Fixing the error "Your connection is not secure" in Firefox. Cons of using a VPN If a custom domain is used
The problem of personal data theft has imperceptibly turned into a scourge of civilization. Information about the user is pulled by all and sundry: someone has previously requested consent (social networks, operating systems, computer and mobile applications), others without permission and demand (attackers of all sorts and entrepreneurs who benefit from the information about a particular person). In any case, there is little pleasant and there is always a risk that, along with harmless information, something will fall into the wrong hands that can harm you personally or your employer: official documents, private or business correspondence, family photos ...
But how to prevent leaks? A foil hat will not help here, although this is undoubtedly a beautiful solution. But total data encryption will help: intercepting or stealing encrypted files, the spy will not understand anything about them. This can be done by protecting all your digital activity with the help of strong cryptography (strong ciphers are called, which will take time to crack with existing computer power, at least longer than a person's life span). Here are 6 practical recipes that will help you solve this problem.
Encrypt web browser activity. The global network is designed in such a way that your request, even to closely located sites (like yandex.ru), passes on its way through many computers ("nodes"), which relay it back and forth. You can see an approximate list of them by entering the tracert site_address command at the command line. The first on such a list will be your ISP or the owner of the Wi-Fi hotspot through which you connected to the Internet. Then some more intermediate nodes, and only at the very end is the server that stores the site you need. And if your connection is not encrypted, that is, it is conducted using the usual HTTP protocol, everyone who is between you and the site will be able to intercept and analyze the transmitted data.
Therefore, do a simple thing: add the character “s” to “http” in the address bar so that the site address starts with “https: //”. This will enable traffic encryption (the so-called SSL / TLS security layer). If the site supports HTTPS, it will allow you to do this. And in order not to suffer every time, install a browser plugin: it will forcibly try to turn on encryption on every site you visit.
disadvantages: The eavesdropper will not be able to find out the meaning of the transmitted and received data, but he will know that you have visited a specific site.
Encrypt your email. Letters sent by e-mail also go through intermediaries before reaching the addressee. By encrypting it, you prevent the eavesdropper from understanding their contents. However, the technical solution here is more complicated: you will need to use additional encryption and decryption software. The classic solution, which has not lost its relevance so far, will be the OpenPGP package or its free analogue GPG, or a browser plug-in that supports the same encryption standards (for example, Mailvelope).
Before starting a correspondence, you generate a so-called public crypto key, which will be able to "close" (encrypt) letters addressed to you, your addressees. In turn, each of your addressees must also generate their own key: using other people's keys, you can "close" letters for their owners. In order not to be confused with keys, it is better to use the aforementioned browser plugin. A letter “closed” by a crypto-key turns into a set of meaningless symbols - and only the owner of the key can “open” it (decrypt).
disadvantages: When starting a correspondence, you must exchange keys with your correspondents. Try to ensure that no one can intercept and change the key: transfer it from hand to hand, or publish it on a public server for keys. Otherwise, by replacing your key with his own, the spy will be able to deceive your correspondents and will be aware of your correspondence (the so-called man in the middle attack).
Encrypt instant messages. The easiest way is to use instant messengers that already know how to encrypt correspondence: Telegram, WhatsApp, Facebook Messenger, Signal Private Messenger, Google Allo, Gliph, etc. In this case, you are protected from prying eyes from the outside: if a random person intercepts the messages, he will only see a jumble of symbols. But this will not protect you from the curiosity of the company that owns the messenger: companies, as a rule, have keys that allow you to read your correspondence - and not only do they like to do it themselves, they will hand them over to law enforcement agencies on demand.
Therefore, the best solution would be to use some popular free (open source) messenger with a plug-in for on-the-fly encryption (such a plug-in is often called "OTR": off the record). Pidgin is a good choice.
disadvantages: As with email, you are not guaranteed against a middleman attack.
Encrypt documents in the cloud. If you use cloud storage like Google Drive, Dropbox, OneDrive, iCloud, your files can be stolen by someone who will spy on (or pick up) your password, or if some vulnerability is found in the service itself. Therefore, before placing anything in the "cloud", encrypt it. It is easier and more convenient to implement such a scheme with the help of a utility that creates a folder on the computer - the documents placed in it are automatically encrypted and sent to the "cloud" disk. This is, for example, Boxcryptor. It is a little less convenient to use applications like TrueCrypt for the same purpose - they create an entire encrypted volume placed in the "cloud".
disadvantages: absent.
Encrypt all (not just browser) traffic from your computer. It can be useful if you are forced to use an unverified open access to the Network - for example, unencrypted Wi-Fi in a public place. It's worth using a VPN here: to make things a little easier, it's an encrypted channel that runs from you to the VPN provider. On the provider's server, traffic is decrypted and sent further to its destination. There are both free VPN providers (VPNbook.com, Freevpn.com, CyberGhostVPN.com) and paid ones, which differ in access speed, session time, etc. The big bonus of this kind of connection is that to the whole world you seem to be connecting from the VPN server, not from your computer. Therefore, if the VPN provider is located outside the Russian Federation, you will be able to access sites blocked within the Russian Federation.
The same result can be achieved if you install TOR on your computer - with the only difference that in this case there is no provider: you will access the Internet through random nodes belonging to other members of this network, that is, persons or organizations unknown to you.
disadvantages: remember that your traffic is decrypted at the exit node, that is, on the server of the VPN provider or on the computer of a random TOR participant. Therefore, if their owners wish, they can analyze your traffic: try to intercept passwords, extract valuable information from correspondence, etc. Therefore, using VPN or TOR, combine them with other encryption tools. Besides, setting up TOR correctly is not an easy task. If you have no experience, it is better to use a ready-made solution: the TOR set + Firefox browser (in this case, only browser traffic will be encrypted) or the Linux distribution Tails (working from a CD or flash drive), where all traffic is already configured to route through TOR ...
Encrypt flash drives and removable media, mobile devices. Here you can also add encryption of the hard drive on the work computer, but at least you do not risk losing it - the possibility of which is always present in the case of wearable drives. To encrypt not a single document, but an entire drive at once, use BitLocker (built into MS Windows), FileVault (built into OS X), DiskCryptor, 7-Zip, and the like. Such programs work "transparently", that is, you will not notice them: files are encrypted and decrypted automatically, "on the fly". However, an attacker who gets into the hands of a flash drive closed with their help will not be able to extract anything from it.
As for smartphones and tablets, it is better to use the built-in functionality of the operating system for full encryption. On Android devices, go to Settings -\u003e Security, on iOS, in Settings -\u003e Password.
disadvantages: since all data is now stored encrypted, the processor has to decrypt it when reading and encrypt it when writing, which, of course, wastes time and energy. Therefore, the drop in performance can be noticeable. How much your digital device actually slows down depends on its specifications. In general, more modern and top-end models will perform better.
This is a list of actions to take if you are concerned about a possible leaking of files into the wrong hands. But beyond that, there are a few more general considerations that should also be borne in mind:
A free privacy app is usually more reliable than a proprietary one. Free is one whose source code is published under a free license (GNU GPL, BSD, etc.) and can be changed by anyone. Proprietary - such, the exclusive rights to which belong to any one company or developer; the source code of such programs is usually not published.
Encryption involves the use of passwords, so make sure your password is correct: long, random, varied.
Many office applications (text editors, spreadsheets, etc.) are able to encrypt their documents on their own. However, the strength of the ciphers they use is usually low. Therefore, for protection, it is better to prefer one of the above universal solutions.
For tasks that require anonymity / privacy, it is more convenient to keep a separate browser configured for "paranoid" mode (like the already mentioned Firefox + TOR set).
Javascript, often used on the web, is a real find for a spy. Therefore, if you have something to hide, it is better to block Javascript in the browser settings. Also, unconditionally block ads (install any plugin that implements this function, for example, AdBlockPlus): under the guise of banners, malicious code has often been sent out recently.
If the notorious "Yarovaya law" nevertheless comes into force (according to the plan, this should happen on July 1, 2018), spare keys for all ciphers in Russia will have to be transferred to the state, otherwise the cipher will not be certified. And for using uncertified encryption, even ordinary smartphone owners can be fined from 3 thousand rubles with confiscation of a digital device.
P.S. Photo by Christiaan Colen used in this article.
If you liked the article, recommend it to your friends, acquaintances or colleagues related to municipal or public service. It seems to us that it will be useful and pleasant for them.
When reprinting materials, a reference to the source is required.
We comprehend the basics of "anonymity" on the network.
The article will help you decide whether you need a VPN specifically for you and choose a provider, as well as tell you about the pitfalls of this technology and its alternatives.
This material is just a story about VPN with an overview of providers, intended for general development and solving minor everyday problems. It will not teach you how to achieve complete anonymity on the network and 100% privacy of traffic.
What is VPN?
Virtual private network (virtual private network) - a network of devices that is created on top of another and inside which, thanks to encryption technologies, secure channels for data exchange are created.
The VPN server manages the user accounts of that network and serves as their entry point to the Internet. Encrypted traffic is transmitted through it.
Below we will tell you about the providers that provide access to VPN servers in different countries. But first, let's figure out why this is needed?
Benefits of using a VPN
1. Change "address"
When does a law-abiding Russian need a different IP?
2. Protection from petty evil spirits
A VPN will not save you from government harassment, but it will protect you from:
- An office network administrator who collects dirt on you or just likes to read other people's letters;
- Schoolchildren who indulge in listening to the traffic of a public WiFi hotspot.
Cons of using a VPN
Speed
Internet access speed when using a VPN provider can be slower than without it. First of all, this concerns free VPNs. In addition, it can be unstable, depending on the time of day or the location of the selected server.
Technical difficulites
The VPN provider may have an outage. Especially if it is small and little known.
Most common problem: vpn disconnected and didn't say anything to anyone. Must trace ensuring that your connection is blocked in case of problems with the server.
Otherwise, it may be like this: you write malicious comments on the article of your flatmate, and the VPN quietly turned off and the real IP was lit up in the admin panel, you missed it, and the neighbor noticed and is preparing a revenge plan.
Imaginary anonymity
Your traffic information is passed on to a third party. VPN providers are often asked in interviews: "Do you keep logs?" They answer: "No, no, of course not!" But nobody believes them. And for good reason.
The license agreements of many VPN providers openly state that the user does not have the right to violate copyrights, run hacker programs, send spam, and in case of violation, his account is blocked without a refund. Example: ExpressVPN Term of Service. It follows from this that the user's actions on the network are monitored.
And some nimble VPN providers, for example Astrill, require SMS confirmation to activate the account (it does not work for Russian numbers). Do you want to hide your IP and encrypt your traffic? Ok, but leave the number just in case.
And the questionnaires when registering accounts are sometimes strained with unnecessary questions. For example, why does a VPN provider need a person's zip code? Send parcels for the New Year?
The identity of the user is also may be identified by bank cards (or through wallets of payment systems through which virtual cards are replenished). Some VPN providers lure users by accepting cryptocurrencies as payment. This is a plus for anonymity.
Choosing a VPN service
VPN providers are a dime a dozen. After all, this is a profitable business with a low threshold of entry. If you ask such a question on the forum, then the owners of the services will come running and flood with their advertising.
To help you choose, the site bestvpn.com was created, where ratings and reviews of VPN providers are published. 
Let's take a quick look at the best VPNs (according to bestvpn.com) that have an iOS app.
ExpressVPN
96 cities in 78 countries. 30-day money-back guarantee in case of service interruptions. There are applications for OS X, Windows, iOS and Android. You can work with 5 devices at the same time.
Price: from $ 9.99 to $ 12.95 per month (depends on the payment period).
Private Internet Access
25 countries. There are applications for OS X, Windows, project website.
Price: from $ 2.50 to $ 6.95 per month (depends on the payment period).
IP Vanish VPN
More than 60 countries. There are VPN clients for iOS , Android, Windows, Mac, Ubuntu, Chromebooks and routers. It is possible to work with several devices at once.
Optimistic paranoid
A very interesting marketing ploy. They propose to run encrypted traffic not through one, but through two or three servers.
My opinion on this is this: if a VPN is needed only to hide which country you are from, then it does not make sense. And if there really is something to hide, then the point is to transmit it through three other people's servers at once?
Alternatives
Own OpenVPN server
Tor
Traffic on the Tor network is transmitted through several independent servers in different parts of the earth in encrypted form. This makes it difficult to determine the original IP address of the user. But the cautionary tale of Ross Ulbricht (owner of Silk Road) reminds us that the American intelligence services are capable of much.
Pros:
- Is free;
- Access to the onion network ("darknet"). There are a number of sites only accessible from the Tor Browser. These are their own search engines (Grams), stores, libraries, cryptocurrency exchanges, contextual advertising systems, the Onion Wiki encyclopedia. But for a law-abiding Russian, there is nothing interesting in this network.
Minuses:
- Slow speed.
What does Roskomnadzor think?
Employees of the department are extremely unhappy with the fact that Russians are striving for anonymity on the Internet. Recently, a spokesman for Roskomnadzor called Tor users "social waste", and the agency itself is in favor of banning anonymizers. But Russians don't listen to such opinions. Egor Minin (founder of RuTracker) claims that half of the users of his resource are able to bypass the blocking.
conclusions
This article has everything you need to get started using VPN providers and have no illusions about them. But how do you achieve complete anonymity online?
Go to the Seychelles, find there a few reliable aborigines with cryptocurrency, who will buy a dozen servers for you in different third world countries, and deploy OpenVPN on each of them? :-)
I think any paranoid will come up with a more interesting scheme :-) In conclusion, an old joke about the elusive Joe:
A small town in the Western American steppe. Saloon. Two cowboys, a local and a foreigner, are sitting at the table, drinking whiskey. Suddenly, someone rushes along the street at great speed, firing in all directions from pistols. In the saloon, no one is leading an ear. Visiting local:
- Bill?
- Yes, Harry?
- What was that, Bill?
“It was the Elusive Joe, Harry.
"Why is his name Elusive Joe, Bill?"
“Because no one has caught him yet, Harry.
- Why hasn't anyone caught him yet, Bill? 5.00 out of 5, rated: 1
)
What can be more important in our time than protecting your home Wi-Fi network 🙂 This is a very popular topic, on which more than one article has already been written on this site. I decided to collect all the necessary information on this topic on one page. Now we will take a closer look at the issue of protecting a Wi-Fi network. I will tell and show you how to protect Wi-Fi with a password, how to do it correctly on routers from different manufacturers, which encryption method to choose, how to guess the password, and what you need to know if you are thinking of changing the wireless network password.
In this article, we will talk exactly about securing your home wireless network... And about password protection only. If we consider the security of some large networks in offices, then it is better to approach security there a little differently. (at least another authentication mode)... If you think that one password is not enough to protect a Wi-Fi network, then I would advise you not to bother. Set a good, strong password according to this guide, and don't worry. It is unlikely that someone will spend time and effort to hack your network. Yes, you can, for example, hide the network name (SSID), and set filtering by MAC-addresses, but these are unnecessary troubles, which in reality will only bring inconvenience when connecting and using a wireless network.
If you are thinking about how to protect your Wi-Fi, or leave the network open, then there can be only one solution here - to protect. Yes, the Internet is unlimited, but almost every house has its own router, but over time, someone will connect to your network. And why do we need this, after all, extra clients, this is an extra load on the router. And if it is not expensive for you, then it simply will not withstand this load. Also, if someone connects to your network, they can access your files. (if local network is configured), and access to the settings of your router (after all, you probably didn't change the standard admin password that protects the control panel).
Be sure to protect your Wi-Fi network with a good password with the correct (modern) encryption method. I advise you to install protection immediately when setting up the router. Also, it would be nice to change your password from time to time.
If you are worried that someone will hack your network, or have already done so, then just change your password and live in peace. By the way, since you will all be entering the control panel of your router, I would also advise which one is used to enter the router settings.
Properly securing your home Wi-Fi network: which encryption method should you choose?
In the process of setting the password, you will need to select the encryption method for the Wi-Fi network (authentication method)... I recommend installing only WPA2 - Personal, encrypted by the algorithm AES... For a home network, this is the best solution, currently the newest and most reliable. This is exactly the kind of protection that router manufacturers recommend.
Only on one condition that you do not have old devices that you want to connect to Wi-Fi. If, after setup, your old devices refuse to connect to the wireless network, then you can set the protocol WPA (with TKIP encryption algorithm)... I do not recommend installing the WEP protocol, as it is already outdated, not secure and can be easily hacked. Yes, and there may be problems connecting new devices.
Combination protocol WPA2 - Personal with AES encryption, this is the best option for a home network. The key (password) itself must be at least 8 characters long. The password must be composed of English letters, numbers and symbols. The password is case sensitive. That is, "111AA111" and "111aa111" are different passwords.
I do not know what kind of router you have, therefore, I will prepare small instructions for the most popular manufacturers.
If after changing or setting the password you have problems connecting devices to the wireless network, then see the recommendations at the end of this article.
I advise you to immediately write down the password that you will be setting. If you forget it, you will have to install a new one, or.
Protecting Wi-Fi with a password on Tp-Link routers
We connect to the router (by cable, or by Wi-Fi), launch any browser and open the address 192.168.1.1, or 192.168.0.1 (the address for your router, as well as the standard username and password are indicated on the sticker below the device itself)... Enter your username and password. By default, these are admin and admin. In, I described in more detail the entrance to the settings.
In the settings go to the tab Wireless (Wireless) - Wireless Security (Wireless Security). Place a check mark next to the protection method WPA / WPA2 - Personal (Recommended)... In the dropdown menu Version (version) select WPA2-PSK... On the menu Encryption (encryption) set AES... In field Wireless password (PSK Password) Provide a password to protect your network.
Setting a password on Asus routers
In the settings, we need to open the tab Wireless network, and make the following settings:
- In the "Authentication Method" drop-down menu, select WPA2 - Personal.
- "WPA encryption" - install AES.
- In the "Pre-shared WPA key" field, write down the password for our network.
To save the settings, click the button Apply.
Connect your devices to the network with a new password.
Protecting the wireless network of the D-Link router
Go to the settings of your D-Link router at 192.168.0.1. You can see detailed instructions. In the settings, open the tab Wi-Fi - Security Settings... Set the security type and password as in the screenshot below.
Setting a password on other routers
We have more detailed instructions for ZyXEL and Tenda routers. See the links:
If you did not find instructions for your router, then you can configure the protection of the Wi-Fi network in the control panel of your router, in the settings section called: security settings, wireless network, Wi-Fi, Wireless, etc. Find I think it won't be difficult. And what settings to set, I think you already know: WPA2 - Personal and AES encryption. Well, the key.
If you can't figure it out, ask in the comments.
What to do if devices do not connect after installation, password change?
Very often, after installation, and especially changing the password, devices that were previously connected to your network do not want to connect to it. On computers, these are usually errors "The network settings saved on this computer do not meet the requirements of this network" and "Windows could not connect to ...". On tablets and smartphones (Android, iOS), errors like "Failed to connect to the network", "Connected, protected", etc. may also appear.
These problems are solved by simply deleting the wireless network, and reconnecting, already with a new password. How to remove the network in Windows 7, I wrote. If you have Windows 10, then you need to "forget the network" by. On mobile devices, tap your network, hold, and select "Delete".
If connection problems are observed on older devices, then set the WPA security protocol and TKIP encryption in the router settings.
In parallel with the development of technologies for protecting Internet traffic from unauthorized access, technologies for intercepting secure traffic are also developing. Intercepting and examining unencrypted user traffic has long been easy, even for an ordinary user. Almost everyone knows the word "sniffer". In theory, secure SSL / TSL connections cannot be intercepted by conventional means. But is it?
In fact, this is not entirely true. Yes, encrypted traffic is theoretically impossible to decrypt, although again, theoretically, with a very great need and desire, such traffic can be decrypted by picking up the key. However, this requires such an expenditure of resources that the relevance of hacking remains only, probably, at the government or military level :)
When working over a secure connection (the simplest example is HTTPS), all traffic between communicating points in the network is encrypted on the sender's side and decrypted on the recipient's side. Traffic going in both directions is encrypted. In order to encrypt and decrypt it, you need a pair of keys (asymmetric encryption). The public key is used for encryption and is transmitted to the recipient of the data, and the private key for decryption, it remains with the sender. Thus, the nodes between which an SSL connection is established exchange public keys. Further, to improve performance, a single key is generated, which is sent already in encrypted form and is used for both encryption and decryption on both sides (symmetric encryption).
How do they do it? Usually - on the same channel through which protected traffic will go further. Moreover, the exchange of keys takes place in an open mode. In the case of HTTPS, the server key is associated with a certificate that the user is prompted to view and accept. And this certificate can be intercepted by any intermediate server, on the path of which there is a certificate in clear text (proxy, router).
To further "read" all user traffic, the intermediate server replaces the certificate with its own. Those. it just connects to the client itself with its own certificate, and at the same time connects to the remote server. The client receives a "left" certificate from a malicious server, and the browser informs the user about the danger (such certificates are always not signed). The user is left with a choice: accept the certificate and work with the site, or refuse to accept it, but then work with the site will no longer work. Sometimes users ignore the contents of the certificates altogether and automatically accept any given to them.
If the user accepts a forged certificate, then the traffic will go as follows:
client<= SSL-соединение => wiretapping server<= SSL-соединение => destination server
Those. the intermediate server will receive all your "secure" traffic in cleartext. It is also worth noting that the transfer of the certificate occurs at the beginning of each HTTPS session.
In the case of secure SSH, the first time you connect to the server, the server key is stored on the client and the client key on the server. These keys are transferred between data client-server only once, on the first connection. If in this case SSH traffic is attempted to be intercepted, then both the client and the server will refuse the connection due to key mismatch. Since the keys can be transferred between the client and the server in a roundabout way (via a secure channel or on an external medium), this method of connection is relatively secure. It can only be blocked by forcing the user to work in the open.
It is worth noting that the so-called "enterprise information security solutions" have been on sale for a long time, which intercept all traffic passing through an office proxy server and "read" it. Programs look for the presence of certain phrases or information of a certain type in the data stream from browsers, email programs, ftp clients, messengers of office employees. Moreover, these programs are able to distinguish and process correctly the most different types of information interaction with servers. Among other things, they also check secure SSL traffic by substituting certificates. I came across the development of one of these systems almost directly.
But there are ways to escape total surveillance. Through the established SSH connection, you can send any necessary traffic, which from the SSH server will already go in open form to the endpoint. This method is called SSH tunneling. This way you can secure the passage of traffic over an unsecured channel, but this approach makes sense only if you have a trusted server with an SSH daemon set up and configured for tunneling. Moreover, it is quite simple to organize it. The SSH client connects to the server, is configured to listen on any given port on the local machine. This client will provide the SOCKS5 proxy service, i.e. its use can be configured in any browser, email programs, IMs, etc. Through the SSH tunnel, packets go to the server, and from there they go to the target server. The scheme is as follows:
<== SSH-соединение ==> server<=> target server
Another way to protect traffic is a VPN channel. It is easier to use and more convenient than SSH tunneling, but in the initial installation and configuration it is more difficult. The main convenience of this method is that there is no need to register proxies in programs. And some software does not support a proxy at all, therefore only VPN will do.
In practice, there are two options for working. The first is buying a VPN account, which is sold specifically for this purpose (encrypting traffic over an insecure channel). In this case, accounts are usually sold, which must be connected via PPTP (a regular VPN, which is implemented, for example, in Windows) or L2TP.
The second option is to buy a VDS server (virtual dedicated server) with any Linux distribution on board and run a VPN server on it. VDS can be Russian or American (just don't forget about overseas pings), cheap (from $ 5) and weak, or expensive and more powerful. An OpenVPN server is installed on VDS, and an OpenVPN client is installed on the computer. There is even a guish version of the client for Windows.
If you decide to use the OpenVPN option, that is, for example, this simple step-by-step instruction on how to raise a server (Debian). Installing the client is even easier, especially on Windows. There is only one nuance to note. If all traffic needs to be allowed through the created VPN connection, then you need to register the default gateway to the VPN gateway (the redirect-gateway parameter in the client config), and if only part of the traffic (to certain hosts), then you can register normal static routes to these hosts ( by IP; for example, route add -p 81.25.32.25 10.7.0.1).
For OpenVPN connection, the key exchange is done manually, i.e. it is absolutely safe to transport them from server to client.
Thus, SSH and VPN connections can almost completely guarantee the safety of your traffic when traveling over an unsecured channel. The only problem that can arise in this case is the ban on SSL traffic on the corporate firewall. If SSL traffic is allowed to at least one of any port (usually the default 443), then you can potentially bring up both an SSH tunnel and a VPN connection by configuring the appropriate daemon on your VDS for this port.
Tags: Add Tags
