• chrischryse@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    ·
    3 months ago

    So I’m confused networking stuff has never been my strong suit, is this saying you can still be fucked on public WiFi even if you connect through a VPN?

    • WolfLink@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      50
      ·
      3 months ago

      There are some attacks you are vulnerable to on public WiFi that a VPN can help with.

      More generally, whoever is transporting your data knows who you are talking to. If you don’t use a VPN, your ISP and whoever owns the router know what websites you are visiting (although they don’t know the specific content). If you use a VPN, your ISP and router know you are using that VPN, but not what websites you are visiting. Now your VPN knows what websites you are visiting, but they still don’t know what the content is.

      I hope that helps.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          13
          ·
          3 months ago

          You can substitute “Tor” for “VPN” in the above and be largely correct. Tor acts like a VPN, but every packet goes through multiple hops, so an attacker would need to do quite a bit of work (i.e. compromise multiple nodes) to link traffic to you.

          So:

          • TLS (https) - network owner can’t see specific content, but can determine what sites you visit
          • VPN - network owner can’t tell what sites you visit, but can tell you’re on a VPN; VPN can tell what sites you visit, but not specific content
          • Tor - network owner can’t tell what sites you visit, but can tell you’re using Tor; Tor exit node operators can see what sites people using it visit, but can’t attribute it to an individual user w/o a sophisticated attack

          In most cases, TLS is perfectly fine, provided you make sure to not click through any TLS errors (i.e. certificate can’t be validate => probable middle-man attack), and using a VPN is probably overkill. A VPN protects you from that middle-man attack, but honestly, if you’re savvy enough to use a VPN, you’re probably savvy enough to not get compromised by a middle-man attack. Likewise if you use Tor, you’re probably savvy enough to not get compromised by a middle-man attack.

          That said, I fully support using Tor and VPNs, I just won’t go so far as to say someone is dumb for not using them on public Wi-Fi. Make sure you’re connecting to a real Wi-Fi service and don’t disable TLS protections and you’re probably fine, from a security perspective. If you’re likely to be targeted by a government agency, Tor is the bare minimum of what you should use.

          • PM_Your_Nudes_Please@lemmy.world
            link
            fedilink
            English
            arrow-up
            7
            ·
            edit-2
            3 months ago

            Yup. The way I’ve always described it is this:

            Http means your employer knows you watched porn on the company WiFi, and they also know which specific videos and what your username for the site is. If site security is particularly lax, they may even know your password.

            Https means your employer can see you watched porn on the company WiFi, but they don’t know which video(s) specifically, and they don’t know your login info.

            VPN means your employer only knows you connected to a VPN. They may be able to take educated guesses at what type of content you were viewing (streaming video, for example, has a pretty easily identifiable pattern of data transfer,) but they don’t know what video you were watching, or what site it was coming from. The VPN service knows you watched porn, but the aforementioned rules about http and https still apply; If you’re using https, they don’t know specifics.

            Tor means even the VPN doesn’t know which specific video(s) you’re watching, because they just see a connection to another Tor node, which sees another tor node, which sees another tor node… Etc. In order to know what you’re watching, they would need to own every node in the chain. If they own both the entry and exit node they may be able to match it to you with a timing attack, (they see packets going into the Tor network at the same time they see packets coming out towards you). Again, they can make educated guesses based on pattern recognition, but they won’t have a clear picture without owning both your entry and exit nodes and performing a timing attack.

            Now you can substitute “your employer” for anyone who is trying to get your info. Public WiFi spoofer, your ISP, etc…

            • sylver_dragon@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              3 months ago

              Probably worth noting that, if you are using an employer owned system to watch said porn, they likely have software on the endpoint which will let them see what porn you are watching, regardless of HTTPS/VPN/Tor. Depending on how much your employer cares about such things, that may or may not come back to bite you. I’ve worked at places where we regularly reported on users watching porn on work computers, and I’ve worked at places where we only reported on users getting malware while browsing porn at work. But, never assume your activity isn’t being monitored on employer owned systems.

              • sugar_in_your_tea@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                ·
                3 months ago

                Exactly. If it’s company-issued, assume there’s spyware installed. We recently added a certain level of spyware to ours to monitor system files (afaik it’s not screen recording or anything like that) because these aren’t company issued devices (we bought them separately.

      • kurcatovium@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        What about DoH/DoT which comes enabled by default in some browsers I believe? This should “hide” your activity from isp/router as well, shouldn’t it?

        • xthexder@l.sw0.com
          link
          fedilink
          English
          arrow-up
          9
          ·
          3 months ago

          The ISP will always know the IP you’re connecting to. Encrypted DNS might get you slightly more privacy for sites using shared IPs like with Cloudflare. But in a lot of cases, there’s only 1 website per IP, so the ISP still knows where you’re browsing. A VPN solves this by routing all traffic through the VPNs IP first. But you can still be tracked just the same by the VPN and to an extent, the VPNs ISP.

        • Eufalconimorph
          link
          fedilink
          English
          arrow-up
          5
          ·
          3 months ago

          DoH & DoT still leak the domain name (and of course IP address) you’re connecting to. The domain name leak can be solved by Encrypted Client Hello but that’s still a draft and not turned on for many servers.

        • MystikIncarnate@lemmy.ca
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 months ago

          Yes and no.

          Modern HTTPS connections send the URL you are connecting to in the initial hello, so the remote webserver knows what security certificate to use when you connect. A lot of web servers host multiple sites, especially for smaller webpages, and so it doesn’t assume that since you connected to that specific webserver, that you’re connecting to the site that the webserver is hosting, even if it’s only hosting a single site.

          This can leak the data to anyone sniffing the traffic.

          You can also determine some traffic by IP address, this is for larger web services like Facebook, youtube and other sites of similar size. They load balance groups of IPs for their traffic, all are serving the same data. So if you connect to an IP that’s owned by Facebook, for example, then your actions can be easily derived.

          Since the connection is still secured by TLS, the content can’t be deciphered, but the location you are going to absolutely can.

          It really depends on a lot of factors.

    • Encrypt-Keeper@lemmy.world
      link
      fedilink
      English
      arrow-up
      21
      arrow-down
      1
      ·
      3 months ago

      No, the context is that for many years, shady commercial VPNs would sponsor YouTubers and the scripts they were given were full of lies and half truths about the dangers of public WiFi, with the implication being that if you purchase their VPN service they will “protect you”. But the problems these VPN companies were claiming to solve have already been solved by HTTPS and it’s perfectly fine to use public WiFi without a VPN. They are using scare tactics to sell you a product.

      What this poster is saying is that they’re disappointed to see this same fear mongering misinformation from Proton, who have an otherwise good reputation for being consumer friendly.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        11
        ·
        3 months ago

        Exactly. Using a VPN can improve your anonymity, provided you trust your VPN operator more than the infrastructure you’re using. But many VPN vendors claim a VPN is essential to provide security, which isn’t true in the slightest, and Proton shouldn’t be stooping to that level. There are plenty of good reasons to use a VPN that don’t involve illegal activities, but it’s hardly essential for the average person.

    • ripcord@lemmy.world
      link
      fedilink
      English
      arrow-up
      20
      ·
      3 months ago

      Networking stuff IS my strong suit, and I’m confused about what points most people here, including OP, are trying to make here. Maybe I’m just not awake enough yet.

      Wtf proton what? What do people think Proton is saying and what’s the WTF part…?

      • BeMoreCareful@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        3 months ago

        I don’t think the confusion has anything to do with networking. I’ve been puzzling over this post for a few minutes now… To be honest, I think I’m just more confused.

        Maybe this is some sort of AI battle of the wits or contagious stroke or something.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        3 months ago

        Look at the link in the description.

        Basically, someone went on a rant saying using public wi-fi w/o a VPN is extremely risky, and Proton is basically boosting it, implying a relationship w/ the OP. Proton argues that this is satire and part of a viral trend of misattributing quotes and topics, and the poster here is calling Proton out on it, likening them to the scammy VPN companies that sponsor YouTube videos and other SM content that oversell their claims.

        So basically Proton claims they’re being satirical, and the poster is saying they’re just as bad as other VPN companies.

    • mlg@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      3 months ago

      is this saying you can still be fucked on public WiFi even if you connect through a VPN?

      The quick and dirty answer is no, unless an attacker can figure out a way to get your VPN to strip it’s encryption (doubt you’ll ever see this outside something like defcon but you never know lol).

      The long answer is that not all VPNs are equal depending on what you are trying to accomplish.

      A VPN will simply tunnel your internet traffic over an encrypted channel to a server anywhere in the world.

      On a technical level, this means that it will guarantee your internet traffic is unreadable until it hits the destination, which does mean it can make it more secure to use a public wifi/hotspot.

      Of course privacy is actually a massive security iceberg, so some caveats in no particular order are:

      spoiler
      • Modern protocols like HTTPS are already encrypted, although someone can still mess with stripping and poisoning techniques, so having a VPN running would be peace of mind.

      • Your privacy from companies like Google, Facebook, etc won’t be enforced by a VPN if you don’t also use a new browser session (incognito) because they can easily track your identity via cookies and accounts.

      • Even if you use a fresh session and dedicated VPN accounts, aforementioned tech companies can still identify you via statistical modeling based on your activity. They don’t really care what your IP is unless they need to pay tax for a country or follow some random media block law.

      • Your privacy from the government is nonexistent because most VPN companies will share your info if the government requests it.

      • Lots of VPNs choose to block torrenting so they don’t have to deal with protecting their customers (although lots also don’t).

      • Even if you setup your own VPN via a VPS in anonymous way, the government can still watch your exit traffic and link the origin back to you by inspecting the VPN packets (which is why Tor exists, a much different solution to the privacy problem).

      You should use a VPN if:

      • You want to torrent copyrighted material (yar har piracy)
      • You want to spoof your location to get access to geolocked content
      • You want to negate an attackers ability to mess with your connections on public WiFi
      • You want a secure channel between two of your own locations (make two separate networks accessible to eachother, or VPN to home/work to access resources on that network).
      • ^ same thing but remote access etc.

      You should not use a VPN if:

      • You need to hide what you do on the internet from the government (See Tor, journalists stuck in shithole regimes).
      • You want privacy from internet megacorps (you’d have to keep fresh sessions or use them sparingly which you can 90% do without a VPN anyway)
      • You want to hide anything after it reaches the VPN server (public VPN services, doesn’t apply if you VPN to something you physically own and access only its local resources).

      After all that, the use case basically becomes:

      • VPN to within your own country to secure your connection on public WiFi
      • VPN to home or work to access network
      • VPN with a good public service to other countries to watch or torrent media
    • ricecake@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      5
      ·
      3 months ago

      Yes, to a degree. A VPN protects you from an attacker on the same WiFi network as you and that’s about it.

      Most assaults on your privacy don’t happen like that, and for the most part the attacks that do happen like that are stopped by the website using https and proper modern security.
      The benefit of the VPN is that it puts some of that protection under your control, but only as far as your VPN provider.

      A VPN is about as much protection from most cyber attacks as a gun is.

      They’re not a security tool, they’re a networking tool. They let you do some network stuff securely, and done correctly they can protect from some things, but the point of them is “this looks like a small, simple LAN, but it’s not”.

      It’s much easier to package and sell network tools than security tools, and they’re much more accepted by users, since security tools have a tendency to say “no” a lot, particularly when you might be doing something dumb,and users hate being told no, particularly when they’re doing something dumb.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        Exactly. VPN companies vastly oversell what their services offer.

        That said, I set up my own VPN, we use one at work, and I’m considering paying for a commercial VPN service. My personal VPN gets around my ISP’s CGNAT so I can host public services within my LAN, my work VPN gives us remote access to protected services, and the commercial VPN I’m considering paying for is to get around my state’s laws (they are requiring ID for porn and social media, and I think that’s a privacy overreach).

        VPNs have their place, but they’re hardly “essential” for most people, especially if your concern is security.

    • jagged_circle@feddit.nl
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      6
      ·
      edit-2
      3 months ago

      Yes. X.509 means https is worthless protection from APTs

      Edit: its clear from downvotes that people in this community don’t understand security and don’t understand how to use Lemmy downvote buttons