by roey2009 1273 days ago
If you question whether your electronic device is compromised, it probably is.

If you question if your electronic device has exploitable vulnerabilities, the answer is absolutely yes.

Don't store private info on your electronics, if you can't handle them leaking. (Nude photos, bank credentials)

Commercial VPNs are not as useful and secure as you think.

I personally cover the front-facing cameras on my laptop and mobile, on the assumption that if someone were to gain access to my phone, that's the first thing they would look at.

Don't connect to random public WiFi. If you do, don't log in to any online account on it, or send confidential information.

4 comments

> Don't connect to random public WiFi. If you do, don't log in to any online account on it, or send confidential information.

While this is good advice in general, I have seen that people do end up having to connect to public WiFis in general (airports, traveling in a foreign country, lost LTE connections). I advise people never to accept "Insecure connection" warnings in browsers; with TLS in place and HSTS, practically the risk is very low.

MitM on Android works very well if you just use an app without a browser view. Android doesn't tell you that the certificate was changed and the app developer usually doesn't care to pin the certificate or check for the issuer. When using a random wifi, use a vpn just to be sure.

Which certificate authority does this new cert chain from? No reputable authority will issue valid certs for public WiFi MitM.

People can't distinguish the official wifi from a rogue one if it "sounds" official. Just go to a crowded place, name your wifi "Joes Coffee Shop" and people will connect to it in no time.

I guess the point is about MiTM, which you have not really answered. MiTM requires the man in the middle to present a webpage / API to the user over HTTPS with a valid certificate so that the browser or the Android app would make connections to it. They just don't accept all TLS certificates as valid, only the ones signed by CAs trusted by the device. It is the same for Android. I guess you are confusing certificate pinning with standard TLS. Certificate pinning is an additional measure and protects against compromised CAs etc. Standard TLS itself is sufficient to prevent MITM over HTTPS.

> MitM on android works very well if you just use an app without a browser view.

Do you have any examples showing this? Popular http clients like okhttp on mobile devices do perform TLS validation based on trusted CAs stored on the device. You would have to go out of your way to make them trust self-signed certificates to perform MITM or compromise a CA to issue you a certificate to allow MITM.

> Don't connect to random public WiFi. If you do, don't log in to any online account on it, or send confidential information.

Why? TLS establishes secure channels over insecure networks.

Mitm attacks are still a thing, but personally I wouldn’t bother with it. It’s much easier to go the social engineering route, i.e. post on Facebook a picture of my “old” dog (really a random dog) with the text “flash back to my first dog Tessie! You will always have a place in my heart :) post in the comments about your first dog”

And boom now you have their answers to security questions to reset their passwords.

> boom now you have their answers to security questions to reset their passwords.

Are there any examples of this actually happening? It seems like an old wives' tale. The simpler explanation for why these posts are so popular is that they generate a lot of engagement, especially in the form of unique comments and number of commenters, which is a signal used for ranking and helps increase reach of these accounts.

> Mitm attacks are still a thing

TLS directly addresses this.

How do you Mitm TLS? You would need to have the server's keys, right?

> Commercial VPNs are not as useful and secure as you think.

That's highly contingent on the "as you think" part.

For example, I use ExpressVPN on public WiFi networks because I trust them a whole lot more than random public WiFi providers. Sure, they have access to the URLs I've accessed while using their service. Then again, so does my ISP.

The crucial part is, said random public WiFi providers won't have access to that data.

Additionally, and much more importantly, some public WiFi providers try to MITM secure connections, which is effectively prevented when using a trustworthy VPN.

While public Wifi providers may try to MITM, TLS effectively prevents that from happening unless you are prone to accept "insecure certificate/connection" warnings.

Leaked keys or keys obtained/accessible by law enforcement from vpn providers effectively allow them to MITM you: https://www.byos.io/blog/nordvpn-torguard-and-vikingvpn-brea...

That said, why did you choose ExpressVPN?

> If you're an ExpressVPN customer, you shouldn't be. - Snowden, Sep 16 2021

- https://twitter.com/Snowden/status/1438291654239215619

- https://www.zdnet.com/article/trust-but-verify-an-in-depth-a...

> While public Wifi providers may try to MITM, TLS effectively prevents that from happening unless you are prone to accept "insecure certificate/connection" warnings.

For connections happening via a browser that's true. For other applications, it depends, since those might happily accept a certificate that has been tampered with without the user being aware of it.

> That said, why did you choose ExpressVPN?

Put snarkily: Because I'm not Edward Snowden and I'm not subject to the same kind of threat level.

At the time (2018), ExpressVPN for me was the right choice in terms of sufficient security for my requirements and - not to be underestimated - user experience.

Other VPN products I tried out back then were more difficult to install and use (sometimes significantly so) and suffered from slow or even regularly dropped connections.

TLS validation is enforced in all mobile applications unless you have spyware/malware which would use insecure CAs or self-signed certificates. Please see my comment above: https://news.ycombinator.com/item?id=34159195. All standard mobile clients do TLS validation. They just can't be MiTMed by anyone using self-signed certificates/CAs, which is how most mitm tools work (e.g. mitmproxy). Do you have any examples of apps not doing TLS validation?

I am really surprised to see this misconception.

> Put snarkily: Because I'm not Edward Snowden and I'm not subject to the same kind of threat level.

Well that is alright, we should all make decisions based upon our own threat models. It is just that in that case you are also at no risk with public WiFis unless you are sincerely looking for a fully secure alternative.

> Do you have any examples of apps not doing TLS validation?

Potentially, any desktop app not downloaded via an app store might do this.

What does it have to do with the app store? Insecure apps which might not respect server TLS certificates / settings or communicate over plain HTTP will be insecure to use over a VPN as well. A VPN is not an alternative to not using proper TLS validation.

Yea, I use it to avoid Comcast mostly out of spite.

"Aren't as secure as you think" seems to imply Comcast or the foreign wifi has what, broken the encryption? If so, tell me! But I kinda doubt it.

I think the problem is you’re trading one set of untrustworthy actors for another set of lesser known untrustworthy actors.

Yea, but that's not _my_ problem. My problem is "fuck comcast".

As for the public wifi, I get that I can't trust my random Dropbox VM for example, but I can surely trust it more than an actively hostile public wifi, no? If I can't trust any remote computing VM, how can I host anything on infra I don't own?

Of course, I fully expect someone commenting on HN to understand the issues and to have made the trade off.

It took a lot of explaining to my parents why a VPN didn’t add any meaningful security for them.

Very good point. They also sell it as if _just_ using a VPN equals security. I can't count the number of ads I've seen that oversell that :/

Is the public wifi advice still relevant today with HTTPS?
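
The thread's open question is whether an app validates TLS by default or has been coded to accept any certificate. As an added example (not written by any commenter), this Python audit flags Java source that overrides the default validation the okhttp comment describes; the rule names, sample snippets and the pin placeholder are constructed for illustration.

```python
import re

# Rules for source that overrides default TLS validation. The Java APIs named
# are real; rule names and all sample snippets are constructed for this example.
RULES = {
    # checkServerTrusted() with an empty body accepts any certificate chain.
    "empty-trust-manager": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}"),
    # A verifier that returns true for every host disables hostname checking.
    "accept-all-hostnames": re.compile(
        r"verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"
        r"|hostnameVerifier\s*\(\s*\(\s*\w+\s*,\s*\w+\s*\)\s*->\s*true\s*\)"),
}

def audit(source):
    """Return the sorted names of the rules that match the given source text."""
    return sorted(name for name, rx in RULES.items() if rx.search(source))

# Default client: validates against the device's trusted CAs, nothing to flag.
DEFAULT_CLIENT = """
OkHttpClient client = new OkHttpClient.Builder()
    .build();
"""

# Pinning adds a check on top of default validation, so it is not flagged.
PINNED_CLIENT = """
OkHttpClient client = new OkHttpClient.Builder()
    .certificatePinner(new CertificatePinner.Builder()
        .add("api.example.com", "sha256/PLACEHOLDER_PIN=")
        .build())
    .build();
"""

# The "go out of your way" case: trust every chain and every hostname.
TRUST_ALL = """
X509TrustManager trustAll = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
};
OkHttpClient client = new OkHttpClient.Builder()
    .sslSocketFactory(ctx.getSocketFactory(), trustAll)
    .hostnameVerifier((hostname, session) -> true)
    .build();
"""

if __name__ == "__main__":
    for src in (DEFAULT_CLIENT, PINNED_CLIENT, TRUST_ALL):
        print(audit(src))
```

A trust manager that delegates to the platform implementation has a non-empty `checkServerTrusted` body and is not flagged; pattern matching like this is a first-pass review aid, not proof that an app validates correctly.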