I keep hearing on VPN ads that you have to use a VPN to not have your login information stolen. So far I have been using Cloudflare WARP to be safe enough. However, if I am using an HTTPS website, do I really need a VPN or WARP? Will an attacker on the same network as me be able to access passwords transmitted over HTTPS?
Think of it like this
- HTTPS hides what you are saying.
- VPN hides who you are saying it to.
VPNs hide it from your local WiFi, but tells the VPN company. Something more people should be asking themselves: do you trust your WiFi more or less than your VPN provider?
For Cloudflare, I’d say yes, but for the VPN companies the Youtube ads keep shoving down everyone’s throats, I think you’re better off just leaving the VPN disconnected in many cases.
It’s not particularly easy to find a trustworthy VPN, but it’s not particularly hard to find one you’d trust more than whatever random public wi-fi you’ve found while on the road. Your stock reminder that we can never trust anyone is not really useful here.
Using a good VPN is one way to sanitize the whole network environment when you have no reason to trust even the router you’re connecting to, avoiding quite a few risks besides that of someone passively analyzing your traffic.
Just don’t use VPN’s that streamers push. VPN over public WiFi is a must
For what reason? If your doing something scketchy the VPN company is going to know about it.
If you want your DNS encrypted use encrypted DNS. If you want to be really hidden use Tor
There’s a possibility, but not a big one that any given WiFi has an decrypting proxy in place. Your device should be giving a big warning flag if a certificate was found issued by an untrusted cerificate authority. It’s possible if someone like Google or a government body ran the portal that they could issue ‘trusted’ certificates for sites on the fly through such a proxy and grab whatever they want while it’s decrypted mid stream.
The whole premise of HTTPS as security is based on the notion that the CAs at the end of the chain are trustworthy and wouldn’t do something like that, but it is possible.
Non-Internet analogy:
You communicate via snail mail with someone. Both ends know the address of each other. So does the postal service delivering your mail. Everyone opening your letter can read (and with some work even manipulate) the content. That’s HTTP.
Now you do the same, but write in code. Now the addresses are still known to every involved party but the content is secured from being read and thus from being manipulated, too. That’s HTTPS.
And now you pay someone to pick up your mail, send it from their own address and also get the answers there that are then delivered back to you. The content is exactly as secure as before. But now you also hide your address from the postal service (that information has the guy you pay extra now though…) and from the one you are communicating with. That’s a VPN.
So using a VPN doesn’t actually make your communication more secure. It just hides who you are communicating with from your ISP (or the public network you are using). Question here is: do you have reasons to not trust someone with that information and do you trust a VPN provider more for some reason? And it hides your address from the guy you are communicating with (that’s the actual benefit of a VPN for some, as this can circumvent network blocks or geo-blocking).
Long story short: Do you want to hide who you are communicating with from the network you are using to access the internet? Then get a VPN. The actual data you send (and receive) is sufficiently secured by HTTPS already.
@Ooops @tester1121 just scrolling through some of your responses
why would you leave out the role encryption plays in the VPN tunnels? And that VPN providers are independently audited and subsequently rated for their data log retention rates?
Then you should probably point out to OP which VPNs are independently audited and not keeping data or not operating in any country requiring access by law enforcement. As everything else would totally defeat your “but government actors”-argument from above.
You know that VPN traffic is encrypted, right?
But encrypting already encrypted HTTPS data is largely irrelevant (for that simplified analogy) unless you don’t trust the encryption in the first place. So the relevant part is hiding the HTTPS headers (your addresses from above) from your the network providing your connection (and the receiving end) by encrypting them.
Unless of course you want to point out that a VPN also encrypts HTTP… which most people have probably not used for years, in fact depending on browser HTTP will get refused by default nowadays.
@Ooops @tester1121 @loudWaterEnjoyer and apparently you also believe that the primary benefit of hiding your packet data is to avoid high-layer sifting by ISPs, and not hostile bad actors or foreign/domestic governments
Yes, given OPs question (triggered by VPN Ads even) and way of asking there is no reason to believe in any scenario where a state-sponsored actor “on the same network” is intercepting data (like “transmitted passwords”) because it’s only secured by https. That’s “can I login safely from a public wifi?”-level.
As you seem to be passionate about these security issues I’m sure that you are familiar with the concept of threat assesment first. Do you believe that a random user asking publically about information seen in advertising is the target of government-level actors wanting to steal his login passwords used on https sites and that breaking the encryption is the easiest measure here?
As I read this question “high-layer sifting by ISPs” (and providers of open wifi) is exactly the threat scenario here.
VPN is mainly good for bypassing region blocks (like Netflix) or as a tunnel through company firewalls. All other advertised use cases are either overstated or outright false.
your https connection is sufficient to protect the connection.
only unencrypted traffic is at risk to public wifi attacks.
Biggest risk is email imo where it is far too easy to have unencrypted settings
What do you mean? Your email server isn’t connected to public WiFi. As long as your using https to access the the web interface your fine.
Even if your using an email client like Thunderbird you emails are most likely encrypted as that’s the default
Pop/imap is not https
For for a web interface.
Anyway both of those are encrypted by default
They should be… but are they … it is entirely too easy to setup unencrypted email just to get it working. Crazy…
Can you name one email provider who doesn’t do that by default?
It is the client and yes, most of them.
If I’m on the same network, it is possible to have a MITM attack and resolve the content of the SSL cert.
Resolve the content of the SSL cert? Sounds like something the CSI writers would say…
No, SSL is actually very good in preventing MITM attacks. That’s what alle the CAs are for you trust on your device.
https://github.com/moxie0/sslstrip
https://github.com/moxie0/sslsniff
You can ARP spoof a network and also serve spoofed certs resulting in the ability to resolve them. But I can see, if your not an expert, it’s hard to see the difference between reality and Navy CIS
Sorry, but no. Resolve certs? Seriously?
I don’t care anyway if you wanna start the not an expert argument. What you linked doesn’t work either in the modern web so… No, I am out.
That’s not really the case unless you add cert authorities to your device.
