this post was submitted on 01 Jan 2024
-65 points (21.7% liked)

Technology

58134 readers
4730 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s
[email protected]
[email protected]
[email protected]
enu
[email protected]
L4s
-65
You probably don't need a VPN (www.spacebar.news)
submitted 8 months ago by [email protected] to c/technology
25 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 8 months ago (1 children)

Unless they intercept the handshake as a proxy and have access to everything after that.

You’re thinking of a MitM proxy, and generally speaking what you described is not a risk when using public wifi.

There are two ways you can set up a MitM proxy:

  1. Forward all traffic back to the user unencrypted (over HTTP)
  2. Forward all traffic back to the user encrypted (with HTTPS)

The first option will result in prominent warnings in all modern browsers. If the sites in question implemented HSTS and the user has visited them before, the browser will outright refuse to load them.

The second option will result in even more prominent warnings that you have to go out of your way to bypass in all browsers. The only way it wouldn’t would be if one or more of the following is true:

  1. your computer has already been compromised and root certificates were installed, such that the proxy owner could use it to sign the certificates
  2. if a certificate authority was compromised, or
  3. if the site itself was compromised (e.g., if the attacker was able to acquire the SSL cert used for the site or the credentials necessary to generate a new, trusted one).
[–] grabyourmotherskeys 1 points 8 months ago

Hence "won't happen at Starbucks, might if Mossad is after you". Thanks for adding the details. I feel like most people think vpns are magic but also radically overestimate their personal risk.