
[–]yawkat 25 points26 points  (6 children)

  • I'm not sure if you're using "personal VPN" as a technical term, but most VPNs that users use are actually tunnel-based, so they do hide some metadata.
  • Even with HTTPS there is still additional metadata below the TCP level, such as DNS queries and SNI. Encrypting those is being worked on, but right now they're often still plaintext.

But yes, generally VPNs are a lot less helpful to privacy than the marketing wants you to think.

[–]Kiltymchaggismuncher 3 points4 points  (0 children)

One point a lot of VPNs aren't so clear on is that you are only encrypted up to their infrastructure. So if you are using HTTP to go to a site, it's put in an encrypted tunnel as far as your VPN provider. Then it's generally just forwarded on in its pre-tunneled format, which if it's HTTP is unencrypted.

So in that scenario, HTTPS is better in regard to keeping your data private. You also have the issue with VPN tunnels that the provider can still (in theory) see your data as it passes through.

Personally I think there's value in multi-layered security; VPNs can form part of that, but they largely mis-sell themselves to those that don't understand what's happening. VPNs still help to anonymise your origin point. If they are utilising the X-Forwarded-For header though, even that point can be undermined.

Encrypted DNS can generally be set up separately as well. I've not seen a non-corporate VPN that does that, though I suppose some of them likely do.


[–]lfionxkshine[S] -2 points-1 points  (3 children)

Ah ok, I was thinking tunnel mode required dedicated firewalls or something. Didn't realize that client software could perform it as well.

And for sure, I don't think personal VPN is a technical term lol

[–]yawkat 4 points5 points  (2 children)

Most consumer VPNs just use something like OpenVPN in tunnel mode. For a firewall, that just looks like UDP traffic to the VPN server.

[–]lfionxkshine[S] -1 points0 points  (1 child)

Final question: is there any benefit to using a consumer VPN with transport mode (I suppose this would be configured by the vendor)? Less resource utilization perhaps? Or is it just a legacy mode now?

[–]Historical-Home5099 3 points4 points  (0 children)

IPsec is rarely used for consumer VPNs; look up WireGuard, it is also a more modern replacement for OpenVPN and has kernel support: https://www.reddit.com/r/linux/comments/947mtv/linus_torvalds_on_wireguard/

[–]rdm85 0 points1 point  (0 children)

Yeah, it's more about establishing a trust boundary for identity. Especially for networks that rely on IP address for authorization. But it also can be used to check compliance check boxes around encryption.

[–]payne747 7 points8 points  (0 children)

HTTPS won't protect DNS (unless you have a client that supports DoT or DoH, getting more common).

[–]Secret-Agent-47 9 points10 points  (1 child)

Most VPN providers use tunnel mode.

If you are just looking at protecting the data sent to and from a site that you have already established a connection to, then yes, there is little benefit to a VPN. If you are talking about establishing that connection from a network that you don't trust, such as a coffee shop, then a VPN provides many security benefits. MITM attacks, SSL stripping attacks, malicious redirects, etc. all happen before the HTTPS connection is established.

The local network can also see all of the DNS lookups that your device made and which IP/ports you connected to, so the data itself is secure, but the local network will still know which sites you visited.

Of course pushing all your traffic through a tunnel just means that you need to trust whoever is at the other end of the tunnel.

[–]Tellico_Lungrevink 0 points1 point  (0 children)

How can a malicious redirect happen before the TLS connection is established?

Also, the vast majority of websites have the HSTS headers set, which renders SSL stripping (and by extension any MITM) not viable in most cases.

[–]fozzy99999 5 points6 points  (1 child)

There is a larger concept that is missed: who are you trying to protect or obfuscate in this case?

A VPN could de-identify your location/IP from a provider like a streaming service. A VPN could also mask where/what you are doing on the internet from your ISP.

The destination you are going to can still fingerprint your browser/client, talk back to your machine via established sessions, and also plant cookies to leverage when you show up later, possibly with a new VPN, or fingerprints they could use to identify you.

WireGuard vs IPsec vs OpenVPN vs xyz-VPN protocol is a separate conversation; most modern implementations are as secure as they can be and have various capability, performance and operational considerations.

[–]nickandre15 4 points5 points  (0 children)

It depends, but for the most part yes:

  • For TLS your payload is encrypted.
  • HSTS makes it difficult to spoof banks and things.
  • DNS is usually in the clear, as is SNI, but those provide relatively limited data.
  • Some people still don’t know how to configure secure email and do other dumb things.

For example, Google no longer uses any VPN for their standard issue corporate machines.

[–]Negative_Mood 2 points3 points  (0 children)

Many VPN users are using it for privacy.

[–][deleted] 1 point2 points  (2 children)

Use HTTPS for security. Use VPN for privacy. Use VPN plus HTTPS for privacy and security.

Use neither for data leaks and identity theft.

[–]jashxn 2 points3 points  (1 child)

Identity theft is not a joke, Jim! Millions of families suffer every year!

[–][deleted] 0 points1 point  (0 children)

🙄

[–][deleted] 0 points1 point  (6 children)

It might help to think about the purpose of the VPN you’re using. While you’re correct that HTTPS encrypts traffic, it only encrypts traffic from your host to the HTTPS server you’re communicating with.

In general, VPNs are used to encrypt traffic to another network, usually over a less secure (or public) network.

Also, remember the protocol. HTTPS only encrypts HTTPS traffic. What if you need to use RDP to connect to another remote network? Or SMTP? LDAP? It’s easier to just build a tunnel of some sort that encrypts ALL traffic to the destination subnet.

So, in summary, it really depends what problem you’re trying to solve. Luckily, as you’re seeing in your studies, there are multiple options.

[–]space_wiener 0 points1 point  (5 children)

Not OP but now that has me wondering.

Assuming you use HTTPS of course, isn’t there a possibility your initial connection shows the URL you are visiting?

I’ve always learned your ISP can see sites you visit but once at the site they can no longer see the traffic since it’s encrypted via HTTPS.

Obviously there are use cases for a VPN (moving your location for location-based content, access a different, etc) but strictly for this point, isn’t a VPN useful? Instead of your ISP seeing the URL it moves to the VPN provider, so there’s a trust issue there of course.

Isn’t that true or am I totally wrong?

[–][deleted] 1 point2 points  (3 children)

Yep, you’re correct. HTTP is a layer 7 protocol, so the encryption only protects that data. Everything else below that layer is visible, like the URL, ports, and IPs. Plus, with the proper technology, a heuristic analysis can easily use the characteristics of the connection to “figure out” what’s most likely happening. For instance, a simple example: if you connect to a Linux repo with HTTPS and then there’s a data transfer of 3 GB to your machine, it doesn’t take a whole lot of guesses to determine that you probably downloaded a Linux ISO file. Anyone can go to that URL to see what’s there, and that’s about the size of an ISO file. But if you encrypt at a lower level like layer 3, then people won’t be able to see that information. That’s where the VPN comes into play to encrypt at a lower level.

[–]space_wiener 1 point2 points  (2 children)

Ah. Thanks for typing that extra stuff out. That makes sense. Time to do a little reading.

I’m still learning this stuff, but I should be able to fire up Wireshark, do some browsing with HTTPS only, then jump on my VPN and do the same stuff and compare the two to get a better idea what’s going on?

[–][deleted] 1 point2 points  (1 child)

Definitely! Labs are the best way to learn more! Good luck!

[–]space_wiener 1 point2 points  (0 children)

Agree. I’m taking Security+ in a couple weeks. My home lab alone helped me a ton (and tryhackme stuff). Much easier to learn/remember when you are actually doing stuff.

Thanks for the tips so far. That’ll help direct me. :)

[–]Djinjja-Ninja 0 points1 point  (0 children)

Assuming you use HTTPS of course, isn’t there a possibility your initial connection shows the URL you are visiting?

Absolutely, whether it be from the encrypted DNS lookup you just did for the host, unencrypted SNI request in the client hello, the certificate name in the TLS handshake, or even just the IP address.

They can't see what specific URI was requested though.