
It works for when you need to use untrusted WiFi, because the alternative is worse. Beyond that, it forms a nice defense against unsophisticated attackers (e.g. it breaks a single data point (IP address) used by Google and Facebook).



Is the alternative actually worse than SSL? Why?

And no, it doesn't break analytics by Facebook or Google in any substantial way. I know some people use them to evade Netflix region exceptions, and that's about all they're good for.


You can’t always ensure that all traffic goes over SSL. DNS traffic is an example. I always assume that hostile public networks like free WiFi have agents actively trying to man in the middle any connections they can. If your device has a known exploit and a single connection not going over SSL you drastically increase your exposure on a public WiFi, hence the one use case for VPN.


If your privacy concerns include your DNS requests then a commercial VPN isn't a realistic choice. And unlike some rando pseudo-bespoke brand-less coffee shop wifi, commercial VPNs are a big target.

> I always assume that hostile public networks like free WiFi have agents actively trying to man in the middle any connections they can.

And VPNs just move that problem. If you're not demanding and forcing SSL, you're not actually addressing this problem.

> If your device has a known exploit and a single connection not going over SSL you drastically increase your exposure on a public WiFi, hence the one use case for VPN.

I regret to inform you that none of these things you've described stop those sorts of attacks. Forcing SSL on your browser is a realistic option for most threat models. If you're at a level where you're actually being surveilled by a nation-state-level actor, a commercial VPN won't help you. Short of that scenario, forcing SSL will cover most cases.


Try running a traffic or packet monitor on a WiFi network. Now tell me how much of that traffic is going over SSL.

And even if I don’t run my own VPN, I’d prefer to “move the problem”. It’s so much easier to attack machines on public WiFi than compromise a VPN provider... and much more anonymous, and less likely to incite law enforcement activity. Public airports, libraries, etc are hotbeds of nefarious activity.
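The "run a traffic monitor and see what is plaintext" check from the comment above, as an added example that is not part of the thread: a POSIX shell/awk filter that reads rows in the shape of `ss -tn` output and prints the peers whose port is one that carries plaintext by convention. The sample rows and the port list are constructed assumptions for the example; classifying by port number is a heuristic and will misjudge TLS on a non-standard port or STARTTLS on 25/143.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -tn` output (not a real capture).
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.20:51234 93.184.216.34:443
ESTAB 0 0 192.168.1.20:51240 203.0.113.7:80
ESTAB 0 0 192.168.1.20:51241 198.51.100.9:993
ESTAB 0 0 192.168.1.20:51250 203.0.113.22:143
ESTAB 0 0 192.168.1.20:51260 192.0.2.5:22'

# Ports taken here to mean a plaintext protocol (assumption: port == protocol).
PLAINTEXT_PORTS='21 23 25 80 110 143'

# Read ss-style rows on stdin, print the peer address:port of every plaintext peer.
plaintext_peers() {
  awk -v list="$PLAINTEXT_PORTS" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) plain[a[i]] = 1 }
    NR > 1 {
      peer = $5                           # fifth column is "Peer Address:Port"
      m = split(peer, parts, ":")         # last colon-separated piece is the port
      port = parts[m]                     # (also works for bracketed IPv6 peers)
      if (port in plain) print peer
    }'
}

# Count the plaintext peers in a block of text; a function a test can check.
count_plaintext() {
  printf '%s\n' "$1" | plaintext_peers | wc -l | tr -d ' '
}

# Run against the constructed sample: expected to list the :80 and :143 peers.
printf '%s\n' "$SAMPLE" | plaintext_peers
```

On a Linux box the same filter runs against live state with `ss -tn | plaintext_peers`; UDP traffic such as DNS on port 53 is not in `ss -tn` output and would need `ss -un` and a matching port list.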


I use plugins to force SSL to all connections. I block outbound non-SSL http traffic.

So, 0%? But personally I don't go to many sites that don't have full SSL coverage. Do you?

I highly recommend you do this.

> It’s so much easier to attack machines on public WiFi than compromise a VPN provider... and much more anonymous, and less likely to incite law enforcement activity.

Do you think there will be a successful law enforcement follow up to this breach? I doubt it.

> Public airports, libraries, etc are hotbeds of nefarious activity.

As are VPN data centers, as evidenced here.

If you really want to just shift your egress point, lots of self-hosted VPN options exist. These are much better able to do the things you want to do, without being as vulnerable to corporate VPN attacks.


Well I agree with you on the self-hosted VPN option being the best. I’m just saying there’s not zero benefit to hosted VPN in some cases.

And it sounds like you're just looking at http traffic and web browser traffic. Your computer is communicating over lots of other ports and protocols that are often not encrypted. Are you blocking all outbound traffic?

Let’s take the recent iTerm vulnerability. ( https://www.kb.cert.org/vuls/id/763073/ ) I’m guessing you don’t have a plug-in to force curl to use https? What if you execute a script that curls http and you don’t realize?

Now you could say well “I just make sure all my curls are https.” The problem with that approach is it requires unrealistic levels of vigilance, about every outgoing service you may use, and that all your software on your machine is patched or bug free.

The easiest and quickest place for a hacker to learn their tools and skills is simply public WiFi. Want to try that iTerm exploit out... you go to the coffee shop and wait for a programmer to accidentally curl something over http.

VPN is not perfect, but it does provide some protection in certain circumstances that can’t be ruled out.

Best course, force https for web browser, and use your own hosted VPN anytime you are on a public network.
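One way to close the "accidentally curl something over http" gap discussed in the comment above, as an added example that is not from the thread: a hypothetical shell wrapper that refuses plaintext URLs before curl ever runs and pins curl itself to HTTPS, including across redirects, with curl's real `--proto`, `--proto-redir` and `--proto-default` options. The wrapper name and the sample URLs are assumptions for the example.

```shell
#!/bin/sh
# Hypothetical wrapper (assumption, not a real tool): return 0 when a URL
# names a plaintext scheme, 1 otherwise.
url_is_plaintext() {
  case "$1" in
    http://*|ftp://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run curl only when no argument is a plaintext URL, and restrict curl to
# https for the initial request (--proto), for any Location: redirect
# (--proto-redir) and for scheme-less URLs (--proto-default).
safe_curl() {
  for arg in "$@"; do
    if url_is_plaintext "$arg"; then
      printf 'safe_curl: refusing plaintext URL %s\n' "$arg" >&2
      return 2
    fi
  done
  curl --proto '=https' --proto-redir '=https' --proto-default https \
       --fail --silent --show-error "$@"
}

# Demonstration with constructed URLs: the first is refused without any
# network access; the second would be fetched over TLS only.
safe_curl http://example.invalid/install.sh || echo "blocked (exit $?)"
safe_curl https://example.invalid/install.sh || echo "fetch failed as expected offline"
```

The same restriction can be made permanent for interactive use in `~/.curlrc` (`proto = =https` and `proto-redir = =https`), which also covers scripts that call curl directly rather than through the wrapper; scripts that set their own options or use other fetchers (wget, pip, package managers) still need their own plaintext-free configuration.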


> You can’t always ensure that all traffic goes over SSL. DNS traffic is an example.

But wouldn't you get a cert error if someone messed with the DNS to send you to a different IP than you would normally?

(Especially if they're using pinned certs, which many sites do now)
