Connecting via VPN and online banking
Posted: 2015-03-06 04:26am
by salm
Hi,
If I connect from my home office to my client's server via VPN, is all my internet traffic routed to the client first?
If, for example, I am connected via VPN and conduct my online banking, can the client theoretically intercept and read the password and login data I enter?
Or is the connection established to my bank directly between me and the bank?
Re: Connecting via VPN and online banking
Posted: 2015-03-06 08:47am
by Borgholio
Yes, VPN is basically a secure connection between you and the remote computer. If the remote computer is compromised, then it could certainly read anything you send through it.
Re: Connecting via VPN and online banking
Posted: 2015-03-06 10:40am
by salm
Borgholio wrote: Yes, VPN is basically a secure connection between you and the remote computer. If the remote computer is compromised, then it could certainly read anything you send through it.
Ok, thank you. So, theoretically, if the admin of the company was malicious he could extract my passwords and steal my login information.
I guess I'll change my passwords then and not online bank anymore while connected.
What is more problematic is that I wouldn't be able to have my email client running while being logged in. That would be pretty much impossible.
Re: Connecting via VPN and online banking
Posted: 2015-03-06 10:44am
by Borgholio
Ok, thank you. So, theoretically, if the admin of the company was malicious he could extract my passwords and steal my login information.
In theory, yes. See, a VPN is designed to ensure that any communications between you and the remote network are safe and secure. But if the remote network has an admin who is snoopy, he can just intercept anything on his end (which is outside the VPN).
Re: Connecting via VPN and online banking
Posted: 2015-03-06 12:56pm
by TronPaul
VPNs can be set up so only some traffic is routed over it (this is the setup I use for my work), but it may not be the default and is hard to ensure. You'd have to make sure the VPN was not the default route for your internet traffic.
Re: Connecting via VPN and online banking
Posted: 2015-03-06 07:46pm
by TheFeniX
Any https link uses its own encryption, on top of what your VPN uses. The only thing compromising the VPN does is give any malcontent access to your data via a "man in the middle" style packet sniffing. He would only possibly have access to your password hash used for your online banking. Dangerous if he tries to brute-force your hash to get your password. But there's also the possibility of weak or compromised encryption on the bank's end. This also could allow for session spoofing, but those don't rely on needing the password.
NOTE: I'm not up on modern encryption schemes.
Under your VPN settings, uncheck the box "use default gateway remote network." This will make it so only data "needed" by your VPN goes through it, such as accessing a network drive on that subnet and/or accessing an internal mail server, such as Exchange. You may also want to ensure you are not using the VPN DNS server, to forestall any possible DNS hijacks.
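Added example, not part of any post in this thread: Python code for the check TronPaul and TheFeniX describe, deciding from the routing table whether traffic to an outside address would leave through the VPN adapter. It assumes the column layout of the "Active Routes" table from Windows `route print -4`; the sample tables, all addresses and the function names are constructed for illustration. It goes slightly beyond the posts by doing a full longest-prefix lookup, so it also catches VPN clients that override the default route with more specific routes.

```python
import ipaddress

# Constructed samples in the column layout of the "Active Routes" table from
# Windows `route print -4`. All addresses are made up: 192.168.1.50 is the
# home LAN adapter, 10.8.0.6 is the VPN adapter.
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.8.0.0    255.255.255.0          On-link        10.8.0.6    257
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    281
"""
# Full tunnel: the VPN adds its own default route with a lower metric.
FULL_TUNNEL = SPLIT_TUNNEL + (
    "          0.0.0.0          0.0.0.0          On-link        10.8.0.6      1\n"
)


def parse_routes(text):
    """Return (network, interface, metric) for every well-formed route row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or persistent-route row
        dest, mask, _gateway, iface, metric = parts
        try:
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), iface, int(metric)))
        except ValueError:
            continue  # not an address/netmask/metric triple
    return routes


def egress_interface(route_text, destination):
    """Pick the route the OS would use: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in parse_routes(route_text) if addr in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))[1]


if __name__ == "__main__":
    bank = "203.0.113.10"  # documentation address standing in for the bank
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, "tunnel: bank traffic leaves via", egress_interface(table, bank))
```

This covers routing only; which DNS server answers your lookups is a separate adapter setting.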
Re: Connecting via VPN and online banking
Posted: 2015-03-09 08:12am
by salm
Cool, thank you for the information, everybody.
Re: Connecting via VPN and online banking
Posted: 2015-03-12 12:38pm
by TheHammer
If you are using an up-to-date browser and operating system with appropriate security patches, your connection should be secure end-to-end with an HTTPS connection. The sort of brute force hash attack Fenix mentioned is far more difficult on those, and most such attacks center around tricking older browsers into using weaker encryption.
To avoid man in the middle attacks, you just need to make sure that your certificate is valid, and more often than not your browser will warn you if something is amiss. If you want to check the certificate chain yourself, that's relatively easy to do. You just want to make sure that it is issued by a Trusted Root Certificate Authority.
More information can be found here:
https://www.instantssl.com/ssl-certific ... ation.html
Now, if you're operating from a company-owned asset that is remotely managed there are other ways they could get information from your client machine itself, but if it's your home PC and all you're doing is connecting via VPN. Generally speaking, unless you've got specific cause for suspicion, I wouldn't worry about a malicious network admin in your office as much as I would about connecting to anything from a "free wi-fi hotspot". With the former, it's far easier to trace back malicious activity than the latter.