Using a VPN while traveling

[GetawaysRus]

Doubtless there are some here who are far more computer-sophisticated than I. Please chime in.

I have a secure computer network at home. But I have long been concerned about accessing password protected websites while away from home. What if I needed to access my bank or brokerage account while using a hotel network? What if I needed to access one of my frequent flyer accounts or hotel programs?

I know that there are paid VPN services. But I've been hoping to find something free that would work well.

I first found free VPN apps for my Android phone. The Opera VPN had an Editor's choice symbol, so I installed that and have been using that.

And I have just learned that the Opera browser for Windows computers added an in-browser VPN service in May 2016. I'm traveling this week within the USA, and so far this looks to be pretty slick. It is easy to toggle on or off using the program Settings. When on, you see a small blue VPN icon in the address bar, just to the left of the URL. (I don't know yet how well this will work when abroad.)

So I'm curious:
1. Am I secure using a VPN, or am I fooling myself?
2. Are there other VPN services, or other approaches, that others use and that might be superior?

 

[italdesign]

based on my understanding, for ~99.99% of cases you don't need a VPN as long as you're going thru HTTPS.

 

[Cmonman76]

I paid for a few months from privateinternetaccess just to test out finding higher amex offers. Then I used it once in Japan.
I think if you are in the USA then any free version would be fine. In China you will find some won't always work correctly.

And like italdesign says, for the most part the HTTPS might be sufficient. That I don't really know.

 

[Matt]

I'm not an expert at this either, but think everyone should have a VPN.. and even with one it isn't flawless, because information can be viewed during the handshake period, same with HTTPS.

The other big concern out there for us travelers is that open Wifi (think Hotel with a name/room number log in) or guest wifi is, I believe, quite susceptible to breaches.

I don't know whether Opera fixes this, it might, but then there is (conceptually to me) a risk of having the secure pipe through the browser only and inadvertently launching a different app, like Mail/Outlook that sends unsecured.

 

[jumpyshoes]

It depends how paranoid you are. Most people are fine with just HTTPS.

Generally, you should set up two factor authentication (2FA) for all your sensitive services and use a password manager. There's another thread with password manager recommendations (I recommend 1password).

If you're traveling abroad, a VPN can be useful anyway (e.g. in China). Open wifi (e.g. hotels) are more dangerous. Sometimes, I tether to my phone to avoid this. Up to you how paranoid you want to be.

 

[M L]

Actually most VPN services and HTTPS use the same foundational security technology (SSL/TLS) so I don't think the protocol's handshake period vulnerability etc is really a major difference. Encryption wise, they are roughly equivalent. Question is when does the encrypted session begin (everything before that could be viewed across an open wifi connection). Most sites will start encrypting when entering sensitive data (passwords, credit card numbers etc) or when downloading the content. Which means with HTTPS, there is a chance that someone may be able to view which URL you went to (e.g. a certain product page on an ecommerce site) before it begins the encrypted session, even though they may not be able to view its content. With VPN services since you begin encryption at the point of starting the VPN service, everything after that would be part of the encrypted session including the request for a particular URL. (Perhaps this is what Matt meant by the handshake being visible with HTTPS).

But aside from that small difference in whether the initial URL request is secured or not, unlike HTTPS, VPN services can also help by appearing to initiate/terminate your session at a different point from where you actually are (since the sessions are initiated/terminated at the VPN server). This can make a difference to sites that exhibit different behavior based on your location, IP address etc (e.g. I know a friend who uses a VPN just to watch his streaming NFL package available only to US viewers, when he is overseas, appearing to be connecting from the US). This can also be helpful to bypass country gateway firewalls etc.

And of course, if you were using a site that uses plain HTTP (not HTTPS) you surely are protected by a VPN service but completely unprotected if not using one (over say, Open Wifi or even wired connections that could be sniffed by an intruder).

Also, I am not including in the above discussion, a VPN connection to your own corporate or home network (those usually run IPsec VPNs rather than SSL/TLS ones, which is a different beast but similar in terms of security, etc, but loosely speaking, requires more pre-setup).

HTH

 

[FullMoonMadness]

Lots of great advice here.

...but think everyone should have a VPN.. and even with one it isn't flawless, because information can be viewed during the handshake period, same with HTTPS.

The other big concern out there for us travelers is that open Wifi... quite susceptible to breaches.

I don't know whether Opera fixes this, it might, but then there is (conceptually to me) a risk of having the secure pipe through the browser only and inadvertently launching a different app, like Mail/Outlook that sends unsecured.

I'm not sure either, but my guess is that only your browser traffic is encrypted.

Generally, you should set up two factor authentication (2FA) for all your sensitive services and use a password manager. There's another thread with password manager recommendations (I recommend 1password).

Frankly, I'm amazed more sites don't use 2FA. I also find a password manager to be so incredibly important given the number of loyalty accounts we all have. It's a must. The alternative to not using one is 1) an amazing memory for different passwords, 2) using the same password over and over again (bad monkey!), and 3) storing the passwords in plain text (Word document or written on paper) -- all of which are horribly flawed.

Most sites will start encrypting when entering sensitive data (passwords, credit card numbers etc) or when downloading the content. Which means with HTTPS, there is a chance that someone may be able to view which URL you went to (e.g. a certain product page on an ecommerce site) before it begins the encrypted session, even though they may not be able to view its content. With VPN services since you begin encryption at the point of starting the VPN service, everything after that would be part of the encrypted session including the request for a particular URL. (Perhaps this is what Matt meant by the handshake being visible with HTTPS).

But aside from that small difference in whether the initial URL request is secured or not, unlike HTTPS, VPN services can also help by appearing to initiate/terminate your session at a different point from where you actually are (since the sessions are initiated/terminated at the VPN server). This can make a difference to sites that exhibit different behavior based on your location, IP address etc (e.g. I know a friend who uses a VPN just to watch his streaming NFL package available only to US viewers, when he is overseas, appearing to be connecting from the US). This can also be helpful to bypass country gateway firewalls etc.
HTH

The all-around protection/hiding my traffic, including URL requests, is why I like VPNs. I have yet to need access to content not allowed where I am traveling, but there is definite value there too.

 

[TProphet]

A lot of Web sites and banks freak out if you pay with a credit card and you're doing it from a foreign IP. I use VPNs to avoid that.

VPNs can help protect your privacy and security. SSL doesn't protect you against Blue Coat: https://www.bluecoat.com/products-and-solutions/encrypted-traffic-management - many hostile networks use this or other similar technologies in order to strip the privacy from SSL.

VPNs also get around regional content locks, such as not being able to watch Netflix from the location where you're physically present.

Finally, VPNs can improve performance to US sites from abroad in some scenarios. This is more useful when traveling in far-flung locations such as Myanmar.

 

[FullMoonMadness]

FYI: I just discovered that Southwest apparently doesn't like the use of PIA as a VPN. Every time I try to login I get sent to a maintenance page. Pretty annoying if you're trying to buy something securely.

 

[EddieLV]

I always use VPN when using a wifi AP that is not managed by me - hotels, airports, inflight. I've heard good things about PIA vpn services. FWIW I signed up for TigerVPN when they offered a lifetime VPN service for $29.

 

[cheztir]

FYI: I just discovered that Southwest apparently doesn't like the use of PIA as a VPN. Every time I try to login I get sent to a maintenance page. Pretty annoying if you're trying to buy something securely.

Had a similar issue in the past, I was able to use the PIA SOCKS5 proxy instead. While it's not a true VPN it does provide encryption to keep your information safe.