Do you REALLY need a VPN?

Hussein Nasser · Intermediate ·🔐 Cybersecurity ·6y ago

Key Takeaways

The video discusses the importance of Virtual Private Networks (VPNs) in protecting user data and explores various cybersecurity threats such as ARP spoofing, man-in-the-middle attacks, and DNS requests. It also explains how VPNs can protect against these threats, but also has its own limitations.

Full Transcript

they'll expect to know about VPNs virtual Thomas Scott is a youtuber with around 2 million subscriber who discusses and specializes in computer security I always enjoyed his video especially those on computer file he recently made a very interesting video titled this video sponsored by blank VPN we all probably know that this is a reaction to the North VPN hack I wanted to make a video to elaborate on some of the statements that Tom made in his video and how those actually work ok let's elaborate on this little bit I want to go to Bank of America I'm connected to Starbucks and there's like 30 shady people connected to the same public unencrypted network so what what will happen here so I'm gonna go to Bank of America calm well I'm gonna ask ask the question where is Bank of America what's the IP address that's a DNS unencrypted UDP request so everybody can sniff that there's obviously the how of how they can snoop but that router knows that you go into Bank of America that's it right you get back the IP address let's start there so let's try to illustrate that with a picture so this is the shady public Wi-Fi this is you this is some other three shady people and this is where you want to connect to I say this is Bank of America and what do you what do you want and this is like a connection to the public Wi-Fi right this is what it means this is the private IP address you get this is the starbuck gateway address right and this is the basically the the your private IP at it and this is your MAC address and this is very important because we're gonna talk he talked about ARP right ARP spoofing so what does that mean so what happens in let's say 1 9 2 & 6 a 1 1 5 won't connect to 4 for that one to do 4 so the first thing we want to do let's say I want this is my IP address and I want to connect to this IP at it which is the Bank of America for example and for four one two four is this in my subnet if it is then I can ask an ARP request and say okay give me the MAC address because this is how will you communicate at a low level you need the MAC address of the thing to send it information but guess what this is not even in my subnet so I'm not gonna bother doing an ARP request so what's next if it's not in my submit I get a till the router I can I tell him my gateway hey this is someone I need to communicate to but I think he's outside my network Hey the tech this packet and send it to him please or to her so how do I send this packet to this IP address well I need to know the ARP of that gateway to in order to send it the packet you do an ARP request if you're lucky and you have an ARP table here telling you them the MAC address of 192 168 dot one dot one is a then you immediately send it but unfortunately let's say you don't have it so what are you gonna send is like hey who has this IP address and the router will tell you hey it's cool I have that IP address my MAC address is a so you notice that what happened right everybody got that request right everybody got that request is 191 second with one right but those guys are good actors they said no it's not my son it's not me son it's not me so on it's normally son this guy said it is me son so what they will do is ensure this just like hey alright I know the MAC address I'm gonna send you the request take that packet and then the router will take that packet and send it to you so what tom was talking about here is that bad actor case where so this is one approach of doing spoofing essentially right so when you decide to ask the question who has this IP address 192 168 1 2 1 you can send it but this guy if they are applied before the grout er like if they are fast enough their replies is hey that's actually that's me 191 68 that one that one is me send me your beautiful data so what will happen here is this guy will think oh it's mac-address D who has the Gateway alright I'm gonna send you the information anything it goes through this guy and this guy will pretend to be the router and we'll make anything any sort of encrypted HTTP websites that is absolutely true even if someone pretend to be the router in order to establish the TCP define the the connection between you and the final destination you can accomplish what we call the TLS connection which we talked about i'm the reference of the video here once you agree on a symmetric key between you and Bank of America they can sniff everything they want they won't they won't see anything because everything will be encrypted any piece of data you send it's gonna be encrypted that's what tones talking about here if it's HTTPS then it's not possible now what Tom did not mention here is if that bad actor did a man-in-the-middle attack and pretended to be Bank of America by providing you a valid certificate from Bank of America somehow which happened before then you will have no clue that this happened to you it can happen you have to forge a certificate that is valid and if you for just certificate there is no value you're gonna get the message that you're seeing right here potential error okay because you can obviously fake a Bank of America certificate which has a public key of Bank of America but you will not be able to the browser will they use and will give in this measure this connection is not private something is off this certificate is expired something is weird it's up to you client do you want to communicate or nom you better click you know okay in that case right if that's specially if you're connected through a Wi-Fi that is public all right someone could have done this is not easy but can be done right so I just wanted to add to Tom's point there that's a very interesting point that thank God he blurred that part because they can only see the domains and what why because of DNS when you make a dns UDP request you say hey no there's no connection right youtube.com/ what's its IP address okay and you make a correct quest it's a it's an unencrypted request that will get routed and obviously any records you make goes through your eyes beam to make sure you haven't turn it or not and they come as they can only look at requests that are unencrypted especially DNS they are very light unencrypted stuff so they can see that ho-oh hmm you made a request to all go to this website because you want to get the IP address right that's very visible to the ISP okay so they can see where you want to go can they say which page absolutely not if you make a good request to youtube.com slash the 64 bit idea that I have this is part of the HTTP packets is part of the HTTP header well the HTTP header is part of the header content which is data which is encrypted with HTTPS for using TLS right it's interrupted so they cannot see it unless they do man in the middle cause the host on government did try to do that they actually forced ISP to install a terminating proxy - term TLS and they forced people to install their certificate on their machines so so they don't get this error that Tom once put in this video speech can block those they know let them in hey you're going to that domain no sorry no you cannot go so what they do essentially is like they even give you the DNS request wrong they block that DNS request or they make sure that they have a list of IP addresses they can block that stuff if they want to okay so they can block that stuff he mentioned also Tom mention about something that VPN can protect you from your ISP not knowing where you're going okay so the ISP obviously we determine that they know which domains you visited but they don't know which pages which content that is correct obviously if using TLS connection they cannot read it HP's cannot read it unless obviously they install terminating proxy and they force you to install a certificate on your machine they cannot read Jack that's a very important point okay so if you're using a VPN you're I speak and no longer know which domains you visited and so as a result you can open any sites you want because the DNS requests can go anywhere you want right they go essentially you're creating a tunnel between you and the VPN the ispeed knows that hey that's the last thing you want to connect to which is nor the VPN right and then after you connect to nor VPN you establish a can't like almost like a TLS connection between you and then or maybe and maybe something else right and then you start shoving data in side that nor between unpacked this data and then look at it they say okay oh you want to go to youtube.com wink wink let's go there right and then we'll make the request on your behalf obviously i Spees do not know anymore because you just tunneled it the isp know that you're connected to a VPN by the way they know that so what what does Tom mean by logs here and logs obviously they not seem you did a VPN cannot see your data again because you're always connected the file destination to establish a TLS connection so they will generate that random ephemeral key and then you will generate the random ephemeral key and the final you're gonna agree on a symmetrical key that you can have nobody in the middle can do anything about it unless again the TLS is terminated I'm gonna force a video about the tailless termination here if you're interested go there check it out actually talk about the laws they cannot look at it but they the only thing that you can knows which domains you visited that's it through the DNS request that's it if DNS were encrypted we don't have this problem but it's almost impossible to encrypt in s request you think it's our public I don't understand that point relays like how do you plan an assassination and what web sites do you visit to plan an association jeez that's the only site you visit what it's like how to kill people calm what what do you like if you want to cover your tracks I probably what did you want you don't want to do it online you want to go you want to go to Lowe's or Home Depot or something probably you don't want to do this stuff online but I add on that like even if you're publicly browsing if the what domain name doesn't give shady information if you buy everything from that's true so if you're a person in China and you wanna watch Netflix which is blocked is you you wanna VPN into a network that is in America and then from that network we the VPN company will make a request on your behalf sir and then we make a request and we do your thing right we're gonna make a request so we don't know that you're we know you are from China as a VPN company but we got your son okay but again China can actually block VPN companies I can do it if they want they can prevent you from VPN Inc right it's it's not hard for them the IP address can give where are you from it's it's a very simple process to know to geo locate your IP address to air and location alright guys so that's it for me today I hope you enjoyed this video check out the I'm gonna deliver friends the full video for Tom here so go check it out I'm gonna see you on the next one hope you enjoy this kind of kinda a little bit different I'm kind of elaborating on someone else's video I never done this before so if you enjoy this really you want to do to see more of that hit that like button and leave a comment if you don't enjoy it that's fine I'm just trying things out in this channel I'm gonna see you on the next one you guys stay awesome

Original Description

@Tom Scott Full Video ​This Video Is Sponsored By ███ VPN #tomscott https://youtu.be/WVDQEoe6ZWY In this video I am elaborating on Tom’s video on Virtual Private Networks claims and I ask the question whether you really need a VPN or not. Virtual Private Networks or VPNs allows you to to tunnel your requests through a private network which hides your identity but how true is this? Cards 5:30 TLS https://www.youtube.com/watch?v=AlE5X1NlHgg 12:24 TLS Termination https://www.youtube.com/watch?v=H0bkLsUe3no Forged certificate https://slate.com/technology/2016/12/how-the-2011-hack-of-diginotar-changed-the-internets-infrastructure.html Support me on PayPal https://bit.ly/33ENps4 Become A Patron https://www.patreon.com/join/hnasr? Stay Awesome! Hussein
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from Hussein Nasser · Hussein Nasser · 0 of 60

← Previous Next →
1 Extending ArcObjects (IGeometry) - 01 - Getting Started
Extending ArcObjects (IGeometry) - 01 - Getting Started
Hussein Nasser
2 Extending ArcObjects  (IGeometry) - 02 - The Document, The Map and The Layers
Extending ArcObjects (IGeometry) - 02 - The Document, The Map and The Layers
Hussein Nasser
3 Channel Update - New Book, New Job, New Videos
Channel Update - New Book, New Job, New Videos
Hussein Nasser
4 Learn Programming with VB.NET - 01 - Getting Started
Learn Programming with VB.NET - 01 - Getting Started
Hussein Nasser
5 Learn Programming with VB.NET - 02 - Classes and Objects (Part 1)
Learn Programming with VB.NET - 02 - Classes and Objects (Part 1)
Hussein Nasser
6 Learn Programming with VB.NET - 03 - Classes and Objects (Part 2)
Learn Programming with VB.NET - 03 - Classes and Objects (Part 2)
Hussein Nasser
7 Learn Programming with VB.NET - 04 - User Interface
Learn Programming with VB.NET - 04 - User Interface
Hussein Nasser
8 Learn Programming with VB.NET - 05 - By Value v. By Reference
Learn Programming with VB.NET - 05 - By Value v. By Reference
Hussein Nasser
9 Learn Programming with VB.NET - 06 - Variable size, 32 bit vs 64 bit
Learn Programming with VB.NET - 06 - Variable size, 32 bit vs 64 bit
Hussein Nasser
10 Learn Programming with VB.NET - 07 - Conditional Statements
Learn Programming with VB.NET - 07 - Conditional Statements
Hussein Nasser
11 Learn Programming with VB.NET - 08 - Inheritance
Learn Programming with VB.NET - 08 - Inheritance
Hussein Nasser
12 Learn Programming with VB.NET - 09 - Strategy Design Pattern
Learn Programming with VB.NET - 09 - Strategy Design Pattern
Hussein Nasser
13 Learn Programming with VB.NET - 10 -  How did I learn programming
Learn Programming with VB.NET - 10 - How did I learn programming
Hussein Nasser
14 IGeometry 2016 Retrospective - Channel Update
IGeometry 2016 Retrospective - Channel Update
Hussein Nasser
15 Javascript by Example - The Vook
Javascript by Example - The Vook
Hussein Nasser
16 Vlog - Keep your servers close and your database closer
Vlog - Keep your servers close and your database closer
Hussein Nasser
17 Vlog - Client/Server Programming Languages
Vlog - Client/Server Programming Languages
Hussein Nasser
18 Javascript By Example L1E01 - Getting Started
Javascript By Example L1E01 - Getting Started
Hussein Nasser
19 Persistent Connections (Pros and Cons)
Persistent Connections (Pros and Cons)
Hussein Nasser
20 Javascript By Example L1E02 - Building the Calculator Interface
Javascript By Example L1E02 - Building the Calculator Interface
Hussein Nasser
21 Happy new Year from IGeometry!
Happy new Year from IGeometry!
Hussein Nasser
22 Synchronous v. Asynchronous
Synchronous v. Asynchronous
Hussein Nasser
23 Javascript By Example L1E03 - Displaying the Digits on Calculator Screen
Javascript By Example L1E03 - Displaying the Digits on Calculator Screen
Hussein Nasser
24 Show Your Work. Blog, Vlog, Write, Create and Develop!
Show Your Work. Blog, Vlog, Write, Create and Develop!
Hussein Nasser
25 Relational Database Atomicity Explained By Example
Relational Database Atomicity Explained By Example
Hussein Nasser
26 Javascript By Example L1E04 - Operators, All Clear with Arrow Functions
Javascript By Example L1E04 - Operators, All Clear with Arrow Functions
Hussein Nasser
27 What Comes First, User Experience or Software Architecture?
What Comes First, User Experience or Software Architecture?
Hussein Nasser
28 Javascript By Example L1E05 -  Evaluate the Calculator Expressions with eval
Javascript By Example L1E05 - Evaluate the Calculator Expressions with eval
Hussein Nasser
29 Fastest Way to Learn Programming Language or Technology
Fastest Way to Learn Programming Language or Technology
Hussein Nasser
30 Javascript By Example L1E06 -  Fix Leading Zero Bug with Conditions
Javascript By Example L1E06 - Fix Leading Zero Bug with Conditions
Hussein Nasser
31 Stateful vs Stateless Applications (Explained by Example)
Stateful vs Stateless Applications (Explained by Example)
Hussein Nasser
32 Javascript By Example L1E07 - Running our Calculator on the Mobile Phone
Javascript By Example L1E07 - Running our Calculator on the Mobile Phone
Hussein Nasser
33 Advice for New Software Engineers and Developers
Advice for New Software Engineers and Developers
Hussein Nasser
34 Why JSON is so Popular?
Why JSON is so Popular?
Hussein Nasser
35 Building Scalable Software - SLA, HS, VS
Building Scalable Software - SLA, HS, VS
Hussein Nasser
36 Vlog (Istanbul) - Datacenter Proximity
Vlog (Istanbul) - Datacenter Proximity
Hussein Nasser
37 Should Software Engineers Learn Bleeding-Edge Technologies?
Should Software Engineers Learn Bleeding-Edge Technologies?
Hussein Nasser
38 Do Developers Build Bad User Interfaces/Experience?
Do Developers Build Bad User Interfaces/Experience?
Hussein Nasser
39 Learn By Doing.
Learn By Doing.
Hussein Nasser
40 I Wrote Bad Front-End Code That Broke Chrome
I Wrote Bad Front-End Code That Broke Chrome
Hussein Nasser
41 My Story
My Story
Hussein Nasser
42 Vlog - Horizontal vs Vertical Scaling
Vlog - Horizontal vs Vertical Scaling
Hussein Nasser
43 Can User Experience Help Build Better Rest API?
Can User Experience Help Build Better Rest API?
Hussein Nasser
44 Reverse engineering Instagram in flight mode
Reverse engineering Instagram in flight mode
Hussein Nasser
45 The Benefits of the 3-Tier Architecture (e.g. REST API)
The Benefits of the 3-Tier Architecture (e.g. REST API)
Hussein Nasser
46 Stateless v. Stateful Architecture (Podcast)
Stateless v. Stateful Architecture (Podcast)
Hussein Nasser
47 The evolution from virtual machines to containers
The evolution from virtual machines to containers
Hussein Nasser
48 Proxy vs. Reverse Proxy (Explained by Example)
Proxy vs. Reverse Proxy (Explained by Example)
Hussein Nasser
49 Canary Deployment (Explained by Example)
Canary Deployment (Explained by Example)
Hussein Nasser
50 No Excuses
No Excuses
Hussein Nasser
51 Synchronous vs Asynchronous Applications (Explained by Example)
Synchronous vs Asynchronous Applications (Explained by Example)
Hussein Nasser
52 What is an Asynchronous service?
What is an Asynchronous service?
Hussein Nasser
53 Difference between Client Polling vs Server Push in Notifications
Difference between Client Polling vs Server Push in Notifications
Hussein Nasser
54 Software vs. Hardware AdBlockers (Explained by Example)
Software vs. Hardware AdBlockers (Explained by Example)
Hussein Nasser
55 HTTP Caching with E-Tags -  (Explained by Example)
HTTP Caching with E-Tags - (Explained by Example)
Hussein Nasser
56 Simple Object Access Protocol Pros and Cons (Explained by Example)
Simple Object Access Protocol Pros and Cons (Explained by Example)
Hussein Nasser
57 Nodejs Express "Hello, World"
Nodejs Express "Hello, World"
Hussein Nasser
58 Reverse Engineering Instagram feed
Reverse Engineering Instagram feed
Hussein Nasser
59 Popup Modal Dialog with Javascript and HTML
Popup Modal Dialog with Javascript and HTML
Hussein Nasser
60 MIME and Media Type sniffing explained and the type of attacks it leads to
MIME and Media Type sniffing explained and the type of attacks it leads to
Hussein Nasser

This video teaches viewers about the importance of VPNs in protecting user data and explores various cybersecurity threats. It explains how VPNs can protect against these threats, but also has its own limitations. Viewers will learn about the process of ARP spoofing, man-in-the-middle attacks, and DNS requests, and how VPNs can mitigate these risks.

Key Takeaways
  1. Understand the process of ARP spoofing
  2. Learn about man-in-the-middle attacks and how to protect against them
  3. Configure a VPN to protect against DNS requests and ISP tracking
  4. Implement encryption to secure data
  5. Test and verify VPN connections
💡 A VPN can protect against various cybersecurity threats, but it's not a foolproof solution and has its own limitations, such as the potential for the VPN company to know user location and activity.

Related Reads

📰
Top 20 Cyber Security Interview Questions for Freshers
Learn the top 20 cyber security interview questions for freshers to boost your career in cyber security
Dev.to AI
📰
Managing a Million Security Profiles at the Edge
Learn how to manage a large number of security profiles at the edge of a global network by predicting site defenses and traffic patterns
Medium · AI
📰
The First Five Minutes After an Employee Clicks a Phishing Link
Learn what happens in the first five minutes after an employee clicks a phishing link and why it matters for cybersecurity
Medium · Cybersecurity
📰
IDOR simple way with no burpsuite banged P3
Learn a simple way to identify IDOR vulnerabilities without using Burpsuite, and understand the impact and reporting of such vulnerabilities
Medium · Cybersecurity
Up next
Best VPN For China 2026 — Which One Actually Works?
Tutorial Stack
Watch →