I keep hearing on VPN ads that you have to use a VPN to not have your login information stolen. So far I have been using Cloudflare WARP to be safe enough. However, if I am using an HTTPS website, do I really need a VPN or WARP? Will an attacker on the same network as me be able to access passwords transmitted over HTTPS?

Boozilla

Depends on the context. If you are at home on a wired / non-public connection… HTTPS by itself is probably good enough for protecting your password / credentials from your general “web goblin” type of hacker.

However, if your device is compromised with malware (keylogger or whatever) then neither HTTPS nor a VPN can protect you.

HTTPS uses a special key sharing algorithm to safely encrypt your data so that it’s relatively secure to transmit across the internet. Even if a man-in-the-middle intercepts it, they can’t decrypt the data.

A VPN is an extra layer of security that hides your session from your internet service provider, or your boss, or random people on the WiFi at your local coffee place, that sort of thing. Using a VPN is a good idea, but it’s not a magic solution, and it’s not always necessary. The VPN helps hide things like the websites you are visiting, your IP address, stuff like that. It also encrypts your traffic in a “tunnel” which is nice, but HTTPS packets are already encrypted. So HTTPS over a VPN is doubly encrypted.

Security-wise, you do no harm using both. However, using a VPN can be a little bit slower and some services (like the Google platform and major video content streamers) really don’t like it when you use a VPN. You can sometimes get around this by purchasing a dedicated IP address from your VPN service provider, but that usually costs extra (on top of whatever you may be paying for the VPN service itself).

And…a dedicated IP may or may not fool those picky content streamers. They have gotten pretty aggressive about blocking VPNs because they know people use them to get around regional content lockouts and restrictions.

Boozilla

Replying to myself to add: if you use a VPN to hide your surfing habits from your boss, the security team can tell you are using a VPN. They may or may not care, it largely depends on where you work and if you’re using your device or a company device and the “corporate culture” of the place you work. Just have a cover story / explanation ready to go if you roll the dice on this one. If you work for a large corporate bank or something like that, I wouldn’t even try it.

If you’re using a company device, a VPN won’t help you. They could install a keylogger without you having any way of knowing.

Bruh

A VPN can totally MiM if they force you to use their cert.

upstream server ssl <-> vpn client ssl <-> vpn MiM <-> vpn server ssl <-> you

Even with no MiM, VPN is going to know where you are going and how long you are there, and any unencrypted comms (UDP / torrent, funky http URL) are just … there.

I would assume consumer “privacy” VPN traffic is easily monitored by state agencies since there are fixed points of entry & egress?

Any corporate VPN worth its salt is totally MiM-ing all traffic; it's usually spelled out in the sales brochure.

The best way to think about a VPN is as a different ISP: when you activate a VPN, your traffic goes through an encrypted tunnel through your primary ISP to the VPN, then the traffic is decrypted and dumped onto the internet. If you trust your VPN more than your ISP (either because they are more trustworthy or because they don’t know who you are) then it is a win. If you trust your ISP less than your VPN it is a loss.

One important thing to highlight is public WiFi, which can allow people nearby to try and sniff your traffic. A VPN can be quite effective here even if you trust the ISP “behind” the WiFi.
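The forced-certificate interception mentioned in the thread is visible from the client, because the issuer of the certificate you receive changes. The following is an added example, not written by any poster here: it records the issuer and fingerprint presented for a host and compares an on-VPN observation with an off-VPN baseline. The sample observations and CA names are constructed.

```python
import hashlib
import socket
import ssl

# Constructed sample observations (not real certificates or real CAs).
OFF_VPN = {"issuer_org": "Example Public CA", "issuer_cn": "Example CA R1", "sha256": "aa" * 32}
ON_VPN = {"issuer_org": "Example VPN Inc", "issuer_cn": "Example Inspection CA", "sha256": "bb" * 32}
RENEWED = {"issuer_org": "Example Public CA", "issuer_cn": "Example CA R1", "sha256": "cc" * 32}


def issuer_fields(cert_dict):
    """Flatten the nested issuer tuples returned by getpeercert() into a dict."""
    return {key: value for rdn in cert_dict.get("issuer", ()) for key, value in rdn}


def observe(host, port=443, timeout=5):
    """Record who signed the certificate this network path presents for host.

    Verification stays on: if the interceptor's CA is not in the trust store the
    handshake raises ssl.SSLCertVerificationError, which is itself the signal.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = issuer_fields(tls.getpeercert())
            der = tls.getpeercert(binary_form=True)
    return {"issuer_org": issuer.get("organizationName"),
            "issuer_cn": issuer.get("commonName"),
            "sha256": hashlib.sha256(der).hexdigest()}


def compare(baseline, current):
    """Return findings where the certificate seen now differs from the baseline."""
    old = (baseline["issuer_org"], baseline["issuer_cn"])
    new = (current["issuer_org"], current["issuer_cn"])
    if old != new:
        return ["issuer changed: %s / %s -> %s / %s" % (old + new)]
    if baseline["sha256"] != current["sha256"]:
        return ["same issuer, new leaf certificate (renewal or another server)"]
    return []


if __name__ == "__main__":
    print(compare(OFF_VPN, ON_VPN))   # interception-style issuer swap
    print(compare(OFF_VPN, RENEWED))  # benign change
```

Run `observe()` for the same host once off the VPN and once on it, then pass both results to `compare()`; a changed fingerprint under the same issuer is usually a renewal or a different front-end server, not interception.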
