Dashel Posted June 14, 2012
Can anyone give me some links or examples of relative security differences between VPN and HTTPS? By this I mean, if users are accessing a single website via HTTPS, what additional benefits are there from using VPN on top? I was under the impression that VPN (since it comes in an SSL variety too) is better when multiple locations are involved, which isn't needed in this case.
still1 Posted June 14, 2012
You really can't compare VPN vs HTTPS totally. Both are different protocols for different purposes. HTTPS is a standard secure communication protocol and is encrypted so that no one can sniff through the data packets. VPN is more like a private network but provides security by tunnelling and encryption. Let's say you are at work, where you have access to all websites which are available only on the network and cannot be accessed from outside (e.g. home) through the internet. VPN solves this problem by connecting to the network through the internet using a secure channel. If you are in a VPN network you can request HTTPS sites. I hope you got it. HTTPS on a VPN would be more secure.
tiagosilva29 Posted June 14, 2012
Dashel Posted June 14, 2012 (Author)
Neither addresses my question, but thanks for trying.
+BudMan MVC Posted June 14, 2012
What is your question/concern exactly? Are you going to VPN to the site hosting the website that is HTTPS, or are you going to VPN to some other location?

So you're at site A, and the HTTPS site is at B. So if you are accessing https://siteb.com, all traffic between your browser/machine and siteb.com would be encrypted. Now, what say your ISP could determine, or what someone at your site could determine if they were sniffing traffic, would be the site you were going to; this could be found via your DNS queries, and they would see the SSL connection to the siteb.com IP. They could determine the amount of traffic you were sending/getting from the site, but not what the traffic was other than that it was SSL/TLS, etc. They would be able to watch the SSL/TLS handshake you make since this is in the clear.

Now how this would be different if you were using a VPN to, say, site C. Normally a VPN would be ALL traffic your machine would send out its default route. So say you were using googledns: the DNS query and responses between site A and C would be encrypted. So your ISP would not know you're doing DNS, nor would they know what you're looking for. But traffic from C to googledns would not be encrypted. If you were using a local DNS, someone at your site either sniffing or with access to the DNS server could see your queries for siteb.com. But if using a DNS that would be accessed via the internet and through your VPN tunnel, the only thing someone at your site or your ISP would know would be that you have an encrypted tunnel between A and C. They could know the amount of traffic but not what kind, etc. They should not be able to tell that you even went to siteB.com, just that you're passing traffic to site C.

So it comes down to what you're trying to secure exactly. Generally speaking, HTTPS to your site would be secure: no one between A and B would know what you're passing back and forth. Passwords, usernames, postings to a forum, etc. would all be encrypted.
Hope that answers your question.
Dashel Posted June 14, 2012 (Author)
Thanks for the input BudMan, my question hinges on the last part. So users access https://acme.whatnot but now an outside organization is telling them they have to use a VPN when accessing the HTTPS site externally, and it seemed a bit redundant to us. We are only concerned with the information on a single website being protected (a medical case tracker). Anything else like DNS etc. isn't an issue, i.e. they don't make them use VPN to use OWA for example, so we were trying to understand (which they couldn't express) what additional benefits adding VPN would give if only the information on a single secure site is of concern.
+BudMan MVC Posted June 14, 2012
Where is this VPN? Is it a VPN to the same network that acme.whatnot is on? If they are saying you have to use a VPN, I have to assume it's hosted by them, not just any VPN you might sign up for.

The VPN might be another layer of auth; maybe they only allow access to the site via coming from a specific VPN IP, etc. There could be more reasons to only allow VPN access to the site other than just encrypted traffic. Auth could be a big one; maybe you have to do 2 factor to get to the VPN, etc. Maybe they have locked the site down, or a section of the site, to only allow access from the VPN, that sort of thing.

Generally speaking, if just worried about traffic to and from the site, HTTPS should be fine, but maybe some of the site is not via HTTPS, so they want the whole conversation via a bigger encrypted tunnel for the traffic that is not via HTTPS. Possibly some feature of the site is not able to use HTTPS, so they want you in a bigger encryption tunnel to cover that, etc.
Dashel Posted June 14, 2012 (Author)
Yes, VPN would be to the same network the site is hosted from (Cisco SSL). Thanks again for the input, good food for thought. I think we discussed some of those but as far as we know, none of those other issues are in play here.