Why is a VPN safer on public networks, really

Hi everyone. I’ve been in the cyber security field for about two years now. I try to understand the technical reasons behind practices whenever I can. Lately, I’ve been looking into the technical benefits of using client-focused VPNs.

I know the basics of how VPNs operate, I pay for one, and I use it myself since I’ve heard that it’s safer.

I’ve seen many people say something like, “I don’t use a VPN at home, but you should always use a VPN on public networks like hotels or cafes.”

Last month I realized I didn’t really know why that was the case as well as I thought, and my online research hasn’t made me feel satisfied. I would appreciate some insights from those more experienced in the industry.

If I’m on an untrusted public network, I’m aware of a couple of risks:

  1. Evil twin: I might connect to a fake device that is pretending to be legitimate.

  2. Compromised router: It could be possible for someone to see my data packets coming and going from the network.

  3. Sharing a network with potentially malicious users: I bet they could scan my device for vulnerabilities.

I know I might not have all the knowledge here, so if I’m missing something, I’d appreciate your input.

Regarding risks 1 and 2: Before writing this, I used Wireshark to check some basics of TLS. When I went to Reddit, I saw that I was indeed using TLS. Most websites use HTTPS. If someone harmful were snooping on me, they would see my ClientHello, which has the SNI for Reddit and my JA3 information. After that, all my application data is encrypted. So, they would know that a device from my private IP and MAC is trying to connect to Reddit.

For a serious attack like Evil Twin, I suppose there’s a risk of receiving malware from a Man-in-the-Middle situation, especially if the website uses unencrypted elements like certain JavaScript files, assuming I rely solely on TLS without a VPN.

For risk 3: I could definitely be scanned or probed by another user on the same network. With good security on my device, this doesn’t seem too risky, though. The VPN doesn’t solve this issue. Just making a tunnel to the VPN server doesn’t stop someone on the same network from trying to access my private IP or MAC.

Here are the benefits of a VPN that I’ve identified:

  • Geolocation masking and privacy
  • An encrypted tunnel from my device to the VPN server. If I visit a non-HTTPS site, my unencrypted request will be encrypted inside the VPN tunnel when going to the server; the traffic from the VPN server to the HTTP server remains unencrypted.
  • Maybe it’s harder to strip encryption from a VPN compared to TLS?

Is there something I’ve overlooked regarding risks or VPN benefits in a public network context? I think as long as someone visits trusted websites, they should be okay even on a public network. Snoopers will mostly just gather SNI and some data from the ClientHello and server response.

I’m more interested in filling in my knowledge gaps rather than just saying, “VPNs are good and safe.”

Edit:

Thanks to everyone who joined this discussion! I learned a lot from the various perspectives and technical details!
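The ClientHello leakage described in the post (SNI visible, application data encrypted), as an added example that is not part of the original thread. It builds a constructed minimal ClientHello (not a real capture) and shows the only thing a passive observer on the Wi-Fi can read from it: the server name. The encrypted application-data record is handled as an edge case and yields nothing.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal ClientHello record (constructed sample, not a real capture)."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # type host_name + name
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    alpn = b"\x02h2"
    alpn_ext = struct.pack("!HHH", 0x0010, len(alpn) + 2, len(alpn)) + alpn
    exts = sni_ext + alpn_ext
    ciphers = struct.pack("!HH", 0x1301, 0xC02F)                        # two cipher suites
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                        # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                               # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type ClientHello + length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None for anything else.

    This mirrors what a passive snooper on the network sees: the SNI is in clear text,
    while a later application-data record (type 0x17) carries nothing readable.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                   # not a handshake record with a ClientHello
    p = 9 + 2 + 32                                    # record + handshake headers, version, random
    p += 1 + record[p]                                # skip session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # skip cipher suites
    p += 1 + record[p]                                # skip compression methods
    if p + 2 > len(record):
        return None                                   # no extensions present
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        if etype == 0 and len(data) >= 5:             # server_name extension
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
        p += 4 + elen
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.reddit.com")))   # the one field a snooper reads
    print(extract_sni(b"\x17\x03\x03\x00\x05\x8a\x11\x42\x7c\x09"))  # encrypted data: None
```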

VPNs are popular for public places because of issues like the Firesheep software:

https://en.wikipedia.org/wiki/Firesheep

Back when SSL wasn’t common, someone could see what others were doing online.

Now with SSL (TLS), things are much better. But you need to ask yourself, do you trust the network? Can it modify your traffic? Some ISPs or cafes even inject ads into pages you visit, seriously.

It’s all about trust—trust in the cafe, your ISP, your VPN provider, and so on.

VPNs are mainly used to connect to resources behind a firewall. It was standard corporate access before cloud services really took off. So, this technology has been repurposed and marketed to make some cash.

@Cade
I might not fully grasp TLS, but I thought the certificates would prevent traffic modification. I’ve done labs in various courses where we stripped TLS packets, but we needed the client to accept the certificate first just to demonstrate the lab. I learned that this only works if you trick the client into accepting your certificate. I think snooping would still remain encrypted unless someone downloaded a harmful certificate and fell victim to a MitM.

@Khai
You’re spot on. SSLstrip worked in the past, but with HSTS in play, that’s done and dusted.

Kei said:
@Khai
You’re spot on. SSLstrip worked in the past, but with HSTS in play, that’s done and dusted.

I’ve been using SmartProxy for market research—definitely worth it if you need reliable and affordable proxies.

@Khai
While it should be hard, it’s not flawless.

Check this: https://www.grc.com/fingerprints.htm

Plus, you never know what access points are doing with break and inspect. The SNI you mentioned is frequently exposed anyway.

@Arden
Key thing here: breaking SSL (TLS) for inspection means you’ll see a certificate error. This mainly works in enterprise setups where a root cert can be pushed to users.

Most users probably hit ‘accept’ on SSL cert errors, so that’s definitely a problem. But at least they were warned.

@Finian
That’s true for good access points like hotels. They would use a legitimate certificate from a trusted root and conduct break/inspect without arousing suspicion, unless you check the certificate fingerprint. Check my earlier link.

@Arden
You can’t just use a real certificate from a trusted root like that.

Please read more before speaking with confidence about a topic you’re not well versed in.

Dakota said:
@Arden
You can’t just use a real certificate from a trusted root like that.

Please read more before speaking with confidence about a topic you’re not well versed in.

How does GoDaddy handle certificate deployments for their customers?

@Bennet
Because you can validate using HTTP endpoints or DNS TXT records through Let’s Encrypt. GoDaddy controls the validation process.

Cruz said:
@Bennet
Because you can validate using HTTP endpoints or DNS TXT records through Let’s Encrypt. GoDaddy controls the validation process.

Sure, that’s how they check ownership of the domain. But I question what action GoDaddy takes when it comes to deployed certificates, especially regarding oversight from the major root cert holders like Apple or Microsoft.

@Bennet
Yes, if a Certificate Authority gets compromised, that’s a serious matter. This isn’t common, but state-sponsored threats can be an exception.

Cruz said:
@Bennet
Yes, if a Certificate Authority gets compromised, that’s a serious matter. This isn’t common, but state-sponsored threats can be an exception.

This comment is empty, admin should fix

Dakota said:
@Arden
You can’t just use a real certificate from a trusted root like that.

Please read more before speaking with confidence about a topic you’re not well versed in.

That’s not at all what I said. You get certificates by making a CSR and submitting it to a CA, that’s what I meant.

@Arden
So, are you suggesting that enterprise access points submit CSRs to trusted CAs and they just… issue the cert in real-time without any verification?

Finian said:
@Arden
So, are you suggesting that enterprise access points submit CSRs to trusted CAs and they just… issue the cert in real-time without any verification?

I assumed you’d understand I’m talking about established companies that care about preventing malicious traffic on their free Wi-Fi, like a hotel chain. They would absolutely use real certificates from a CA.

@Arden
What does the cert on a WAP have to do with SSL inspection?

@Arden
That’s not how TLS functions.

@Arden
Uh, this isn’t how it works.