VPN provider is asking for my device passcode
I am trying to set up Expressvpn on my iPad. Part of the process is asking me for my device passcode. Is this safe?
iPad Air 2, 15
GlendaFinch wrote:
I am trying to set up Expressvpn on my iPad. Part of the process is asking me for my device passcode. Is this safe?
VPNs in general are not secure/safe unless you are using the VPN to create a secure point-to-point tunnel between you and a secure network like your workplace network. If this is the case, contact the VPN administrator at your workplace and ask them for assistance. If this is a public VPN, check out the insecurities of using such an open VPN. The open VPN provider will see all your Internet traffic, then they will dump your data insecurely onto the Internet for routing to its destination.
Thank you all for your responses and taking the time to help ….especially useful is the fact that the VPN provider will be able to see all my internet usage which I hadn’t thought about……. thank you BobTheFish. I’ve revisited the process of registering with the VPN company, and I think that it was my system which was asking for confirmation that I was happy for the VPN to access my iPad to set up the software. Of course I can’t be 100% sure that was the case. Expressvpn seems to be a widely respected company so I have given it the benefit of the doubt …..hopefully something I will not regret.
You will encounter a lot of myth, misinformation and scaremongering about the use of commercial VPNs.
While it is true that use of a commercial VPN will route your internet traffic via the VPN provider's gateway, it is not true that all of your data/traffic is visible to the provider.
While unencrypted traffic protocols, such as DNS queries, are visible, your traffic protected by end-to-end TLS/SSL encryption is not visible to parties between the endpoints - at least, not without you seeing obvious security and trust warnings from your devices. As such, your internet traffic is no more at risk than would otherwise be the case. Consider that your ISP already has visibility of all your in-clear traffic.
A Commercial VPN connection adds additional security when you are connecting to an untrusted local WiFi network or LAN. Every other user on these networks can access and potentially maliciously manipulate your in-clear traffic protocols. Using a VPN ensures that your unencrypted traffic cannot be intercepted by threat actors that are commonly encountered when using publicly accessible or shared networks.
Returning to your unencrypted network traffic being potentially monitored by a VPN provider - your traffic is at substantially lower risk when using a reputable VPN provider than would otherwise be the case when using insecure public networks. If you have concern for unencrypted traffic being monitored, there are other mitigations that can be used to protect this traffic.
For example, your DNS traffic can be protected using DoH and DoT encrypted DNS, configured to access a security focussed DNS provider such as Quad9. Additionally, Apple provide easily accessible network extensions for their iCloud+ subscribers, using iCloud Private Relay - which uses ODoH as the transport protocol. When using any of these mitigations, your DNS traffic is visible to nobody other than you - and your DNS provider.
Infosec Professionals recommend that you use a properly configured VPN whenever you use a public WiFi network - or other network in which you have no “trust”. Used properly, VPN can and will provide additional security and privacy. What is essential is that you understand the limitations of what a Commercial VPN can protect - and if necessary, what other or alternative mitigation is or may be appropriate.
Note also that reputable subscription-based VPN providers have no business interest in monitoring your traffic beyond that enforced by legislation - any such traffic monitoring often being considerably less than that already employed by your Internet Service Provider (ISP).
I'm sorry LotusPilot but I disagree with much of what you say.
If I send any traffic over the Internet insecurely, use of a public VPN does nothing to protect that data. And if it is being sent insecurely, all nodes along the path, including the public VPN provider, have access to that data. If I send data securely over the Internet then I do not need a Public VPN. If I use a VPN the traffic to the VPN provider may be secure, but once the VPN provider sends that data on to its destination, it does so just as if I had sent the data directly to the end point. Public VPN providers do not have a secret secure backdoor to web services. Users have the same access to the destination.
VPNs provide excellent security if they create a point-to-point secure tunnel to a private network. Public VPNs do not create this tunnel. Public VPNs may help one hide their identity and provide anonymity for those living in a location where web access is restricted or controlled. But the VPN provider still has access to the user's data, to do with as they wish, as it passes through their servers.
Disagree you may, but I regret that your perceived understanding of both network protocols and VPNs is fundamentally flawed.
For the OP, providing that the VPN client is configured for no-split-tunnelling, the use of a VPN protects all traffic (both encrypted and unencrypted traffic alike) between the VPN client and the Commercial VPN gateway. The public-access WiFi network is the least-trust/high-risk network upon which threat-actors can readily intercept and manipulate unprotected “in-clear” traffic.
Extending my earlier example, DNS traffic (from which sensitive data can be derived - and which provides address resolution for access to internet resources) is natively an unencrypted protocol - that is, it is transmitted "in clear". This traffic can be intercepted and altered - potentially returning false DNS responses to the originator. This can, for example, lead to malicious DNS redirects or profiling. For this example, a VPN tunnel will inhibit interception, monitoring or alteration of the natively unencrypted DNS protocol. Adding clarification, unless otherwise mitigated, the DNS traffic protected by the VPN from interception is visible to the VPN Gateway Operator as you suggest - but this is no different to the situation that occurs with your (presumed trusted) ISP.
If privacy and security of DNS is a concern, and/or monitoring by a VPN operator or ISP is a concern, this traffic can be protected from interception and monitoring by other measures described in my earlier response. That said, in adding this protection, this shifts trust for this element of network traffic entirely to the DNS resolver.
Moving to encrypted TLS/SSL traffic, this is encrypted end-to-end by PKI - and is neither accessible to actors present on the local network, the VPN Gateway, an ISP, or other operators along the full network path. Any attempt to decrypt and re-encrypt traffic for onward transmission will visibly break the CA trust-relationship, alerting both the source and destination. As such, the TLS/SSL end-to-end encryption remains secure regardless of whether a VPN is being used or not.
Unencrypted protocols can be protected by additional measures to provide assurance of integrity end-to-end - and/or with additional encryption - but these measures are likely beyond the capability of novices. This is where Apple’s own Private Relay Service adds a degree of useful protection, being easy to enable without in-depth knowledge of network and routing protocols.
To be clear, the purpose of a Commercial VPN is to protect traffic over the least-trust segment of the connection - the local network on which other hosts have immediate and otherwise unmitigated access to unencrypted traffic originating from other client devices.
Different measures are necessary to protect the security and integrity of traffic over the full path - requiring the use of various techniques and mitigations - each being targeted to provide protection against a specific risk or threat, combining mitigations as necessary. A VPN is neither intended nor capable of protecting the entire network path, but is one element of an effective security and privacy solution.
Security and Privacy are always an exercise of trust - and importantly in whom you have least trust. For public high-risk networks, VPN adds useful protection from high-risk threat - but offers little additional benefit when connecting via a “semi-trusted” ISP connection. For greater threat protection, a commercial VPN alone is insufficient in any setting - and this is where additional measures can add additional layers of protection.
In summary, complete security and anonymity are unachievable unless you control every element of the network path between client and resource. For a public internet connection, the first element of the network connection often presents the greatest risk - and with appropriate compensating controls, various elements of network traffic can be both protected and directed to resources of greater trust.
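The DNS example that runs through LotusPilot's two replies above (a query carries the hostname in clear, any host on the same network can read it and answer with a forged response, and DoH carries the identical wire message inside HTTPS so only the resolver sees it) worked through as an added example. This is not code from any poster in the thread, nor from ExpressVPN, Apple or Quad9. The hostname, transaction ID and attacker address (203.0.113.7, a documentation range) are constructed; the Quad9 DoH endpoint is passed in as a parameter and the request is only built, never sent, so the script runs offline.

```python
import base64
import struct

# Constructed sample input: the name a client on shared Wi-Fi is resolving.
SAMPLE_NAME = "accounts.example.com"
SAMPLE_TXID = 0x1A2B


def encode_name(name):
    """RFC 1035 label encoding: length-prefixed labels, zero byte terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset `off`, following compression pointers (0xC0xx)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(name, txid):
    """Plain DNS query for an A record: header (RD set, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def sniff_query(packet):
    """What any host on the LAN, the VPN gateway or the ISP learns from one in-clear query."""
    txid = struct.unpack("!H", packet[:2])[0]
    name, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype}


def forge_response(query, attacker_ip):
    """On-path attacker: reuse the sniffed ID and question, answer with its own address."""
    q = sniff_query(query)
    question = query[12:]  # name + qtype + qclass, copied verbatim
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)  # pointer to question name, A, IN, TTL, rdlen
    return header + question + rr + bytes(int(o) for o in attacker_ip.split("."))


def parse_answer(packet):
    """Client-side parse of a response: returns (txid, [(name, ipv4), ...]) for A records."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    _qname, off = decode_name(packet, 12)
    off += 4  # skip qtype, qclass
    answers = []
    for _ in range(an):
        aname, off = decode_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            answers.append((aname, ".".join(str(b) for b in rdata)))
    return txid, answers


def client_accepts(query, response):
    """All a plain stub resolver checks: matching transaction ID and matching question name.
    Both were visible to whoever sniffed the query, so an on-path forger passes trivially."""
    q = sniff_query(query)
    txid, _answers = parse_answer(response)
    rname, _ = decode_name(response, 12)
    return txid == q["id"] and rname == q["name"]


def doh_get_url(query, resolver="https://dns.quad9.net/dns-query"):
    """RFC 8484 GET form: the identical wire message, base64url without padding, as a query
    parameter of an HTTPS URL. Only the resolver hostname (via SNI) is visible on the path."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def doh_decode(url):
    """What the DoH resolver recovers from the URL: the original DNS message bytes."""
    b64 = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    q = build_query(SAMPLE_NAME, SAMPLE_TXID)
    print("sniffed from the LAN:", sniff_query(q))
    r = forge_response(q, "203.0.113.7")
    print("forged answer accepted:", client_accepts(q, r), parse_answer(r)[1])
    print("same message over DoH:", doh_get_url(q))
```

The forged response passes every check a plain stub resolver can make, which is why LotusPilot treats the first hop as the high-risk segment: a VPN moves that in-clear segment off the shared LAN and onto the gateway's side, while DoH/DoT removes it altogether except at the resolver you chose, which is the trust shift the reply describes.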
Sounds like a scam to me.
They have absolutely no business asking for such information.
Hello ~ Agreed.
~Katana-San~