by lmm 4867 days ago
>In terms of security in depth, VPN provides another layer. If someone gets your VPN credentials, all they've done is given themselves a new endpoint, not gained access to any of your stuff.

One strong layer is better than two weak ones. If you're willing to remember 20 characters, a 20-character ssh password is much safer against these brute-force attacks than a 10-character VPN password + a 10-character ssh password.

(As for non-brute-force attacks, if someone compromises the VPN software they now have access to your home box without needing a second attack, so it comes down to whether the VPN software is more or less likely than SSH to have bugs - and my impression is that the SSH codebase is possibly the most thoroughly audited in the world.)

>VPN also protects web surfing, which ssh does not.

Non-https traffic is going to be unencrypted over the open internet anyway, so I see no harm in it being unencrypted on the cafe network. (And if you're worried about being under surveillance, routing all your traffic via your home internet connection makes that easier than using a variety of public access points).


I meant a commercial VPN service. I agree that if you're just VPNing into the same box that is running ssh, it's no more secure than ssh by itself.

With the commercial VPN service, you run your own server exactly the same way as before, but restrict ssh access to only your VPN endpoint IP. Now your attack surface is way way smaller. (And your ssh logs are nice and clean.)

> Non-https traffic is going to be unencrypted over the open internet anyway, so I see no harm in it being unencrypted on the cafe network.

It's just so much easier to sniff traffic on unsecured WiFi than anywhere else. Not every site you log into implements https, or implements it correctly, and there are a variety of nasty things that can be done with that.

Think of running a WordPress blog on your own server...how many people bother to force https for that? But if someone hijacks your WordPress admin session, they've basically got your whole server.
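As an added example, not part of the thread, here is a POSIX shell script that implements the setup described above: SSH reachable only from the commercial VPN's egress IP, enforced with nftables and backed up by sshd's AllowUsers. 203.0.113.7 is a constructed placeholder for that address, and the file paths and service name are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example, not from the thread: admit SSH only from the commercial VPN's
# egress address. 203.0.113.7 below is a constructed placeholder for that IP.
set -eu

# nftables ruleset: drop inbound by default, allow TCP/22 only from the VPN IP.
# Uses "ip saddr" (IPv4); use "ip6 saddr" if your VPN egress is IPv6.
render_nft_rules() {
    vpn_ip="$1"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr $vpn_ip tcp dport 22 accept
        # Everything else aimed at sshd is logged, then dropped, so the
        # brute-force noise moves from the ssh log to the firewall log.
        tcp dport 22 log prefix "ssh-denied: " drop
    }
}
EOF
}

# sshd-level backstop: if the firewall is ever flushed, sshd still refuses
# logins from any source other than the VPN endpoint.
render_sshd_dropin() {
    vpn_ip="$1"
    cat <<EOF
# /etc/ssh/sshd_config.d/10-vpn-only.conf (needs OpenSSH >= 8.2 with Include)
AllowUsers *@$vpn_ip
EOF
}

# Validate, then apply. Keep an out-of-band console handy: if the VPN
# provider changes your egress address, this locks you out.
install_restrictions() {
    vpn_ip="$1"
    render_nft_rules "$vpn_ip" > /tmp/ssh-vpn-only.nft
    nft -c -f /tmp/ssh-vpn-only.nft && nft -f /tmp/ssh-vpn-only.nft
    render_sshd_dropin "$vpn_ip" > /etc/ssh/sshd_config.d/10-vpn-only.conf
    sshd -t && systemctl reload sshd
}

if [ "${1:-}" = "--install" ]; then
    install_restrictions "${2:?usage: $0 --install <vpn-egress-ip>}"
fi
```

Run it without arguments to review the generated ruleset and drop-in; `--install` applies them only after `nft -c` and `sshd -t` accept the configuration.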