Why is a VPN "safer" on public networks? No really...why

Hello everyone. I have been working in cyber security for about 2 years now. I try my best to get down to the technical “whys” for practices whenever possible. Something I have been researching off and on now for a month is the technical benefits of client-focused VPN usage.

I know the basics of how a VPN works, and I pay for and use one personally because when I broke into the career field I always heard it was safer to use one.

I have seen many, many people say and post something like this: “I don’t use a VPN at home, but you should always use a VPN on a public network like a hotel or restaurant.”

I realized last month that I don’t necessarily know the why for this as much as I thought I did, and my research online and discussions with others have not really left me satisfied. I was hoping to get some perspectives from people that have been in the industry for a bit.

If I was in an untrusted public network, I am tracking a couple of risks:

  1. Evil twin -> I connected to a malicious device and am going through it to make requests now
  2. Compromised router -> Potential access to see my packets coming into and leaving the network
  3. Sharing a network with someone potentially malicious -> I am sure they could arp-scan and probe my device

I am sure there are gaps in my knowledge as to why I am having an issue answering this, so please let me know if there are things I am not considering as I hope to learn from this.

For risks 1 and 2: I ran some Wireshark before making this post to spot check my basic understanding of TLS. When I browsed to reddit, it looks like I was indeed using TLS. From what I understand, most websites utilize HTTPS. If a “bad guy” was sniffing me out, even on a public network, they would see my ClientHello, which does contain the SNI for reddit and my JA3 information. After that, all the application data is encrypted. So they would essentially know that someone with my private IP and MAC is establishing a TLS connection with reddit.

Now in a more serious attack like Evil Twin, I suppose there is the risk of getting sent malware from a legit MitM position, depending on whether the website uses any unencrypted things like JavaScript files, if I am solely relying on TLS with no VPN.

For risk 3: I could be pinged and probed sharing a network with someone. With proper endpoint device security, this doesn’t seem too bad, not ideal, but the VPN does not fix this problem. Me establishing a tunnel to the VPN server does not eliminate the fact that someone in my same network can try to interact with my Private IP/MAC.

These are the benefits of a VPN that I am tracking:

  • Geolocation spoofing/Privacy
  • Encrypted tunnel from client to VPN server. So if I browse to something that is not HTTPS, my unencrypted web request will be inside the encrypted VPN tunnel on the way to the VPN server; however, the traffic from the VPN server to the HTTP server will be unencrypted.
  • Maybe it's harder to strip encryption from a VPN provider than TLS?

Is there anything I am missing in the risks above or benefits of VPN usage within the context of an untrusted network? I am under the impression someone is probably fine if they are going to reputable websites even when on a public network. Some snooper will just get a bunch of SNIs and anything else in that ClientHello and server response.

I’m looking to fill my technological gaps instead of just agreeing that “VPN is good, so safe!”.

Edit:

Thanks for everyone that participated in this discussion! Learned a lot of different perspectives and technical deetz!

VPN at the coffee shop was made popular by the Firesheep software:

https://en.wikipedia.org/wiki/Firesheep

This was back when SSL wasn’t popular, so you could see what someone was browsing on Facebook.

So with SSL (TLS) it’s much safer, but similar issues are still around: do you trust that the gateway isn’t snooping on your traffic? Is it modifying your traffic? Some ISPs or cafes put ads in the web pages you browse, yes really.

So it’s all about trust: do you trust the café, do you trust your ISP, do you trust your VPN provider, etc.

The real reason we have VPNs is to communicate with resources behind a firewall. It was standard corporate access before most cloud services, and still is, so you can see it’s a technology that has been repurposed and mostly marketed to make a buck.

I see VPN usage as more of a privacy control than a security control (although privacy and security do go hand in hand).

At the end of the day, I don’t want anyone around me, especially in a public setting, to know what websites I am visiting. That info is still largely possible to discern even with HTTPS use by both the cafe’s gateway as well as the potential for someone within that cafe that might have poisoned my ARP cache for snooping purposes or is posing as an evil twin like you mentioned. They might not know the specific URIs I’m accessing due to the encryption, but they will still know the host I am sending the request to leading to a loss of privacy.

Your outgoing traffic from the VPN is also obscured amongst all the other users of that same VPN provider, leading to some privacy benefits there as well.

With a VPN, I still need to trust my VPN provider with all of this though. This is why at the end of the day, if I really want privacy, I just use TOR with my own obfuscating proxy/bridge server that I can connect to. This eliminates the concerns mentioned.

Your question has been well answered. I just wanted to commend you on asking a GOOD question, meaning that you did your research and own study to ensure that you had a strong foundation and are filling in the gaps. This is excellent behaviour and the type of core personality that will land you good jobs and growth if you keep the attitude. It beats people that ask: “Tell me XYZ”, without putting in any effort. Kudos and all the best to you!

With a $200 pineapple device and some copy-and-paste HTML I can sniff a fair amount of traffic in any public setting.

And while many websites use HTTPS, many mobile apps do not necessarily encrypt or cert pin inside the app itself, meaning mobile login info can be seen in plain text with some basic MITM.

SSL is rarely mutual, but is instead unidirectional authentication. And cert mgmt is all over the place regarding mobile apps. Banks are surprisingly bad.

With the amount of HTTPS around, general data stealing is unlikely. A bigger risk is DNS interception, which can be used for all kinds of different purposes, both good and bad.

Primarily it’s just for feel-good purposes these days - a huge number of people are obsessed with the boogie man of companies and people tracking their data. They perceive an incredible sense of harm and violation, far in excess of any actual reason beyond feels and hand waving, so that’s likely to be by far the largest motivator for VPN usage out there.

Don’t forget about CVE-2024-3661 aka Tunnel Vision - Uses DHCP’s Option 121 to modify routing tables without decryption.

The Classless Static Route Option for Dynamic Host Configuration Protocol - RFC 3442
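As an added illustration of the RFC 3442 encoding referenced above (not code from this thread or from the Tunnel Vision researchers), here is a decoder for DHCP option 121 plus a check that flags pushed routes which would win longest-prefix match against a VPN client's tunnel routes. The sample option bytes are constructed, and the assumption that the VPN installs the usual 0.0.0.0/1 and 128.0.0.0/1 pair is a stated default, not a fact from the page.

```python
import ipaddress

# Constructed DHCP option 121 payload (RFC 3442 encoding), not a real capture:
#   0.0.0.0/0 via 192.168.50.1, 203.0.113.0/24 via 192.168.50.1, 10.0.0.0/16 via 192.168.50.1
SAMPLE_OPTION_121 = (
    b"\x00" + b"\xc0\xa8\x32\x01"                  # width 0: default route, no destination octets
    + b"\x18\xcb\x00\x71" + b"\xc0\xa8\x32\x01"    # width 24: three significant octets follow
    + b"\x10\x0a\x00" + b"\xc0\xa8\x32\x01"        # width 16: two significant octets follow
)

def parse_option_121(data: bytes):
    """Decode RFC 3442 classless static routes into (destination network, router) pairs.
    RFC 3442 also says a client that honours this option must ignore the Router option (3)."""
    routes, pos = [], 0
    while pos < len(data):
        width = data[pos]
        pos += 1
        if width > 32:
            raise ValueError(f"invalid prefix width {width}")
        nbytes = (width + 7) // 8              # only the significant destination octets are sent
        dest_octets = data[pos:pos + nbytes]
        pos += nbytes
        if len(dest_octets) != nbytes or pos + 4 > len(data):
            raise ValueError("truncated option 121")
        dest_int = int.from_bytes(dest_octets.ljust(4, b"\x00"), "big")
        dest = ipaddress.ip_network((dest_int, width), strict=False)
        router = ipaddress.ip_address(data[pos:pos + 4])
        pos += 4
        routes.append((dest, router))
    return routes

def routes_overriding_tunnel(routes, lan="192.168.50.0/24",
                             tunnel_prefixes=("0.0.0.0/1", "128.0.0.0/1")):
    """Pushed routes more specific than the tunnel routes covering them: traffic for those
    destinations would leave via the physical interface, outside the VPN, with no decryption needed."""
    lan_net = ipaddress.ip_network(lan)
    tunnel = [ipaddress.ip_network(p) for p in tunnel_prefixes]
    flagged = []
    for dest, router in routes:
        if dest.subnet_of(lan_net):
            continue                           # on-link LAN traffic was never tunnelled anyway
        covering = [t.prefixlen for t in tunnel if dest.subnet_of(t)]
        if covering and dest.prefixlen > max(covering):
            flagged.append((str(dest), str(router)))
    return flagged
```

Feeding the option 121 bytes from a DHCP lease into this check is one way to notice a network that is steering specific destinations around the tunnel.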

At this point, VPN use is more related to privacy than security.

The difference between a home network and a public network like coffee shop or hotel is chain of custody of the hardware. In your home network, within reason, your personal hardware has passed from the manufacturer to you. Your ISP modem has passed from the ISP directly to you. It’s reasonable to assume the hardware has not been altered to violate your privacy/security. This isn’t so with a hotel, etc.

What can happen with the equipment out of your control? Isn’t TLS good enough? TLS is susceptible to man-in-the-middle to intercept and decrypt your TLS traffic. Typically if this happens, you will see the untrusted certificate message in your browser, etc. The problem is we have gotten so used to self-signed certificates that too many people just go right past that. Additionally, some services use CA certs issued by trusted sources, OR require you to install a CA cert before joining the network. This is A LOT of effort to go through to decrypt and steal data from a hotel’s wireless network. The VPN (the good ones at least) let you choose what protocol to use for your VPN, like IPsec, etc.

An additional security feature of VPN clients is that they often have settings to block known malicious sites. This is not unique to VPNs; it’s just another layer of protection.

That brings us to privacy. ISPs and operators of public networks routinely sell your data for advertising purposes. Doesn’t TLS protect your privacy? Sure, but it’s not infallible. A network device doesn’t need to completely decrypt your TLS session to see what you’re doing. They can simply inspect the certificate itself. The cert gives up information about where you’re going, which is something.

But TLS is not the only thing you’re pushing over a network. There’s also DNS. Nearly all public domains are categorized. You hit the public domain, you are probably using their DHCP services which is going to assign their DNS servers (or the ISP’s). Unless you’re using DNS over HTTPS, your requests are in clear text. Take a hotel. You join the ‘hhonors’ wireless, what happens? Portal screen to confirm your room number and last name. That authenticates you to the room. Your name, address, phone number, credit card, DOB and in some cases car make, model, license plate are correlated with that room. Some other public use networks may have you authenticate by confirming your identity by logging in to social networks. Regardless, they now have a log of your identity, IP address, and DNS requests (and TLS requests).

This data is then sold for the purpose of advertising and marketing. Or, depending on the size of your tinfoil hat, being provided to the government. But if you’re worried about government, there’s little you can do in the Internet to avoid detection.

Edit: Forgot to go into the idea of sharing a network with a malicious person. It’s not necessarily a case of scanning your computer. The risk is two-fold. One is if you are connected to an open wireless network, there is no encryption between you and the wireless router. Your packets can be captured. Most things are TLS now, so it’s not a huge concern. The other is a malicious actor ARP poisoning to assume the identity of the wireless router/gateway. They spam ARP responses naming their device’s MAC as the IP of the gateway. They retain a static entry mapping the real MAC of the gateway to the real IP of the gateway. Now everyone else’s traffic uses the malicious actor’s device as their first hop. From there the bad guy can break down your packets, blah blah blah. Again, TLS, but maybe you have a Windows box with a shitty local policy and you have a mapped drive at work. Your computer is now, potentially, trying to connect to that mapped drive with an older version of SMB and giving up credentials. Again, that is A LOT of effort to go through.

To put it extremely simply:

Without a VPN I can see what you’re doing. I may not be able to read your SSL traffic with a website, but I sure as hell can see which protocols you’re talking to what. If you’re running protocols without encryption I can easily listen to that traffic.

With a VPN I can see you have a VPN connection with a certain endpoint, and that’s pretty much it. I have no clue whatsoever what you’re up to inside that VPN.

My wife and I have a rule. Public wifi is OK as long as you enable the WireGuard to our box at home.

Not all of the transaction is within the TLS. The DNS before the TLS is usually unencrypted. And many non-HTTP protocols are still plaintext on the wire, or at least partially.
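To make concrete what the OP saw in Wireshark (the SNI in the ClientHello) and the point above about the DNS lookup that precedes it, here is an added example, not code from the thread: it builds a constructed DNS query and a constructed minimal ClientHello for a host name, then extracts the name from each the way a passive observer on the local segment could. Both packets are synthetic, not captures.

```python
import struct

def build_dns_query(host: str) -> bytes:
    """Constructed sample: a plain UDP DNS query for an A record (no real capture)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in host.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, one question
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN

def build_client_hello(host: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2-style ClientHello record carrying an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, host_name type, name len
    exts = struct.pack("!HH", 0, len(sni)) + sni                   # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # client_version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
            + b"\x01\x00"                                  # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def dns_qname(payload: bytes) -> str:
    """Name in the first question of a DNS message: readable on the wire before any TLS starts."""
    if struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12                       # fixed 12-byte header, then the question name
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def tls_sni(record: bytes):
    """server_name from a ClientHello, or None when the extension is absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs = record[5:]
    pos = 4 + 2 + 32                           # handshake header, client_version, random
    pos += 1 + hs[pos]                         # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                         # compression_methods
    if pos + 2 > len(hs):
        return None                            # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                         # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None
```

Both names are recoverable without breaking any encryption; only encrypted DNS and Encrypted Client Hello, or a tunnel that hides the whole exchange from the local segment, change that.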

Depends on what you do. I would say this: some average third-world country values your privacy more than your ISP does if you live in Western Europe or North America.

You need to understand that VPN was originally intended to be a way to get to corporate resources that live behind a firewall when you are connected to the internet from outside the firewall. VPN has been around since before wireless, and certainly before wireless was commonly available everywhere, so really, all this talk about using a consumer-focused VPN to protect your web browsing habits from those who may be out there trying to sniff your packets, read your email, steal your credit card number, etc., is less important in the world of real VPN and is mostly a marketing gimmick at this point thanks to modern web encryption. That is not to say that VPN when connecting to a public network for generic web browsing or whatever isn’t a good thing… It is a good thing, as you should never trust a network that is not your own; I just mean that this particular use of VPN was not its original or even current primary purpose.

Corporate VPN also plays a significant role in conditional access, as many internet facing web/logon portals will completely ignore you if you aren’t coming from a known-good IP address. When we distribute laptops, they aren’t able to function on the internet until they are connected to their VPN. It’s automatic and invisible to the end user, no need to connect manually or even think about it from their perspective. So as you can probably imagine, beyond simply securing web traffic, it’s also very effective in the ongoing battle to keep data properly contained within the org resources. Because modern corporate VPN techniques are also aware of the endpoint they’re connecting from, it nearly entirely eliminates people connecting to resources from unknown endpoints and downloading or even viewing corporate data.

Even if most websites support TLS, there are still multiple ways to end up contacting them via HTTP instead of HTTPS if the URL does not start with https://. Some things to consider:

  • Most websites don’t support HSTS, and even fewer support HSTS preload.
  • It’s kinda mitigated by browsers, which more and more are by default in “HTTPS-first” mode, where they try to reach the website via HTTPS even if the URL does not start with https://. If it fails they fall back to HTTP. But that behavior is not standard across browsers. For instance, I did some tests in late 2022 and, depending on the browser, clicking on a link containing http://example.com or typing that URL manually may or may not end up in a plaintext request. According to my notes Chromium-based browsers handle it worse than Firefox. But for Firefox you need to either be in private browsing or switch a bool in about:config (dom.security.https_first) because it defaults to false. In both cases it means most Firefox users won’t benefit from that protection, as most users don’t tweak settings, and only using private browsing is annoying as it purges auth/session tokens stored in cookies or local storage.
  • Still according to my notes, the only behavior that seems reliable by default on Chromium-based browsers and Firefox is to internally upgrade to HTTPS if the user types example.com manually (so without the protocol). That would render exploits like the one used to infect targets with Pegasus harder to pull off. But see the next point.
  • A lot of services still send http:// links via email or SMS, or links without the protocol (e.g. directly example.com). IIRC from my tests, links without the protocol tend to be more reliably internally upgraded to HTTPS. As for links starting with http://, see the second point.

There is also the downgrade attack mentioned here: Even if most websites support TLS, most of these also still support ciphers that are no longer considered secure, so you are still vulnerable to MitM. Disclaimer: I don’t have the knowledge to judge if what this website claims is sound, I am just relaying the information.

To sum it up, a VPN might help defend against some MitM related threats:

  • Downgrade attacks, supposing the VPN only supports state-of-the-art ciphers.
  • Unreliable browser behavior if a URL not starting with https:// is visited and the website actually supports HTTPS, said behavior potentially exposing the user to a MitM because a plaintext request is sent.
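The HSTS behaviour discussed above is specified in RFC 6797, and the part a practitioner usually wants to see is how a host becomes "known" and when an http:// URL is rewritten before any request leaves the machine. The following is an added model of that logic (not any browser's code and not from this thread); it assumes a preload list supplied as a plain list of host names, ignores ports, and compares host names case-insensitively.

```python
from urllib.parse import urlsplit

class HstsCache:
    """Minimal RFC 6797 'known HSTS host' store, an added illustration rather than a browser's code.
    Assumptions: host names compare case-insensitively and ports are ignored."""

    def __init__(self, preload=()):
        # host -> (expiry timestamp, includeSubDomains); preloaded entries never expire
        self.hosts = {h.lower(): (float("inf"), True) for h in preload}

    def learn(self, response_url: str, header_value: str, now: float) -> bool:
        """Apply a Strict-Transport-Security header. Returns False when it must be ignored:
        RFC 6797 only lets a host become known via a response received over HTTPS."""
        parts = urlsplit(response_url)
        if parts.scheme != "https":
            return False
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age" and value.strip().strip('"').isdigit():
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                        # max-age is mandatory; the header is invalid without it
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)          # max-age=0 tells the UA to forget the policy
        else:
            self.hosts[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """Exact match, or a parent domain whose policy carries includeSubDomains, still unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires > now and (i == 0 or include_sub):
                return True
        return False

    def effective_url(self, url: str, now: float) -> str:
        """What actually goes on the wire: an http:// URL is rewritten to https:// for known hosts
        before any request is sent, so no plaintext request ever reaches the local network."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            return "https://" + url[len("http://"):]
        return url
```

The first plaintext visit to a host that is not preloaded is exactly the window the comment above describes: the policy can only be learned over HTTPS, so until that first secure visit nothing rewrites the URL.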

It’s not. You’re just moving who you trust. Unless you are actually using it to access a private network across the public internet, but strangely that is the minority these days.

It matters less now than it used to, from a technical perspective. But at the same time…the bad guys are worse and so are the impacts.

TLS and other forms of encryption protect you about as well as a VPN would, but the problem is not knowing for sure that everything is encrypted. You don’t control every connection and protocol that’s used, and some things do get missed by devs (or just aren’t usually encrypted to begin with). But if you’re using a VPN, you dramatically reduce the risk of something problematic going out in the clear on your local segment.

Think about it this way: of all people, how many of them would click “continue anyway” on an error such as this?

The answer is a lot. It is the reason that HSTS exists: it removes the user’s ability to click “continue anyway”. You cannot even connect to this page in a modern browser unless you do some shenanigans.


What I do like about using a VPN is the fact that you can increase security by adding pi-hole/pfBlockerNG and snort/suricata. I use WireGuard + pfBlockerNG and Suricata on my pfSense box at home. The benefits of ad-blocking and blocking trackers are amazing. There is a paper on Google Scholar that you can reference: Securing Network Using Raspberry Pi by Implementing VPN, Pi-Hole, and IPS (VPiSec).

For banking I just use a hotspot in public. Alternatively you could set up a VPN using your home router so that you surf via your home network if you aren’t sure about the encryption in the public network you are in.

And here is a citation from CompTIA Pentest+ learning material (PT0-002, Topic 10A page 3):

When sending and receiving wireless transactions on a LAN, there may be sensitive information transmitted. For example, if you are in a coffee shop that offers free internet, the connection might not be encrypted, which will leave your data exposed. A malicious actor might be able to obtain your information, such as credit card numbers or login credentials, by using traffic sniffing. Because of this threat, it’s best to encrypt data with the strongest protocol available.

But if you want details, you might wanna set up a lab and try it out yourself. The biggest problem with public networks I see is that you don’t know the configs, and they are most probably not set up using best practices.