HTTPS and VPN
I was wondering if one is on a secure website does using a VPN provide extra protection, or is it just redundant? Thanks.
Forum Discussion
31 Replies
GordonThree wrote:
Can't do anything about foolishness. All modern browsers throw up huge red flags for cert errors. If someone is going to ignore cert errors, they're going to also ignore any advice on when to avoid WiFi connections. And, of course, MITM attacks can occur even on password connected WiFi connections, so encouraging people to think that "secure" WiFi prevents MITM is no different than encouraging them to ignore cert problems.
a lot of users have become conditioned to accept and ignore certificate errors, including self signed certificates.ljr wrote:
We all have a different tolerance for risk. It's possible I could be in a plane crash too.2oldman wrote:
.....and that’s why it works.
So much is possible, but whether it's even in the realm of probability that someone's sitting in Starbucks waiting to steal my information is what I focus on.
Maybe someone will come on here and tell us their experience getting hacked on public wifi.2oldman wrote:
So much is possible, but whether it's even in the realm of probability that someone's sitting in Starbucks waiting to steal my information is what I focus on.
.....and that’s why it works.- So much is possible, but whether it's even in the realm of probability that someone's sitting in Starbucks waiting to steal my information is what I focus on.
GordonThree wrote:
mike-s wrote:
GordonThree wrote:
So, please do tell where one gets a certificate signed by a well-known (i.e. included with OS/browsers) root authority for www.mybank.com, but can't get one for www.myvpn.com.
Now the hacker can run a MITM attack against those people, injecting a fake certificate in front of a bank or credit card real certificate, and copy all the juicy details.
Exactly the reason to not use open wifi networks, ever.
:R
Over the top reaction.
EVERYTHING you do contains a "risk" and a connection to ANY network (internal only or Internet facing) IS RISKY.
So in reality if you are this concerned about your information then you would be better off NOT doing anything "online".
In reality, you have a greater chance of your personal information being exposed on EITHER END of the Internet (IE YOURSELF OR YOUR BANK/WEBSITE). Yes, an "intercept" is entirely possible via a "open" wifi connection but the bad guys have found considerably easier methods than to park out at a random airport, McDs, Starbucks.
Social engineering (Phishing, Spearphishing), Malware, Virus, keyloggers, ect are much more efficient means to get information than to have one person setup and operate one single wifi intercept operation..
Social engineering is one of the easiest ways to completely bypass any of the strongest security settings, firewalls, encryption you can place.
Social engineering in a nutshell amounts to playing on the "human factor" or emotions to get personal information to use for someone elses gain..
Folks can't seem to resist opening odd emails like a UPS/Fedex,USPO which make a shipping claim that you need to sign in and enter information.. You do and the bad guys get you to enter personal info into a fake website..
Or a Bank email claiming that your credit card or bank account will be closed if you do not respond to that email via an included link.. Following that link takes you to carefully crafted fake websites which you simply hand over all the keys to your kingdom..
With the Internet, there really is no such thing as "security" no matter how much spin folks like to give to HTTPS or "secure wifi" as long as the HUMAN part cannot be "secured".
If it can be encoded, it WILL be decoded by someone else if they want it bad enough.mike-s wrote:
GordonThree wrote:
So, please do tell where one gets a certificate signed by a well-known (i.e. included with OS/browsers) root authority for www.mybank.com, but can't get one for www.myvpn.com.
Now the hacker can run a MITM attack against those people, injecting a fake certificate in front of a bank or credit card real certificate, and copy all the juicy details.
Exactly the reason to not use open wifi networks, ever.
The certificate doesn't need to be signed by anyone well known, a lot of users have become conditioned to accept and ignore certificate errors, including self signed certificates.GordonThree wrote:
So, please do tell where one gets a certificate signed by a well-known (i.e. included with OS/browsers) root authority for www.mybank.com, but can't get one for www.myvpn.com.
Now the hacker can run a MITM attack against those people, injecting a fake certificate in front of a bank or credit card real certificate, and copy all the juicy details.- So much misunderstanding here. VPNs are protected with the same sort of encryption/AAA (Authorization, Authentication, Accounting) as are links to (well managed) sites. A VPN basically hide your physical location when browsing, but it really makes no difference in security. The most a VPN provides in that case is that the site doesn't know were you are physically. Adding a VPN to an already encrypted connection adds no security, unless you think nation-states are trying to snoop on you, because if someone can break the encryption of either, they can break the encryption of both.
It's like people putting in a stronger deadbolt, when there's a glass window right next to the door. Bachelor wrote:
I was wondering if one is on a secure website does using a VPN provide extra protection, or is it just redundant? Thanks.
SSL/TLS (aka: HTTPS) is between a browser and a web server. VPN is between two endpoints. I suppose both is sort of redundant but it depends on where the endpoints are.downtheroad wrote:
Secure website in one thing....it's "open" or unsecured wifi that is very vulnerable and and not secure.. Doing your banking at, for example, Starbucks or at an airport on their open wifi is dangerous....we always use a VPN when away from our password protected wifi at home.
x2 on this
a secure website (https) offers minimal protection if you're connected to an open unencrypted wifi network, plenty of chances to get hacked, so much so I'd say never connect to an "open" network. it's not worth the risk. very easy to compromise.
for example, Starbucks - maybe the official open network is named Starbucks guest or some such. so your hacker connects to it and runs de-auth attacks on everyone else connected. then they start their own open wifi network, called Starbucks 2 or something. Everyone that got hit with the deauth is disconnected. they might think oh that's weird, I'll try starbucks 2. Now the hacker can run a MITM attack against those people, injecting a fake certificate in front of a bank or credit card real certificate, and copy all the juicy details.
it works because everyone is so conditioned (thanks to sites like Marcus runs here) to hit accept when your browser warns you about a certificate problem.
