by s1rech 1960 days ago
If you are using the network of a hotel or a train station, for instance. Assumption is that you trust that VPN provider of course.

Well https takes care of that.

The hotel might be able to see that you visited a certain website but that's about it.

You have now shifted your trust from your VPN provider to certificate authorities.

And, I guess, just ignore anything that's not https.

Or just be okay if your hotel blocks certain ports or destinations, which I've had happen multiple times.

> You have now shifted your trust from your VPN provider to certificate authorities.

Don't you have to trust the CAs in any case?

There are 168 root certificates in macOS and 255 in Windows.
My point was that you have to trust them in any case, even with a VPN. The number of certificates is irrelevant.
Well, http(s) isn't the only traffic going through the network.
Assuming they don't MITM your connection.
And how would they do that? Your browser should warn you the certs aren’t trusted.
And if your browser does warn you: what do you do? You use a VPN.
Which you would notice immediately because of the big, scary warnings.
Right, but how do you respond to that? Using a VPN seems like a reasonable approach in this situation.
It's a hotel right? I would respond by closing my laptop, then my eyelids, then checking out the next morning.
You respond primarily with non-technical means, making a giant stink that a hotel that generally lives and dies on corporate money is man-in-the-middling their WiFi.
Assume my hotel has some MITM running with the right (broken) certificates and so on.

Which is not that trivial to begin with.

How hard would it be to take over the DNS and simulate a fake VPN too?

Or just constantly disconnect the VPN and hope the user stops using it for a while.

Presumably, you exchanged certs with the actual VPN over a known secure network prior.
Wouldn't you be better served by your own VPN server?
Then you're the only person coming from that IP; a commercial service lets you hide in the crowd.
Not everyone can set up their own web/mail/vpn/whatever server.
Exactly. I have at least some trust in Mullvad, but I'll be damned if I'm getting on the hotel WiFi in a US hotel chain without a VPN. Let alone while travelling in foreign countries.

I frequently access my bank info etc. on such trips. With a VPN at least I have fewer random threat vectors to consider on a network.

What 'bank info etc.' are you accessing that isn't TLS encrypted already? Adding IPsec on top of that isn't helping much, if at all…
I've frequently (especially outside the US, but even in a major hospital system here in San Francisco) come across WiFi networks that force web access through a MITM proxy. Yes, HTTPS will help me detect it, but if I need to actually get through, a VPN is helpful.

"bank info" in this case being anything from logging in to check my balance, pay bills or even contact them via their secure messaging because I'm disputing a transaction.

It doesn't eliminate all threats, but I'm not a secret agent ninja that needs 100% hardened communications. I just need a modicum of assurance.

But every site nowadays uses HTTPS. Doesn't it prevent issues with public WiFi?
Not all traffic is http.
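Added example, not from any commenter in this thread: it shows the concrete mechanism behind "the hotel might be able to see that you visited a certain website but that's about it". The hostname travels in the clear in the TLS ClientHello's SNI extension, before any key is agreed, so anyone on the path can read it even though the page content after the handshake is encrypted. The ClientHello below is constructed inline rather than captured; the hostname `bank.example` is a placeholder.

```python
"""Extract the plaintext SNI hostname from a TLS ClientHello record."""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello (TLS 1.2 framing) carrying an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    versions_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions, first so the parser must skip it
    extensions = versions_ext + sni_ext
    body = (
        b"\x03\x03" + bytes(32)                      # client_version, random (zeroed for the sample)
        + b"\x00"                                    # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # null compression only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if there is none."""
    try:
        if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
            return None                              # not a handshake record, or not a ClientHello
        pos = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                       # session id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
        pos += 1 + record[pos]                       # compression methods
        if pos + 2 > len(record):
            return None                              # ClientHello without extensions
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, length = struct.unpack_from("!HH", record, pos)
            data = record[pos + 4:pos + 4 + length]
            pos += 4 + length
            if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack_from("!H", data, 3)[0]
                return data[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                  # truncated or malformed record
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("bank.example")))   # visible to anyone on the path
```

Encrypted application-data records (content type 0x17) yield nothing, which is the "that's about it" half of the point: the destination leaks, the content does not.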