by LordHeini 1960 days ago
Well https takes care of that.

The hotel might be able to see that you visited a certain website but that's about it.

3 comments

You have now shifted your trust from your VPN provider to certificate authorities.

And, I guess, just ignore anything that's not https.

Or just be okay if your hotel blocks certain ports or destinations, which I've had happen multiple times.

> You have now shifted your trust from your VPN provider to certificate authorities.

Don't you have to trust the CAs in any case?

There are 168 root certificates in macOS and 255 in Windows.
My point was that you have to trust them in any case, even with a VPN. The number of certificates is irrelevant.
Well, http(s) isn’t the only traffic going through the network.
Assuming they don't MITM your connection.
And how would they do that? Your browser should warn you the certs aren’t trusted.
And if your browser does warn you: what do you do? You use a VPN.
Which you would notice immediately because of the big, scary warnings.
Right, but how do you respond to that? Using a VPN seems like a reasonable approach in this situation.
It's a hotel right? I would respond by closing my laptop, then my eyelids, then checking out the next morning.
You respond primarily with non-technical means, making a giant stink that a hotel that generally lives and dies on corporate money is man-in-the-middling their WiFi.
Assume my hotel has some MITM running with the right (broken) certificates and so on.

Which is not that trivial to begin with.

How hard would it be to take over the DNS and simulate a fake VPN too?

Or just constantly disconnect the VPN and hope the user stops using it for a while.

Presumably, you exchanged certs with the actual VPN over a known secure network prior.