ELI5: Why is it advisable to use a VPN on public WiFi, How does it protect our security?

Chan said:
@Huxley
It’s not an extreme claim, though, there are documented instances of it happening. CNNIC was revoked from the default store for specifically this (‘pay to play MITM’).

That’s kinda my point. It’s a flagrant abuse and will get the CA kicked out of all the trust stores. If a CA is available for hire it’s only on the black market, and only for as long as it can go undetected—probably not long now that CT logs are a requirement.

@Huxley
Well I did not actually see it, other than having learned about it being theoretically possible. Yes, in normal situations it’s your separate CA, but the software technically doesn’t require that it is specifically a CA certificate. Just one that can sign for any hostname.

@Ciel
Yeah, CAs can issue intermediate certificates or cross-sign other roots. The CA/Browser Forum keeps a close eye on that and any abuses or breaches (which there have been) will result in a revocation.

The idea is that the VPN encrypts your data before sending it to the router, so the network admins can’t see your sensitive information. The fear isn’t so much that the McDonald’s network admins are gonna try and steal your data, but that hackers will set up fake McDonald’s networks to trick your device into auto-connecting.

The problem with this advice is that most modern web browsers do this same encryption natively, so the VPN is mostly just an unneeded redundancy.

That said, VPNs can still be useful for privacy, albeit in a more limited way. When connecting directly to the router, the data you send may be encrypted, but you still have to tell your router the domain name so it knows where to send it. With a VPN, the router is just told to send the data to the VPN’s server, so it doesn’t get to see the domain you’re trying to access. Which is useful if the website you’re trying to access is either prohibited by the network or otherwise compromising.

@Robin
> most modern web browsers do this same encryption natively,

More accurately, most modern websites do this; the browsers just follow what is available, though both Chrome & Firefox will actively complain if a site doesn’t use encryption.

@Robin
>but you still have to tell your router the domain name so it knows where to send it.

“In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States.[5] In May 2020, Chrome switched to DNS over HTTPS by default.” - https://en.wikipedia.org/wiki/DNS_over_HTTPS

@Payne
DoH hides the DNS queries, but unless ECH is also implemented by the site and the browser, the domain is still in plaintext in the TLS traffic itself.

@Payne
He should have said IP address.

@Robin
You can always attempt to use DoH and bypass the gateway’s DNS, which would resolve the domain name resolution inspection if not using a VPN.

@Robin
You don’t tell your router/firewall a domain name.
What that device will see is the SNI of the certificate and the IP address you’re going to. That’s enough to know you’re going to your bank’s website, but not enough to see your transactions or how much money you have, unless you’re doing SSL decrypt, which is a whole different discussion.
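Two replies above make the same point: DoH hides the DNS lookup, but the hostname still travels in the clear in the TLS ClientHello (the SNI extension) unless ECH is in use, and that is exactly what the gateway sees. As an added example that is not part of the original thread, the following Python builds a minimal ClientHello record and parses the server_name extension back out of it, the way a passive observer on the path would; it also flags whether an encrypted_client_hello extension is present, in which case the visible name is only the outer cover name. The ClientHello bytes and hostnames are constructed in the code, not captured from a real client, and the ECH payload is an opaque stand-in.

```python
"""Added example (not from the thread): build a TLS ClientHello and parse the
server_name (SNI) extension back out of it, to show that the hostname sits in
cleartext in the first packet of every TLS connection. The ClientHello bytes
are constructed here, not captured from a real client."""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D          # encrypted_client_hello extension codepoint (draft)


def build_client_hello(sni: str, ech: bool = False) -> bytes:
    """Construct a minimal ClientHello record carrying `sni` in the SNI
    extension. With ech=True an encrypted_client_hello extension is attached
    (opaque placeholder payload), so `sni` plays the role of the public
    outer name that ECH deliberately leaves visible."""
    host = sni.encode("idna")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host      # name_type=host_name
    exts = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_list) + 2)
            + struct.pack("!H", len(sni_list)) + sni_list)
    if ech:
        payload = b"\x00" * 32                                     # constructed stand-in
        exts += struct.pack("!HH", EXT_ECH, len(payload)) + payload
    body = (
        b"\x03\x03"                      # legacy_version TLS 1.2
        + b"\x11" * 32                   # client random (constructed)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\x13\x01"            # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                    # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record: bytes) -> dict:
    """Walk a TLS record and return {"sni": str|None, "ech": bool}.
    Raises ValueError on anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip version + random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len          # compression methods
    result = {"sni": None, "ech": False}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overflow ClientHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == EXT_ECH:
            result["ech"] = True
        elif etype == EXT_SERVER_NAME and len(data) >= 2:
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= min(2 + list_len, len(data)):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + nlen]
                if ntype == 0 and len(name) == nlen:   # host_name entry
                    result["sni"] = name.decode("idna")
                q += 3 + nlen
    return result


if __name__ == "__main__":
    # Anyone between the laptop and the bank sees the hostname here, DoH or not.
    print(parse_client_hello(build_client_hello("online.examplebank.test")))
    # With ECH the observer only gets the outer (cover) name plus an ECH marker.
    print(parse_client_hello(build_client_hello("public.example", ech=True)))
```

The parser is written against the ClientHello layout only; a real capture would need the TCP stream reassembled first, and a ClientHello split across two TLS records would need the records concatenated before parsing.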

Many commodity routers, especially in public spaces such as bed and breakfasts, airbnbs, and coffee shops are poorly configured, set up primarily for ease of customer access with minimal fuss. Every router these days comes with secure wifi enabled, but many are factory defaulted to effectively rebroadcast certain protocols to every other device on the network, again to make device discovery easy for hard to configure devices like smart plugs, lights, etc.

If you’ve ever seen YouTube controls pop up on your phone even if you’re not playing YouTube, it’s because there’s a Chromecast plugged in somewhere on the motel wifi. Remember if you can see them, they can see you.

VPNs prevent this.
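The post above describes device-discovery traffic reaching every client on a shared network, using the Chromecast controls that pop up on a guest's phone as the visible symptom. As an added example that is not part of the original thread, here is a Python decoder for a multicast-DNS (mDNS, RFC 6762) service-discovery response, the protocol that Chromecast discovery uses; every host joined to the same WiFi receives these multicasts, so the same code run on a socket bound to 224.0.0.251:5353 would list the neighbours' devices. The packet, instance name, hostname and IP address below are constructed in the code, not captured from a real device.

```python
"""Added example (not from the thread): decode a multicast-DNS (RFC 6762)
service-discovery response of the kind a Chromecast multicasts to
224.0.0.251:5353. The packet below is constructed in code; the device name,
hostname and address are made up."""
import struct

TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33


def _name(s: str) -> bytes:
    """Encode a dotted name in DNS label form (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"


def _rr(name: str, rtype: int, rdata: bytes, ttl: int = 120) -> bytes:
    # class IN with the mDNS cache-flush bit (0x8000) set, as announcements do
    return _name(name) + struct.pack("!HHIH", rtype, 0x8001, ttl, len(rdata)) + rdata


def build_mdns_response() -> bytes:
    """Constructed announcement: one Chromecast instance with PTR, SRV, TXT and A."""
    inst = "Motel Room TV._googlecast._tcp.local"
    host = "chromecast-1234.local"
    txt = b"\x0bfn=Motel TV" + b"\x0dmd=Chromecast"         # length-prefixed key=value
    records = (
        _rr("_googlecast._tcp.local", TYPE_PTR, _name(inst))
        + _rr(inst, TYPE_SRV, struct.pack("!HHH", 0, 0, 8009) + _name(host))
        + _rr(inst, TYPE_TXT, txt)
        + _rr(host, TYPE_A, bytes([192, 168, 1, 57]))
    )
    # header: id=0, flags=0x8400 (response, authoritative), qd=0, an=4, ns=0, ar=0
    return struct.pack("!HHHHHH", 0, 0x8400, 0, 4, 0, 0) + records


def _read_name(pkt: bytes, pos: int):
    """Decode a possibly-compressed DNS name; returns (name, position after it)."""
    labels, jumped, next_pos, hops = [], False, pos, 0
    while True:
        if pos >= len(pkt):
            raise ValueError("name runs past end of packet")
        l = pkt[pos]
        if l & 0xC0 == 0xC0:                                    # compression pointer
            ptr = struct.unpack("!H", pkt[pos:pos + 2])[0] & 0x3FFF
            if not jumped:
                next_pos = pos + 2
            jumped, pos, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if l == 0:
            return ".".join(labels), (next_pos if jumped else pos)
        labels.append(pkt[pos:pos + l].decode("ascii", "replace"))
        pos += l


def parse_mdns(pkt: bytes) -> dict:
    """Return {"services": {instance: {...}}, "hosts": {hostname: ip}} for one response."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qd):                                         # skip any questions
        _, pos = _read_name(pkt, pos); pos += 4
    services, hosts, ptrs = {}, {}, []
    for _ in range(an + ns + ar):
        name, pos = _read_name(pkt, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10]); pos += 10
        rdata_at = pos
        rdata = pkt[pos:pos + rdlen]; pos += rdlen
        if rtype == TYPE_PTR:                                   # service type -> instance
            inst, _ = _read_name(pkt, rdata_at)
            ptrs.append((name, inst))
        elif rtype == TYPE_SRV:                                 # instance -> host:port
            _prio, _weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = _read_name(pkt, rdata_at + 6)
            services.setdefault(name, {}).update(port=port, host=target)
        elif rtype == TYPE_TXT:                                 # instance metadata
            q, kv = 0, {}
            while q < len(rdata):
                l = rdata[q]
                k, _, v = rdata[q + 1:q + 1 + l].decode("utf-8", "replace").partition("=")
                kv[k] = v; q += 1 + l
            services.setdefault(name, {})["txt"] = kv
        elif rtype == TYPE_A and rdlen == 4:                    # host -> IPv4
            hosts[name] = ".".join(map(str, rdata))
    for svc, inst in ptrs:
        services.setdefault(inst, {})["type"] = svc
    return {"services": services, "hosts": hosts}


def devices_on_lan(pkt: bytes) -> list:
    """Flatten one parsed response into (instance, service type, ip, port) tuples."""
    p = parse_mdns(pkt)
    return [(inst, info.get("type", "?"), p["hosts"].get(info.get("host", ""), "?"),
             info.get("port", 0)) for inst, info in p["services"].items()]


if __name__ == "__main__":
    for inst, stype, ip, port in devices_on_lan(build_mdns_response()):
        print(f"{inst}  type={stype}  {ip}:{port}")
```

The decoder handles name compression because real announcements use it heavily; the constructed packet does not, so the pointer path is only exercised by a capture.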

The usefulness of a VPN for such a situation is limited.

In theory everything you send across the internet can be seen by anyone who controls any of the systems along the way.

Your ISP knows what websites you visit, for example.

If your ISP is temporarily some free wifi in a cafe, they will know too.

Under some circumstances someone else on the same network, or pretending to be that network, or having taken control of it, can get the same level of access to your communications.

Using encryption like https means that nobody along the way knows what exactly you send and receive. They know you googled something or visited reddit and Wikipedia, but not what you googled, which subreddit you looked at or which article on Wikipedia you read.

This level of security is usually enough.

There is some concern about man in the middle attacks, where somebody between you and the place on the internet you visit manages to intercept and edit the messages and messes with DNS to send your inquiries to the wrong place, but those mostly are mitigated with the sort of encryption tech that is already standard.

The danger is still there, but it is not nearly as bad as the people trying to sell you VPN services try to make you think it is.

All a VPN does is send all your traffic through the VPN. So your ISP or anyone controlling or listening in on the free wifi will only be able to see that you are using the VPN and nothing more.

This increases your security on that end. It also marks you as someone who has something to hide and it means that the company that runs the VPN now has the sort of data and opportunity to mess with you that your ISP had.

It also means that when law enforcement or similar wants to know which websites you visited they will have to subpoena or politely ask your VPN instead of your ISP.

At the end of the day the question is how much you trust the company or person that supplies your internet connection and how much more you trust the VPN provider and if the difference is worth it to you.

There are good reasons to use a VPN for some people in some situations in some places. You have to decide for yourself if you are one of them.

Ordinarily, anyone else on a WiFi network can monitor what websites (IP addresses) are accessed by what devices.

This could potentially reveal sensitive information if someone is able to associate a device with a person, such as what bank they use.

Most web traffic itself is encrypted, so the contents of webpages would still be invisible for anything sensitive, though.

Who is advising this? A VPN could potentially protect your data by additionally encrypting it against someone snooping on all data being transmitted over the local public network, if such data is not already encrypted (which most of it is), but generally this would be a fairly extreme measure, only necessary if you are expecting to be attacked or security is of extreme importance to you (such as being a govt official).

For regular folks, this is not a concern, unless you’re in China.

Most ‘advice’ about VPNs tends to be pretty much a ploy to sell VPN services to people who do not need them.

Flint said:
[deleted]

So what are the common and harmful methods and what measures can be taken to protect against them?

Maddox said:
[deleted]

Flint said:
[deleted]

Love the ChatGPT answer that’s just completely wrong.

Public wifi isn’t inherently insecure, provided you’re using HTTPS on all connections. You can also go DoH or DoT for DNS security too.

It’s not; it’s snake oil. There are really no security issues browsing the Web on public WiFi versus private WiFi. If you don’t know exactly why you need a VPN, then you don’t need it.

The thing about security when it comes to any sort of communication on a network can be described using a famous ‘Alice-Bob-Eve’ example.

Say Alice wants to send something to Bob. This message will be sent over a network (WiFi, cellular or anything). Eve is an attacker who wants to listen to this message.

In your situation, Eve may be able to read things that are being sent over a network. This can be done using a man-in-the-middle attack or a compromised router.

Using a good VPN essentially masks your location, IP and adds an additional layer of encryption to your messages. This makes it much harder, and in turn, generally much less interesting for an attacker to target you.

Edit: This is usually not an issue for browsing something like YouTube at Starbucks. But it becomes relevant if you are transmitting sensitive information or are on an untrusted network, as most public WiFi is.