by darken 1550 days ago
> Use a VPN? Yes, if the VPN is free, trustworthy, and not blocked by the wifi.

I agree with most of your points; I'd just like to say that I'd never trust a "free VPN"... (Outside of "it's free since I host it".) I'd put most of my effort into vetting which VPN is best audited/trustworthy.

As an aside, the other big threat that sidesteps HTTPS certificate validation would be for the attacker to only serve HTTP. The browser will call this out in the URL bar at least. This can be mitigated by sites sending HSTS headers (forcing you to use HTTPS for future connections), but this isn't necessarily universal, and it requires having visited the site earlier on a "safe" network.

5 comments

As I said to the other reply, I was thinking “that you host yourself” (i.e. Algo) when I wrote this.

That said, I think this is a bit too absolute. ProtonVPN has a free tier, for example, and they’re seemingly a legit company (who make their money from the paid tier). I would not disrecommend ProtonVPN—it’s probably as or more trustworthy than most free public wifi.

But the same argument for public wifi applies to VPNs: you shouldn’t be that worried, because important things don’t rely on network trust anyway.

HSTS is also pre-loaded; you can pre-load an entire apex domain (such as ycombinator.com) or indeed an entire TLD (.dev is pre-loaded).

And browsers are starting to offer HTTPS-by-default mode where the browser just interprets HTTP as HTTPS (in links, in bookmarks, almost everywhere) and if the HTTPS server won't accept the connection you get a full-page interstitial where you can choose to let it go for one site that doesn't have HTTPS if you're comfortable with that.
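To make the HSTS discussion above concrete, here is a small model of the browser-side logic, written as an added illustration for this thread rather than code from any commenter or browser. It follows the rules of RFC 6797: a `Strict-Transport-Security` header is only honoured on a TLS response (so an on-path attacker serving plain HTTP cannot plant or clear entries), `max-age` and `includeSubDomains` are parsed, expired entries are ignored, and a constructed preload set (the real list shipped with browsers is far larger) stands in for the apex-domain and TLD preloading mentioned above. The point it shows is the one raised in the thread: a site you have never visited over HTTPS, and that is not preloaded, gets no upgrade, so an attacker who only serves HTTP never has to defeat certificate validation.

```python
"""Model of a browser's HSTS store and http->https upgrade decision.

Added illustration for this discussion; not taken from any browser's source.
Implements the observable behaviour described in RFC 6797, simplified.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser preload list. Preloaded entries are
# always treated as includeSubDomains; a bare TLD label covers every host under it.
PRELOADED = {
    "ycombinator.com",  # apex domain (constructed example, mirrors the thread)
    "dev",              # entire TLD
}


@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds) at which the entry lapses
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None if the header is invalid
    (missing or duplicated max-age, non-numeric value). Invalid headers are
    ignored by browsers rather than treated as max-age=0.
    """
    max_age: Optional[int] = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.entries: Dict[str, HstsEntry] = {}

    def record_response(self, host: str, scheme: str, header: str) -> None:
        """Update the store from a response's HSTS header.

        RFC 6797 section 8.1: the header is only processed over a secure
        transport, which is exactly why an attacker who serves plain HTTP
        cannot poison or remove HSTS state.
        """
        if scheme != "https":
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:          # max-age=0 means "forget this host"
            self.entries.pop(host, None)
            return
        self.entries[host] = HstsEntry(self.now() + max_age, include_sub)

    def is_known_hsts_host(self, host: str) -> bool:
        """Check the host and each parent domain against preload and cached entries."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in PRELOADED:
                return True
            entry = self.entries.get(candidate)
            if entry is not None and entry.expires > self.now():
                # An exact match always applies; a parent only if it set includeSubDomains.
                if i == 0 or entry.include_subdomains:
                    return True
        return False

    def rewrite_navigation(self, url: str) -> str:
        """Return the URL the browser would actually request for a navigation."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_hsts_host(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # A header seen over plain HTTP is ignored; the same header over HTTPS is honoured.
    store.record_response("bank.example", "http", "max-age=31536000; includeSubDomains")
    print(store.rewrite_navigation("http://bank.example/login"))   # still http
    store.record_response("bank.example", "https", "max-age=31536000; includeSubDomains")
    print(store.rewrite_navigation("http://bank.example/login"))   # upgraded to https
    print(store.rewrite_navigation("http://anything.dev/"))        # preloaded TLD, upgraded
```

Run it as-is to see the three cases; the first navigation stays on HTTP because the header arrived over an insecure response, the second is upgraded because the entry was set over TLS, and the third is upgraded purely from the constructed preload set without any prior visit.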

I have my own self-hosted VPN, but I am a fan of Windscribe too; they offer a free VPN which I'd personally trust. I do pay for it, but wouldn't have any concerns recommending it.

They actually wrote an article explaining how/why it's free: https://blog.windscribe.com/free-vpn-myths-debunked-70a0aa46...

Obviously do your own research.

I set up wireguard, pihole and caddy (reverse proxy) on an rpi4 for this purpose... that and access to my internal network (nas, desktop, etc). Works relatively well; was a bit of a pain to get pihole binding properly via docker (compose file).

Using dyndns service on my domain so that I can refresh a subdomain to always point home.

Yeah, a free VPN is almost guaranteed to be a honeypot, whereas free wifi has only a small chance of being a problem.

"Free Wi-Fi" also almost always means "no encryption on the PHY", meaning eavesdropping is trivial and MITM is much more likely. I never use public, open Wi-Fi without wireguarding home.

That's the point. If you don't trust open wifi then you would trust free VPN far less.

I don't think that's necessarily true.

Do I trust ProtonVPN’s free tier less than I trust a random access point named (say) “NYC Free WIFI”? I would say no: I know who ProtonVPN is, and I’m only trusting them, not all their other users.

I agree a lot of free VPNs are shady as fuck, but free tiers from reputable companies are reasonable, and if anything may be more trustworthy than your home ISP.