My reputation for looking after my online self often comes with a reputation for paranoia. Amongst the many examples I can quote is the one that has me mocked for my insistence on using public wifi networks only through a VPN service. What's the deal, I'm asked; why bother?
Originally, my intention there was to avoid snoopers who tap the network and can thus imitate me when my connection is not encrypted. Say, for example, I am logged in to Facebook; if my connection with Facebook is not an encrypted one, anyone logged into that network can theoretically listen to my communications and even pretend they are me. The matter was discussed here already, and since then Facebook and many others have started encrypting their interactions. The point is still valid, though: on a public network, I prefer to protect myself from the unknown. Mock me if you will.
Yesterday, I received all the proof I ever needed for my precaution. Apple released an iOS update, a rather strange iOS update: not only did they update iOS 7, they also provided an iOS 6 update that applied to my old and long neglected iPhone 3GS. What's going on there?
Today we learned what was going on (read here). Essentially, everything Apple - be it an iPhone, iPad or a Mac - was totally exposed to "man in the middle" type attacks where someone else pretends to be the website you are after. In other words, if someone wanted to get to you, they could have pretended to be google.com the next time you ran an Internet search. From there the road to your credit card number or other sensitive information is rather short. The horrible thing about this exploit is that this vulnerability applied for a very long time (according to Wikipedia, the previous iOS 6 release took place on 19 June 2013), and still applies to the currently un-patched Macs.
I have no doubt institutions such as the NSA were well aware of this exploit to Apple devices, and that they used it to compromise many an iGadget. But I don't worry that much about them; they're assholes, but they are not assholes of the type that wants my money. The NSA has the facilities to stage a google.com fake when I surf the Internet at home, but the smaller time crook can [usually] only achieve such a feat through a public network. And that's where using a VPN service helps.
Is there a point to this story, other than "use VPN when unsure?"
Yes. The point is that there are too many unknowns when using the Internet, and none of us can pretend to be fully secure when accessing it. However, by using certain protection measures one can make oneself too much of a hassle for crooks to deal with. And that is all we need.
Image by Phil Campbell, Creative Commons licence