Privacy & Security? HTTPS & VPN

        Earlier we heard from Jim Hamm (posted on 3-28 as "Need to Use an Unsecured Wifi Hotspot"), and now he helps us with clarification. Jim wrote to the developers of Cloak, which is a VPN (Virtual Private Network), "If 'HTTPS' is all one needs to be secure, why have a VPN function at all?"
        HTTPS is Hypertext Transfer Protocol over Secure Sockets Layer. It encrypts and decrypts the page requests.
        The reply Jim received explains more about HTTPS and VPN.  The following is quoted from Dave Peck, founder of 
        1. HTTPS helps your browser verify the identity of the server it's talking to. For example, HTTPS can help the browser decide whether it's really talking to your bank. (This is why, if you ever see a warning about certificates when connecting to a site, you should stop immediately.)
        2. Once the identity of the server is verified, HTTPS sets up an end-to-end encrypted connection between you and the server. So to continue the example, HTTPS lets you have a secure communications channel directly with your bank that nobody can listen in on.
        So HTTPS, and the protocol it is built on (TLS), is awesome. And... if everyone used HTTPS/TLS then yes, there would be no reason as an individual to use a VPN like Cloak. There would still be plenty of reasons for small and medium businesses to use VPNs.   ----
        Unfortunately, we don't live in this world, at least not yet. Not everyone uses HTTPS or SSL/TLS (in fact, most web sites don't) and, further, even sites that do use HTTPS often use it badly, or inconsistently. Things seem to fall into four buckets:
        1. Sites that don't use HTTPS at all. This is, sadly, the majority of sites. When you're on a network you don't trust (like at a coffee shop, airport, hotel, or at a conference) anybody can see what you're doing.
        2. Sites that use HTTPS badly. Usually this means they don't use HTTPS everywhere. Prime examples of this would be Facebook and By default, when you log in to Facebook and Amazon, you log in with HTTPS. It might seem that this protects your username and password, but this isn't quite the case. After you log in, Facebook and Amazon kick you back to HTTP pages. But wait! How do they know who you are on those HTTPS pages? They know who you are because they've cookied you with a non-secure cookie. For the duration of your session with those sites, that cookie is as good as your username and password. Anybody can log in as you and do whatever they want as you. This is what the hacker tool Firesheep was built to exploit, and unfortunately it is all too common -- Firesheep works on nearly 100 different web sites.
        3. Native apps! These days, lots of stuff is done outside of the browser. Does the Twitter App for Mac use HTTPS or TLS? Who knows! We see a lot of problems here these days, and a lot of opportunities for Cloak to make things better.
        4. Sites that use HTTPS well. Your bank, and PayPal, probably fall into this category. For these sites, Cloak doesn't make a difference.
        I would like nothing more than to wake up one day and discover that Cloak is not necessary. But given that only one of four buckets is actually truly secure, I think we're easily five years off from that day. That said, one can never truly predict in the world of technology. -----
        I should explain, in case it isn't clear, that Cloak isn't an end-to-end solution for security. When you use HTTPS, you get end-to-end encryption: just you and (say) your bank. When you use Cloak, you get encryption from your laptop or iDevice to our servers. From there, things are decrypted. But we host our own servers on networks with great peering agreements and extremely strict security policies. Our networks are trustworthy, whereas presumably the networks "out there" in the wild, like at coffee shops etc, are not. It's only if you truly cannot trust the Internet at all that HTTPS and TLS are your only options.       ---
        Bottom line for all of this: I believe that we still live in a world where Cloak can provide real value; I hope that technologies like HTTPS and SSL will ultimately become so prevalent that tools like Cloak won't be needed anymore. I think we're many years off from that day."
      Thanks to Jim for getting this information for PMUG.
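
The "bucket 2" weakness in the quoted reply can be checked from a site's own response headers. The following Python sketch is an added example, not part of the original post or of Cloak's software: it audits a recorded login flow for a session cookie set without the `Secure` attribute and for a redirect from HTTPS back down to HTTP. The host `example.test`, the cookie names and the header values are constructed sample data.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_flow(responses):
    """Return (finding, subject) tuples for each weakness seen in a list of responses.

    Each response is a dict with 'url', 'set_cookie' (list of header values)
    and 'location' (redirect target or None).
    """
    findings = []
    for resp in responses:
        for header in resp.get("set_cookie", []):
            name, attrs = parse_set_cookie(header)
            # Without Secure, the browser also attaches the cookie to plain
            # http:// requests, where anyone on the same network can read it.
            if "secure" not in attrs:
                findings.append(("cookie-not-secure", name))
        location = resp.get("location")
        # A login served over HTTPS that then sends the user to an http:// page.
        if (urlsplit(resp["url"]).scheme == "https" and location
                and urlsplit(location).scheme == "http"):
            findings.append(("https-to-http-redirect", resp["url"]))
    return findings


# Constructed sample: HTTPS login, then a bounce to HTTP with a non-secure cookie.
WEAK_FLOW = [
    {"url": "https://example.test/login",
     "set_cookie": ["session=3f9a1c; Path=/; HttpOnly"],
     "location": "http://example.test/home"},
    {"url": "http://example.test/home", "set_cookie": [], "location": None},
]

# Constructed sample: the same flow with the cookie marked Secure and HTTPS kept throughout.
HARDENED_FLOW = [
    {"url": "https://example.test/login",
     "set_cookie": ["session=3f9a1c; Path=/; HttpOnly; Secure; SameSite=Lax"],
     "location": "https://example.test/home"},
]

if __name__ == "__main__":
    for label, flow in (("weak", WEAK_FLOW), ("hardened", HARDENED_FLOW)):
        print(label, audit_flow(flow))
```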