by cantrevealname 2635 days ago
> If you are using your device on a public network, VPNs can help you protect your data. I have a ProtonVPN subscription myself, just for those instances where I am sitting in an airport waiting for my plane

Seems like a contradictory message. He just got through telling us how most of the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at the airport? Is he checking his email? I can't imagine that he's using an email service that doesn't use HTTPS. Is he logging into his bank account? I doubt any bank nowadays still uses plain old unencrypted HTTP. Is he watching cat videos on YouTube? Well, even that's encrypted.

Remember, his argument is that VPNs don't provide privacy--so that's not the reason. And this is the section where he's talking about public networks, not about other rationales for VPNs like geolocking or ISP blocking. It weakens the argument of his essay to say that he needs a VPN at the airport or cafe.

10 comments

I felt exactly the same way. I've run into people who have the idea that public wifi is insecure, as in don't hit your bank's website over that insecure channel. But in reality, the services that really need security are going over TLS, where at least the connection itself is secure (presuming that you are taking the same safeguards that you'd take on a "secure" network). In reality, no internet network is naturally secure, and the only security is transport-level encryption.

But, of course, there is more to it than that. What about the unencrypted connections? DNS access and logging? Ironically these are what people tend to worry the least about but are the most likely to be compromised. A VPN can be very helpful here.

The article brushed across this distinction in a way that I think may have just been confusing to anyone that didn't already understand it. The net effect is that they might see these two pieces of advice as contradictory.

>But in reality, the services that really need security are going over TLS, where at least the connection itself is secure.

I think other considerations include whether or not the sites that you visit implement HSTS. While many sites do support HTTPS-only logins, several web services are actually quite vulnerable to software such as SSLstrip [1], which redirects hijacked users to plaintext HTTP pages whenever feasible.

While many sites implement TLS, several sites don't implement HSTS. I am not sure about the HSTS policies of the top 3000 sites so I will not comment on that.

[1] https://moxie.org/software/sslstrip/

The bigger issue with public wifi is even actually finding your bank's server in the first place. HSTS largely saves the day here, but is far from universal. If any non-TLS requests are in the request chain, and you don't have an eagle eye on the address bar, all bets are off.

Right, and he's not counting the metadata an ISP or wifi provider can be collecting about you. They might not be able to see your private traffic to your bank, but now they know who you bank with. You might be passing that information on to ProtonVPN, but I'm more afraid of what someone sniffing wifi traffic can find out about me than a service I'm paying for; it's about the same risk with my ISP. AT&T even collects data from its consumers.
> So why does he need a VPN at the airport?

Because the airport made a shitty choice in designing its wifi, and people who connect to such networks are making shitty choices.

HTTPS is nothing more than a content protocol wrapped in a transport encryption layer used for a subset of your overall traffic.

When you connect to an open wifi network your device is literally screaming 1s and 0s into the air like a maniac. A subset of these 1s and 0s are the things you're actively telling the computer to do. Most of this stuff is things like ARP, Name resolution services and other stuff that isn't encrypted for perfectly understandable reasons.

Instead, when connecting to an open airport wifi network, a personal decision is made that the connectivity is more important than encryption. Airport wifi connections could and should be encrypted with AP client isolation, but they aren't.

How exactly is the airport supposed to offer a WiFi network that is encrypted and open without breaking usability and compatibility?

This hasn't been possible until WPA3, which has barely started rolling out.

OWE and an SAE PSK network with a well known PSK do not solve the trust issue of connecting to public Wi-Fi rather only the encryption issue.

Take the example that you are connecting to an SSID named "Airport_Guest_WiFi". In the case of OWE you simply connect and now everything between you and "Airport_Guest_WiFi" is encrypted. In the case of PSK with SAE you connect to "Airport_Guest_WiFi" and exchange information to generate secret keys only you two know. The problem in either scenario is you've just set up encryption, not trust. How do you know the "Airport_Guest_WiFi" you connected to was the airport's or the attacker's?

WPA3 Enterprise solves this issue somewhat but is not realistic to deploy for temporary guest networks.

I argued ever since I heard OWE was going into draft that it should have some optional mode for PKI validation. E.g. if you connect to the SSID "guestwifi.airport.com." and the airport signed the hello with the cert for that domain, then the client could validate that against its root stores and have the same level of identity trust it does when connecting to usersbank.com. Clients need not be forced to validate it, but at least it gives a realistic option for connecting to such networks.

Many ways to do this.

Make the password widely-known. Announce it over the intercom. Post it on the walls.

Offer both encrypted and non-encrypted SSIDs. The non-encrypted SSID could even just be a captive portal with instructions to connect to the encrypted SSID.

If you're feeling wild, use WPA2 Enterprise, and accept any credentials.

"WPA and WPA2 don't provide forward secrecy, meaning that once an adverse person discovers the pre-shared key, they can potentially decrypt all packets encrypted using that PSK transmitted in the future and even past, which could be passively and silently collected by the attacker. This also means an attacker can silently capture and decrypt others' packets if a WPA-protected access point is provided free of charge at a public place, because its password is usually shared to anyone in that place. In other words, WPA only protects from attackers who don't have access to the password."

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Lack_of...

Notably, this is only a problem for WPA2-PSK, not WPA2-Enterprise. But, fair enough -- this does render my first suggestion unsuitable.

Doesn't the widely-known password render the encryption useless to anyone that has captured the 4-way handshake at the beginning of your Wi-Fi session? With the PSK and your session keys an attacker can decrypt your traffic, if I remember it correctly.

It is already possible using a combination of WPA Enterprise (802.1X) and RADIUS. The RADIUS server is configured to accept any username/password combination, effectively providing an open access point but isolating its users, because the 802.1X scheme employs different key material for each user (not completely sure about that key material part, but I think that's how it works).

>Seems like a contradictory message. He just got through telling us how most of the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at the airport? Is he checking his email? I can't imagine that he's using an email service that doesn't use HTTPS.

Because the Internet is more than the stuff that lives on port 443?

What does the author do about UDP packets?

It’s interesting that you mention email. SMTP can use TLS of course but I know of plenty of POP3 email providers that still send unencrypted and even if it were, it’s not using HTTPS.

What about DNS requests too? Those are still often sent in cleartext.

Even with actual HTTPS with a browser, the domain itself is visible.

In short - the Internet is not just the web.

That would imply the author cares enough about privacy / security to use a VPN to hide, for example, POP3, but not enough to immediately drop an email provider which uses an unencrypted POP3 service. And that's a strange argument.

Probably because a person can more trivially be taught "VPN = privacy" than to understand ANY of the details, and be legitimately better off, especially if they are doing other stupid things like using unencrypted POP3 or using the same password at a random HTTP site as they use on their bank.

He made this point explicit:

> Networks like these make it easy for attackers to get a copy of your network data, and if you send something unencrypted, the results can be quite harmful.

The web should be ideally end-to-end encrypted with HTTPS. But in case this assumption breaks down, VPN gives an additional headroom for security. Not much (as explained in the article, and thus should not be advertised so), but still useful.

The VPN only protects the first hop; it would not be a good backup for HTTPS.

Yes, but if the target site does not use HTTPS there is no alternative.

It protects the first hop for request data. But response data could be interfered with too.

The internet is so much bigger than just websites. HTTPS is great, but VPNs provide encryption at a much lower level, where it should be. Even when using HTTPS you are exposing a lot of unencrypted data, because HTTPS is application-layer encryption. It's not enough.
> The web should be ideally end-to-end encrypted with HTTPS.

No. People designing public access networks should use encryption and AP client isolation.

They should, of course. And for when they don’t, a VPN can protect you. That’s what the article is saying.

I'm responding to OP's comment, not the article.
>most of the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at the airport?

What percentage of (typically rushed) people at an airport will notice that a website is loading over http instead of https? SSLsplit is pretty useful.

Does your bank, or whatever, not use HSTS?

My bank doesn't _and_ there's a redirect to a different domain (the rbs.co.uk homepage goes to personal.rbs.co.uk or rbs.co.uk/englandandwales, and the login link goes to rbsdigital.com). Serve a redirect on the non-HTTPS rbs.co.uk to some other plausible domain with a valid HTTPS certificate, and I probably wouldn't notice.

Last time I checked, about 2 years ago, none of the Swedish banks used HSTS. And a couple of them used HTTP on their main page and HTTPS on their internet bank, which was put on some weird domain. Chrome's changes have since then forced them to move everything to HTTPS, but I would be very surprised if they all use HSTS now.
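The weakness the two comments above describe (a plain-HTTP front page that redirects, hop by hop, to a login host on a different domain, with HSTS missing or short-lived along the way) can be audited mechanically from a recorded redirect chain. This is an added example, not code from the thread; the chain and its `.test` hostnames are constructed, and `registrable()` is a deliberately crude stand-in for a Public Suffix List lookup.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # HSTS preload requires max-age of at least one year


@dataclass
class Hop:
    url: str
    status: int
    location: Optional[str]  # Location header on 3xx responses
    hsts: Optional[str]      # raw Strict-Transport-Security header, if any


def parse_hsts(value: Optional[str]) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives (RFC 6797)."""
    directives = {}
    for part in (value or "").split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def registrable(host: str) -> str:
    # Crude stand-in (assumption): last two labels. Real code should consult the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def audit_chain(chain: List[Hop]) -> List[Tuple[str, str]]:
    """Flag hops an on-path attacker could downgrade or a user could not verify by eye.

    PLAINTEXT     - fetched over http://; strippable, and HSTS cannot have applied yet
    NO_HSTS       - https hop that never tells the browser to refuse plain HTTP next time
    SHORT_MAX_AGE - HSTS present but lapses in under a year, i.e. between rare visits
    CROSS_DOMAIN  - redirect leaves the registrable domain, so a look-alike target passes unnoticed
    """
    findings = []
    for hop in chain:
        parts = urlsplit(hop.url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            findings.append(("PLAINTEXT", host))
        else:
            directives = parse_hsts(hop.hsts)
            if "max-age" not in directives:
                findings.append(("NO_HSTS", host))
            else:
                raw = directives["max-age"] or ""
                max_age = int(raw) if raw.isdigit() else 0  # malformed value gives no protection
                if max_age < ONE_YEAR:
                    findings.append(("SHORT_MAX_AGE", host))
        if hop.location:
            target = urlsplit(hop.location).hostname or ""
            if registrable(target) != registrable(host):
                findings.append(("CROSS_DOMAIN", f"{host}->{target}"))
    return findings


# Constructed chain modelled on the pattern described in the thread: plain-HTTP front page,
# redirect to a personal-banking host, then on to a login host on a separate domain.
SAMPLE_CHAIN = [
    Hop("http://examplebank.test/", 301, "https://examplebank.test/", None),
    Hop("https://examplebank.test/", 302, "https://personal.examplebank.test/", None),
    Hop("https://personal.examplebank.test/", 302, "https://login.examplebank-digital.test/", "max-age=300"),
    Hop("https://login.examplebank-digital.test/", 200, None, "max-age=31536000; includeSubDomains"),
]
```

Every finding on the sample chain is a point where a first-time visitor on hostile wifi gets no help from the browser: the first hop can be stripped, the second never sets HSTS, and the domain change means an address-bar check would not catch a substituted login host.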

HTTPS Everywhere is also a good workaround for this: https://www.eff.org/https-everywhere
I can't help but shake my head at this whole argument.

For literally years I've been telling people that a VPN run by a third party does not enhance privacy or security, but because the consensus is "VPN = secure" it's a losing battle, and I sound like a tinfoil-hat-wearing loon.

Most VPN services are not designed to provide privacy or security, and if you have a subscription to one, that's probably not the reason you bought it either. They're designed to provide the minimal amount of traffic hiding required to allow you to pirate TV/movies/video games without getting in trouble or hitting blocked URLs. And it works, or you wouldn't still have the subscription.

Now, as both the buyer and the seller need a non-shady cover story, they describe hiding your suspect downloads as "security and privacy" - it's not utterly inaccurate, but it implies far more than what's happening.

The problem with the narrative is that it makes laypeople think they are "more secure" when using a VPN, when in reality, the opposite is true.

As an example, when I perform a Google search, my traffic is encrypted over SSL, so my ISP can't see that. My ISP can see the domain name of the result I click, and a VPN would mask that from them. But now a new third party (the VPN provider) can see that instead. This makes sense if you're downloading pirated media (as the VPN service doesn't care), but the buyer is in effect trading:

1) An ISP, which is in most western countries heavily regulated, with legal commitments to auditing and your privacy (just not from law enforcement).

for:

2) Some computer somewhere that is run by an utterly unregulated company or individual that may or may not know how to configure OpenVPN correctly and that you don't know anything about, other than they run a shady business based on allowing you to download pirate files on the internet. Also they're not at all regulated or audited, and may not even be in a jurisdiction that requires them to protect your data at all.

Given this trade-off, trusting a VPN to do a better job of protecting your privacy than an ISP seems like madness to me, given that they could easily sell whatever information they have on you and there's nothing you can do about it (and you'd likely never find out). It may not even be a crime depending on where they're located.

There's arguments for VPN in preference to unsecured Wi-Fi, but in reality, how often is that an issue? How many scenarios are there where you can't use mobile data instead? (And even where/when you can't, you still have all the downsides above which may or may not be better).

I don't think your analysis is complete.

Most VPNs' raison d'être is providing privacy. If it's publicly known that they don't, then that kills their business.

An ISP is tasked with connecting prior to the internet, they don't make claims about privacy, they can reveal information about clients without necessarily putting anyone off, most of the clients for large ISPs have probably never heard of a VPN.

If a VPN wanted to they could get audits by pen-testers to warrant their ability to provide secrecy.

A VPN provider that's been around a while and claims to offer a high level of privacy probably does.

Slight aside:

>My ISP can see the domain name of the result I click, and a VPN would mask that from them. //

There was a paper a little while ago, they directly identified pages by mitm-ing HTTPS by using meta-data (page size alone IIRC). Success was something like 80%.

>There was a paper a little while ago, they directly identified pages by mitm-ing HTTPS by using meta-data (page size alone IIRC). Success was something like 80%.

Link please. I don't doubt what you're saying, I'm just really interested in reading more about this.

https://scirate.com/arxiv/1403.0297

>We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation. //
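The paper quoted above identifies individual pages within one HTTPS site from traffic metadata, and the comment before it recalls size alone doing much of the work. This added example (not from the thread or the paper) measures, on a constructed catalogue of page sizes, how many pages an on-path observer could pin down from length alone, and how padding responses up to fixed-size buckets, one standard mitigation, shrinks that at a bandwidth cost. The page paths and byte counts are made up for illustration.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed catalogue of one site's pages and their encrypted transfer sizes in bytes.
# Made-up numbers for illustration, not measurements of any real site.
PAGE_SIZES: Dict[str, int] = {
    "/conditions/diabetes": 48213,
    "/conditions/asthma": 51877,
    "/conditions/hiv": 47990,
    "/accounts/mortgage": 63102,
    "/accounts/overdraft": 63240,
    "/accounts/savings": 61455,
    "/legal/divorce": 39871,
    "/legal/bankruptcy": 40102,
    "/help/contact": 30111,
    "/help/faq": 30400,
}


def pad_to_bucket(size: int, bucket: int) -> int:
    """Length the observer sees if the server pads every response up to a multiple of `bucket`."""
    if bucket < 1:
        raise ValueError("bucket must be a positive number of bytes")
    return ((size + bucket - 1) // bucket) * bucket  # integer ceiling, no float rounding


def candidates(sizes: Dict[str, int], observed_len: int, bucket: int = 1) -> List[str]:
    """Anonymity set: every page whose padded length matches one seen on the wire."""
    return sorted(p for p, s in sizes.items() if pad_to_bucket(s, bucket) == observed_len)


def identifiability(sizes: Dict[str, int], bucket: int = 1) -> Tuple[int, int]:
    """(pages uniquely identified by length alone, size of the largest anonymity set)."""
    seen = Counter(pad_to_bucket(s, bucket) for s in sizes.values())
    unique = sum(1 for s in sizes.values() if seen[pad_to_bucket(s, bucket)] == 1)
    return unique, max(seen.values())


def padding_overhead(sizes: Dict[str, int], bucket: int) -> int:
    """Total extra bytes the site sends with this bucket size: the cost of the mitigation."""
    return sum(pad_to_bucket(s, bucket) - s for s in sizes.values())


if __name__ == "__main__":
    for bucket in (1, 4096, 16384):
        unique, largest = identifiability(PAGE_SIZES, bucket)
        print(f"bucket={bucket:6d}: {unique:2d}/{len(PAGE_SIZES)} pages unique, "
              f"largest anonymity set {largest}, overhead {padding_overhead(PAGE_SIZES, bucket)} bytes")
```

With no padding every page in the catalogue is distinguishable by length; 4 KiB buckets leave one page unique at under 2 KiB of padding per response, and 16 KiB buckets leave none, which is why a VPN (which only moves the observer) does nothing here while server-side padding does.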

It should be noted that SSLstrip is a thing. Those sites would need to properly force HTTPS, which is easy to get wrong. And it's much easier to allow both HTTP/HTTPS.

I think the whole point is you'd want both IPsec and TLS, and just TLS might not be enough. A good VPN implementation provides better protection when you're connecting over public networks you don't trust, for protocols that don't use TLS.

We usually do not have a choice of ISP. A VPN gives you the option of where to "attach" to the internet. As an added bonus, at that point you can filter ads, malware, tracking.

I'm actually glad that the author pointed out that once you log in somewhere that will track you, that connection is associated with you.

A vpn is not a cure-all. It is only as private as you're willing to make it. If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.

Payment information - some prefer to use cryptocurrency, which in their minds, is private. Again, once metadata connects you, there's no denying that that's you.

A third party consultant takes your payment? Maybe. Especially if you've got some anonymizing layer to your credit card info that has earned a similar trust. This will of course add to the cost of the transaction.

Even the way you type can connect you. Sufficient amounts of text - such as this reply - are usually enough.

>If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.

This is probably not going to work with public vpn services because many users share one server, and the server you use changes every connection. Thus facebook can’t really correlate your torrent traffic with your session because it could be anyone else on that server.

> If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time.

Not really. There's not a single documented case of a major VPN user ever receiving a copyright infringement notice. Despite the fact that millions use this exact same use case.

In security it's always important to understand the threat model. If I know I'm being personally targeted by Mossad, that's a very different story than if I'm trying to avoid getting identified in a mass copyright notice from the MPAA.

Facebook would never ever ever in a million years voluntarily give the MPAA unrestricted root access to their IP level user tracking data. If they tried to subpoena it, Facebook can afford much much better lawyers than Warner Brothers.

And I guarantee that at least in the American judicial system, any judge is going to be extremely skeptical against such a sweeping request.

> Im actually glad that the author pointed out that once you log in somewhere that will track you, that connection is associated with you.

Exactly, and it's usually a cookie or some sort of persistent storage. I use a VPN, but I use it at the router level. https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

I know my ISP logs my metadata (by law), whereas I trust that my VPN provider does not.

Essentially VLAN2 all traffic is routed direct to my ISP, and VLAN3 all traffic is routed to VPN. My machine normally sits in VLAN3. I make sure not to log into anything social media related or tied to my real identity.

If I need to do banking, Facebook or something like that I'll use a device in VLAN2 (a separate computer).

All phones and devices like that are broadcasting information anyway so those are in VLAN2 as well, unless they are devices with LineageOS and no Google Apps.

> A vpn is not a cure-all. It is only as private as you're willing to make it. If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.

See in this scenario I would have a system in VLAN3 that I use for my downloading, and another computer in VLAN2 that is used for the facebooking. I use a hardened browser with https://github.com/ghacksuserjs/ghacks-user.js that hardens the browser and helps against fingerprinting.

I also use a number of addons, for various purposes.

That requires hardening. Currently I use:

* ClearURLs https://addons.mozilla.org/addon/clearurls/ (remove UTM and parameter tracking)

* CSS Exfil Protection https://addons.mozilla.org/addon/css-exfil-protection/

* Decentraleyes https://addons.mozilla.org/addon/decentraleyes/ (prevent tracking via CDN)

* Firefox Multi-Account Containers https://addons.mozilla.org/addon/multi-account-containers/ (used for sites to keep me logged in)

* HTTPS Everywhere https://addons.mozilla.org/addon/https-everywhere/

* Redirect AMP to HTML https://addons.mozilla.org/addon/amp2html/ (no to AMP)

* Temporary Containers https://addons.mozilla.org/addon/temporary-containers/ (prevents tracking via ETags and other things like IndexedDB)

* uBlock Origin https://addons.mozilla.org/addon/ublock-origin/ (block adverts)

* uMatrix https://addons.mozilla.org/firefox/addon/umatrix/ (block 1st party JavaScript)

I use a very similar list of addons. In addition I recommend:

* CanvasBlocker https://addons.mozilla.org/en-US/firefox/addon/canvasblocker...

* Cookie AutoDelete https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

and I block cookies by default using uMatrix.

Thanks for pointing out CSS Exfil Protection. I hadn't seen that one yet.

Edit: I also recently switched to NoHTTP instead of HTTPS-Everywhere. This way I have to explicitly allow any non-HTTPS connections.

> I use a very similar list of addons. In addition I recommend:

> * CanvasBlocker https://addons.mozilla.org/en-US/firefox/addon/canvasblocker....

A lot of people recommend that, but you don't need it if you're using ghacks-user.js. The reason is because of privacy.resistFingerprinting.

> * Cookie AutoDelete https://addons.mozilla.org/en-US/firefox/addon/cookie-autode....

> and I block cookies by default using uMatrix.

I use Cookie AutoDelete on my mobile because unfortunately the container API isn't available on the Android version of Firefox.

The reason I don't use it on my desktop is because there are certain types of things that cannot be cleared.

> APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy.

* https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/wiki/...

* https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1-Exte...

> Edit: I also recently switched to NoHTTP instead of HTTPS-Everywhere. This way I have to explicitly allow any non-HTTPS connections.

I might have to check that out.

Superb list.

But what world are we living in that one needs a specific browser with 10+ addons and tweaks to have some amount of basic privacy. Lunacy!

We've documented it here:

https://github.com/dngray/ghacks-user.js/tree/fx-desktop

https://github.com/dngray/ghacks-user.js/tree/fx-android

The setup aims to minimize duplication.

> But what world are we living in that one needs a specific browser with 10+ addons and tweaks to have some amount of basic privacy. Lunacy!

Yes, I wish it was like the 90s. Unfortunately the advertising/tracking industry is insidious and could not care about user experience.