Hello everyone. I have been working in cyber security for about 2 years now. I try my best to get down to the technical “whys” for practices whenever possible. Something I have been researching off and on now for a month is the technical benefits of client-focused VPN usage.
I know the basics of how a VPN works, pay for, and use one personally because when I broke into the career field I always heard it was safer to use one.
I have seen many many people say and post something like this “I don’t use a VPN at home but you should always use a VPN in a public network like a hotel or restaurant”
I realized last month that I don’t necessarily know the why for this as much as I thought I did and my research online and discussions with others has not really left me satisfied. I was hoping to get some perspectives from people that have been in the industry for a bit.
If I was in an untrusted public network, I am tracking a couple risks:
-
Evil twin -> I connected to a malicious device and am going through them to make request now
-
Compromised router -> Potential access to see my packets coming and leaving network
-
Sharing a network with someone potentially malicious -> I am sure they could arp-scan and probe my device
I am sure there are gaps in my knowledge as to why I am having an issue answering this, so please let me know if there are things I am not considering as I hope to learn from this.
For risk 1 and 2: I ran some Wireshark before making this post to spot check some of my basic understanding of TLS before making this post. When I browsed to reddit, it looks like I was indeed using TLS. From what I understand, most websites utilize HTTPS. If a “bad guy” was sniffing me out, even on a public network, they would see my ClientHello which does contain the SNI for reddit and my JA3 information. After that, all the application data is encrypted. So they would essentially know that someone with my private IP and MAC establishing a TLS connection with reddit.
Now in a more serious attack like Evil Twin, I suppose there is the risk of getting sent malware from a legit MitM position depending if the website uses any unencrypted things like JavaScript files if I am solely relying on TLS with no VPN.
For risk 3: I could be pinged and probed sharing a network with someone. With proper endpoint device security, this doesn’t seem too bad, not ideal, but the VPN does not fix this problem. Me establishing a tunnel to the VPN server does not eliminate the fact that someone in my same network can try to interact with my Private IP/MAC.
These are the benefits of a VPN that I am tracking:
-
Geolocation spoofing/Privacy
-
Encrypted tunnel from client to VPN server. So if I browse to something that is not HTTPS, my unencrypted web request will be inside the encrypted VPN tunnel on the way to the VPN server; however, the traffic from the VPN server to the HTTP server will be unencrypted.
-
Maybe its harder to strip encryption from a VPN provider than TLS?
Is there anything I am missing in the risks above or benefits of VPN usage within the context of an untrusted network. I am under the impression someone is probably fine if they are going to reputable websites even when on a public network. Some snooper will just get a bunch of SNIs and anything else in that client hello and server response.
I’m looking to fill my technological gaps instead of just agreeing that “VPN is good, so safe!”.
Edit:
Thanks for everyone that participated in this discussion! Learned a lot of different perspectives and technical deetz!