Hacker News new | ask | show | jobs
by BjoernKW 1272 days ago
> While public Wifi providers may try to MITM, TLS effectively prevents that from happening unless you are prone to accept "insecure certificate/connection" warnings.

For connections happening via a browser that's true. For other applications, it depends, since those might happily accept a certificate that has been tampered with without the user being aware of it.

> That said, why did you choose EXpressVPN?

Put snarkily: Because I'm not Edward Snowden and I'm not subject to the same kind of threat level.

At the time (2018), ExpressVPN for me was the right choice in terms of sufficient security for my requirements and - not to be underestimated - user experience.

Other VPN products I tried out back then were more difficult to install and use (sometimes significantly so) and suffered from slow or even regularly dropped connections.
1 comments
leftcenterright 1272 days ago
TLS validation is enforced in all mobile applications unless you have spyware/malware which would use insecure CAs or self-signed certificates. Please see my comment above https://news.ycombinator.com/item?id=34159195 All standard mobile clients do TLS validation. They just can't be MiTMed by anyone using self-signed certificates/CAs which is how most mitm tools work (e.g. mitmproxy) Do you have any examples of apps not doing TLS validation?

I am really surprised to see this misconception.

> Put snarkily: Because I'm not Edward Snowden and I'm not subject to the same kind of threat level.

Well that is alright, we should all make decisions based upon our own threat models. It is just that in that case you are also at no risk with public WiFis unless you are sincerely looking for a fully secure alternative.

link
BjoernKW 1272 days ago
> Do you have any examples of apps not doing TLS validation?

Potentially, any desktop app not downloaded via an app store might do this.

link
leftcenterright 1272 days ago
What does it have to do with app store? Insecure apps which might not respect server TLS certificates / settings or communicate over plain HTTP will be insecure to use over a VPN as well. A VPN is not an alternative to not using proper TLS validation.
link
BjoernKW 1272 days ago
You specifically mentioned TLS being enforced in mobile apps. For non-mobile apps such an enforcement either happens through an app store vetting process or the operating system restricting access to non-secure API calls.

I also didn't say a VPN is an alternative to proper TLS validation. It just prevents public WiFi networks from trying to intercept (improperly validated) connections.

link
leftcenterright 1272 days ago
I said "mobile apps" to exclude browsers which do similar validation anyways. And it is the same process for mobile apps, only apps designed in an insecure manner (to choose to ignore cert warnings, use custom TLS clients etc) would fail validation and there is no reason to use such apps, it does not matter whether you use a VPN or public-wifi.

Have you encountered any such apps?

- https://developer.android.com/training/articles/security-ssl

link