I keep hearing on VPN ads that you have to use a VPN to not have your login information stolen. So far I have been using Cloudflare WARP to be safe enough. However, if I am using an HTTPS website, do I really need a VPN or WARP? Will an attacker on the same network as me be able to access passwords transmitted over HTTPS?

Monkey With A Shell

There’s a possibility, but not a big one, that any given WiFi has a decrypting proxy in place. Your device should be giving a big warning flag if a certificate was found issued by an untrusted certificate authority. It’s possible if someone like Google or a government body ran the portal that they could issue ‘trusted’ certificates for sites on the fly through such a proxy and grab whatever they want while it’s decrypted mid stream.

The whole premise of HTTPS as security is based on the notion that the CAs at the end of the chain are trustworthy and wouldn’t do something like that, but it is possible.

You might not know if an app on your computer uses encryption when it communicates. And you don’t know if an SSL cert has been exposed but not revoked yet. So no, you can’t trust HTTPS alone.

And I’ve seen just how easy it is to set up a fake WiFi and have people’s phones auto-connect to it because the victims have an old public network in the “remembered networks” list. At a dev conference.

So I either use a VPN or a private mobile network. Well, honestly I actually don’t. I suck at practicing what I preach. Convenience versus risk.


Personally I would use my own cellular Wi-Fi hotspot over a third party VPN. A VPN … unless you are running your own … is just a giant honeypot for snagging everything you do.

The only way you know it’s not happening is you don’t.

An in-country cellular service at least can be assumed not to sell your data to a cyber crime group.

@Fades@lemmy.world

A VPN … unless you are running your own … is just a giant honeypot for snagging everything you do.

That is an absurd statement

Prove them wrong. I’m listening

And yet …

I will do anything to deny Comcast even a penny. From the heart of hell I stab at thee.

If my VPN is selling traffic information so be it. Fuck Comcast. I would rather Mullvad sell my info than let Comcast get another penny.

I can’t overstate how much I hate Comcast.

Also use HTTPS for DNS, e.g. private DNS for Android. https://adguard-dns.io/en/public-dns.html

If I’m on the same network, it is possible to have a MITM attack and resolve the content of the SSL cert.

That’s not really the case unless you add cert authorities to your device.

Resolve the content of the SSL cert? Sounds like something the CSI writers would say…

No, SSL is actually very good at preventing MITM attacks. That’s what all the CAs you trust on your device are for.

https://github.com/moxie0/sslstrip

https://github.com/moxie0/sslsniff

You can ARP spoof a network and also serve spoofed certs, resulting in the ability to resolve them. But I can see, if you’re not an expert, it’s hard to see the difference between reality and Navy CIS.

Sorry, but no. Resolve certs? Seriously?

I don’t care anyway if you wanna start the not an expert argument. What you linked doesn’t work either in the modern web so… No, I am out.

@ranok@sopuli.xyz

This is pretty misleading due to its brevity: an attacker on the same network can determine what website you’re going to but not the content being exchanged. A VPN moves the threat of having your browsing destination determined from the local network to the VPN provider.

That said, modern WiFi encryption does prevent other devices on the network from eavesdropping, so the attacker would have to employ a more involved attack (e.g. ARP spoofing) in order to even see the destinations.
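An added example (my own, not from anyone in this thread) that makes the previous comment concrete: a small Python parser that pulls the destination hostname out of a TLS ClientHello’s SNI extension, which is visible in the clear to anyone on the path, while an application-data record yields nothing but its type and length. The ClientHello bytes are constructed by hand here rather than captured from a real session.

```python
import struct

# Constructed sample input (not captured from a real session): a minimal
# TLS 1.2 ClientHello record carrying an SNI extension for the given host.
def build_client_hello(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name           # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list     # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                        # client_version + random
            + b"\x00"                                         # empty session id
            + b"\x00\x02\x13\x01"                             # one cipher suite
            + b"\x01\x00"                                     # null compression
            + struct.pack("!H", len(ext)) + ext)              # extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the hostname from a ClientHello's SNI extension, or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                      # not a handshake record / not a ClientHello
    hs = record[5:]
    try:
        p = 4 + 2 + 32                   # skip handshake header, version, random
        p += 1 + hs[p]                   # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
        p += 1 + hs[p]                   # compression methods
        if p + 2 > len(hs):
            return None                  # legacy hello without extensions
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:               # server_name: 2-byte list length, then entries
                ntype, nlen = struct.unpack("!BH", hs[p + 2:p + 5])
                if ntype == 0:
                    return hs[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        return None                      # truncated or malformed record
    return None

def visible_to_observer(record: bytes) -> dict:
    """What a passive on-path observer learns from a single TLS record."""
    kind = {0x16: "handshake", 0x17: "application_data"}.get(record[0], "other")
    return {"type": kind, "bytes": len(record) - 5,
            "sni": extract_sni(record) if kind == "handshake" else None}
```

The plain DNS lookup for the same hostname leaks the destination just as readily, which is why encrypted DNS comes up elsewhere in this thread.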

@4am@lemm.ee

If all you use is a web browser and all the sites you visit are HTTPS only

VPN is mainly good for bypassing region blocks (like Netflix) or as a tunnel through company firewalls. All other advertised use cases are either overstated or outright false.

Ooops

Non-Internet analogy:

You communicate via snail mail with someone. Both ends know the address of each other. So does the postal service delivering your mail. Everyone opening your letter can read (and with some work even manipulate) the content. That’s HTTP.

Now you do the same, but write in code. Now the addresses are still known to every involved party but the content is secured from being read and thus from being manipulated, too. That’s HTTPS.

And now you pay someone to pick up your mail, send it from their own address and also get the answers there that are then delivered back to you. The content is exactly as secure as before. But now you also hide your address from the postal service (though the guy you pay extra now has that information…) and from the one you are communicating with. That’s a VPN.

So using a VPN doesn’t actually make your communication more secure. It just hides who you are communicating with from your ISP (or the public network you are using). Question here is: do you have reasons to not trust someone with that information and do you trust a VPN provider more for some reason? And it hides your address from the guy you are communicating with (that’s the actual benefit of a VPN for some, as this can circumvent network blocks or geo-blocking).

Long story short: Do you want to hide who you are communicating with from the network you are using to access the internet? Then get a VPN. The actual data you send (and receive) is sufficiently secured by HTTPS already.

serial26

@Ooops @tester1121 just scrolling through some of your responses

Why would you leave out the role encryption plays in the VPN tunnels? And that VPN providers are independently audited and subsequently rated for their data log retention rates?

Ooops

Then you should probably point out to OP which VPNs are independently audited and not keeping data or not operating in any country requiring access by law enforcement. As everything else would totally defeat your “but government actors”-argument from above.

You know that VPN traffic is encrypted, right?

Ooops

But encrypting already encrypted HTTPS data is largely irrelevant (for that simplified analogy) unless you don’t trust the encryption in the first place. So the relevant part is hiding the HTTPS headers (your addresses from above) from the network providing your connection (and the receiving end) by encrypting them.

Unless of course you want to point out that a VPN also encrypts HTTP… which most people have probably not used for years, in fact depending on browser HTTP will get refused by default nowadays.

serial26

@Ooops @tester1121 @loudWaterEnjoyer And apparently you also believe that the primary benefit of hiding your packet data is to avoid high-layer sifting by ISPs, and not hostile bad actors or foreign/domestic governments.

Ooops

Yes, given OP’s question (triggered by VPN ads even) and way of asking, there is no reason to believe in any scenario where a state-sponsored actor “on the same network” is intercepting data (like “transmitted passwords”) because it’s only secured by HTTPS. That’s “can I log in safely from a public wifi?”-level.

As you seem to be passionate about these security issues I’m sure that you are familiar with the concept of threat assessment first. Do you believe that a random user asking publicly about information seen in advertising is the target of government-level actors wanting to steal his login passwords used on HTTPS sites, and that breaking the encryption is the easiest measure here?

As I read this question “high-layer sifting by ISPs” (and providers of open wifi) is exactly the threat scenario here.


Think of it like this

  • HTTPS hides what you are saying.
  • VPN hides who you are saying it to.

I’d add you can get around this with a custom DNS server with DNSSEC


@jsdz@lemmy.ml

It’s not particularly easy to find a trustworthy VPN, but it’s not particularly hard to find one you’d trust more than whatever random public wi-fi you’ve found while on the road. Your stock reminder that we can never trust anyone is not really useful here.

Using a good VPN is one way to sanitize the whole network environment when you have no reason to trust even the router you’re connecting to, avoiding quite a few risks besides that of someone passively analyzing your traffic.

He’s not saying trust nobody. He’s saying apply the same scrutiny to your VPN provider as you would to any other vendor who you only hear about in online ads.

Wookie

Just don’t use VPNs that streamers push. VPN over public WiFi is a must.

For what reason? If you’re doing something sketchy the VPN company is going to know about it.

If you want your DNS encrypted use encrypted DNS. If you want to be really hidden use Tor

Depends on the context. If you are at home on a wired / non public connection…HTTPS by itself is probably good enough for protecting your password / credentials from your general “web goblin” type of hacker.

However, if your device is compromised with malware (keylogger or whatever) then neither HTTPS nor a VPN can protect you.

HTTPS uses a special key sharing algorithm to safely encrypt your data so that it’s relatively secure to transmit across the internet. Even if a man-in-the-middle intercepts it, they can’t decrypt the data.

A VPN is an extra layer of security that hides your session from your internet service provider, or your boss, or random people on the WiFi at your local coffee place, that sort of thing. Using a VPN is a good idea, but it’s not a magic solution, and it’s not always necessary. The VPN helps hide things like the websites you are visiting, your IP address, stuff like that. It also encrypts your traffic in a “tunnel” which is nice, but HTTPS packets are already encrypted. So HTTPS over a VPN is doubly encrypted.

Security-wise, you do no harm using both. However, using a VPN can be a little bit slower and some services (like the Google platform and major video content streamers) really don’t like it when you use a VPN. You can sometimes get around this by purchasing a dedicated IP address from your VPN service provider, but that usually costs extra (on top of whatever you may be paying for the VPN service itself).

And…a dedicated IP may or may not fool those picky content streamers. They have gotten pretty aggressive about blocking VPNs because they know people use them to get around regional content lockouts and restrictions.

Replying to myself to add: if you use a VPN to hide your surfing habits from your boss, the security team can tell you are using a VPN. They may or may not care, it largely depends on where you work and if you’re using your device or a company device and the “corporate culture” of the place you work. Just have a cover story / explanation ready to go if you roll the dice on this one. If you work for a large corporate bank or something like that, I wouldn’t even try it.

If you’re using a company device, a VPN won’t help you. They could install a keylogger without you having any way of knowing.

Bruh

a vpn can totally MiM if they force you to use their cert.

upstream server ssl <-> vpn client ssl <-> vpn MiM <-> vpn server ssl <-> you

Even with no MiM, VPN is going to know where you are going and how long you are there, and any unencrypted comms (UDP / torrent, funky http URL) are just … there.

I would assume consumer “privacy” VPN traffic is easily monitored by state agencies since there are fixed points of entry & egress?

Any corporate VPN worth its salt is totally MiM all traffic; usually spells it out in the sales brochure.

The best way to think about a VPN is a different ISP, when you activate a VPN your traffic goes through an encrypted tunnel through your primary ISP to the VPN, then the traffic is decrypted and dumped onto the internet. If you trust your VPN more than your ISP (either because they are more trustworthy or because they don’t know who you are) then it is a win. If you trust your ISP less than your VPN it is a loss.

One important thing to highlight is public WiFi, which can allow people nearby to try and sniff your traffic. A VPN can be quite effective here even if you trust the ISP “behind” the WiFi.


Yes you’re good. The ads are basically lying, or at least vastly overblowing the importance of VPN. It’s nice to have in some situations, but no, hackers won’t immediately pwn you as soon as you connect to a McDonald’s wifi.

It was just a few years ago, before everything on the Internet was HTTPS, that using a public Wi-Fi was pretty dangerous, in terms of exposing your login credentials and traffic.

Even today, it’s possible that some random sites might be HTTP only, but it’s unlikely.

But even then, anyone on the same network can still see what sites you are going to, just not what’s being said.

This is not completely true. Try to look at email from shops (for campaigns etc.), and you will see tons of click-tracking links that go through HTTP. Any of that gets hijacked, and you have an avenue to be phished. DNS integrity is key, and a VPN being a layer 3 control (i.e., at the network level, not the application level) helps preventing some of these attack vectors.

Otter

Most (all?) HTTP sites now give an angry “WARNING” message, and you need to hop through menus to access them.

So most people should be safe probably

I think that it is actually your browser warning you, so you should see it on every HTTP site.

It was just a few years ago, before everything on the Internet was HTTPS,

It’s been more than a decade since that was the case.

If you do some sort of captive portal login, even with a VPN, you could still get pwned.


Your HTTPS connection is sufficient to protect the connection.

Only unencrypted traffic is at risk from public WiFi attacks.

Biggest risk is email imo where it is far too easy to have unencrypted settings

What do you mean? Your email server isn’t connected to public WiFi. As long as you’re using HTTPS to access the web interface you’re fine.

Even if you’re using an email client like Thunderbird, your emails are most likely encrypted, as that’s the default.

POP/IMAP is not HTTPS.

For a web interface.

Anyway both of those are encrypted by default

They should be… but are they? It is entirely too easy to set up unencrypted email just to get it working. Crazy…

Can you name one email provider who doesn’t do that by default?

It is the client and yes, most of them.
