Threat Modeling 101: Understanding When to Use or Not Use a VPN

From TCU Wiki
  • Date: Wednesday, November 30, 2022
  • Time: 08:30am to 10am EST / 1:30pm - 3pm UTC (What time is it in my city?)
  • Who: Trinh Nguyen, Director of Safety and Technology, Team CommUNITY
  • Location: Zoom

RSVP: https://digitalrights.formstack.com/forms/vpnvillage2022_5

Threat Modeling 101: Understanding When to Use or Not Use a VPN (Talk and Q&A)

How do I know if I should use a VPN? Across VPN review sites and advertising, VPNs are often marketed as a “one size fits all” solution for nearly any digital safety and security woes. However, downloading and using a VPN is not always the solution that will best address your needs. In this session, attendees will learn about basic risk assessment and threat modeling, VPN use cases, and how to determine when using a VPN may be helpful, or may not be.

Bio:

  • Trinh Nguyen is a holistic security and movement building trainer and oversees the safety and security of the Internet Freedom Festival including its partners and participants. Trinh has over 15 years of training experience, previously working on campaigns for reproductive justice, anti-oppression, Internet Freedom, and pro-democracy efforts in Vietnam. As a movement building trainer, Nguyen incorporates capacity building and cybersecurity tactics to help diverse grassroots pro-democracy and human rights movements achieve digital resiliency and organizational security.

Formerly a member of Viet Tan, a Vietnamese pro-democracy group, Trinh co-founded their Internet Freedom Program that worked to disseminate cybersecurity, anti-surveillance, and circumvention knowledge and technologies inside Vietnam. She is a board member of Horizontal, a technology nonprofit serving human rights defenders through digital security support and tool development, and a co-founder of Vietnam Rise, a movement building organization. She also serves as an advisor for the Ford Foundation’s Cybersecurity Assessment Tool (CAT).

  • Laura Tich is an Information security consultant and founder of SheHacks_KE, a community of women in cybersecurity in Kenya. She is a cybersecurity trainer and digital privacy advocate. Tich works as a cybersecurity advisor to Ford Foundation's BUILD program.

Notes and Resources

Understanding When to Use or Not Use a VPN Slides

It’s impractical and exhausting to try to protect your data from everyone all of the time.

  • So threat modeling / measured risk is key.
  • What framework can you use to analyze your threats and address them?

Measuring Risk / Threat modeling 1. What do I want to protect? (Office, digital profile?) 2. Who do I want to protect it from? (Nation state, competitor, white supremacist groups, trolling groups? Big tech?) 3. What would happen if I failed? (for your livelihood, your work, the data of your interviewees) 4. How likely is it that I will need to protect it? (Depends on your basic digital hygiene habits - Do you use E2E encryption? Data scrubbing and maintenance, secure password maintenance?) 6. How far am I willing to go to protect it? This has to be with your time, mental and financial resources. Convenience too. The more security you put in place, the more complex it is for you to use data or a service. Convenience vs Security.

What is a VPN?
Encrypted connection over the internet from a device to a network.

  • Essentially protects your connection over the internet
  • Hides your IP, and privatizes your traffic, but does not anonymize you.

How a VPN Works

  • Establishes a secure connection between the device and a VPN server, through your internet service provider.
    • This hides your traffic from your ISP, but not from the VPN service
  • A VPN can hide your:
    • IP Address
    • Location
    • Browsing habits
    • Internet traffic
    • Targeted ads (minimizes)
  • A VPN cannot hide:
    • Email you use to register accounts
    • Credit card info used for online purchases
    • Googling when signed into your Google account
    • Information you put on social media

How precise are IP addresses in terms of geo-location etc?

  • They are not exact, but they are relatively accurate.

Types of VPNs

  • Personal VPNs
  • Remote Access VPNs
    • Allows connection to a remote network in a secure manner.
  • Site-to-Site VPN
    • Connection of networks from internets. Use case: Working for a large international org. that has multiple networks that they want individuals to be able to connect to.

VPN Protocols

  • A protocol is a set of rules on how data will be packaged and sent over a private network.
    • Think of mailing a physical package… Depending on the contents, you will have more or less packaging / security to make sure it does not break or is damaged.
  • WireGuard, OpenVPN, SSTP, IPSec
    • Not Secure
      • PPTP: Oldest VPN protocol (over 20 years old)
    • Security Issues
      • L2TP / IPSec: Also an older protocol
      • SSTP
    • Very Secure
      • IKEv2 / IPSec
        • Closed-source
      • WireGuard
      • SoftEther
    • Most Secure
      • OpenVPN
  • You can change the protocol used by your VPN depending on which service you use.

Reasons you may not want to use a VPN

  • Using a VPN is illegal in some countries.
  • Performance Issues (stream a video, rich content browsing)
  • Some VPN monitor your activity and use your data, this happens usually with free VPNs
  • Platform compatibility issues. Maybe the VPN doesn’t work with the hardware like an old or out of date phone.
  • Does not guarantee 100% anonymity. Sometimes is better to use Tor than a VPN

Case Study: India

Q&A

VPN vs DNS over HTTPS (DoH), can you tell me the differences?

Could you talk about the potential risks or concerns with using Tor with a VPN vs not?

Is there any tools that we can use to test what ISP actually can see when we browse on the internet?

  • Browser Leaks Website: browserleaks.com
  • Reflects the data back to you that ISPs can see.

Is Psiphon is the VPN ( I heard some people say that it is just proxy and what is proxy? Is it secure when using Psiphon?

  • Psiphon is a popular service amongst activist groups because it’s free.
  • It’s promoted as a circumvention technology, but not really as a VPN
  • A VPN will usually include the encryption, a proxy will usually just change your location/IP

Who to choose? There are a lot of services out there and I'm curious as to who to trust. I've heard about the Warrant Canary. But, idk. Any guidelines as to what to search for is really appreciated.

  • Since there isn’t a single place to check the quality of the VPN services, Trinh advices to follow the list of things to check depending on your needs

For countries that have banned VPNs, what can users do to not get caught using them?

  • Depends on the country and the law
  • It is difficult to see how a country criminalizes uses of these tools.
  • Zimbabwe charged criminally an activist for using Tor
  • They don’t ban VPN, they criminalize their use

Is there a general thought or consensus on the security of duckduckgo’s vpn service?

Any Linux users here can share your experience with best VPNs to use on desktop in terms of ease of use?

  • ProtonVPN
  • Ghostbear

What about Orbot, is it a Tor service? Vpn? Proxy?

  • It is a proxy app from Guardian Project which runs your traffic over the Tor network.
  • We can use it freely

Some people said that they cannot use a specific app like a mobile banking app when using VPN, why?

Jailbreak should give users the freedom to sideload, right?

Can you share some recommendations for iOS users? I'm Asking before some weeks ago there was proof that iOS was leaking info when the VPNs were active.

Would anyone recommend Opera’s inbuilt VPN?