Windows 10: Why is using unsecured wifi so DANGEROUS that a VPN is necessary? Solved

  1.    20 Feb 2018 #1

    Why is using unsecured wifi so DANGEROUS that a VPN is necessary?


    I'm sorry but I didn't go to school for this so Iím still trying to understand all of this. It's been months and I still haven't gotten the hang of it. I'm sure this goes for many people like me.

    The question today is:

    Why do I need to access my own VPN when I'm accessing the internet outside using someone's unsecured wifi (eg. coffee shop)?

    Doesn't SSH encrypt the data between you and the website you're accessing? So, doesn't everything you communicate with the website get encrypted? How does the host that offers the free wifi get access to your data?

    Now say you're outside again but this time, you are in the same coffee shop but first access your own VPN server and then start going to other websites on the internet. How does doing this make you more secure? You access your own VPN server via SSH so that the data is encrypted like before. But, now all data goes through the VPN server first and then back out to the internet. How is this safer?

    I guess I just don't get it. I'm missing something here.
      My ComputerSystem Spec

  2.    20 Feb 2018 #2

    Whatever faults Norton/Symantec may have, they do a good job of educating users. Here's an article they wrote recently (it's got a 2018 copyright on it, but I don't see a date in the HTML source markup) entitled "What is a VPN? And why you should use a a VPN on public Wi-Fi." I believe it will answer your questions, and address your concerns.
    HTH,
    --Ed--
      My ComputersSystem Spec

  3.    20 Feb 2018 #3

    Major sites requiring HTTPS/TLS is a very recent advancement and still not all sites require it. Even ones that do may still be vulnerable to downgrade attacks like SSL Strip for Newbies ‚ÄĒ Thanks to Moxie Marlinspike Whiskey Tango Foxtrot .

    From the time you associate with an open WiFi AP there is a lot of unencrypted traffic between your PC and the network before you even get to the first encrypted packet. For instance, to get to https:// google.com your PC needs to send ARP requests, DNS queries, as well as the initial TLS handshake, which are all unencrypted/unauthenticated. That's not to mention any background traffic from Windows or other apps aside from your browser that you might now know about.

    Man-in-the-middle attacks can and do take advantage of this brief period by posing as a legitimate AP (or by hijacking a legitimate AP - see http://www.fire-fx.tv/blog/2017/3/17...-in-the-middle

    You can mitigate all these with careful vetting of every AP you're connecting to but it's much simpler to just use a VPN.
      My ComputerSystem Spec

  4.    20 Feb 2018 #4

    Ed,

    Thanks for the link but I have literally read similar explanations like a 100 times but I still don't get it.

    It doesn't really explain in detail why accessing via HTTPS is any different than accessing via VPN. I read your link and it states that initially, data is exchanged that isn't encrypted as they probe each other. But wouldn't this happen when you first initially contact a VPN server?


    EdTittel said: View Post
    Whatever faults Norton/Symantec may have, they do a good job of educating users. Here's an article they wrote recently (it's got a 2018 copyright on it, but I don't see a date in the HTML source markup) entitled "What is a VPN? And why you should use a a VPN on public Wi-Fi." I believe it will answer your questions, and address your concerns.
    HTH,
    --Ed--
      My ComputerSystem Spec

  5.    20 Feb 2018 #5

    Polar,

    I read the links but I still have the same question. How does the VPN server provide more security than accessing via HTTPS? Couldn't a man in the middle attack do the same thing as when you contact a server via HTTPS? It can pose as a VPN server but then forward the info you give to the VPN server and establish itself between you and the VPN server just like it does when you access a website connected via HTTPS?

    There is one detail I forgot to mention in my initial post. I was referring to a personal VPN (not a VPN service provider) that I created between two of my networks. I created a VPN tunnel between two networks between my home and my parent's home. The VPN servers are my routers and I connected my smartphone to my personal VPN via my routers.

    Is this safe to do? Or does it have the same security issues as connecting to a website that offers an HTTPS connection?

    PolarNettles said: View Post
    Major sites requiring HTTPS/TLS is a very recent advancement and still not all sites require it. Even ones that do may still be vulnerable to downgrade attacks like SSL Strip for Newbies ‚€” Thanks to Moxie Marlinspike Whiskey Tango Foxtrot .

    From the time you associate with an open WiFi AP there is a lot of unencrypted traffic between your PC and the network before you even get to the first encrypted packet. For instance, to get to https:// google.com your PC needs to send ARP requests, DNS queries, as well as the initial TLS handshake, which are all unencrypted/unauthenticated. That's not to mention any background traffic from Windows or other apps aside from your browser that you might now know about.

    Man-in-the-middle attacks can and do take advantage of this brief period by posing as a legitimate AP (or by hijacking a legitimate AP - see http://www.fire-fx.tv/blog/2017/3/17...-in-the-middle

    You can mitigate all these with careful vetting of every AP you're connecting to but it's much simpler to just use a VPN.
      My ComputerSystem Spec

  6.    20 Feb 2018 #6

    Let me give you a very real, and common example.

    You go into a very busy coffee shop with public wifi, and you want to access your bank's site.

    So, you go to http://www.yourbankhere.zzz and it presents you with the site, and you even see that it's encrypted. So good, right?

    Wrong.

    An attacker has, in reality, compromised the Wifi's DNS configuration, and is routing all request to http://www.yourbankhere.zzz to his own site that looks exactly like the real one. When you enter your credentials, he responds with a "We're sorry, an error occurred" or something and he nabs them and uses them to log into your bank site and steal your money.

    Because DNS is insecure, a compromised DNS configuration essentially means you cannot trust that you're actually going to any site you think you're going to, and regardless of whether you are using HTTPS and see a lock icon, your trust is misplaced.
      My ComputerSystem Spec

  7.    20 Feb 2018 #7

    CerebralFreeze said: View Post
    I read the links but I still have the same question. How does the VPN server provide more security than accessing via HTTPS? Couldn't a man in the middle attack do the same thing as when you contact a server via HTTPS? It can pose as a VPN server but then forward the info you give to the VPN server and establish itself between you and the VPN server just like it does when you access a website connected via HTTPS?
    If you configured your client and server correctly, there is no way for a MITM attack on the connection (aside from some bug). The TLS handshake guarantees that. This applies to both your VPN (assuming it uses TLS) and HTTPS.

    The problem comes from misconfigured or out-of-date client/server software. For instance, downgrade attacks allow a MITM to force the client and server to use an obsolete cipher suite by modifying the initial TLS negotiation. Ideally these old ciphers would be disabled but they linger around for backwards compatibility and people don't bother removing them. Again, this is true for both your VPN and HTTPS website, but you actually have control over how your VPN is configured.

    The other problem is that HTTPS protects a only single connection. VPN protects all your connections. If you are 100% sure that you only have one socket connected to an HTTPS server, that server is using the proper security (certificate pinning, HSTS), you are verifying the certificate for that server, and you are using a trusted DNSSEC server for all your DNS queries, then yes, you won't really get any additional benefit with using a VPN. Of course, websites pull in content from multiple sources (i.e. for ads and scripts), so you'd have to verify those connections as well. And Windows does stuff all the time in the background so you'd have to check those connections too.
    CerebralFreeze said: View Post
    There is one detail I forgot to mention in my initial post. I was referring to a personal VPN (not a VPN service provider) that I created between two of my networks. I created a VPN tunnel between two networks between my home and my parent's home. The VPN servers are my routers and I connected my smartphone to my personal VPN via my routers.
    Is this safe to do? Or does it have the same security issues as connecting to a website that offers an HTTPS connection?
    As long as you keep the routers up to date with security fixes then that's perfectly fine.
      My ComputerSystem Spec


 

Related Threads
from Steam £4.99. I presume its single play, dont like multiplay. Tried training target practise, keeping ship on target was the hardest.
Homeland Security warns of 'BrickerBot' malware that destroys unsecured internet-connected devices Homeland Security warns of 'BrickerBot' malware that destroys unsecured internet-connected devices | ZDNet
I can't connect to Unsecured network in Network and Sharing
When I go to coffee house and look at available networks, the unsecured network of coffee house shows up with a shield symbol. I can't connect to this network. I have been using this network for 2 years and suddenly it appeared with this symbol....
No Unsecured internet Access in AntiVirus, Firewalls and System Security
Surface Pro 1 8Gb Ram 256Gb SSD Just upgraded to windows 10 and thought everything was good until i tried the internet. I cant open any unsecured Internet pages. So HTTPS works well but nothing for HTTP.
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 16:29.
Find Us