Root Causes 263: Secure Connection Methods Roundup

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

December 20, 2022

In this episode we discuss the three methods a user might choose for secure remote communications: VPN, SSH, and TOR. For each we discuss the reasons you might choose them and the pros and cons of each.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanThis is a “Jason picks the topic day” today. Jason, what is our topic?

Jason SorokoOur topic is about choosing security controls and this is one of our year-end podcasts. One of our year-end type of discussions where I tend to find that, as an enterprise computer user, especially with respect to security, we kind of straddle two worlds at the end of the year. Right around the holidays, Christmas, etc. because you are around family, you are also being a diligent enterprise employee and, quite often, people get in position of new technologies, new computers, new mobile devices, etc. and sometimes you are quite often gonna end up playing IT staff for family, and sometimes you are making even new decisions about, hey man, I’m doing some of this shadow IT stuff at work and should I be doing it, how should I be doing it? And I just want to bring up three topics that I promised I’d bring this up before.

The topics are VPN, SSH and TOR. And the idea being when do you select them and why. So, there’s really three different properties - -

Tim Callan…properties for let’s say, call it secured confidential remote communications. Yes.

Jason SorokoExactly. I’m not calling them out specifically because they are means of authentication or things that we usually talk about. These are basically ways to to securely communicate. To securely sometimes even just administrate and you might be doing these things with family or with your enterprise. Tim, for each of these I’m going to be bringing up - - so, if you are using one of these it means you are distrusting something.

So, we are gonna ask the question then – who are you distrusting and are you shifting trust from one place to another? The other question I’m gonna be asking is what are you actually protecting and what are you potentially putting at risk? And then I’m gonna call out alternatives and other ways to think about these technologies.

And the reason why I’m bringing it up like that, Tim, is because I think for all three of these things – VPN, SSH and TOR – it’s almost like they’re complete ideas upon themselves that people think, ah, I’m just gonna use this and I’m safe. And that’s true sometimes for you might be giving advice to a family member. Oh, just, you know, here, let me help you use a VPN.

Tim CallanLike, let me make it easy for you. This is what I always say to you, Jason, because we are always constantly struggling with technical issues getting our audio correct and what I always say is just tell me very specifically what to do. So, this is your family member saying this to you at Christmas and they just got their new tablet. They say, “just tell me very specifically what to do.”

Jason SorokoRight on.

Let’s start with VPN first just because it’s the one everybody knows and it’s the one that’s probably universally applicable whether it’s family, you know, or Uncle Tom or whether it’s at the enterprise. You might be using VPN everywhere. And we said this before and, Tim, I believe it was – I’m gonna go up to my notes – it was Podcast 80 where we talk quite a bit about VPNs. So, I’m not gonna get into detail about it except to answer the three questions that I asked – Who are you distrusting and how are you shifting trust? Well, with VPN, Tim, you know this. When you are using VPN it’s because you distrust the ISP. You distrust your internet service provider.

Tim CallanThe public internet in general.

Jason SorokoWell, the public internet in general is true for all of these. Absolutely. It’s true for all of these. So, the distrust is somewhere but the distrust with VPN is specifically with the ISP. So, then you have to ask yourself, alright, well do I distrust my ISP. Well, if you are at home, well, I personally don’t distrust my ISP at home. And so, therefore, I actually trust my ISP more than I trust a VPN provider at home.

Tim CallanRight. Because you are shifting your trust. Right? You are shifting your trust to that VPN endpoint because there is still somewhere where it comes out of the secure tunnel.

Jason SorokoSo, Tim, this would be a great topic for a studio audience. Like I would love to have kind of a raising of hands of how many people operate a VPN at home and I would remove anybody who is using a VPN at home for enterprise purposes because that’s one I understand. So, the thing is, of course, now what are you protecting? What are you putting at risk? Well, for a VPN home user, a lot of people might be using VPN at home and also browsing a website that is protected with an SSL certificate.

Tim CallanYeah. You think you are protecting your logins, your PII, your confidential information that you wouldn’t want just anybody in the world to know. That’s what you think you are protecting. But you are right. The SSL certificate provides that tunnel.

Jason SorokoExactly right. So, there might be other things that your computer is communicating over the VPN but if you are just browsing, there’s probably not a ton of reason to be using that VPN – especially when you consider that VPN has just as much risk, if not more risk potentially, at the endpoint than the actual ISP itself.

So, the next question of course, for the enterprise user what are you protecting? Well, what you actually have done now with the enterprise is you are now trusting the enterprise. That’s typically a very good idea. The enterprise is asking you to use VPN. Great. But remember, the second part of my question is what are putting at risk and remember now that by creating that VPN, basically that privilege of being able to open that door to the network, you now have a privileged credential sitting out in the world somewhere that can access your network.

So, the alternatives, Tim, and I’m working through this very quickly but the alternatives are I think that if you are a home user and you just have your standard internet that you trust from your ISP or if you are a mobile user and you are just on cellular data, I don’t think there’s a lot of real big necessity to turn on VPN if you are, of course, using your enterprise.

Tim CallanIf you are in your home in Ontario or Indiana, like I am. If on the other hand, you live in Kazakhstan, you may decide you don’t trust your ISP.

Jason SorokoBeautiful point, Tim. It just goes right back to what I said at the beginning – who do you distrust? Well, if you distrust your ISP, VPN is a good idea period. And you are shifting the trust to your VPN endpoint exit node more than you trust the actual ISP itself. Therefore, what I would say is for the enterprise user, there’s a big alternative out there. I know that the term zero trust kind of has gone out of fashion, but there was a really good idea within it, which is let’s get away from network authentication and move towards app authentication. So, for those of you who are hardcore enterprise admins who RDP into multiple systems, and you’ve already done a really, really good job of locking down isolating your network and if it’s not a flat network, then VPN away because that’s gonna be the most convenient way of you navigating your network. Terrific. The problem is though, is that if you have – just as an example – an HR user or finance user who is very specialized in what they do and you are forcing them to VPN to an application on an internal network, I do not really truly believe you’ve increased security compared to having strong authentication to that application itself outside of the VPN.

Tim CallanBecause once you control both ends, if they are using your assigned device – say a laptop – and they are going to your network that you control then, yeah, you can just plain use strong PKI.

Jason SorokoYou got it. And so, therefore, Tim, you know, why am I bringing this up? This is a big summary of VPN. VPN can be great, but it’s absolutely not a catch-all. The thing I want to warn people about is you are absolutely not protecting your endpoint. You can still crawl across some malware and be infected at your mobile device or on your laptop and also, your endpoint – your endpoint for your internet is somewhere, and you are choosing where that is. I would have to say that some of these really crummy VPNs that are out there are probably less trustable than your own ISP. That is my main point today.

Tim CallanGotcha.

Jason SorokoSo, Tim, let’s ask our original question. With SSH, who do you distrust and are you shifting trust?

With SSH, typically you are going to be an enterprise user. You are going to be some sort of administrator. But I think there are also a lot of internet hobbyists out there, especially now with cloud adoption. I know a lot of people who are not enterprise users and still using SSH.

Tim CallanA public cloud account.

Jason SorokoThey are remotely administrating all kinds of things. And, in fact, even with the next topic with TOR, we will even get into how some of this mixes. But what you are distrusting, of course, is what you said earlier, Tim, the general internet, the hostile public internet, and what you are shifting trust to is essentially an authentication control.

The problem with SSH, of course, and we’ve talked about this before, Tim. I believe that podcast 224 or 226 and we talked at length about the problems with unmanaged cryptographic keys that are the heart of SSH, and I think for those of you who are hardcore enterprise administrators, I don’t need to drill down at all. You already know the risks that that opens up and I do want to mention though for everybody else who is a little bit less experienced, you absolutely need to be taking better care of your crypto keys. Otherwise you may have created more problems that you are solving.

Tim CallanWe hear about that all the time, right? The keys that basically never get handled because part of the problem with SSH, of course, is that the keys don’t expire. And so, we often hear about somebody does some kind of audit and they discover that SSH keys from people who haven’t worked at the company for 8 years are still active. And things along those lines. You hear about this all the time.

Jason SorokoSo, Tim, that was my question of what are you putting at risk? There’s all kinds of risk. I think though there’s even one more or two more for SSH and that is, you’ve opened up Port 22 now. Right?

In order to be able to get to your remote server. It’s fantastic that you can remotely administrate it, but keep in mind that you have opened up Port 22 to the hostile public internet. And not only that, but these crypto keys are a pain in the butt. We detailed that quite a lot in Episode 266 of this podcast. So, what I’m gonna offer then is an alternative and this is for those of you who are either home users or enterprise users. But that whole problem with the Port 22 means wouldn’t it be great if basically the main server you are trying to get to you, you got to it indirectly through a jump server. A server that you were less concerned about and so, therefore, you could open up say a Port 22 on a jump server and then have a dedicated connection between your jump server and your final destination server. It’s a slightly advanced topic.

Tim CallanBy kind of firewalling – I don’t know if that’s quite the right word – but firewalling the jump server you basically decrease the exposure and risk that you have from having Port 22 open because in the event that that gets exploited, the subsequent exploit is harder. Is that correct?

Jason SorokoEspecially because Port 22 would be closed on the final server that you are trying to get to. Yes. And so really one of the main points to be made there is check it out. There are technologies that are out there to help you do that jump server and, Tim, one of the main reasons I’m bringing this up is a lot of these jump servers will not just use SSH passthrough, but they will actually tunnel SSH through a TLS connection.

So, it’s not necessarily a VPN. It’s similar in idea to VPN but there is an actual TLS connection where you can hold the keys. You can hold the keys and actually make a TLS connection between you and those two other servers – the jump server and the destination server, and then your SSH session occurs inside that TLS encrypted network connection. And I like that idea, Tim. And that’s a very modern idea that’s now out there. There are some startups that have those capabilities, and I just wanted to mention on this podcast because when we are choosing between VPN and SSH and any other of these kinds of connection technologies, it’s not often recommended to have a connection with a connection within a connection because a really smart operator can unravel all of that rather rapidly if the connections are weak. But one reason I like SSH within TLS is because TLS certificates can be managed very, very carefully. SSH less so.

If you were to come up to Tim and I and ask how can I protect my SSH keys vs. my TLS certificates, we could have a lot to say about using the two together. There is, of course, Tim, the topic of SSH certificates in itself, was a whole other idea, Podcast 226, if you want to hear about that, but I just wanted to bring it up here just to complete the thought of the alternatives for SSH. It is so readily used and so poorly used I wanted to spell it out.

Tim CallanAnd, Jason, just pragmatically speaking, SSH certificates are a great concept but – I don’t have a number on this – but I would have to say that probably well less than one percent of the actual SSH usage in the actual world is SSH certificate-based. Right?

Jason SorokoCorrect.

Tim CallanSo it’s a great idea but it’s not what people are doing.

Jason SorokoWhich is why I do like the idea of traditional TLS and traditional SSH working together. You kind of get the best of both worlds.

Tim CallanYeah. I see that.

Jason SorokoAnd, Tim, of course, one of our favorite topics we have talked about in the past, Podcast 105 – TOR.

Tim CallanYeah. Now TOR is a little bit of a different beast, right though? Because TOR has to connect to a designated TOR server.

Jason SorokoThere’s technically at least three servers. Typically many more than that but there’s gonna be at least three TOR servers you are dealing with, and one is you’re entering TOR and the TOR server that you are initially connecting to, and then there’s gonna be I guess what we call the middle of the TOR communication, which is the bouncing around servers, and then there is gonna be the exit node server as well. So, there’s at least three within any TOR connection.

Tim CallanAnd so why do you use TOR?

Jason SorokoTim, I’ll leave that you because this is one that you are gonna give a far better answer than the average person, but I think that it’s one of these things I like to ask everybody because everybody seems to have a different impression of it.

Tim CallanYeah. I think people use TOR because they’re doing something that they think is going to blow back and harm them. The classic example is I’m in an oppressive country and I’m attempting to communicate with other people who want to, let’s say, be members of political opposition or lobby for human rights or stuff, and I’m using this as a way to ensure that ultimately the people I don’t want to aren’t watching me and seeing what I’m doing. And not just that they are not getting my communications because, again, that can be solved within an encrypted tunnel, but they don’t even know who I’m communicating with and that’s why I believe people use TOR.

Jason SorokoSure, Tim. I will tell you, here’s a problem. When we are asked a question who do you distrust, the problem is that when using TOR, unless you are doing VPN over TOR you are trusting your ISP to some degree. And so, therefore, if you are in an oppressive regime - -

Tim CallanBut hold on. My ISP knows that I am connecting to a TOR server, but my ISP can’t trace where it comes out.

Jason SorokoThat’s what it cannot do, but it does know you are on TOR.

Tim CallanRight. It knows I am on TOR, but it doesn’t know what I’m doing on TOR. It doesn’t know who is on the other end.

Jason SorokoThat is correct. And it doesn’t know anything about what’s happening over at the exit node at all. That’s absolutely true.

Tim CallanRight.

Jason SorokoBut there’s that chicken and egg problem of if you are in a regime where you really are distrustful of the regime, then the regime probably has some control over the ISP and probably is blocking TOR anyway.

Tim CallanBy that line of reasoning might they be blocking my VPN?

Jason SorokoYou got it, Tim. So, TOR, to me, there’s two different lines of thought for TOR in my head. I guarantee in reality there’s a ton more than this but there’s a ton more subtlety to this. But I break it down to two things.

I think, Tim, in the spirit of an end of year podcast – and this is why I bring this up – I think there’s a lot of people who might have a spare ten minutes or like, hey, I’m gonna download a TOR browser and check it out. Just play with it and see what’s going on. And they might come to the conclusion, hey, this is a really good way for me to anonymize stuff I’m doing on the internet. Maybe there’s some shopping I want to keep away from family. I don’t want them to know what I’ve been shopping for. Maybe I just want to avoid internet marketers and just get a little privacy into my life in terms of I don’t want to be cookie tracked. I don’t want to have, you know, all the things we’ve talked about previously on this podcast about browsing privacy, Tim.

And then, of course, there’s other folks who are using TOR in order to engage in other stuff on the dark web. Some of which is no big deal and some of which is just really, really, really perhaps bad. Right? And I’ve gotten not a lot of comment about that. It’s just that’s what some people are using it for.

So, let’s get into the brass tacks. What are you protecting and what are you putting at risk? And I think even before we get into that I do want to mention, Tim, VPN over TOR in terms of the question who do you distrust, VPN over TOR is when you don’t trust your ISP but you still want to do TOR and believe it or not, there is a concept of TOR over VPN. You know, you might ask the question, well, why would you do that? That’s if you don’t trust the exit node of TOR, which is kind of a strange topic. I’m sure some people have reasons why they’d want to do that, but I’ve never understood why you would distrust the exit node of TOR because I don’t believe that exit node is gonna give up a lot of information about you. If you are doing TOR over VPN compared to say VPN over TOR. TOR over VPN actually deanonymizes you in a way that you are giving up a lot of information to your VPN provider. So, that’s just something to keep in mind.

So, what are you protecting? With TOR, there’s really bad stuff sometimes going on over TOR. Let’s just face it. Right? On the entire public, hostile public internet, it’s hostile out there.

Tim CallanIsn’t the main point of TOR to obfuscate who is communicating with whom? To make it impossible to say, you, this client is connecting with that server. Isn’t that the big thing that TOR accomplishes?

Jason SorokoThat’s it. You got it. Absolutely, Tim. When would you need to do that?

Tim CallanWhen you are buying illegal things on a website that sells illegal things.

Jason SorokoTim, there are a lot of privacy advocates who are champions of TOR and probably for really good reasons. For me and my purposes and for whenever I’m talking to family who are curious about it, the way I like to explain TOR is that really the advantage to a person who doesn’t already know exactly why they need to anonymize their internet connection, really, we talked about this in a very recent podcast about privacy browsers. And what I would say then to anybody curious about TOR is take some of that curiosity… Indeed. Go ahead and get ahold of the TOR browser and have fun. Just realize though that you are getting mixed up with some stuff that might not be totally savory. It’s not like you are automatically gonna see it. It’s just your traffic is mixed with it.

And I think if your purpose is really about anonymizing from a privacy standpoint then I would suggest as an alternative check out some of the privacy browsers that are out there. DuckDuckGo and Brave and there’s a few other good ones out there. I think that’s my suggestion.

Tim CallanThere’s also a little more of an abstract privacy discussion which goes as follows:

We don’t know exactly how the clever malicious people are gonna figure out how to exploit information and we won’t know until it’s been exploited. This is how exploits work. And the more we mask this stuff, the more we reduce the opportunity for those people to do that. A good example is if you go back to Snowden and the NSA, nobody – I don’t want to say nobody – but lay people did not have any idea that that was going on until it was exposed. And so, what else is going on or could go on that we are not aware of? If we harden our privacy, this is what people like Electronic Frontier Foundation are all about, right? If we harden our privacy everywhere, then the opportunities for very clever, educated people with malicious intention to exploit the mechanisms of the digital world, those opportunities go down.

And that would be the other reason you would do it, is almost for ideological reasons. To say, I just want the chance for somebody to find information they are not entitled to to be as low as it possibly can because I cannot forecast how everybody in the world is gonna figure out a way to use that maliciously. And there is an aspect of that I think for sure among a subset of people. A pretty small subset of people but a subset of people who think in those terms. They are usually pretty educated about computers, and again, they usually have a little bit of an ideological bent when it comes to this sort of thing.

Jason SorokoThat’s a perfect way to segue into what I was gonna mention next, Tim, because we’ve reached the end of our podcast and I’m sorry to everybody who was paying close attention because you might realize I was really just verbalizing what could be in a flow chart, but I wanted to actually speak it out in the spirit of a year-end podcast. But there are two other technologies, Tim, that I think we can talk about earlier in next year, 2023, and that is PGP because it’s related to everything we just talked about.

Tim CallanWe’ve been threatening to do that for about two years.

Jason SorokoWe are mentioning the new PGP and then I think we should do a roundup on instant messaging services, like Signal, WhatsApp and even what’s going on in the Apple world, what’s going on in the Android world and talk about what’s out there, what’s good, what’s end to end encrypted, what’s not. Let’s do a roundup on that, Tim.

Tim CallanYeah. We’ve certainly touched on the messaging apps a couple times in the past with news articles that were directly related but you are right, we never really covered that topic properly and I think that’s a good one to talk for sure.

Jason SorokoAlright, Tim. Thanks a lot.

Tim CallanAlright. That’s great. I look forward to that. This is our first of our year-end episodes. We do this every year and there will probably be one or two more this year and either way, this was a great one, Jason, so thank you very much.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!