duplico

joined 11 months ago
[–] duplico@alien.top 1 points 11 months ago

I don't know why you'd put "threat model" in scare quotes, but I'm going to engage in good faith with this question.

The average person's threat model should probably be focused on low effort, high volume attacks. I'd suggest that the top technical risk, for most people, almost to the exclusion of all others, is account compromise for spam/scam purposes due to either phishing or credential stuffing (typically from a third party breach). Next up is probably being scammed from others' compromised accounts and being tricked into sending people money or gift cards or buying into their cryptocurrency scams. After that, there's really such diminishing returns that I think in 2023 the one main security tool that the average user should be considering is a password manager.

Now, maybe someone's threat model includes something like "I'm working for a US company from South America and will be fired if they find out I'm outside the country." That's a legit personal threat, and a legit reason to consider using a personal VPN. Similarly, "corporate intranet requires me to use a corporate VPN to access it" isn't really a threat so much as a security control on the company's part, but nonetheless would obviously be a really good reason to use a corporate VPN. Wifi security doesn't really have any impact on those one way or the other, though.

But anyway, I guess we're talking specifically about the risks of using public wifi. Okay. Let's model the threats.

There's the potential for others on the network and the network operator to read your unencrypted traffic. These days, most sites are using HTTPS, so this is going to be limited to any sites that you access using plain HTTP, and potentially also your DNS queries. It's unlikely that any sensitive site is still using plain HTTP, but if you do know that you regularly exchange sensitive data with a site that doesn't support HTTPS then that could be a legitimate risk.

Your DNS queries could leak the names of sites you're visiting. So if you're cheating on your wife and are paranoid that people on your network may be able to see that someone is going to ashleymadison or something, okay, that's a risk. Or maybe you're in a place where it could be a physical danger for someone in the same coffee shop as you to realize that, say, an employee of a multinational defense contractor is in the same room as them. Or maybe you're going to queer news sites in a country where that's either illegal or dangerously unaccepted. But unless you assess that you're subject to those kinds of specific threats, there's really not much risk there.

Now, maybe someone can do some MITM and execute some kind of HTTPS to HTTP downgrade like sslstrip to sniff your sensitive traffic. This used to be much more of a real threat before the ubiquity of HTTPS and the proliferation of HSTS. Ideally we'd see more HSTS adoption and quicker rollout of HTTPS everywhere features on browsers, but these kinds of attacks are already very limited in their effectiveness. Additionally, UI updates to modern browsers now treat connections to HTTP sites as a warning, and at least Chrome now performs automatic HTTPS upgrades when available (though a MITM attacker could likely at least partially work around that). The risk here still isn't zero, but it's an attack with a low likelihood of working well in 2023. It's also not widespread, and the way that most users navigate the web today isn't really compatible with this attack either. It is true that the best preventive control to mitigate this risk is probably using a VPN, but the risk is small and mitigated by existing server side controls in most cases. It's just not a likely attack for the average person to encounter, or to have sufficient impact on them for it to matter.

Finally, what if the attacker or malicious network operator has the ability to sign certificates for the sites you visit that your browser will treat as valid? In that case, there are basically two possibilities. They could have installed their certificate on your computer, in which case a precondition of the attack is that they can change the configuration of your computer, which is pretty much game over anyway. Or, they have access to the private key for a signing certificate from a widely trusted CA that hasn't wound up in their CRL yet, or a similarly catastrophic security incident. This would be big tech news and would pose a huge threat to secure communication, potentially Internet wide, and trigger a rapid urgent response from the CA and from all major browser and OS vendors once disclosed. They're not burning that on you at the coffee shop.

So, anyway, that's a lot of text, but this is basically how I'd analyze the risks of open wifi networks offhand, though I'm sure others have done so better and more thoroughly. Regardless, I (and most other security professionals) view a personal VPN for security purposes as unnecessary at best and a snake oil scam at worst for people with a typical threat profile.

As to your second question, I think I covered corporate intranet services already. I'm not clear on what specific risks we'd be talking about mitigating for someone who banks abroad aside from those potentially associated with pretending to be in a location you're not, but that risk has entirely to do with physically being in that location, not with being on open wifi.

There are legitimate situations where personal VPNs could be necessary (region spoofing being a big one for lots of people in this sub), but the risks for average people on open wireless networks are almost entirely mitigated by HTTPS and related features on the web today. Also, at the risk of repeating myself, the single most important security technology most people can adopt is a password manager, so people with a typical risk profile should almost certainly allocate their time and money to a PW manager before even thinking about using it on a personal VPN.
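The comment above leans on HSTS as the main reason HTTPS-to-HTTP downgrades no longer work well. As an added illustration (not code from the commenter or from any browser), here is a simplified model of how a browser's HSTS store behaves per RFC 6797: a `Strict-Transport-Security` header is only honoured when it arrived over HTTPS, the policy expires after `max-age` seconds, `includeSubDomains` extends it to child hosts, and any plain `http://` navigation to a known host is rewritten to `https://` before a request ever leaves the machine. The host names, clock values and headers are constructed for the example.

```python
"""Simplified HSTS policy store (added example; models RFC 6797, not any real browser)."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    host: str
    expires_at: float          # absolute time (seconds) when the policy lapses
    include_subdomains: bool


def parse_hsts_header(value: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is malformed (RFC 6797 requires max-age)."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """In-memory HSTS cache keyed by lower-cased host name."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised
        self._entries = {}

    def observe_response(self, host: str, header_value: str, over_https: bool) -> bool:
        """Record a policy from a response. Returns True if the policy was accepted.

        Headers seen over plain HTTP are ignored: on an untrusted network that
        response could have come from a man in the middle, so it must not be
        allowed to set (or clear) policy."""
        if not over_https:
            return False
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:           # max-age=0 is the site's way of withdrawing the policy
            self._entries.pop(host, None)
            return True
        self._entries[host] = HstsEntry(host, self._now() + max_age, include_subdomains)
        return True

    def is_known_host(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:    # lazy eviction of expired policies
                del self._entries[candidate]
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite an http:// URL to https:// when the host has a live policy.

        Port 80 is replaced by the https default (443); other explicit ports are kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.observe_response("example.com", "max-age=31536000; includeSubDomains", over_https=True)
    print(store.upgrade("http://www.example.com/login"))   # rewritten before any request is sent
```

The point the model makes explicit is the one the comment relies on: once a host is in the store, a downgrade tool never sees the plaintext request because the browser never issues it. The gap is the first visit to a site the browser has not yet seen, which is what the browser preload lists exist to close.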

[–] duplico@alien.top 1 points 11 months ago (3 children)

Did a YouTube VPN ad write this?

Stop giving people bad advice. SSL/TLS MITM should not be a part of the average person's threat model. It also has nothing at all to do with a captive portal.