I want to use a VPN provider (ProtonVPN), and don’t want to use an app. They ask the user to install their root CA. How safe is it? What type of info could they get from my laptop? If I have their certificate installed, does that mean they can see and get all info from my browser, including passwords and https sites? And what about other non-browser traffic? How safe is it? What are the risks?
I’m reading some basic info about the Web Cryptography API and I’m wondering if it is possible to implement some crypto provider (C/C++ library or something) with some extra algorithms or if it is mandatory to use the ones “embedded” with the web browser. I have found articles about the security and tutorials about how to use it but nothing about custom implementation. I don’t know if it uses operating system libraries or only web browser libraries, if it should be used “as is”… Some reference or clarification is appreciated.
As you may know, a Virtual Private Network or VPN is a system to create an encrypted tunnel between two computers on the internet: on one end is the VPN client, and on the other end is the VPN server. Everything the client does on the internet can be monitored by the VPN server, which would otherwise be monitored by the ISP and/or the government.
The question is, what kind of data can a VPN server log or monitor? Can the VPN service provider monitor or intercept the full length of the transmitted data, or are they able to do so for some part of it? Also, can they alter and re-transmit the data as it passes through the VPN server?
This question came to my mind after reading some articles warning about VPNs that log and sell user data to third parties. How do I know that the provider isn’t doing such a thing?
I’m having difficulty rating a CVSS for an Identity Provider. Imagine you have a vulnerability where you can bypass an authentication mechanism.
How would you rate:
- Confidentiality (C)
- Integrity (I)
- Availability (A)
as you don’t know which system it will be connected with?
The scope is changing, but I can’t just assume the worst scenario, it will just raise the score unnecessarily.
Supposing my VPN provider allows me to route all kinds of internet traffic through its servers, can I access my cloud VPS using SSH?
I know it is impossible to completely prevent a host from accessing the data of a virtual machine (as noted here, here and here), but I think there is value in making it harder to do so. Bare metal servers aren’t always an option, and they are much more expensive.
Here is the threat model I have in mind:
- Buy a VPS from a fairly small company, maybe even one managed by a single person
- Harden the VPS as much as reasonably possible
- Rogue government entity demands all the server’s data
- The company may not have the time, knowledge or resources to circumvent the hardening
- The company provides only the encrypted data to the government entity
Of course, said government entity could simply demand direct access to the host machine, but even then, it may still take them a good amount of time to figure it out, by which point the VPS owner may have caught on to what’s happening and wiped it clean.
This leads me to my question. Given the typical steps a system administrator may take to obtain data from a virtual machine, what could one do to make this process harder?
Edit: Here is what I have done so far: encrypt the boot partition (GRUB bootloader supports encryption), encrypt the root partition, encrypt the home directory w/ unmounting on logout, use linux-hardened, disable USB via kernel parameters (I am unsure if this helps?)
We have got a new connection from a local ISP provider. The provider supplied a router and a few other devices, then he configured the device with a password, but he does not allow us to reset or change the password on our own. This means we are unable to configure anything from our side. Is this secure for our personal data?