Considering how most of the Internet is encrypted with TLS, if you add DNSSEC+DoH/DoT on top, trying to MITM someone on a public WiFi is way harder than it was, unless you’re a state-level adversary and you’re able to craft valid certificate for a domain you don’t control from a globally trusted (root) certificate autority (which will lose its trusted status quite fast once discovered, ex: CNNIC)
Yeah, the days of your local coffee shops Wi-Fi being a problem or mostly gone. Not the VPN doesn’t have a place anymore though. If you’re trying to hide your downloading of ISOs from your ISP it’s still a perfectly reasonable method. Or temporarily relocating yourself to another country to make a purchase or watch some streaming content both perfectly reasonable.
Of course some of the streaming providers are getting wise to this.
I have a VPN so I can securely access my home network when I’m away
Yeah, pptp will always have a strong purpose and home. I’m more speaking to the viability of commercial anonymization VPN.
I have a feeling you are using pptp as shorthand for Point to Point disregarding protocol and already knows what I’m about to say. To anyone else reading this - PPTP is obsolete and unsafe. Use an alternative such as OpenVPN, WireGuard or SSTP.
Tailscale FTW. I honestly haven’t looked at the underlying protocols in years. Was using ubiquiti’s implementation of openVPN but it seemed to get grumpy when you connect one user multiple times.
Poking around at available products, I had settled on zero tier and tailscale, I went ahead and tried tail scalefirst because it was basically free for my house. One month in, I had a few decent detectable guys at work join me on a trial there. Full licenses for everybody at work cost less than my Cisco refresh. And makes it so that the office is no longer a critical hosting site.
OpenVPN allows multiple connections if you enable duplicate-cn:
–duplicate-cn
Allow multiple clients with the same common name to concurrently connect.
In the absence of this option, OpenVPN will disconnect a client instance upon connection of a new client having the same common name.
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/There’s also headscale if you wanna selfhost the tailscale control server:
https://github.com/juanfont/headscaleIt was allowing me to make multiple connections but they were unpredictable, I assumed it was a unified problem back in the day thanks for the information!
I use a VPN for the same reason I use the Internet. Porn.
why would I need to hide my terabytes of Linux ISO downloads?
Bill Gates, man, Bill Gates
It’s all fun and games until a Microsoft Purity Enforcement squad is kicking in your door.
Nah, it’s all good I subscribe to Linus Torvalds protection services. When the Microsoft vans get within four blocks of my address, They’ll drop ship in dozens of fully-armed penguin paratroopers. After the incursion they even send in a penguin based cleaner team to help get rid of the remains.
Because we see which distros you’re using, and we judge you for it.
Gentoo, in 2024? Really? You should be using Arch if that’s your thing. It’s not the 90s any more.
Arch? I prefer EndeavorOS as it lets me easily install an arch distro using a nice GUi, I really don’t care about the nitty gritty of setting up my own network manually, i am like 99.9% of people in that regard
You don’t want their admin to contact you about how you’re a n00b for not using Arch.
Or the tld is .mobi
Interesting read, thanks!
Not all applications on your computer may be encrypting their packet traffic properly, though. That goes especially for the applications that might be trying to reach out for resources on your local home network (like printers, file shares, and other home servers) as well as DNS requests which are usually still made in the open. I would not recommend eschewing an entire security layer willy-nilly like that. On public Wi-Fi, I would definitely still suggest either a VPN or using your cell phone as a tether or secure hotspot instead if possible.
Sure, but it’s also like, if you’re stepping away from your laptop for a few minutes should you lock the screen or shut it down completely.
The most secure option is to shut it down completely, but also it’s fine to just lock your screen.
If you’ve already got a VPN and it’s as easy as locking your screen to enable, go for it, use it. But if you don’t, you don’t need to go out and get one. You’ll generally be ok without one.
The most secure option is bringing the laptop with you.
I mean, technically - the most secure option is irrevocably destroying the laptop everytime you have a break.
Oh so a one time pad
I’m not online enough to understand this.
how do I reboot my computer?
Throw a brick at it.
That’s just turning it off with Style✨
that’s gonna brick it. it’s right there in its name.
people on the internet and their advice sometimes, ffs.
Nah, you just gotta do it correctly, yeah you might brick a few computers, TVs, cars or a couple electrical mains boxes, but once you master the technique you’ll be able to restart anything.
We call that percussive maintenance… the brick is optional.
Hailey “Hawk Tuah” Welch is an influencer that gained a lot of popularity from her nickname (the sound of spitting, with HEAVY implications of performing fellacio). She used her platform to voice a very reasonable and intelligent opinion, which surprised a lot of people because her nickname is essentially blowjob queen.
One of her opinions is that it’s important to spread cyber security and used her fame to try to educate the public (potentially a fake story from the image? Idk this drama). And some xit-head claiming to be a cyber security expert ate the onion and offered some shitty advice. Proton fact checked them, because there are a ton of fake news stories about her right now.
Thanks for clarifying. This thread has felt like the cyber security equivalent of the Flat Earth Theory.
Sorry, not just implication; she was straight up talking about that.
deleted by creator
I’m pretty sure that Proton quoting her in the first place is fake. I know she’s milking her 15 minutes of fame for all she can, but this seems outside her experience.
but this seems outside her experience.
When has that ever stopped people from saying shit.
So I’m confused networking stuff has never been my strong suit, is this saying you can still be fucked on public WiFi even if you connect through a VPN?
Networking stuff IS my strong suit, and I’m confused about what points most people here, including OP, are trying to make here. Maybe I’m just not awake enough yet.
Wtf proton what? What do people think Proton is saying and what’s the WTF part…?
Also - using someone who got famous by describing sucking dick seems quite weird :) Who wants technical advice from her?
What does sucking dick have to do with technical competency?
That’s the joke.
Can someone share proton’s response? I don’t have a xitter account
https://xcancel.com/ProtonVPN you can find it here
Appreciate the alternative!
Grabbed this screenshot because I don’t trust anything on Twitter to stay visible (or the platform to even be stable)
https://protonvpn.com/blog/public-wifi-safety/#:~:text=5 ways to stay safe on public WiFi
Nobody has a Xitter account.
Millions and millions of idiots do.
Is this some highly-voted pedantry about the site not technically being called “Xitter”? Or wtf is going on in this thread…?
The only effective antivirus program known to man is called a backup
How is this related to a VPN? Antivirus does nothing against a MITM attack.
Woosh
I’m saying that no system is secure on a long enough timeframe . But that if you do get infected you can nuke and pave if you have a backup. Most of these VPN advertisers treat their product VPN like a magic shield / antivirus when it is In fact, nothing more than a fancy condom.
VPN is not an anti-virus program. Also, you can’t really backup your online accounts and restore them in case they are hacked.
I am fully aware it’s not an antivirus program which is why I’m mocking people who pretend that they are. Just being on a virtual private Network does not protect you from man in the middle attacks. Sure it hardens your device against Wi-Fi eavesdropping. But you are still vulnerable to DNS spoofing session hijacking cache poisoning and SSL stripping. Aka a VPN won’t protect you from man in the middle attacks once you’ve entered a site app or network under someone else’s control.
My day job is in web hosting.
When I first saw this I thought it was funny. The fact that so many people are falling for it has only made it even funnier.
FWIW, Haley Welch might seem dumb as bricks, but she also seems quite sweet - doing charity stuff, keeping her other friend from “that” vid for the ride, etc. As far as people becoming famous for bullshit reasons goes, she seems to be handling it well.
Falling for what?
She’s handling fame better than Chappel Roan.
You think she’s not handling fame well because she’s setting clear boundaries, and reminding fans that she’s not their friend just because she’s famous?
No, because she has a reaction video to every single negative thing anyone says on TikTok. I’m all for her boundaries.
she has a reaction video to every single negative thing anyone says on TikTok
Ew.
I feel bad for her, honestly. She was open about her sexuality and she’s conventionally attractive, so now she has all these leering old men on TV slobbering all over her.
Bill Maher practically tried to talk her into bed on his show with his creepy shit about mentoring her.
Oof. What is up with these creepy, sweaty dudes on talkshows? I know they somewhat reflect the general populace, but to pull shit like this on air is just boggling.
They don’t reflect the “general populace” it’s just that you kinda have to be an asshole to become famous or you become an asshole afterwards.
I didn’t know who she was, so I just assumed it was true and that she was just another celebrity sponsored by a VPN company.
"It’s a prank bro"😅 but seriously as an IT guy I’m tired of pushing VPNs down our (collective) throats, not saying the threat isn’t real but it’s really overblown by the ads
Just free, unregulated market shenanigans.
I don’t know how effective VPNs are over a public WiFi network, but I do know it stopped Spectrum from sending me “you are downloading copyrighted material, stop it” emails once I started using one. Fuck Spectrum, I don’t have them anymore, but that seems like a good enough reason to keep using one in certain circumstances.
On public WiFi I just vpn into my home network. The issue with public WiFi is that it can be sniffed by anyone in range since there is generally no encryption.
Although pretty much everything we do is over tls these days, and DoH helps protect against even dns sniffing. There’s still at least some risk to working in the clear over a public WiFi network. At least in information gathering, what bank you use, etc.
But, there’s no real benefit in using a paid vpn over one you own unless you’re downloading illegal content, want to watch another Netflix region, or are in a country with heavy Internet monitoring/filtering.
With TLS and DoH, how is your bank and other information leaked?
Possibly the domain is visible with a traffic monitoring tool. Everything else is between you and the bank via HTTPS. Having said that, whatever is not over https is visible to whoever sits on the same network as yourself.
Importantly, you probably don’t know what all is encrypted in every app you use on your phone, so it’s best practice to encrypt the transport.
He said “which bank”, which could be determined by the sniffing DNS requests, or seeing which IPs his computer is connecting to.
Not a breach of his personal information (assuming the bank that he’s using and the client he’s using after putting everything in TLS properly).
But with DoH you can’t sniff the DNS, that’s the whole point.
But you can see the ip address, which will id the bank. They can derive other information by ip addresses or leaked data and there’s still things using unencrypted connections even today. I generally just connect to my home vpn so at least it’s inly my isp spying on me.
Generally you can also read the SNI.
They need to advertise a legitimate use for their service.
If they don’t have a threat from public wifi or other security concerns to remedy, then the only purpose for their service is to bypass region limits and block infringement notices. They would be considered complicit in such infringement.
That their service also hinders efforts to stop pirates needs to be an “unintended” and “unavoidable” side effect.
I use Proton when I’m on my university’s campus because they switched to using EDUroam for the campus wifi. I used to be a Sys Admin at a different university a while back, and from what I know, EDUroam allows the IT department to monitor basically all of the traffic over the network. I don’t know exactly how deep that stuff goes, but if I was doing anything personal or sensitive like banking or whatever, I’d flip on the VPN on my personal computer. I also don’t have any personal accounts logged in on the school issued laptop because they have it loaded with institutional spyware. Once I graduate, I’ll blank the drive and reinstall the OS to have a decent Lenovo laptop on hand as a spare.
Edit to add: I use Proton because it was the least shady service that I could get for a reasonable price as a student. It is also helpful for finding textbooks. :)
I’m not defending Proton. I don’t even use them.
Edit: The region limits thing is nice though. It’s not why I got the VPN, but it’s nice to not have to pay to watch the Olympics and just watch it via the CBC or the BBC.
I experienced the same with Cox Internet.
This was poorly executed. The National Park Service twitter account does jokes well.
The only real use case for VPNs is to bypass geo blocking on streaming sites, and the VPN providers know this. They also know that if they lean too hard into that, eventually someone will sue them and their business model will evaporate - so they add the “iT MaKEs yOu mORe SeCurE” nonsense as a fig leaf so they can say with a straight face that they operate a product with legitimate uses
I can’t say VPNs are great for bypassing geo restrictions in 2024, unless you’re talking about tunneling through your home network.
That is definitely what 90% of people use them for.
I think Tom Scott is the only person who’s ever done an honest VPN sponsor read.
Ryan George too, he’s very clear in his VPN ad reads that he uses them to access streaming that isn’t available to him in outer space (his shtick is that he’s an ADstronaut).
Taking cybersecurity advice from someone called Hawk Tuah is modern day version of clicking banner that says find 40+ single women in your zip code
Hot MILFs wanna talk to YOU!
Thank goodness someone explained that to me. I was startong to wonder if she was some sort of technology expert, or something.
Who is she?
the girl from the memes a few weeks ago https://knowyourmeme.com/memes/hawk-tuah-girl
Mulvad.
I don’t understand why everyone assumes using a VPN means paying for a third party. I have Wireguard deployed in my NAS and I always have that VPN connection active on my phone to be able to access my LAN deployed services remotely, Jellyfin for example.
It’s also worth mentioning that the VPN in question, Proton, offers one of the best free tiers of any VPN company.
My setup as well (plus encrypted DNS for good measure)
I still have to somehow trust my ISP but I go down from having to trust my mobile ISP, my employer WiFi, random shops WiFi to just one ISP (that,fwiw, has shown to be transparent, customers friendly etc)
Most VPNs sell themselves on encrypting your traffic to an endpoint that either is in a different locale to get around region locks or to put it out of the grasp of the RIAA so they can’t send your ISP copyright notices.
While remote access to a local network is a good use case for a self-hosted VPN it’s totally unrelated to the use case for commercial VPNs
For the use case of encrypting your traffic while using a public WiFi, both commercial VPNs and self-hosted ones provide the same functionality.
Yes that’s true. But also that’s the wink and nudge marketing claim that VPN marketers make while everyone knows the real reason you are using a VPN.
With HTTPS, DNS-over-HTTPS, and most endpoint firewalls dropping non-gateway traffic, the risk is a lot less than the VPN ad reads want you to believe
DNS-over-HTTPS sounds like it’ll be the least used by general public since most people I know are still using default DNS settings which would point towards their ISP’s. I’m not sure how many ISPs have moved towards DNS-over-HTTPS or if they are even activated by default.
I think the point they’re getting at Is that you can’t use a self-hosted vpn to hide your piracy activity because the link is registered to yourself.
Yes, but this thread is about security while using public Wi-Fi, which the original comment was saying doesn’t require commercial VPNs.
I do the same, but it’s very clear that when people talk about “a VPN” they’re referring to a commercial cloud hosted product.
I don’t understand why everyone assumes using a VPN means paying for a third party.
It’s because that is what is advertised to them.
For less technical people or just don’t want to deal with public-facing open port: Tailscale or Zerotier are both great option (use Tailscale if former)!
I am technical, I decided to just not open up any port that’s not needed for Plex and Jellyfin, sometimes it would be nice to access radarr and sonarr remotely, but fuck I just don’t want to deal with the setup
Since Wireguard uses UDP and peers only reply to a received packet if it’s expected and valid, it won’t show up in port scans and barely increases your attack surface. Tailscale and Zerotier are quite nice, but personally I dislike NAT-punching protocols.
I use tailscale for hosting gameservers for friends and the occasional watch together on jellyfin. Kinda scuffed setup with one burner github account for login. And ~10 devices connected to that network. So I need to authenticate every device myself (at the beginning and sporadically) but I don’t need to pay Tailscale for adding multiple accounts to the network.
At the beginning I tried to do set up everything with my own wireguard server. I only have a public v6 IP, so some of my friends connected without problems and for some it would not work. After I think 3h helping them in their router settings I just gave up. I looked up if I could rent a service somewhere that gives me a public Ipv4 relay, found Tailscale instead and stopped looking for something else haha. Sometimes it’s not worth the effort.
I tried setting this up, and I can connect to my honeserver, but I’ve no idea how to access its LAN services. How does it work?
Do you have internal DNS set up? I have my wire guard deployed on both of my pihole servers, which have local DNS entries for my internal services, which point back to my internal Traefik container for NAT translations. I know that sounds a bit complicated, but that’s how it works for my environment.
