Educause Security Discussion mailing list archives
Re: VPNs / hostile network / cloud storage
From: Jim Cheetham <jim.cheetham () OTAGO AC NZ>
Date: Tue, 31 Oct 2017 21:08:40 +0000
Excerpts from Kevin Shalla's message of November 1, 2017 9:44 am:
> If I have OneDrive or Box or Google set up and automatically synchronizing my local folders to the cloud, and I connect to a hostile network, is that traffic liable to be attacked if I'm not running a VPN? If so, because you need to have an active network connection before you can connect to the VPN, it seems that in order to avoid that attack you would have to first halt those synchronization processes, start the network, start the VPN, then restart those processes - quite a bit of overhead every time you close and reopen a laptop (which stops our VPN). Is this a valid concern, or do you think these processes are safe over a hostile network?

In general, the synchronising programs will be doing their own encryption with TLS (i.e. in the same way as HTTPS websites), and therefore they are encrypted and safe from attack.

However, there will be unencrypted traffic that you depend on first, such as DNS queries; and in a hostile network these will be subverted. If the DNS *content* is signed and this signature is checked by your OS (i.e. using DNSSEC properly) then the hostile network will not be able to subvert you; it will be able to block you though (i.e. DoS).

All is not lost; if you have an existing connection in place before switching to the hostile network, you might be just continuing the session and not using the hostile DNS at all.

TL;DR version - you're safe in the majority of circumstances. But you are correct that there is a small window of opportunity for a hostile network to affect you - check per product and use-case, but it will be difficult for this to be leveraged by the average attacker. As usual, all bets are off if you're specifically targeted.

-jim

--
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ jim.cheetham () otago ac nz
☏ +64 3 470 4670 ☏ m +64 21 279 4670
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605