Please help me to clear my ambiguity regarding VPNs
A VPN will not make me fully anonymous online; it does to some extent. The reasons could be many, for example log files kept by VPN service providers, or legal obligations, etc. It's okay.
My question is: how does a VPN make my communication private/secure to a "non-HTTPS" website?
If the VPN connects to an HTTPS website, we can understand that SSL/TLS-encrypted communication takes place between the VPN server and the HTTPS website.
If the connection is to an organization's private network, I assume the communication between the VPN server and the organization's private network will be handled by some VPN server setup or by some VPN communication protocols (PPTP, L2TP/IPsec, etc.) by the VPN provider on the premises of the org LAN... (I am not sure; is that the way?)
So, without a VPN, my connection is fully open; anyone with the right tools can look at my data. Using a VPN solves the problem by encrypting my transmission and making it appear as if it's the VPN server itself that's making the connection and not me. But how does it handle the other half of the transmission, from the VPN server to the destination website?
Is it partially open? Is end-to-end encryption possible?
Okay, let's go back to basics: a user's browser interacts with a public web browser via a handshake negotiation, where the server controls the cryptographic standards it accepts based on the organisation's security policies. It enforces the appropriate policies on the user's browser, i.e. these days TLS v1.2 is the normal standard, also known as HTTPS, so the interactions between both remain private or secure.
However, if a bad intermediary manages to step in as a "person-in-the-middle" (PC got me), then technically they could, with a proxy, interact with the negotiation and make you think you have a secure connection, but read all the data that is available. There are techniques to detect such attacks, and the organisation's server can be set up to reduce the likelihood of this. Previously, before HTTPS was mandated for the Internet, "person-in-the-middle" attacks were rife and caused major issues.
Technically, the user's browser and the organisation's server set up a point-to-point secure connection for the period the user's browser is interacting, etc.
You normally use a fixed VPN with a business partner or supplier whom you trust, and you agree and negotiate the security standard required and how it should be put in place, etc. There are many types, including SSL/TLS VPNs using certificates, or full VPNs using gateways, routers or similar solutions to provide point-to-point solutions. You can use IPsec or IKE algorithms, or even PKI certificates, depending on the organisation's policies.
There are configurations which quite frankly are not safe with a VPN, for instance split tunneling, so by policy and mutual agreement you agree the configuration and standards you need to apply between you and the other party.
These days, many organisations are moving to Software Defined Networks, or SDNs, which automatically set up policies and routes within an organisation, defined by policies determined centrally, including the provisioning of IPS, gateway, firewall/router or even switch and anti-malware protection as part of the solution.
Does this help or cause further murk in the waters?
Correct, in your example the traffic is unencrypted from the VPN server to your website, and if someone can intercept that unencrypted traffic then they can look into it. Who said it would be protected in this instance?
Your VPN will only protect your traffic up to the VPN server. If you want end-to-end encryption then you need to change your website to use HTTPS, or only connect to websites using HTTPS; most websites on the WWW now also/only offer HTTPS. To be absolutely sure no one is snooping on your traffic, check that each website's certificate is all in order when you connect.
Personal VPNs are generally promoted for anonymisation purposes, which you identified in your first post. Many of them don't keep any logs, but you also need to be careful they are not leaking your details:
EDIT: updated to make it clear when I'm talking about the VPN server and the website.
Let me try to simplify it...
There's a VPN user (A), a VPN server (B) and a destination server (C). When the user communicates with C, the traffic path will be A --- B --- C.
The VPN tunnel itself only gets established between A and B, so ALL traffic between these points will be secured.
There won't be any tunneling between B and C --- so unless the destination server uses HTTPS, traffic between these points won't be secured.
The underlying reality is that the server gets to decide how clients connect to it. If the server only accepts encryption, you must encrypt. If it only accepts clear text, you cannot encrypt.
VPN providers simply aggregate many clients to make it look like they are all in the provider's building. They cannot change the underlying way that the server works.
Using a VPN provider:
A VPN provider can be effective if you want to hide international communications from your own government, but you cannot do very much to hide from "everyone" without cooperation from the company which owns the server.
Great. Thank you.
What would be the case with remote access to your desktop using a VPN?
If point C belongs to an org and the VPN provider has an agreement with it regarding secure session establishment, will it be possible to secure the traffic between B and C?
I agree that we'd need to understand the full set of requirements to be able to advise properly, but to answer the question as stated...
To secure the traffic between B and C would require an IPsec VPN tunnel between them. Just to clarify the IPsec VPN tunnel would terminate directly on B and C. If the tunnel does not terminate directly on B and C then there will always be a portion of the traffic path where the traffic is unencrypted based on the assumptions above.
Will you be able to find a VPN provider who will set up an IPsec VPN tunnel from their VPN server to a desktop? This is unlikely but technically possible.
Assuming they did agree to do this for you:
The above is more likely to be seen in a corporate network. Users connect using a VPN client to a firewall. The firewall then has an IPsec VPN connection to a remote site rather than a single desktop. However, the premise is the same, with the users being able to gain access to resources on the remote site via the firewall and the two VPNs.
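The A --- B --- C picture from the earlier answer, and the "tunnel must terminate directly on B and C" point from this one, can be made concrete with a small model of which hops each encryption layer actually covers. This is an added illustration, not code from any poster in the thread: node names A, B and C follow the answers above, while the gateway node G, the ISP node and the protection names are assumptions introduced here for the extra scenarios (a tunnel ending one hop short of C, and split tunneling where traffic bypasses the VPN entirely).

```python
"""Model which hops of a VPN path are protected by which encryption layer.

Added example for this thread. Nodes: A = VPN user, B = VPN server,
C = destination server (from the answers). G (a gateway in front of C) and
ISP (the user's direct route) are constructed here for extra scenarios.
A protection covers every hop between the two nodes it terminates on;
a hop with no covering protection carries cleartext.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Hop = Tuple[str, str]


@dataclass(frozen=True)
class Protection:
    """An encryption layer that terminates at two named nodes on the path."""
    name: str
    start: str
    end: str


@dataclass
class Path:
    nodes: List[str]
    protections: List[Protection] = field(default_factory=list)

    def hops(self) -> List[Hop]:
        return list(zip(self.nodes, self.nodes[1:]))

    def coverage(self) -> Dict[Hop, List[str]]:
        """Map each hop to the names of the protections whose span contains it.

        A protection terminating on a node that is not on this path covers
        nothing: this is what happens to the A-B VPN tunnel under split tunneling.
        """
        result: Dict[Hop, List[str]] = {hop: [] for hop in self.hops()}
        for p in self.protections:
            if p.start not in self.nodes or p.end not in self.nodes:
                continue
            lo, hi = sorted((self.nodes.index(p.start), self.nodes.index(p.end)))
            for i in range(lo, hi):
                result[(self.nodes[i], self.nodes[i + 1])].append(p.name)
        return result

    def exposed_hops(self) -> List[Hop]:
        """Hops carrying cleartext, in path order."""
        return [hop for hop, layers in self.coverage().items() if not layers]


def describe(path: Path) -> str:
    """Human-readable per-hop report."""
    lines = []
    for (src, dst), layers in path.coverage().items():
        status = ", ".join(layers) if layers else "EXPOSED (cleartext)"
        lines.append(f"{src} -> {dst}: {status}")
    return "\n".join(lines)


VPN_AB = Protection("VPN tunnel", "A", "B")
HTTPS_AC = Protection("HTTPS (TLS)", "A", "C")
IPSEC_BC = Protection("IPsec tunnel", "B", "C")


def scenario_plain_http() -> List[Hop]:
    """The questioner's case: VPN to B, plain HTTP to C. Only B -> C is exposed."""
    return Path(["A", "B", "C"], [VPN_AB]).exposed_hops()


def scenario_https() -> List[Hop]:
    """HTTPS terminates on A and C, so it covers the whole path; nothing exposed."""
    return Path(["A", "B", "C"], [VPN_AB, HTTPS_AC]).exposed_hops()


def scenario_ipsec_bc() -> List[Hop]:
    """Second tunnel terminating directly on B and C, as the last answer requires."""
    return Path(["A", "B", "C"], [VPN_AB, IPSEC_BC]).exposed_hops()


def scenario_ipsec_short_of_c() -> List[Hop]:
    """Tunnel ends on a gateway G (constructed) in front of C: G -> C stays cleartext."""
    ipsec_bg = Protection("IPsec tunnel", "B", "G")
    return Path(["A", "B", "G", "C"], [VPN_AB, ipsec_bg]).exposed_hops()


def scenario_split_tunnel() -> List[Hop]:
    """Split tunneling: traffic to C leaves via the ISP (constructed), never touching B."""
    return Path(["A", "ISP", "C"], [VPN_AB]).exposed_hops()


if __name__ == "__main__":
    print(describe(Path(["A", "B", "C"], [VPN_AB])))
    print("--- with a B-G tunnel that stops short of C ---")
    print(describe(Path(["A", "B", "G", "C"], [VPN_AB, Protection("IPsec tunnel", "B", "G")])))
```

Running the module prints a per-hop report for the questioner's case and for the tunnel that stops one hop short of C. The model deliberately ignores what the encryption is (PPTP, L2TP/IPsec, TLS) and tracks only where each layer terminates, because that is the single fact that decides whether a hop is cleartext.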