Educause Security Discussion mailing list archives

Re: VPNs / hostile network / cloud storage


From: Jim Cheetham <jim.cheetham () OTAGO AC NZ>
Date: Tue, 31 Oct 2017 21:08:40 +0000

Excerpts from Kevin Shalla's message of November 1, 2017 9:44 am:
If I have OneDrive or Box or Google set up and automatically synchronizing my local folders to the cloud, and I connect to a 
hostile network, is that traffic liable to be attacked if I'm not running a VPN? If so, because you need to have an 
active network connection before you can connect to the VPN, it seems that in order to avoid that attack you would have to 
first halt those synchronization processes, start the network, start the VPN, then restart those processes - quite a bit of 
overhead every time you close and reopen a laptop (which stops our VPN). Is this a valid concern, or do you think these 
processes are safe over a hostile network?

In general, the synchronising programs will be doing their own encryption with TLS (i.e. in the same way as HTTPS 
websites), and therefore they are encrypted and safe from attack.

However, there will be unencrypted traffic that you depend on first, such as DNS queries; and in a hostile network 
these will be subverted.

If the DNS *content* is signed and this signature is checked by your OS (i.e. using DNSSEC properly) then the hostile 
network will not be able to subvert you; it will be able to block you though (i.e. DoS).

All is not lost; if you have an existing connection in place before switching to the hostile network, you might be just 
continuing the session and not using the hostile DNS at all.

TL;DR version - you're safe in the majority of circumstances. But you are correct that there is a small window of 
opportunity for a hostile network to affect you - check per product and use-case, but it will be difficult for this to be 
leveraged by the average attacker. As usual, all bets are off if you're specifically targeted.

-jim

--
Jim Cheetham, Information Security, University of Otago, Dunedin, N.Z.
✉ jim.cheetham () otago ac nz    ☏ +64 3 470 4670    ☏ m +64 21 279 4670
⚷ OpenPGP: B50F BE3B D49B 3A8A 9CC3 8966 9374 82CD C982 0605
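An added example, not part of Jim's message or anything the list archive carries: the "check per product and use-case" advice above comes down to knowing whether the DNS answers your OS hands to the sync client were validated or merely relayed. The script below, written for this page using only the Python standard library, builds a query with the EDNS0 DO bit, parses the response header and classifies the reply by the AD (Authenticated Data) flag, the RCODE and the transaction id. The four sample responses are constructed by hand (they are not captured traffic) and use the TEST-NET address 192.0.2.1; the live `query_resolver` helper is only reached from `main` and needs a resolver you choose on the command line.

```python
"""Classify DNS replies by DNSSEC validation status (AD flag).

Added example for the thread above, not code from the original message.
Standard library only; SAMPLE_* responses are constructed, not captured.
"""
import os
import socket
import struct

DNS_HDR = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, txid, qtype=1, dnssec_ok=True):
    """Build a recursive query; with dnssec_ok, add an EDNS0 OPT RR with DO=1.

    DO asks the resolver for DNSSEC processing; a validating resolver sets AD
    on answers whose signature chain it has verified.
    """
    flags = 0x0100  # RD (recursion desired)
    hdr = DNS_HDR.pack(txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, IN
    opt = b""
    if dnssec_ok:
        # OPT pseudo-RR: root name, type 41, UDP payload size 4096,
        # ext-rcode 0, EDNS version 0, flags with DO (0x8000), rdlen 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return hdr + question + opt


def parse_header(msg):
    """Decode the 12-byte header; flag bit positions are from RFC 1035/4035."""
    if len(msg) < DNS_HDR.size:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = DNS_HDR.unpack_from(msg)
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),    # response
        "tc": bool(flags & 0x0200),    # truncated
        "ra": bool(flags & 0x0080),    # recursion available
        "ad": bool(flags & 0x0020),    # authenticated data (DNSSEC validated)
        "cd": bool(flags & 0x0010),    # checking disabled
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(msg, expected_id):
    """Reduce a reply to the outcome an application should act on."""
    h = parse_header(msg)
    if h["id"] != expected_id or not h["qr"]:
        return "mismatch"     # not a reply to our query: unsolicited or spoofed
    if h["rcode"] != 0:
        return "error"        # e.g. SERVFAIL, which validating resolvers return on bad signatures
    if h["tc"]:
        return "truncated"    # retry over TCP before trusting the partial answer
    if h["ad"]:
        return "validated"    # resolver asserts it verified the DNSSEC chain
    return "unvalidated"      # unsigned zone or non-validating resolver: spoofable


def _sample_response(txid, flags):
    """Construct a minimal A-record reply for example.com (constructed data)."""
    hdr = DNS_HDR.pack(txid, flags, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    # answer: pointer to the question name (offset 12), A IN, TTL 300, 4-byte rdata
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return hdr + question + answer


SAMPLE_VALIDATED = _sample_response(0x1234, 0x81A0)    # QR RD RA AD
SAMPLE_UNVALIDATED = _sample_response(0x1234, 0x8180)  # QR RD RA
SAMPLE_SPOOFED = _sample_response(0x9999, 0x81A0)      # wrong transaction id
SAMPLE_SERVFAIL = (DNS_HDR.pack(0x1234, 0x8182, 1, 0, 0, 0)  # rcode 2
                   + encode_name("example.com") + struct.pack("!HH", 1, 1))


def query_resolver(name, server, port=53, timeout=2.0):
    """Send one UDP query to `server` and classify the reply (network access)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, port))
        data, _ = s.recvfrom(4096)
    return classify(data, txid)


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print(name, "via", server, "->", query_resolver(name, server))
```

The caveat that matters for the hostile-network case: the AD bit is an assertion made by whichever resolver answered, and on a hostile network that resolver (handed out by DHCP) is the attacker's. RFC 4035 says a stub should trust AD only over a secure channel to a resolver it trusts, so the protection Jim describes requires validation on the laptop itself (a local validating resolver) or a trusted resolver reached over an authenticated transport, not a flag copied from the hotspot's DNS.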
