Cookies, Personas, and Passwords
I have questions about general security with a VPN...but it's in several parts.
The cookie question has been discussed fairly well here not long ago, but I'd appreciate more thoughts on a couple of things. Cookies do concern me as possibly a huge insecurity for VPNs in general if one site can read the cookie(s) of other sites and end up with enough info to pretty well identify you. For that matter, if your ISP stores any info in a cookie to help them identify you, then just maybe someone could identify users by looking for ISPs' cookies..ug. Not sure if that's realistic, but there are spooks who get paid for thinking up things like this.
As for leaving the VPN connected, it seems to me that having it always on is the better option, if only to be sure it IS on when you go online. I have the kill switch set after realizing one time that the PIA service had mysteriously dropped and I wasn't going out over the VPN at all. I also have browser addons to kill cookies at specific times or on closing the tab, and another that sets policies for how and when web objects, scripts, etc. are allowed to run. I'm not trying for overkill, just being prudent about the things I've read that should be done (stopping DNS and IPv6 leaks, WebRTC leaking, blah, blah). Unfortunately, you need cookies and such on some sites, like banking, and if you check the bank over the VPN then there's the persona thing to worry about, and what about the bank's cookies?? @#$
So, might a better option be to occasionally, or often, switch the VPN connection to anywhere else you can connect for a while? Romania is a bit slow for me, but in the US I've had some blazing speeds from sites on the opposite coasts, which is nice. I just worry that connecting to the same nearest city/server all the time, while fast, may actually not be a good practice. Of course, if VPNs have been hacked by the intel types as some rumors suggest, maybe we should just take the blue pill and go back to sleep..or was that the red one?
Last thing, if someone gets your VPN username/password combination, is that knowledge in itself any help to anyone in exploiting or decrypting your VPN connection? What about a man-in-the-middle attack where your ISP shunts your connection to a bogus server, so you think you have a PIA VPN going when you're really connected to Fort Meade?
-JT
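On the "can one site read another site's cookies" question, the browser's cookie jar scopes each cookie to the host that set it, and a clear-on-close addon simply drops the session cookies. The script below is an added illustration, not part of this thread or of any PIA software: it uses Python's standard http.cookiejar (the same scoping rules a browser applies) with constructed hosts (bank.example, tracker.example) and constructed cookie values to show which cookies would be attached to which request, why a Secure cookie is withheld over plain http, and which cookies survive a simulated tab close.

```python
"""Cookie scoping demo (added example; hosts and values are constructed)."""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response. CookieJar.extract_cookies()
    only calls .info() and expects a header object with get_all(), which
    email.message.Message provides, so no network is needed."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def build_jar():
    """Populate a jar as if two unrelated sites had each set cookies."""
    jar = http.cookiejar.CookieJar()  # default policy = browser-like rules
    # Constructed site 1: a bank sets a session cookie (no expiry) and a
    # persistent "remember this device" cookie (Max-Age), both Secure.
    bank_req = urllib.request.Request("https://bank.example/login")
    jar.extract_cookies(_FakeResponse([
        "sessionid=abc123; Secure; HttpOnly",
        "device=dev-42; Max-Age=31536000; Secure",
    ]), bank_req)
    # Constructed site 2: a tracker sets its own session cookie.
    tracker_req = urllib.request.Request("https://tracker.example/pixel.gif")
    jar.extract_cookies(_FakeResponse(["uid=track-9"]), tracker_req)
    return jar


def cookies_sent_to(jar, url):
    """Return the sorted cookie names the jar would attach to a request
    for url. A host never receives cookies another host set."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip()
                  for part in header.split(";") if part.strip())


def simulate_tab_close(jar):
    """What a clear-on-close addon does: session cookies (no Expires or
    Max-Age) are discarded, persistent ones remain until they expire."""
    jar.clear_session_cookies()
    return jar


if __name__ == "__main__":
    jar = build_jar()
    print(cookies_sent_to(jar, "https://bank.example/accounts"))     # bank's two
    print(cookies_sent_to(jar, "https://tracker.example/pixel.gif"))  # tracker's only
    print(cookies_sent_to(jar, "http://bank.example/accounts"))      # none: Secure
    simulate_tab_close(jar)
    print(cookies_sent_to(jar, "https://bank.example/accounts"))     # persistent only
```

The persistent "device" cookie surviving the simulated close is the case JT raises: a long-lived cookie from a site you have already identified yourself to will still be sent when you return over a different VPN exit, so clearing session cookies alone does not change what that site can correlate.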
Comments
Thank you for your questions. I'd have to think that the cookies issue might be possible, but it does seem like we're getting into hypothetical territory on that one. As cookies are maintained by the browser and on the system, you should be able to control what you allow to be placed and how long it stays. You're correct in that if you use our VPN to access something you've already identified yourself to, it could take note of the shared IP you appear online with. This is something to be considered.
With regards to the credentials, they shouldn't help in decrypting the connection between your client and our server; at most whoever has them could use them to connect and use your account from their side, but we don't log, connected devices can't interact/communicate outside of normal means in network connections, and you should be secure so long as the culprit is prevented from accessing your email where password resets are sent. For man-in-the-middle attacks we actually protect against these, but as you well know, considering what might be possible in the future is how you really protect against such things. If you've any further questions, or if I've failed to properly answer you to your satisfaction, I'd have to suggest that you email [email protected] so that we can track your ticket and ensure you're properly addressed!
That said, if a cookie can be set and contain information that is used to identify a user, or a number of cookies might be aggregated in a way that can be used to create a fairly unique 'fingerprint', that's essentially like using metadata in emails to profile or identify users and/or their activities. So, deleting cookies quickly (if you can be sure they're deleted) seems like a must. Of course, simple human error, like missing that the VPN is off, can undermine almost everything...ug.
That said, beyond deleting cookies and avoiding a highly unique set of addons, it seems to me that randomizing the VPN connection, which I presume would give a different shared IP, may be the most effective way to be 'impossible to track' so to speak. If that's mistaken on my part, please let me know.
I realize this may all seem a bit paranoid, and I don't actually have any concerns to speak of. I'd simply rather think things through ahead of time and learn from others' experiences, and get into a habit of best practices from the start.
Thanks,
JT