Koa said: @Sparrow
But what about privacy? Can my sys admin still see my history if I use a VPN?
Your sys admin can see that you used a VPN and can also prevent you from using that VPN. If you are on a corporate network, well, you can assume IT knows everything you do and will likely not look kindly to using a VPN (other than the company’s if they have one).
If it is your ISP, they’ll know you connected to a VPN service, but that’s it. They won’t know a lick of what you’re doing, and unlike an employer who is providing their network for work, you are paying your ISP to get access to the Internet at large, so the ISP has no legit reason to prevent the use of the VPN.
@Sparrow
This is correct but with one caveat: a lot of people still have non-https links in their bookmarks. Usually the non-https link of, say, site foo.com will send your browser an http redirect, sending you to https://foo.com. In a compromised DNS situation, the perpetrator could exploit that to redirect you to their version of the website instead.
That’s when those “use https only” extensions and “always use https” configurations on your browser come in handy.
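The post above describes the client-side fix: when the browser already knows a site must be reached over HTTPS, it rewrites the http:// bookmark before sending any request, so a redirect from a spoofed DNS answer never gets a chance to run. The following is an added illustration, not code from the thread; it implements a small HSTS policy store (the mechanism behind "always use https" for sites that have opted in) plus an HTTPS-only switch, with the host names and header values constructed for the example.

```python
"""Minimal HSTS policy store: decide whether an http:// URL should be upgraded
to https:// before any request (and therefore before any redirect) is sent.
Added illustration; host names and headers are constructed samples."""
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


class HstsStore:
    """Remembers, per host, until when HTTPS is mandatory and whether the
    policy also covers subdomains (RFC 6797 semantics, in-memory only)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._policies: Dict[str, Tuple[float, bool]] = {}

    def record(self, host: str, header: str) -> None:
        """Store the policy carried by an HSTS header seen on an HTTPS response."""
        p = parse_hsts(header)
        if p["max_age"] is None:
            return                                   # no max-age: header is invalid, ignore
        if p["max_age"] == 0:
            self._policies.pop(host.lower(), None)   # max-age=0 deletes the policy
            return
        self._policies[host.lower()] = (self._now() + p["max_age"], p["include_subdomains"])

    def should_upgrade(self, host: str) -> bool:
        """True if an unexpired policy covers host directly or via includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self._now():
                continue
            if i == 0 or include_sub:                 # exact match, or a parent with includeSubDomains
                return True
        return False


def rewrite_url(url: str, store: HstsStore, https_only: bool = False) -> str:
    """Return the URL the client should actually fetch: upgraded to https when
    HTTPS-only mode is on or an HSTS policy applies, otherwise unchanged."""
    parts = urlsplit(url)
    if parts.scheme == "http" and (https_only or store.should_upgrade(parts.hostname or "")):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


if __name__ == "__main__":
    store = HstsStore()
    store.record("foo.example", "max-age=31536000; includeSubDomains")   # constructed header
    for bookmark in ("http://www.foo.example/login", "http://bar.example/"):
        print(bookmark, "->", rewrite_url(bookmark, store), "| https-only:", rewrite_url(bookmark, store, https_only=True))
```

The upgrade happens entirely inside the client, before the DNS lookup and before the server's redirect. A site the store has never seen over HTTPS gets no protection from HSTS alone, which is why the HTTPS-only setting (the `https_only` flag here) is the broader fix for stale http:// bookmarks.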
@Sparrow
Yup. I have a 3 year plan with nord just to get some region locked content and that’s it. Although streaming sites are getting quite good at detecting so not sure how valuable the service is nowadays
@Sparrow
Keep in mind though that even with https, your URLs are NOT encrypted. If you are browsing pornhub, that’s public information if you are on public WiFi.
@Sparrow
I love that every VPN ad on YouTube was warning against MITM attacks, then Tom Scott did a video explaining why that isn’t really an issue on the modern internet. Suddenly no VPNs were talking about MITM attacks; every VPN ad was focused on circumventing geoblocks and similar things.
I use a VPN for my work’s guest WiFi, because I don’t want them to see what I’m looking at online; I don’t care if a VPN provider does. I’m sure they could still figure out it was me on my phone, right?
Zion said: @Sparrow
I would like to add that commercial VPNs like NordVPN have a tendency of slashing your bandwidth. Noticed this with several of my customers.
True enough. Not every service does this, but if you have Gigabit Internet, you’re unlikely to get that full bandwidth.
@Sparrow
Well yeah, you’re connecting to your VPN server, which has to decrypt everything you send it and encrypt everything sent back, using its network connection both to connect to you and to the site you are connecting to, for hundreds of different clients. Why would you expect gigabit speeds?
@Lael
I am not. I am also willing to pay the bandwidth penalty when I use the VPN. However, I went in knowing all of this. Many of the new customers who see the sponsored ads on YouTube may not be aware of this however.
@Sparrow
Unless the network has a Fortigate (those things actually intercept SSL, which can lead to interesting consequences, particularly if the instance has a trusted certificate; however, my only experience in real life instead messes with certificates enough that Tailscale doesn’t work).
@Ciel
Thankfully most modern browsers make the button to ignore bad TLS certs hidden enough the average user isn’t going to click on it.
Fortigate, Menlo, etc. aren’t going to be able to man-in-the-middle SSL on a public WiFi. For it to work the way it does, the endpoint has to have the firewall/proxy device registered as a certificate signing authority, which is how it’s able to insert itself. It makes the connection to the website, decrypts it, scans it, then re-encrypts it using its own certificate that the endpoint trusts.
Edit: side note, it is TLS now; SSL is no longer in use. But we all still say SSL out of habit.
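The description above points at the detectable trace an inspecting proxy leaves: the certificate a client receives for a site is no longer signed by the site's public CA but by the proxy's own CA that the endpoint was made to trust. The block below is an added illustration, not code from the thread. It records a baseline of issuer and certificate fingerprint on a network you trust and compares what a later connection presents against it; the certificate dictionaries and DER bytes are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and `fetch_live` (network only) shows how a real baseline would be captured.

```python
"""Spot a TLS-intercepting proxy by comparing the certificate presented for a
site against a baseline recorded on a trusted network. Added illustration, not
code from the thread; certificate details below are constructed samples."""
import hashlib
import socket
import ssl
from typing import Dict, List, Tuple


def flatten_name(rdn_seq) -> Dict[str, str]:
    """Flatten the nested tuple form getpeercert() uses for 'subject'/'issuer'
    into a plain {attribute: value} dict."""
    out: Dict[str, str] = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded leaf certificate."""
    return hashlib.sha256(der).hexdigest()


def make_baseline(peercert: dict, der: bytes) -> dict:
    """Record issuer and fingerprint observed on a network you trust."""
    return {"issuer": flatten_name(peercert.get("issuer", ())), "fingerprint": fingerprint(der)}


def interception_findings(peercert: dict, der: bytes, baseline: dict) -> List[str]:
    """Compare a freshly presented certificate with the baseline. An empty list
    means nothing suspicious; HIGH findings are what an inspecting proxy produces."""
    findings: List[str] = []
    subject = flatten_name(peercert.get("subject", ()))
    issuer = flatten_name(peercert.get("issuer", ()))
    if issuer and issuer == subject:
        findings.append("HIGH: leaf certificate is self-signed")
    if issuer != baseline["issuer"]:
        findings.append("HIGH: issuer changed from %r to %r"
                        % (baseline["issuer"].get("organizationName"), issuer.get("organizationName")))
    elif fingerprint(der) != baseline["fingerprint"]:
        findings.append("INFO: certificate re-issued by the same CA (normal renewal; re-baseline if expected)")
    return findings


def fetch_live(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[dict, bytes]:
    """Live capture (network required; not used by the offline checks): the
    parsed and DER forms of the leaf certificate as the local trust store sees it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed samples: what a trusted network presents versus what an inspecting proxy presents.
TRUSTED_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
TRUSTED_DER = b"constructed-der-bytes-trusted-network"
PROXIED_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Corp Inspection Proxy CA"),),),
}
PROXIED_DER = b"constructed-der-bytes-inspecting-proxy"

if __name__ == "__main__":
    baseline = make_baseline(TRUSTED_CERT, TRUSTED_DER)
    print("trusted network:", interception_findings(TRUSTED_CERT, TRUSTED_DER, baseline))
    print("behind proxy:   ", interception_findings(PROXIED_CERT, PROXIED_DER, baseline))
```

Two outcomes cover both situations in the post: if the proxy's CA is not installed on the endpoint, `ssl.create_default_context()` rejects the handshake outright (the "bad certificate" case the browser button refers to); if it is installed, the handshake succeeds and the issuer comparison is what reveals the substitution.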
@Huxley
It’s not an extreme claim, though; there are documented instances of it happening. CNNIC was revoked from the default store for specifically this (‘pay to play MITM’).