Why is using unsecured wifi so DANGEROUS that a VPN is necessary?


#1
    I'm sorry but I didn't go to school for this so I’m still trying to understand all of this. It's been months and I still haven't gotten the hang of it. I'm sure this goes for many people like me.

    The question today is:

    Why do I need to access my own VPN when I'm accessing the internet outside using someone's unsecured wifi (eg. coffee shop)?

    Doesn't SSH encrypt the data between you and the website you're accessing? So, doesn't everything you communicate with the website get encrypted? How does the host that offers the free wifi get access to your data?

    Now say you're outside again but this time, you are in the same coffee shop but first access your own VPN server and then start going to other websites on the internet. How does doing this make you more secure? You access your own VPN server via SSH so that the data is encrypted like before. But, now all data goes through the VPN server first and then back out to the internet. How is this safer?

    I guess I just don't get it. I'm missing something here.


#2

    Whatever faults Norton/Symantec may have, they do a good job of educating users. Here's an article they wrote recently (it's got a 2018 copyright on it, but I don't see a date in the HTML source markup) entitled "What is a VPN? And why you should use a VPN on public Wi-Fi." I believe it will answer your questions, and address your concerns.
    HTH,
    --Ed--


#3

    Major sites requiring HTTPS/TLS is a very recent advancement, and still not all sites require it. Even ones that do may still be vulnerable to downgrade attacks like SSL Strip for Newbies — Thanks to Moxie Marlinspike Whiskey Tango Foxtrot.

    From the time you associate with an open WiFi AP there is a lot of unencrypted traffic between your PC and the network before you even get to the first encrypted packet. For instance, to get to https://google.com your PC needs to send ARP requests, DNS queries, as well as the initial TLS handshake, which are all unencrypted/unauthenticated. That's not to mention any background traffic from Windows or other apps aside from your browser that you might not know about.

    Man-in-the-middle attacks can and do take advantage of this brief period by posing as a legitimate AP (or by hijacking a legitimate AP - see http://www.fire-fx.tv/blog/2017/3/17...-in-the-middle).

    You can mitigate all these with careful vetting of every AP you're connecting to but it's much simpler to just use a VPN.
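    The "unencrypted traffic before the first encrypted packet" point above, shown concretely. This is an added example and not code from the thread: it constructs a DNS query and a TLS ClientHello for a made-up host (bank.example), then parses them the way a passive listener on the open WiFi would, recovering the hostname from both the DNS question and the Server Name Indication in the ClientHello. The third constructed record is encrypted application data, from which nothing is recovered. The parsers handle only this minimal packet shape, not every DNS/TLS variant.

```python
"""What a passive listener on an open Wi-Fi network can read before the
first encrypted byte: the DNS question and the Server Name Indication
(SNI) in the TLS ClientHello.  Added example; not code from the thread.
Packets are constructed below (hostname bank.example is made up)."""
from __future__ import annotations

import struct


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS A-record query, as a client sends it over UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN


def parse_dns_question(pkt: bytes) -> str:
    """Read the queried name out of the first question section."""
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS record carrying a ClientHello with an SNI extension."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\x13\x01\x13\x02\xc0\x2b"                  # three modern suites
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                        # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> str | None:
    """Return the SNI hostname from a ClientHello record, or None if the record
    is not a handshake (e.g. an encrypted application_data record, type 0x17)."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                      # record + handshake headers, version, random
    pos += 1 + record[pos]                # session id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                     # cipher suites
    pos += 1 + record[pos]                # compression methods
    if pos + 2 > len(record):
        return None                       # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                    # list len(2), name type(1), name len(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None


def leaked_hostnames(packets: list[tuple[str, bytes]]) -> list[str]:
    """Names a listener learns from a capture of (protocol, payload) pairs."""
    seen = []
    for proto, payload in packets:
        if proto == "dns":
            seen.append(parse_dns_question(payload))
        elif proto == "tls":
            name = parse_sni(payload)
            if name:
                seen.append(name)
    return seen


# Constructed capture: the DNS lookup, the ClientHello, then an encrypted
# application_data record (the first bytes that actually hide their content).
SAMPLE_CAPTURE = [
    ("dns", build_dns_query("bank.example")),
    ("tls", build_client_hello("bank.example")),
    ("tls", b"\x17\x03\x03\x00\x05" + b"\x8a\x11\x02\xf7\x3c"),
]

if __name__ == "__main__":
    print(leaked_hostnames(SAMPLE_CAPTURE))
```

    The hostname appears twice in the clear (DNS and SNI) even though the page content itself will be encrypted; with a VPN tunnel up, both of those would be inside the tunnel and the listener would see only the tunnel endpoint.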


#4 (Thread Starter)

    Ed,

    Thanks for the link, but I have literally read similar explanations like 100 times and I still don't get it.

    It doesn't really explain in detail why accessing via HTTPS is any different than accessing via VPN. I read your link and it states that initially, data is exchanged that isn't encrypted as they probe each other. But wouldn't this happen when you first initially contact a VPN server?


    EdTittel said:
    Whatever faults Norton/Symantec may have, they do a good job of educating users. Here's an article they wrote recently (it's got a 2018 copyright on it, but I don't see a date in the HTML source markup) entitled "What is a VPN? And why you should use a VPN on public Wi-Fi." I believe it will answer your questions, and address your concerns.
    HTH,
    --Ed--


#5 (Thread Starter)

    Polar,

    I read the links but I still have the same question. How does the VPN server provide more security than accessing via HTTPS? Couldn't a man in the middle attack do the same thing as when you contact a server via HTTPS? It can pose as a VPN server but then forward the info you give to the VPN server and establish itself between you and the VPN server just like it does when you access a website connected via HTTPS?

    There is one detail I forgot to mention in my initial post. I was referring to a personal VPN (not a VPN service provider) that I created between two of my networks. I created a VPN tunnel between two networks: my home and my parent's home. The VPN servers are my routers, and I connected my smartphone to my personal VPN via my routers.

    Is this safe to do? Or does it have the same security issues as connecting to a website that offers an HTTPS connection?

    PolarNettles said:
    Major sites requiring HTTPS/TLS is a very recent advancement, and still not all sites require it. Even ones that do may still be vulnerable to downgrade attacks like SSL Strip for Newbies — Thanks to Moxie Marlinspike Whiskey Tango Foxtrot.

    From the time you associate with an open WiFi AP there is a lot of unencrypted traffic between your PC and the network before you even get to the first encrypted packet. For instance, to get to https://google.com your PC needs to send ARP requests, DNS queries, as well as the initial TLS handshake, which are all unencrypted/unauthenticated. That's not to mention any background traffic from Windows or other apps aside from your browser that you might not know about.

    Man-in-the-middle attacks can and do take advantage of this brief period by posing as a legitimate AP (or by hijacking a legitimate AP - see http://www.fire-fx.tv/blog/2017/3/17...-in-the-middle).

    You can mitigate all these with careful vetting of every AP you're connecting to but it's much simpler to just use a VPN.


#6

    Let me give you a very real, and common example.

    You go into a very busy coffee shop with public wifi, and you want to access your bank's site.

    So, you go to http://www.yourbankhere.zzz and it presents you with the site, and you even see that it's encrypted. So good, right?

    Wrong.

    An attacker has, in reality, compromised the Wifi's DNS configuration, and is routing all requests to http://www.yourbankhere.zzz to his own site that looks exactly like the real one. When you enter your credentials, he responds with a "We're sorry, an error occurred" or something, and he nabs them and uses them to log into your bank site and steal your money.

    Because DNS is insecure, a compromised DNS configuration essentially means you cannot trust that you're actually going to any site you think you're going to, and regardless of whether you are using HTTPS and see a lock icon, your trust is misplaced.


#7

    CerebralFreeze said:
    I read the links but I still have the same question. How does the VPN server provide more security than accessing via HTTPS? Couldn't a man in the middle attack do the same thing as when you contact a server via HTTPS? It can pose as a VPN server but then forward the info you give to the VPN server and establish itself between you and the VPN server just like it does when you access a website connected via HTTPS?
    If you configured your client and server correctly, there is no way for a MITM attack on the connection (aside from some bug). The TLS handshake guarantees that. This applies to both your VPN (assuming it uses TLS) and HTTPS.

    The problem comes from misconfigured or out-of-date client/server software. For instance, downgrade attacks allow a MITM to force the client and server to use an obsolete cipher suite by modifying the initial TLS negotiation. Ideally these old ciphers would be disabled but they linger around for backwards compatibility and people don't bother removing them. Again, this is true for both your VPN and HTTPS website, but you actually have control over how your VPN is configured.

    The other problem is that HTTPS protects only a single connection. VPN protects all your connections. If you are 100% sure that you only have one socket connected to an HTTPS server, that server is using the proper security (certificate pinning, HSTS), you are verifying the certificate for that server, and you are using a trusted DNSSEC server for all your DNS queries, then yes, you won't really get any additional benefit from using a VPN. Of course, websites pull in content from multiple sources (e.g. for ads and scripts), so you'd have to verify those connections as well. And Windows does stuff all the time in the background, so you'd have to check those connections too.
    CerebralFreeze said:
    There is one detail I forgot to mention in my initial post. I was referring to a personal VPN (not a VPN service provider) that I created between two of my networks. I created a VPN tunnel between two networks between my home and my parent's home. The VPN servers are my routers and I connected my smartphone to my personal VPN via my routers.
    Is this safe to do? Or does it have the same security issues as connecting to a website that offers an HTTPS connection?
    As long as you keep the routers up to date with security fixes then that's perfectly fine.
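    The "configured correctly" versus "misconfigured or out-of-date" distinction in #7, made concrete for a TLS client. This is an added example using Python's standard ssl module, not code from the thread or from any VPN product: a weak context of the kind people create to silence certificate errors sits beside a hardened one (system trust store, hostname check, TLS 1.2 floor, forward-secret AEAD suites only), and a small audit function reports which of the settings #7 warns about are present. It assumes Python 3.10+ on OpenSSL 1.1.1 or later; open_tls() is shown for usage only and is never called, so nothing here touches the network.

```python
"""Weak and hardened TLS client settings side by side, plus an audit that
flags verification switched off, an old protocol floor, or non-forward-secret
cipher suites left enabled.  Added example; not code from the thread."""
from __future__ import annotations

import socket
import ssl


def weak_context() -> ssl.SSLContext:
    """The copy-pasted 'fix' for certificate errors: stop checking anything.
    With this, a device posing as the server (or as the VPN endpoint) is
    accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT")            # OpenSSL's DEFAULT still includes RSA key exchange
    return ctx


def hardened_context() -> ssl.SSLContext:
    """System trust store, hostname check, TLS 1.2 floor, forward-secret AEAD only."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the list of weak settings found on a client context."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor is {ctx.minimum_version.name}")
    for c in ctx.get_ciphers():
        # TLS 1.3 suites are always forward secret; for TLS 1.2 require (EC)DHE
        if c["protocol"] != "TLSv1.3" and not c["name"].startswith(("ECDHE", "DHE")):
            findings.append(f"non-forward-secret suite enabled: {c['name']}")
            break
    return findings


def open_tls(host: str, port: int = 443, ctx: ssl.SSLContext | None = None) -> ssl.SSLSocket:
    """Usage only (not called here): server_hostname drives both SNI and the
    hostname check, so it must be the real name, not an IP address."""
    ctx = ctx or hardened_context()
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

    The same audit logic applies to a VPN client or server built on TLS: if the router's VPN configuration disables peer verification or leaves old suites in place, the tunnel offers no more protection than the misconfigured HTTPS client above.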


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.