1
00:00:00,740 --> 00:00:05,490
There are a number of VPN protocols which are available, so it can get a little bit confusing when it
2
00:00:05,490 --> 00:00:15,200
comes to choosing what you should use and why. We have things like PPTP, L2TP, IPsec, OpenVPN
3
00:00:15,200 --> 00:00:15,450
.
4
00:00:15,660 --> 00:00:18,900
SSTP, IKEv2.
5
00:00:19,020 --> 00:00:20,840
And those are the most common ones.
6
00:00:20,850 --> 00:00:25,330
Plus there are some other more obscure ones that use SSL and TLS,
7
00:00:25,620 --> 00:00:28,730
which are OpenConnect and SoftEther.
8
00:00:28,920 --> 00:00:31,340
So let's go through these as quickly as we can.
9
00:00:31,380 --> 00:00:35,550
So you have PPTP, which is a point to point tunneling protocol.
10
00:00:35,550 --> 00:00:36,870
I do not recommend this.
11
00:00:36,870 --> 00:00:44,610
The Microsoft implementation has had major security flaws. MS-CHAP v2, which is often used as the
12
00:00:44,610 --> 00:00:52,050
authentication within PPTP, is vulnerable to dictionary attacks, and the RC4 algorithm is subject
13
00:00:52,050 --> 00:00:54,060
to a bit flipping attack.
14
00:00:54,180 --> 00:00:57,050
Even Microsoft does not recommend using it.
15
00:00:57,060 --> 00:01:02,070
It does come available within the Windows operating system so it's very easy to set up.
16
00:01:02,080 --> 00:01:03,820
That's why people still use it.
17
00:01:03,880 --> 00:01:06,230
Nation states, NSA, GCHQ,
18
00:01:06,240 --> 00:01:14,700
people like that are very, very likely to be able to decrypt PPTP, and will be able to, with previously
19
00:01:14,820 --> 00:01:20,760
recorded and stored traffic, decrypt that PPTP encrypted VPN.
20
00:01:20,910 --> 00:01:27,450
And if you want to look at some cryptanalysis of PPTP, there's a sort of classic paper by Bruce Schneier
21
00:01:27,590 --> 00:01:30,490
on why it is broken.
22
00:01:30,540 --> 00:01:37,410
So the only reason to use PPTP is if all of the other options are effectively not possible and the only other
23
00:01:37,410 --> 00:01:39,890
option is sending plain text.
24
00:01:40,020 --> 00:01:50,060
Next is L2TP and IPsec in combination. L2TP is usually implemented with IPsec to provide encryption
25
00:01:50,100 --> 00:01:57,900
and privacy, because L2TP doesn't provide encryption of the traffic and IPsec does provide encryption
26
00:01:57,900 --> 00:02:06,270
and privacy. The advantage of L2TP/IPsec is that most modern operating systems natively support them
27
00:02:06,400 --> 00:02:06,810
.
28
00:02:06,900 --> 00:02:16,840
It's quick and easy to set up. Windows, Mac, Linux, iOS, Android will support these. Now L2TP and IPsec use
29
00:02:16,860 --> 00:02:22,470
fixed ports and protocols, which unfortunately makes it inflexible.
30
00:02:22,590 --> 00:02:25,050
So UDP 500 is used for
31
00:02:25,050 --> 00:02:36,030
the initial key exchange, protocol 50 for the IPsec encrypted ESP, UDP 1701 for the initial L2TP configuration
32
00:02:36,420 --> 00:02:41,170
and UDP 4500 for NAT traversal.
33
00:02:41,190 --> 00:02:48,090
It is therefore more easily blocked by NAT firewalls and may require port forwarding when used behind
34
00:02:48,090 --> 00:02:48,680
a firewall.
35
00:02:48,690 --> 00:02:57,930
So L2TP is much easier to block than OpenVPN due to its reliance on these fixed protocols and ports.
36
00:02:58,140 --> 00:03:04,780
The traffic can be encrypted with 3DES and AES; the preference would be AES-256,
37
00:03:04,800 --> 00:03:06,510
AES, given the choice.
38
00:03:06,570 --> 00:03:14,370
If you're not concerned about nation state level adversaries, then this is a viable VPN option,
39
00:03:14,370 --> 00:03:19,160
if you're using AES and it's not a problem for getting through a firewall.
40
00:03:19,180 --> 00:03:25,110
However, if you are concerned about nation state adversaries, this is not recommended.
41
00:03:25,110 --> 00:03:33,420
There is strong evidence that the NSA, and probably others, GCHQ et cetera, are using a flaw in the key
42
00:03:33,420 --> 00:03:36,330
exchange in order to decrypt the traffic.
43
00:03:36,330 --> 00:03:42,270
Now if you want to know more about this, there has been released this top secret document, which is where
44
00:03:42,270 --> 00:03:44,000
the information is from.
45
00:03:44,280 --> 00:03:51,600
And if we scroll down you can read more about what it is that they're actually doing.
46
00:03:51,600 --> 00:03:59,460
So this VPN capability will implement an operational capability to detect and decrypt selected
47
00:03:59,460 --> 00:04:06,700
communications that are encrypted using IP security (IPsec) algorithms and protocols.
48
00:04:06,750 --> 00:04:12,160
It will forward the encrypted content to follow-on processing systems.
49
00:04:12,160 --> 00:04:19,830
This VPN capability will collect metadata about IPsec Internet key exchange events and forward the meta
50
00:04:19,830 --> 00:04:22,410
data to follow-on SIGINT.
51
00:04:22,500 --> 00:04:28,550
So there's pretty good evidence that IPsec is compromised at a nation state level.
52
00:04:28,560 --> 00:04:35,700
Another potential problem is when IPsec is configured to use pre-shared keys and those pre-shared
53
00:04:35,700 --> 00:04:38,160
keys are available publicly.
54
00:04:38,250 --> 00:04:45,930
So this can be, for example, you use a VPN service and they give out a password for you to connect to
55
00:04:45,930 --> 00:04:47,320
that VPN service.
56
00:04:47,400 --> 00:04:50,520
And that is a known password that everybody uses.
57
00:04:50,520 --> 00:04:54,980
Now that's an implementation vulnerability and enables man-in-the-middle attacks.
58
00:04:55,110 --> 00:04:57,990
There's nothing wrong with IPsec per se.
59
00:04:58,110 --> 00:05:00,930
It's just that somebody can implement it incorrectly.
60
00:05:00,930 --> 00:05:06,530
Another concern is that IPsec may have been deliberately weakened by the NSA.
61
00:05:06,600 --> 00:05:12,000
And there is an interesting post on this, which is here, and this is by a guy called John Gilmore, who is a
62
00:05:12,000 --> 00:05:19,350
security researcher and he was one of the founding members of the EFF, the Electronic Frontier Foundation
63
00:05:19,510 --> 00:05:19,770
.
64
00:05:20,680 --> 00:05:23,960
The NSA may have actually deliberately weakened it.
65
00:05:24,010 --> 00:05:30,880
So in conclusion on this one, it does work natively on most operating systems, so it's simple and easy
66
00:05:30,880 --> 00:05:34,450
to get to work, which is obviously always great.
67
00:05:34,480 --> 00:05:37,370
You want to be using AES-256.
68
00:05:37,450 --> 00:05:38,560
That's pretty solid.
69
00:05:38,620 --> 00:05:44,710
And this will protect you against hackers and low level trackers, but it isn't going to protect you against
70
00:05:44,710 --> 00:05:49,320
nation state level adversaries, so it's best avoided in that case.
71
00:05:49,330 --> 00:05:51,250
So onto OpenVPN.
72
00:05:51,250 --> 00:06:00,520
This is an open source project that uses the OpenSSL library and SSL version 3 and TLS version 1
73
00:06:00,520 --> 00:06:09,190
protocols. One of its main advantages is that the protocols and ports are configurable, so it runs fastest
74
00:06:09,190 --> 00:06:14,530
over UDP but it can use TCP and sacrifice speed.
75
00:06:14,530 --> 00:06:22,360
This means you could set it up, for example, to emulate normal HTTPS web traffic by configuring it for
76
00:06:22,360 --> 00:06:25,920
port 443 on TCP.
77
00:06:25,930 --> 00:06:33,310
This makes it very difficult to tell that a VPN is being used and not just normal web traffic, but if you
78
00:06:33,310 --> 00:06:42,940
don't need that level of port and protocol obfuscation it works faster over UDP. OpenVPN uses the OpenSSL
79
00:06:42,940 --> 00:06:47,540
library, which means it supports lots of encryption algorithms.
80
00:06:47,630 --> 00:06:48,620
You can see here
81
00:06:51,730 --> 00:07:01,820
including AES, Blowfish, Camellia, RSA, Diffie-Hellman key exchange, elliptic curve Diffie-Hellman,
82
00:07:01,950 --> 00:07:02,580
and so on.
83
00:07:02,620 --> 00:07:10,450
Perfect forward secrecy. AES and Blowfish are the most commonly used for traffic encryption, and Blowfish
84
00:07:10,540 --> 00:07:15,120
is the default symmetric encryption algorithm for encrypting the data.
85
00:07:15,130 --> 00:07:20,770
I recommend AES-256 as usual, or Camellia-256. Open
86
00:07:20,770 --> 00:07:26,180
VPN is fast, but obviously the higher bit length will slow the connection.
87
00:07:26,260 --> 00:07:28,180
That's the same with most VPNs.
88
00:07:28,480 --> 00:07:36,380
Probably the biggest disadvantage of OpenVPN is it is not natively supported by most operating systems.
89
00:07:36,430 --> 00:07:37,940
You just click on here.
90
00:07:38,710 --> 00:07:45,000
So what you have to do is you have to get free software that you can download and install.
91
00:07:45,010 --> 00:07:53,380
So here on the OpenVPN website you can see you can download these various third party software. Setting
92
00:07:53,450 --> 00:08:00,230
up these clients isn't straightforward, and some non-technical people could get lost in the configuration.
93
00:08:00,310 --> 00:08:06,060
They are available for all the major operating systems, as you can see here, but also Linux, and what
94
00:08:06,070 --> 00:08:12,340
you end up doing is configuring a config file, which looks something like this depending on your
95
00:08:12,340 --> 00:08:13,370
configuration.
96
00:08:13,360 --> 00:08:18,390
So as you can see, this can be a little bit confusing for some people.
97
00:08:18,580 --> 00:08:25,840
So to alleviate this known problem, what VPN providers do is they develop their own VPN clients, the ones
98
00:08:25,840 --> 00:08:29,200
like I showed you before as an example.
99
00:08:29,410 --> 00:08:35,350
But mostly these are closed source, so you can't validate if there are any vulnerabilities or implementation
100
00:08:35,350 --> 00:08:42,460
errors. And then there's no evidence that the NSA or GCHQ or any nation state has compromised Open
101
00:08:42,460 --> 00:08:49,340
VPN when using strong algorithms and ephemeral keys in SSL/TLS mode.
102
00:08:49,450 --> 00:08:56,920
The session keys are ephemeral, i.e. the session keys are periodically changed, and if an adversary manages
103
00:08:56,920 --> 00:09:03,550
to compromise one of the session keys, they can decrypt only that traffic for that short period of time,
104
00:09:03,790 --> 00:09:08,420
which is what perfect forward secrecy is. When it comes to the encryption algorithms,
105
00:09:08,590 --> 00:09:19,780
you want to look for 2048-bit or 4096-bit RSA certificates, DHE-RSA-AES256
106
00:09:19,780 --> 00:09:24,010
SHA for exchange of OpenVPN key material.
107
00:09:24,010 --> 00:09:31,820
And as I've said, AES-256-CBC and SHA for data, and those should be good enough for most people.
108
00:09:31,840 --> 00:09:39,070
Given that there's perfect forward secrecy as well, for most situations OpenVPN is the VPN protocol
109
00:09:39,070 --> 00:09:44,560
that you should use whenever possible with those configuration settings that I've mentioned.
110
00:09:44,770 --> 00:09:53,710
You can get stronger algorithms if you recompile OpenVPN, and it's quite complex, but that
111
00:09:53,770 --> 00:09:56,710
is viable and it's something you can look into.
112
00:09:57,040 --> 00:10:02,370
But the algorithms and settings I mentioned should be fine for almost all situations.
113
00:10:02,410 --> 00:10:04,390
Now onto the last two.
114
00:10:04,450 --> 00:10:13,910
SSTP. This is a proprietary standard owned by Microsoft, offers many of the advantages of OpenVPN, but
115
00:10:13,940 --> 00:10:19,090
is for Windows only and not well supported by VPN providers.
116
00:10:19,090 --> 00:10:21,590
In fact you virtually never see it.
117
00:10:21,730 --> 00:10:24,440
The code is not open source.
118
00:10:24,450 --> 00:10:30,360
Microsoft does not have a brilliant record when it comes to cooperation, certainly with the NSA.
119
00:10:30,370 --> 00:10:32,830
So for this reason, not recommended.
120
00:10:32,830 --> 00:10:35,230
Not worth going into any more detail.
121
00:10:35,250 --> 00:10:39,780
You also have another interesting option, which is IKEv2.
122
00:10:39,780 --> 00:10:47,580
Now this is an IPsec based tunneling protocol that was jointly developed by Cisco and Microsoft.
123
00:10:47,590 --> 00:10:51,200
There could be a situation where you might want to use this,
124
00:10:51,370 --> 00:10:58,690
if it's on a mobile platform, because it has enhanced ability to reconnect when the connection is dropped,
125
00:10:58,690 --> 00:11:00,800
which is something that obviously you might want
126
00:11:00,940 --> 00:11:04,950
if you are on a mobile device, and it's reasonably secure and fast.
127
00:11:04,960 --> 00:11:11,650
So to conclude what we've gone through, where possible you should always be choosing OpenVPN.
128
00:11:11,650 --> 00:11:17,390
IKEv2 is viable on mobile devices for a quick and easy solution.
129
00:11:17,390 --> 00:11:19,000
If OpenVPN is there,
130
00:11:19,030 --> 00:11:23,730
you should be using that, unless reconnection is more important than privacy.
131
00:11:23,890 --> 00:11:25,510
And it's better than no VPN.
132
00:11:25,510 --> 00:11:31,450
Say for example, if you are on a public Wi-Fi and you don't want hackers or trackers, then you can use
133
00:11:31,480 --> 00:11:34,020
L2TP and IPsec,
134
00:11:34,030 --> 00:11:41,170
if your adversary is not a nation state, or use PPTP as a total last resort.
135
00:11:41,200 --> 00:11:43,270
So that's VPN protocols.