VPN service wants access to keychain. Safe?

Dear forum,

So I signed up for a VPN service from NordVPN. On my MBP I chose to simply install the NordVPN app to get me going quickly. While installing, the NordVPN app asks for permanent access to my keychain. I know this is to avoid having to type the password every time the VPN wants to connect.

Question: does NordVPN now have access to the entire contents of my keychain?

Thanks.

MacBook Pro 15", macOS 10.14

Posted on Nov 3, 2019 6:59 AM

Question marked as Best reply

Posted on Nov 3, 2019 9:57 AM

Typically, when an app is given permission to access the Mac's Keychain, it is to retrieve the password that is used by that app. Is it possible that this app can be malicious and attempt to access all of your Keychain passwords? Sure, but that would be true for any app that uses the Keychain. NordVPN is one of the more "trusted" VPN providers out there and I would suspect that they are not using their VPN apps for this purpose, but it always pays to be vigilant.


The only way to know for sure is to perform a data capture before, during, and after you run the VPN app to see what it is "up to." However, in this case, I don't believe this is necessary.


FWIW, I do use VPNs. I only use them for two specific situations: 1) To access my home network from a remote location. In this case, I have networking hardware that supports VPNs. I then have a VPN client on my portable Macs and iOS devices that allows me to create a secure tunnel between them, and 2) When I use any of my portable devices that I connect to an unsecured wireless network, like at an airport or coffee shop. In this case I went with PIA as my VPN provider. Regardless, I don't rely on using this VPN for banking or other critical communication unless absolutely necessary. I basically use it to prevent others nearby from attempting to gain access to my device or its communications. I totally agree with the others who have replied to you that using a VPN is in no way a 100% fool-proof security method, but I do believe it has a valid purpose for certain situations.

16 replies
Nov 3, 2019 7:10 AM in response to PhotogWithMac

My question would be why are you installing a VPN? Are you connecting to a private network at the other end? If not, then the only other use for a VPN is to bypass government/company restrictions. A public VPN does not secure your data. At some point when using a public VPN your data is transitioned to the Internet just as though you put the data out there yourself from your local network. Use secure servers like https and sftp to protect your data rather than allowing some third party VPN provider access to all your data then dumping your data to the internet.


Of course if you are creating a VPN tunnel to a private network at the other end, VPN is very secure.

Nov 3, 2019 8:05 AM in response to BobTheFisherman

Thank you Bob for your reply and helpful suggestions!


But actually my concern here really is about the keychain. I would die to know what happens when I grant an app access to my keychain by entering my AppleID passkey. Is it only to provide access to the app to retrieve its own credentials only from the keychain? In that case all is well. But I am concerned about what sensitive data of mine (passkeys stored in my keychain) I may compromise by granting access to an app (any app).


As for your remarks on VPN use: I am only using the VPN while on public WiFi networks to prevent attacks from within the public WiFi subnet, i.e. on the same side of the public WiFi admin's firewall.



Nov 3, 2019 8:43 AM in response to Kurt Lang

Yes, I am using a firewall too. But many sources advise a VPN. This particular phrase is from Kaspersky Labs, but I found a lot of other sources saying the same thing:

"Always make sure the sites you're visiting are secure. Most browsers show a lock symbol next to the URL when a website is secure. If you don't see this symbol, check to see if the web address is preceded by "https." The "S" stands for secure, and this ensures your data won't be open to hacker interception.

Using a firewall is also a reliable way to help defend your browsing data. Although it's not foolproof, a firewall provides an extra layer of security when you're using public Wi-Fi. If you browse public Wi-Fi often, it's prudent to set up a virtual protected network (VPN). This type of network secures your traffic and makes it much more difficult for hackers to intercept it."

Nov 3, 2019 8:56 AM in response to PhotogWithMac

Here's what they don't tell you about VPNs. This refers to any of them, whether they're free or not. Everything you do online routes through their servers. You have no idea what they're doing with your data. Especially free VPN services. It's free for a reason, and it's definitely not for your benefit.


HTTPS has been around for a long time because it works, and a VPN has nothing to do with it, nor does it enhance it. When you connect to a secure web site, it and your browser negotiate a one-time use encryption key. After that, only your browser and that site can decode what passes between them since only they have the decryption key. Anyone else who happens to snag any data packets in the transmissions can't do anything with them. Not unless they have a couple of millennia to crack the key.


Not sure how Kaspersky is coming up with the VPN claim. You're on a public WiFi. Any data going from your computer to the router hasn't gotten to the VPN yet. Anyone else on the WiFi network who wants to try and see what's passing through it unprotected can see whatever you or anyone else is doing. The VPN is zero help since what you're doing has to pass through the open access router before it ever reaches whatever VPN service you're using.


A secure https connection is already protecting your Internet traffic. The VPN is doing nothing extra. This statement is pure baloney:


When you’re connected to the Internet through a VPN connection, this private Internet access ensures that you’re not exposed to phishing, malware, viruses and other cyber threats.


Really?! Soooo, if I'm using a VPN, somehow, no scam emails or messages will make it to my computer. Bunk!

Nov 3, 2019 9:23 AM in response to Kurt Lang

Hi Kurt, you obviously know a lot more about internet security than me. And you can't imagine how much I appreciate your help!

I tend to search for different sources and go with what I read on web sites. There is a Dutch web site called "bitsoffreedom" that I read thoroughly. They too recommend VPNs in public WiFi areas.

You say the data that's going back and forth is unencrypted between my device and the public WiFi router. The sources I read and the VPN company claim that is not the case. They say that from the moment a VPN connection has been established, every packet leaving my device is encrypted until it gets to the VPN company server. So that route would be: my device's WiFi controller -> public access point -> public router and its firewall -> VPN server. From there it's going without any extra layer of encryption. I am aware of that.

However from what you stated I'm puzzled now...

Nov 3, 2019 9:40 AM in response to PhotogWithMac

If I dump the VPN and instead go and rely on secure connections (HTTPS) I will need to make sure that every connection is in fact secure. Thinking of the type of connections I typically have I need https for every web site in my browser and have secure email connections. I can manage that.

Then there are lots of services that say they use secure transfers, like Dropbox, Apple iCloud (Drive) and such. I don't have any control over such connections. The thought of having the entire bundle of connections secured by a VPN appealed to me.

But I may be totally wrong...

Nov 3, 2019 11:35 AM in response to PhotogWithMac

You are correct. A VPN isn't just a remote server hiding our identity from whatever web site you're connected to. It's also privatized on your end. That covers you both ways. The VPN is unnecessary if the site you're on is already secure (https), but protects your data if it's not.


You just have to be aware that the VPN isn't exactly your friend. And that's mainly the free ones. There's something in it for them, or they wouldn't offer it.

Nov 3, 2019 12:13 PM in response to Kurt Lang

Hi Kurt, yes I took quite some effort in selecting a VPN provider, exactly for the reasons you stated. No way I would engage in a free VPN service. Nord and PIA seemed to provide decent services with no logs.

That aside, how much faith do you place in your ISP? I wondered about which is more trustworthy: a reputable VPN provider or my own ISP? ISPs don't feel the pressure to build on a trustworthy privacy policy reputation; it's all about value for money, as the vast majority of customers will decide on price, TV channel offerings and down/up speeds, not privacy policies. At

Nov 3, 2019 12:37 PM in response to PhotogWithMac

You are conflating two different services.

Unless your VPN is connected to a private network at the other end it is not providing you any data security. You can post your credit card number using your VPN but unless it is going to a secure site at the other end of the VPN tunnel your number is exposed to the Internet and to your VPN provider. If you do not use VPN and only use https to send a credit card number the number is encrypted and even if someone intercepts the data they can not see or determine what your credit card number is.


People often use VPN to hide their identity when visiting illegal sites or sites banned by certain governments. A valid and good use of a VPN is for traveling corporate workers to connect directly to their corporate network without exposing data to the Internet. Another poster gave the example of connecting to their home network using a VPN tunnel. These are valid and good uses of VPNs. Securing data is not a good use of VPNs.

Nov 3, 2019 1:33 PM in response to BobTheFisherman

Hi Bob, I agree with most of what you said. I am aware that using a VPN in the way I describe it here only encrypts data right up to the point where my data packets leave the VPN server. And I am also aware that if I want to communicate with a web site securely I need an https connection, and I do use those.

All I am saying in my last post is that some here subject VPN services to suspicion and mistrust while not questioning their ISPs. The IP packet route from our home computers is along the ISP network servers and any unencrypted data streams can be examined and logged. For this reason I don't see why there can be a need to be more reluctant to route our data streams through a VPN provider than through an ISP.

All of that said, I acknowledge the fact that the end user is mostly responsible for their own internet security by keeping to good internet practice, like staying alert to suspicious emails, maintaining strong passkeys for all but especially the essential accounts and so on.

After having shared my thoughts in this topic and having read the replies my resolve is to dive in a little deeper into the types of connections my devices (computers, tablets, phones) have to the internet and whether or not all of those are secure.
