All language subtitles for 024 Which VPN protocol is best to use and why-en

1
00:00:00,740 --> 00:00:05,490
There are a number of VPN protocols which are available, so it can get a little bit confusing when it

2
00:00:05,490 --> 00:00:15,200
comes to choosing what you should use and why. We have things like PPTP, L2TP/IPsec, OpenVPN

3
00:00:15,200 --> 00:00:15,450
.

4
00:00:15,660 --> 00:00:18,900
SSTP version 2.

5
00:00:19,020 --> 00:00:20,840
And those are the most common ones.

6
00:00:20,850 --> 00:00:25,330
Plus there are some other more obscure ones that use SSL and TLS.

7
00:00:25,620 --> 00:00:28,730
Which is OpenConnect and SoftEther.

8
00:00:28,920 --> 00:00:31,340
So let's go through these as quickly as we can.

9
00:00:31,380 --> 00:00:35,550
So you have PPTP, which is a point-to-point protocol.

10
00:00:35,550 --> 00:00:36,870
Do not recommend this.

11
00:00:36,870 --> 00:00:44,610
The Microsoft implementation has had major security flaws. MS-CHAP version 2, which is often used as the

12
00:00:44,610 --> 00:00:52,050
authentication within PPTP, is vulnerable to dictionary attacks and the RC4 algorithm is subject

13
00:00:52,050 --> 00:00:54,060
to a bit-flipping attack.

14
00:00:54,180 --> 00:00:57,050
Even Microsoft does not recommend using it.

15
00:00:57,060 --> 00:01:02,070
It does come available within the Windows operating system, so it's very easy to set up.

16
00:01:02,080 --> 00:01:03,820
That's why people still use it.

17
00:01:03,880 --> 00:01:06,230
Nation-state, NSA, GCHQ,

18
00:01:06,240 --> 00:01:14,700
people like that are very, very likely to be able to decrypt PPTP and will be able to, with previously

19
00:01:14,820 --> 00:01:20,760
recorded and stored traffic, be able to decrypt that PPTP-encrypted VPN.

20
00:01:20,910 --> 00:01:27,450
And if you want to look at some cryptanalysis of PPTP, and sort of a classic paper by Bruce Schneier

21
00:01:27,590 --> 00:01:30,490
on why it is broken.

22
00:01:30,540 --> 00:01:37,410
So the only reason to use PPTP is if all of the options are effectively not possible and the only other

23
00:01:37,410 --> 00:01:39,890
option is sending plain text.

24
00:01:40,020 --> 00:01:50,060
Next is L2TP and the IPsec combination. L2TP is usually implemented with IPsec to provide encryption

25
00:01:50,100 --> 00:01:57,900
and privacy, because L2TP doesn't provide encryption of the traffic and IPsec does provide encryption

26
00:01:57,900 --> 00:02:06,270
and privacy. An advantage of L2TP/IPsec is that most modern operating systems natively support them

27
00:02:06,400 --> 00:02:06,810
.

28
00:02:06,900 --> 00:02:16,840
Quick and easy to set up. Windows, Mac, Linux, iOS, Android will support these. Now L2TP and IPsec uses

29
00:02:16,860 --> 00:02:22,470
fixed ports and protocols, which unfortunately makes it inflexible.

30
00:02:22,590 --> 00:02:25,050
So UDP 500 is used for

31
00:02:25,050 --> 00:02:36,030
the initial key exchange, protocol 50 for the IP encrypted ESP, UDP 1701 for the initial L2TP configuration

32
00:02:36,420 --> 00:02:41,170
and UDP 4500 for NAT traversal.

33
00:02:41,190 --> 00:02:48,090
It is therefore more easily blocked by NAT firewalls and may require port forwarding when used behind

34
00:02:48,090 --> 00:02:48,680
a firewall.

35
00:02:48,690 --> 00:02:57,930
So L2TP is much easier to block than OpenVPN due to its reliance on these fixed protocols and ports.

36
00:02:58,140 --> 00:03:04,780
The traffic can be encrypted with Triple DES and AES. The preference would be 256

37
00:03:04,800 --> 00:03:06,510
AES, given the choice.

38
00:03:06,570 --> 00:03:14,370
If you're not concerned about nation-state-level adversaries then this is a viable VPN option.

39
00:03:14,370 --> 00:03:19,160
If you're using AES and it's not a problem getting through a firewall.

40
00:03:19,180 --> 00:03:25,110
However, if you are concerned about nation-state adversaries, this is not recommended.

41
00:03:25,110 --> 00:03:33,420
There is strong evidence that the NSA and probably others, GCHQ et cetera, are using a flaw in the key

42
00:03:33,420 --> 00:03:36,330
exchange in order to decrypt the traffic.

43
00:03:36,330 --> 00:03:42,270
Now if you want to know more about this, there's been released this top secret document, which is where

44
00:03:42,270 --> 00:03:44,000
the information is from.

45
00:03:44,280 --> 00:03:51,600
And if we scroll down you can read more about what it is that they're actually doing.

46
00:03:51,600 --> 00:03:59,460
So the to use VPN capability will implement an operational capability to detect and decrypt selected

47
00:03:59,460 --> 00:04:06,700
communications that are encrypted using IP security, IPsec, algorithms and protocols.

48
00:04:06,750 --> 00:04:12,160
It will forward the encrypted content to follow-on processing systems.

49
00:04:12,160 --> 00:04:19,830
The T VPN capability will collect metadata about IPsec Internet Key Exchange events and forward the

50
00:04:19,830 --> 00:04:22,410
metadata to follow-on SIGINT.

51
00:04:22,500 --> 00:04:28,550
So there's pretty good evidence that IPsec is compromised on a nation-state level.

52
00:04:28,560 --> 00:04:35,700
Another potential problem is when IPsec is configured to use pre-shared keys and those pre-shared

53
00:04:35,700 --> 00:04:38,160
keys are available publicly.

54
00:04:38,250 --> 00:04:45,930
So this can be, for example, you use a VPN service and they give out a password for you to connect to

55
00:04:45,930 --> 00:04:47,320
that VPN service.

56
00:04:47,400 --> 00:04:50,520
And that is a known password that everybody uses.

57
00:04:50,520 --> 00:04:54,980
Now that's an implementation vulnerability and enables man-in-the-middle attacks.

58
00:04:55,110 --> 00:04:57,990
There's nothing wrong with IPsec per se.

59
00:04:58,110 --> 00:05:00,930
It's just that somebody can implement it incorrectly.

60
00:05:00,930 --> 00:05:06,530
Another concern is that IPsec may have been deliberately weakened by the NSA.

61
00:05:06,600 --> 00:05:12,000
And there is an interesting post on this, which is here, and this is by a guy called John Gilmore. He is a

62
00:05:12,000 --> 00:05:19,350
security researcher and he was one of the founding members of the EFF, the Electronic Frontier Foundation

63
00:05:19,510 --> 00:05:19,770
.

64
00:05:20,680 --> 00:05:23,960
NSA may have actually deliberately weakened it.

65
00:05:24,010 --> 00:05:30,880
So in conclusion on this one, it does work natively on most operating systems, so it's simple and easy

66
00:05:30,880 --> 00:05:34,450
to get to work, which is obviously always great.

67
00:05:34,480 --> 00:05:37,370
You do want to be using AES-256.

68
00:05:37,450 --> 00:05:38,560
That's pretty solid.

69
00:05:38,620 --> 00:05:44,710
And this will protect you against hackers and low-level trackers, but it isn't going to protect you against

70
00:05:44,710 --> 00:05:49,320
nation-state-level adversaries, and is best avoided in that case.

71
00:05:49,330 --> 00:05:51,250
So on to OpenVPN.

72
00:05:51,250 --> 00:06:00,520
This is an open source project that uses the OpenSSL library and SSL version 3 and TLS version 1

73
00:06:00,520 --> 00:06:09,190
protocols. One of its main advantages is that the protocols and ports are configurable, so it runs fastest

74
00:06:09,190 --> 00:06:14,530
over UDP but it can use TCP and sacrifice speed.

75
00:06:14,530 --> 00:06:22,360
This means you could set it up, for example, to emulate normal HTTPS web traffic by configuring it for

76
00:06:22,360 --> 00:06:25,920
port 443 on TCP.

77
00:06:25,930 --> 00:06:33,310
This makes it very difficult to tell the VPN is being used and not just normal web traffic, but if you

78
00:06:33,310 --> 00:06:42,940
don't need that level of port/protocol obfuscation, it works faster over UDP. OpenVPN uses the OpenSSL

79
00:06:42,940 --> 00:06:47,540
library, which means it supports lots of encryption algorithms.

80
00:06:47,630 --> 00:06:48,620
Show you here,

81
00:06:51,730 --> 00:07:01,820
including all of the AES, Blowfish, Camellia, RSA, Diffie-Hellman key exchange, elliptical curve Diffie-Hellman

82
00:07:01,950 --> 00:07:02,580
together.

83
00:07:02,620 --> 00:07:10,450
Perfect forward secrecy. AES and Blowfish are the most commonly used for traffic encryption, and Blowfish

84
00:07:10,540 --> 00:07:15,120
is the default symmetric encryption algorithm for encrypting the data.

85
00:07:15,130 --> 00:07:20,770
I recommend AES-256 as usual, or Camellia-256.

86
00:07:20,770 --> 00:07:26,180
OpenVPN is fast, but obviously the higher bit length you go, the slower the connection.

87
00:07:26,260 --> 00:07:28,180
That's the same with most VPNs.

88
00:07:28,480 --> 00:07:36,380
Probably the biggest disadvantage of OpenVPN is it is not natively supported by most operating systems.

89
00:07:36,430 --> 00:07:37,940
You just click on here.

90
00:07:38,710 --> 00:07:45,000
So what you have to do is you have to get free software that you can download and install.

91
00:07:45,010 --> 00:07:53,380
So here on the OpenVPN website you can see you can download these various third-party software. Setting

92
00:07:53,450 --> 00:08:00,230
up these clients isn't straightforward and someone non-technical could get lost in the configuration.

93
00:08:00,310 --> 00:08:06,060
They are available for all the major operating systems, as you can see here, but also Linux, and what

94
00:08:06,070 --> 00:08:12,340
you often end up doing is configuring a config file which does something like this depending on your

95
00:08:12,340 --> 00:08:13,370
configuration.

96
00:08:13,360 --> 00:08:18,390
So as you can see, this can be a little bit confusing for some people.

97
00:08:18,580 --> 00:08:25,840
So to alleviate this known problem, what VPN providers do is they develop their own VPN clients, the ones

98
00:08:25,840 --> 00:08:29,200
like I showed you before the site against example.

99
00:08:29,410 --> 00:08:35,350
But mostly these are closed source, so you can't validate if there's any vulnerabilities or implementation

100
00:08:35,350 --> 00:08:42,460
errors. And then there's no evidence that the NSA or GCHQ or a nation state has compromised

101
00:08:42,460 --> 00:08:49,340
OpenVPN only using strong algorithms and ephemeral keys. In SSL/TLS mode,

102
00:08:49,450 --> 00:08:56,920
the session keys are ephemeral, i.e. the session keys are periodically changed, and if an adversary manages

103
00:08:56,920 --> 00:09:03,550
to compromise one of the session keys they can decrypt only that traffic for that short period of time,

104
00:09:03,790 --> 00:09:08,420
which is what perfect forward secrecy is. When it comes to the encryption algorithms,

105
00:09:08,590 --> 00:09:19,780
you want to look for 2048-bit or 4096-bit RSA certificates, DHE-RSA-AES256-

106
00:09:19,780 --> 00:09:24,010
SHA for exchange of OpenVPN key material.

107
00:09:24,010 --> 00:09:31,820
And as I've said, AES-256-CBC, SHA for data, and those should be good enough for most people.

108
00:09:31,840 --> 00:09:39,070
Given that there's perfect forward secrecy as well, and for most situations. So OpenVPN is the VPN protocol

109
00:09:39,070 --> 00:09:44,560
that you should use whenever possible with those configuration settings that I've mentioned.

110
00:09:44,770 --> 00:09:53,710
You can get strong algorithms, but you have to currently recompile OpenVPN and it's quite complex, but that

111
00:09:53,770 --> 00:09:56,710
is viable and it's something you can look into.

112
00:09:57,040 --> 00:10:02,370
But the algorithms and settings I mentioned should be fine for almost all situations.

113
00:10:02,410 --> 00:10:04,390
Now on to the last two.

114
00:10:04,450 --> 00:10:13,910
SSTP: this is a proprietary standard owned by Microsoft. It offers many of the advantages of OpenVPN but

115
00:10:13,940 --> 00:10:19,090
is for Windows only and not well supported by VPN providers.

116
00:10:19,090 --> 00:10:21,590
In fact you virtually never see it.

117
00:10:21,730 --> 00:10:24,440
The code is not open source.

118
00:10:24,450 --> 00:10:30,360
Microsoft does not have a brilliant record when it comes to cooperation, certainly with the NSA.

119
00:10:30,370 --> 00:10:32,830
So for this reason, not recommended.

120
00:10:32,830 --> 00:10:35,230
Not worth going into any more detail.

121
00:10:35,250 --> 00:10:39,780
You also have another interesting option, which is IKE version 2.

122
00:10:39,780 --> 00:10:47,580
Now this is an IPsec-based tunneling protocol that was jointly developed by Cisco and Microsoft.

123
00:10:47,590 --> 00:10:51,200
There could be a situation where you might want to use this.

124
00:10:51,370 --> 00:10:58,690
If it's on a mobile platform, because it has enhanced ability to reconnect when the connection is dropped,

125
00:10:58,690 --> 00:11:00,800
which is something that obviously you might want.

126
00:11:00,940 --> 00:11:04,950
If you are on a mobile device, and it's reasonably secure and fast.

127
00:11:04,960 --> 00:11:11,650
So to conclude what we've gone through: where possible you should always be choosing OpenVPN.

128
00:11:11,650 --> 00:11:17,390
Version 2 is viable on mobile devices for a quick and easy solution.

129
00:11:17,390 --> 00:11:19,000
If OpenVPN is there,

130
00:11:19,030 --> 00:11:23,730
you should be using that unless reconnection is more important than privacy.

131
00:11:23,890 --> 00:11:25,510
And better than no VPN.

132
00:11:25,510 --> 00:11:31,450
Say for example if you are on a public Wi-Fi and you don't want hackers or trackers, then you can use

133
00:11:31,480 --> 00:11:34,020
L2TP and IPsec,

134
00:11:34,030 --> 00:11:41,170
if your adversary is not a nation state. Or use PPTP as a total last resort.

135
00:11:41,200 --> 00:11:43,270
So that's VPN protocols.
