Question

encryption protection

  • 7 August 2019
  • 1 reply
  • 63 views

If I boot up and log in to any browser, open up a website, and then I log in to the VPN, will the previously opened browser website be protected, or only if the VPN is opened up first?

1 reply

The short answer is that the VPN probably doesn't offer any protection to a website loaded before the VPN is in use.

Loading websites generally involves a request, usually made by your browser, which is followed by a response with the content requested - or a not found page if you gave an invalid address. That response may in turn lead to many further requests for files needed by the page you requested, for example images, adverts, scripts and the stylesheets which help define what the page should look like.

Once loaded all of that content will sit in your browser until you close the browser tab or navigate away to a new page.

If this happened before you were connected to the VPN then conceptually an attacker or malicious access point could have changed that response - or added additional malicious content to it - which means that it cannot be trusted.

Even navigating to a new page within the site won't remove the risk as malicious scripts could already have been attached, or the links within the page might have been changed.

To ensure that a page is safe after you have loaded it over an untrusted network I would recommend that you close the browser tab and re-open the page in an incognito or private browsing tab after you are connected. I would also clear the browser history to ensure that any cached assets are purged and not used on the next visit.

Longer answer

The long answer to this is that the actual risk depends on several factors, mostly dictated by the website you are visiting, but some by the capabilities of your browser/device.

The assumption here is that you are on an untrusted WiFi connection and that you are concerned that either the access point is malicious or another malicious party is actively connected to the network and listening to and manipulating traffic.

In this case the website you opened might be completely different from the one you requested - the attacker may have redirected you to a third party server which responds with a fake copy of the website, or have simply altered the response from the website whilst it was in transit to you.

When your computer requests a website using a domain name like webroot.com it connects to a server called a DNS (Domain Name System) and asks it for an address (called an IP address - something like 66.35.53.194) where the computer can request content from that website. The IP address is then used to make a connection to the website's server and request the page you were looking for. This is not unlike looking up the phone number for a business in the Yellow Pages: you are trusting the Yellow Pages to give the correct phone number and not one for - say - a rival.

If a malicious party either owns or is intercepting traffic on the network then one possible attack is simply to respond with a fake address and simply misdirect your browser into talking to a server that isn't owned by the website.

DNS historically hasn't been encrypted in the same way as websites with HTTPS, although there are new standards designed to do exactly this which are slowly being implemented by a small number of providers. Chrome and Firefox are talking about enabling encrypted DNS using a third party provider (Google and Cloudflare respectively) by default, much to the chagrin of ISPs and Governments who currently use DNS filtering to block adult and other illegal or undesirable websites on their websites.

In general computers will be given the address of a DNS server as part of the process of connecting to a new network, and will use that unless told otherwise. This puts a potential attacker in charge of your DNS.

Assuming that you have implemented encrypted DNS either by manually setting your computer to use encrypted servers (and your operating system supports this) or by using a browser which is configured to do this for you then the attacker can still intercept and change the traffic to and from the website unless you explicitly visit an HTTPS version of the webpage. This is because HTTPS was added as a standard after HTTP - and even today not all websites support HTTPS - so HTTP is the default unless otherwise specified.

In other words, if you simply type "webroot.com", "google.com", "facebook.com" in your browser then the browser must usually first make an unencrypted connection to that server - which would usually then be redirected to a secure version by the website when it responds. This hop is vulnerable to something called SSL strip - where the attacker intercepts the unencrypted request and either proxies the secure connection or returns a fake response as in the DNS example.

This can be mitigated by a technology called HSTS which means that if you've ever visited a website in the same browser before, the website can return a piece of data called a header which instructs the browser to only ever visit the website using HTTPS in the future. Many large websites like Facebook and Google implement HSTS so if you have visited the site using that browser on the computer before, and the browser supports HSTS then conceptually your browser should automatically upgrade a request like "google.com" to use HTTPS. Some large website domains are also on lists distributed with browsers that will force the browser to connect over HTTPS even if you have never visited it in that browser before.

Browsers and standards are improving to mitigate the risks of browsing on untrusted networks but unless you thoroughly understand the standards involved and are extremely careful to only visit sites using encrypted DNS and ensuring that you always use an HTTPS address it is safer to simply connect to the VPN before opening your browser.
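
Added example, not part of the original reply: a simplified JavaScript model of the HSTS decision described above, showing when a bare name such as "shop.example" is sent over plain HTTP (the strippable hop) and when it is upgraded to HTTPS. The class, function names and hosts are constructed for illustration, and treating every preloaded entry as covering its subdomains is an assumption made to keep the model short.

```javascript
// Simplified model of a browser's HSTS decision (RFC 6797). Hosts are constructed samples.
function parseHsts(value) {
  // Returns { maxAge, includeSubDomains } or null if max-age is missing/invalid.
  let maxAge = null, includeSubDomains = false;
  for (const part of String(value).split(";")) {
    const [rawName, rawVal = ""] = part.trim().split("=");
    const name = rawName.trim().toLowerCase();
    const val = rawVal.trim().replace(/^"|"$/g, "");
    if (name === "max-age" && /^\d+$/.test(val)) maxAge = Number(val);
    if (name === "includesubdomains") includeSubDomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(preloaded = []) {
    this.preloaded = new Set(preloaded); // list shipped with the browser
    this.learned = new Map();            // host -> { expires, includeSubDomains }
  }
  // Record a response. The header only counts when it arrived over HTTPS:
  // over plain HTTP an on-path party could have injected or removed it.
  noteResponse(url, hstsHeader, nowSec) {
    const u = new URL(url);
    const policy = hstsHeader ? parseHsts(hstsHeader) : null;
    if (u.protocol !== "https:" || !policy) return false;
    if (policy.maxAge === 0) { this.learned.delete(u.hostname); return true; }
    this.learned.set(u.hostname, { expires: nowSec + policy.maxAge,
                                   includeSubDomains: policy.includeSubDomains });
    return true;
  }
  isHstsHost(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      if (this.preloaded.has(candidate)) return true; // assumption: preload covers subdomains
      const e = this.learned.get(candidate);
      if (e && e.expires > nowSec && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }
  // What the browser actually requests when the user types a bare name.
  resolveTyped(typed, nowSec) {
    const host = typed.replace(/^https?:\/\//, "").split("/")[0];
    return (this.isHstsHost(host, nowSec) ? "https://" : "http://") + host + "/";
  }
}
```

A first visit to a host that is neither preloaded nor previously seen over HTTPS still resolves to `http://`, which is the case the reply's advice about connecting to the VPN first is meant to cover.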
