
HTTPS and VPN

Bachelor
Explorer
I was wondering if one is on a secure website does using a VPN provide extra protection, or is it just redundant? Thanks.
31 REPLIES

Bachelor
Explorer
Thanks for all the replies and explanations. I always thought that you were pretty safe using HTTPS, even on a public connection because everything is encrypted. I guess, as some of you mentioned, you're more safe using your own hotspot, such as cell phone, your own router, etc.

Edit: I was just investigating VPNs online and all the big names, such as Nord, Express, PIA and others all offer strong encryption. So it would appear to me that usage of these VPNs on an unsecured network would provide good protection. Comments?

Gdetrailer
Explorer III
garry1p wrote:
No matter how secure YOU are, the business you shop at, bank with or have any transaction with will be a target of hackers; they get millions of individual accounts such as Target, Home Depot or any site that clears your CC information is more at risk than the individual. You have no control.

Using an open WIFI is normally a one-on-one attack and yes, there are many bad actors preying on open WiFis; you just never know until it is too late. You have some level of control, use it or....

VPN is point to point encrypted and better than not having it, but nothing is totally secure on the internet.


A VPN is no more "secure" than an open wifi, period.

You are DEPENDING AND TRUSTING on a faceless, unreachable, untouchable THIRD PARTY VPN software to make this "encryption" happen..

Many of these third party VPNs are based outside of the US, ever wonder why?

What if that third party VPN you chose is ACTUALLY one of the BAD GUYS?

What if that third party VPN has one of their servers hacked and compromised?

Your data integrity and security is only as good as all of the moving parts between your computer and your data's final destination..

As someone else has mentioned, VPNs are more about HIDING YOUR IP LOCATION than they are for making your connection more secure..

IF you are wanting to do general Internet browsing, open wifi OR secured wifi should not pose any real threat.

IF you are BANKING or putting other personal info onto the Internet and are over the top privacy concerned then skip wifi and move to WIRED connection.

Alternately, while less secure than a wired connection, bring your own wifi (cell based) would be the better method over depending on a third party VPN on a public wifi..

2oldman
Explorer II
ljr wrote:
I can't give you a number of cases I helped untangle but it would be in the hundreds..
Hundreds sounds ominous until you compare that to the number of wifi users in total.
garry1p wrote:
No matter how secure YOU are, the business you shop at, bank with or have any transaction with will be a target of hackers; they get millions of individual accounts such as Target, Home Depot or any site that clears your CC information is more at risk than the individual.
That is a more significant risk because that's where the real gold mine is.

We've had this conversation many times over the years and it ends up being like driving with the propane on. Is it risky? No, but if you THINK it's risky then don't do it.
"If I'm wearing long pants, I'm too far north" - 2oldman

garry1p
Explorer
No matter how secure YOU are, the business you shop at, bank with or have any transaction with will be a target of hackers; they get millions of individual accounts such as Target, Home Depot or any site that clears your CC information is more at risk than the individual. You have no control.

Using an open WIFI is normally a one-on-one attack and yes, there are many bad actors preying on open WiFis; you just never know until it is too late. You have some level of control, use it or....

VPN is point to point encrypted and better than not having it, but nothing is totally secure on the internet.
Garry1p


1990 Holiday Rambler Aluma Lite XL
454 on P-30 Chassis
1999 Jeep Cherokee sport

ljr
Nomad
2oldman wrote:
ljr wrote:
2oldman wrote:
So much is possible, but whether it's even in the realm of probability that someone's sitting in Starbucks waiting to steal my information is what I focus on.
.....and that's why it works.
We all have a different tolerance for risk. It's possible I could be in a plane crash too.

Maybe someone will come on here and tell us their experience getting hacked on public wifi.


I spent 30+ years in government, corporate and higher education IT. I can't give you a number of cases I helped untangle but it would be in the hundreds. With very few exceptions the victims were in complete agreement with you before it happened to them.

You don't need to surrender to paranoia but you would be well served by taking the threat seriously.

PS: I was in a plane crash once.
Larry

fj12ryder
Explorer III
2oldman wrote:
ljr wrote:
2oldman wrote:
So much is possible, but whether it's even in the realm of probability that someone's sitting in Starbucks waiting to steal my information is what I focus on.
.....and that's why it works.
We all have a different tolerance for risk. It's possible I could be in a plane crash too.

Maybe someone will come on here and tell us their experience getting hacked on public wifi.
That could be a really long wait.

But if you ask someone to come on here and tell about the time their data was stolen from a supposedly secure credit card repository or department store repository, it won't take very long at all.
Howard and Peggy

"Don't Panic"

mike-s
Explorer
GordonThree wrote:
a lot of users have become conditioned to accept and ignore certificate errors, including self signed certificates.
Can't do anything about foolishness. All modern browsers throw up huge red flags for cert errors. If someone is going to ignore cert errors, they're going to also ignore any advice on when to avoid WiFi connections. And, of course, MITM attacks can occur even on password connected WiFi connections, so encouraging people to think that "secure" WiFi prevents MITM is no different than encouraging them to ignore cert problems.

2oldman
Explorer II
ljr wrote:
2oldman wrote:
So much is possible, but whether it's even in the realm of probability that someone's sitting in Starbucks waiting to steal my information is what I focus on.
.....and that's why it works.
We all have a different tolerance for risk. It's possible I could be in a plane crash too.

Maybe someone will come on here and tell us their experience getting hacked on public wifi.
"If I'm wearing long pants, I'm too far north" - 2oldman

ljr
Nomad
2oldman wrote:
So much is possible, but whether it's even in the realm of probability that someone's sitting in Starbucks waiting to steal my information is what I focus on.


.....and that's why it works.
Larry

2oldman
Explorer II
So much is possible, but whether it's even in the realm of probability that someone's sitting in Starbucks waiting to steal my information is what I focus on.
"If I'm wearing long pants, I'm too far north" - 2oldman

Gdetrailer
Explorer III
GordonThree wrote:
mike-s wrote:
GordonThree wrote:
Now the hacker can run a MITM attack against those people, injecting a fake certificate in front of a bank or credit card real certificate, and copy all the juicy details.
So, please do tell where one gets a certificate signed by a well-known (i.e. included with OS/browsers) root authority for www.mybank.com, but can't get one for www.myvpn.com.


Exactly the reason to not use open wifi networks, ever.


:R

Over the top reaction.

EVERYTHING you do contains a "risk" and a connection to ANY network (internal only or Internet facing) IS RISKY.

So in reality if you are this concerned about your information then you would be better off NOT doing anything "online".

In reality, you have a greater chance of your personal information being exposed on EITHER END of the Internet (IE YOURSELF OR YOUR BANK/WEBSITE). Yes, an "intercept" is entirely possible via an "open" wifi connection but the bad guys have found considerably easier methods than to park out at a random airport, McDs, Starbucks.

Social engineering (Phishing, Spearphishing), Malware, Virus, keyloggers, etc. are much more efficient means to get information than to have one person set up and operate one single wifi intercept operation..

Social engineering is one of the easiest ways to completely bypass any of the strongest security settings, firewalls, encryption you can place.

Social engineering in a nutshell amounts to playing on the "human factor" or emotions to get personal information to use for someone else's gain..

Folks can't seem to resist opening odd emails like a UPS/Fedex, USPO which make a shipping claim that you need to sign in and enter information.. You do and the bad guys get you to enter personal info into a fake website..

Or a Bank email claiming that your credit card or bank account will be closed if you do not respond to that email via an included link.. Following that link takes you to carefully crafted fake websites to which you simply hand over all the keys to your kingdom..

With the Internet, there really is no such thing as "security" no matter how much spin folks like to give to HTTPS or "secure wifi" as long as the HUMAN part cannot be "secured".

If it can be encoded, it WILL be decoded by someone else if they want it bad enough.

GordonThree
Explorer
mike-s wrote:
GordonThree wrote:
Now the hacker can run a MITM attack against those people, injecting a fake certificate in front of a bank or credit card real certificate, and copy all the juicy details.
So, please do tell where one gets a certificate signed by a well-known (i.e. included with OS/browsers) root authority for www.mybank.com, but can't get one for www.myvpn.com.


Exactly the reason to not use open wifi networks, ever.

The certificate doesn't need to be signed by anyone well known, a lot of users have become conditioned to accept and ignore certificate errors, including self signed certificates.
2013 KZ Sportsmen Classic 200, 20 ft TT
2020 RAM 1500, 5.7 4x4, 8 speed

mike-s
Explorer
GordonThree wrote:
Now the hacker can run a MITM attack against those people, injecting a fake certificate in front of a bank or credit card real certificate, and copy all the juicy details.
So, please do tell where one gets a certificate signed by a well-known (i.e. included with OS/browsers) root authority for www.mybank.com, but can't get one for www.myvpn.com.

mike-s
Explorer
So much misunderstanding here. VPNs are protected with the same sort of encryption/AAA (Authorization, Authentication, Accounting) as are links to (well managed) sites. A VPN basically hides your physical location when browsing, but it really makes no difference in security. The most a VPN provides in that case is that the site doesn't know where you are physically. Adding a VPN to an already encrypted connection adds no security, unless you think nation-states are trying to snoop on you, because if someone can break the encryption of either, they can break the encryption of both.

It's like people putting in a stronger deadbolt, when there's a glass window right next to the door.

ljr
Nomad
Bachelor wrote:
I was wondering if one is on a secure website does using a VPN provide extra protection, or is it just redundant? Thanks.


SSL/TLS (aka: HTTPS) is between a browser and a web server. VPN is between two endpoints. I suppose both is sort of redundant but it depends on where the endpoints are.
Larry