'll need to select your TLS certificate for this purpose. If the email server does not support it, your connection to the email server may just proceed with the SSL/TLS connection, or may just drop the connection. You can always switch back to "SSL checked" if it does not work.

There aren't many email servers available to the general public that support this additional layer of authentication; the chances are that there is none. iCloud, or Apple's Mail servers, do not use a TLS Client Certificate for authentication. The corporate email servers, where the additional layer of security is required, may use a TLS Client Certificate as a TFA before the UID/PWD authentication.

The TLS Certificate option only appears if you have a valid certificate in your OS X Keychain that could be used for this purpose. You may have a TLS Client Certificate, also called Personal ID Certificate, installed on your system. If you have a corporate email account on your system, it may have been configured by your IT department to use this type of authentication.
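Whether a given mail server offers certificate authentication at all is something the server advertises in its IMAP CAPABILITY response, so it can be checked directly. The following is an added example, not code from the thread or from Apple: it builds the same kind of verified TLS context the "SSL" checkbox implies (optionally loading a client certificate, which is what "External TLS Client Certificate" presents), parses a CAPABILITY line, and reports whether the server offers `AUTH=EXTERNAL` (the SASL mechanism used for client-certificate logins) or only password mechanisms. The CAPABILITY strings and host name below are constructed; `probe_imap()` needs network access and is not exercised offline.

```python
"""Check what authentication an IMAP server offers over TLS.

Added example, not from the original thread. The three CAPABILITY
responses are constructed samples; probe_imap() runs the same check
against a live server (host name below is a placeholder).
"""
import imaplib
import ssl


def parse_capabilities(capability_line):
    """Turn a raw CAPABILITY response (bytes or str) into upper-case tokens."""
    if isinstance(capability_line, bytes):
        capability_line = capability_line.decode("ascii", "replace")
    tokens = capability_line.strip().split()
    # A raw untagged line looks like "* CAPABILITY IMAP4rev1 ..."; strip the prefix.
    while tokens and tokens[0].upper() in ("*", "CAPABILITY"):
        tokens.pop(0)
    return {t.upper() for t in tokens}


def auth_options(caps):
    """Summarise the authentication choices advertised in a capability set.

    AUTH=EXTERNAL is what a client-certificate login uses; AUTH=PLAIN and
    AUTH=LOGIN are password mechanisms; LOGINDISABLED means the plain LOGIN
    command is refused (typically until STARTTLS has been negotiated).
    """
    return {
        "client_cert": "AUTH=EXTERNAL" in caps,
        "password": ("AUTH=PLAIN" in caps or "AUTH=LOGIN" in caps
                     or "LOGINDISABLED" not in caps),
        "starttls": "STARTTLS" in caps,
    }


def build_tls_context(client_cert_path=None, client_key_path=None):
    """Verified-server TLS context; loads a client cert/key only if given.

    create_default_context() verifies the server certificate chain and the
    host name, so a man-in-the-middle on the local Wi-Fi cannot simply
    present its own certificate without the handshake failing.
    """
    ctx = ssl.create_default_context()
    if client_cert_path:
        ctx.load_cert_chain(client_cert_path, client_key_path)
    return ctx


def probe_imap(host, port=993, client_cert_path=None, client_key_path=None):
    """Connect with IMAPS, fetch CAPABILITY and return auth_options().

    Requires network access. A certificate or host-name mismatch raises
    ssl.SSLCertVerificationError rather than silently continuing.
    """
    ctx = build_tls_context(client_cert_path, client_key_path)
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as conn:
        typ, data = conn.capability()
        if typ != "OK":
            raise RuntimeError("CAPABILITY failed: %r" % (data,))
        return auth_options(parse_capabilities(data[0]))


# Constructed sample CAPABILITY responses (not captured from any real server).
PASSWORD_ONLY_SERVER = b"IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE"
CLIENT_CERT_SERVER = b"IMAP4rev1 AUTH=EXTERNAL AUTH=PLAIN IDLE"
PLAINTEXT_PORT_BEFORE_STARTTLS = b"IMAP4rev1 STARTTLS LOGINDISABLED"


if __name__ == "__main__":
    for name, line in (("password-only", PASSWORD_ONLY_SERVER),
                       ("client-cert", CLIENT_CERT_SERVER),
                       ("pre-STARTTLS", PLAINTEXT_PORT_BEFORE_STARTTLS)):
        print(name, auth_options(parse_capabilities(line)))
    # probe_imap("imap.example.net") would run the same check live.
```

A server that advertises only password mechanisms explains the behaviour Mail shows when it reverts the account to "Password": there is no `AUTH=EXTERNAL` to use, so the client has nothing to present the certificate against.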

PGB1
11-28-2017, 08:48 PM
Thank You, Cr00zng, for the information about Opera's VPN and e-mail security settings.

After reading your explanation of Opera's VPN & how it works as a proxy server, it seems I probably should not rely on Opera when I am on a public WiFi and should subscribe to a real VPN to be safest.

Thanks, too, for the explanation of the TLS certificates. For fun, I tried changing my Apple Mail's setting to TLS Certificate and saving the changes.
I tried sending & receiving some test messages. At first I thought it worked fine, but a re-visit to Preferences showed Apple Mail changed them back to Authentication = Password.
I repeated the settings changes & Mail changed them back again after I sent & received some messages. These were all POP accounts at two different servers (Wowway & sbcglobal).
But...

One of the two G Mail accounts that I have was already TLS Client Certificate. The other G Mail account was Password. They are both IMAP.
When I changed the second one to TLS & saved the changes, Mail changed it back to Password after I sent a test message.

I wonder how Apple Mail knows to change them back to "Password" and why one G Mail account is TLS and the other isn't?

Cr00zng
11-29-2017, 09:12 AM
Thank You, Cr00zng, for the information about Opera's VPN and e-mail security settings.

After reading your explanation of Opera's VPN & how it works as a proxy server, it seems I probably should not rely on Opera when I am on a public WiFi and should subscribe to a real VPN to be safest.

I apologize for giving you the wrong impression. The Opera VPN (or proxy) will reasonably protect you while you're connected to public WiFi. The real VPN isn't different from Opera's; both will reasonably protect your connection on public WiFi. The issue is that both Opera and other VPNs can monitor/log your internet access, collect information about your system and you on the actual VPN server. For most people, this will be just fine. If you're not, you could look into the Tor browser, which does not log/monitor your access. Well, for the most part...

I was pretty certain that the Apple mail client would be smart enough to fall back to UID/PWD authentication, if TLS cert authentication is not available or the cert is wrong. I've just never tried it....

PGB1
11-30-2017, 10:47 AM
Thanks Cr00zng for clarifying how the VPN works. This is a very interesting subject to learn about. Personally, I don't mind if the VPN collects data about me & where I go on the web, it's just keeping the passwords & account numbers private that concerns me. I'll certainly do my best to only do any banking or other financial stuff while on a public WiFi if it is something that cannot wait until I am at home.

That was pretty cool how Apple Mail knew to change my setting back to "Password". I'm still a bit puzzled why one G-Mail account uses TLS & one doesn't, but maybe that is part of how I set them up when they were new. Neither one ever has sensitive information, like account numbers, so I suppose it isn't terribly important.

Thanks Again!
Paul

Cr00zng
12-02-2017, 11:49 AM
I don't trust public WiFi with my financial stuff, or even my standard home PC/MacBook on my home WiFi. I have a separate system, connected to a wired network, that is only started up for financial stuff and system/apps updates. No browsing, emails, etc., on this system. It's a bit overboard, but I prefer it that way..

The TLS certificate authentication works on a per email account basis and they are not interchangeable. The chances are that one of your Gmail accounts has a TLS cert, while the other does not, or you just did not save it on your machine.

PGB1
12-03-2017, 01:22 PM
Your idea of having a separate computer on a wired network sounds like a good plan. After reading your post, I realized that every bit of my wife's & my financial life is somehow accessible on line. That's convenient, but kind of scary at the same time. We had our identity stolen once and the after effects were not pretty!

Thanks for the explanation about the TLS question for the Google accounts. One is very old and one is newer, so maybe the TLS wasn't available when I set up the first one, or I missed it & didn't know to save it. (More likely, knowing me)

Thanks Again & Enjoy Today!
Paul