> When I was a kid (in the early 2000's) it was exceptionally easy to crack public wifi networks
But you're not a kid anymore and nowadays it's way harder to crack public wifi networks.
Fearmongering by VPN vendors is very real.
I wouldn't have a problem browsing my home banking on a public wifi network. Everything is TLS-encrypted, my browser can do DNS-over-HTTPS, and anything important (including the login) requires me to enter a one-time code from my non-smart token.
And by the way, on a public wifi you might be prey to the occasional wifi attacker, whereas if you're using a VPN from a VPN vendor you're by definition giving all your traffic to a company whose main specialty is networking, usually under the vague promise not to log your traffic.
> But all this also means that a VPN provider is less dangerous than public wifi is
Is it really? I guess it depends on what sort of threat you are trying to protect yourself from.
Using public wifi lots of places leaves different traces at completely disconnected ISPs/service-points. For an attacker, obtaining and correlating all these is probably not a realistic option.
Consistently using a third-party VPN service (as opposed to hosting your own) centralizes all your data in a single point which is much easier to target.
> Avoid public or unsecured WiFi. If you must log into an account on a network you don’t 100% trust, use a VPN to encrypt all communications. Even bank websites can be forged to be almost undetectable if an attacker has administrative access to the network you’re using.
I think we should stop fear mongering over shady wifi. In a world with HSTS and CT, these types of attacks are incredibly difficult to pull off.
> Nevermind that your VPN might have the purpose of bypassing shitty, insecure public wifi.
> Nevermind you may not be trusting your local/national internet infrastructure.
Routing traffic onto the public Internet through a 3rd party adds absolutely nothing to security. You shouldn’t trust the Internet in any case.
If you use it to ‘bypass shitty security’ then all you’re doing is tricking yourself into a false sense of security. VPN services like that are complete and total bullshit.
> The whole idea of VPNs (or extra hops in general[0]) providing security is very context specific. For the vast majority of people they seemingly chose to trust a VPN provider over their ISP which is hard to justify.
The whole idea of VPNs and why I encourage people to use them is so that when they're sitting on public wifi at a coffee shop, their traffic is going out encrypted. It has almost nothing to do with hiding from authorities or authorities surveilling you. It has everything to do with the kiddiot in the corner hoping to steal a login because your mom re-used the same one 400 times and her favorite cross-stitch site doesn't use SSL.
> Commercial VPNs are not as useful and secure as you think.
That's highly contingent on the "as you think" part.
For example, I use ExpressVPN on public WiFi networks because I trust them a whole lot more than random public WiFi providers. Sure, they have access to the URLs I've accessed while using their service. Then again, so does my ISP.
The crucial part is, said random public WiFi providers won't have access to that data.
Additionally, and much more importantly, some public WiFi providers try to MITM secure connections, which is effectively prevented when using a trustworthy VPN.
> If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).
Conflating "I use a VPN because my commercial ISP would probably sell my data if given the chance" with "I'm a political dissident being directly attacked by a nation-state actor".
You can still use a VPN despite it being vulnerable to your government's quantum computer...
Sure, it's hard to find a trustworthy VPN provider, but that's not to say they don't exist.
Because the airport made a shitty choice in designing its wifi, and people who connect to such networks are making shitty choices.
HTTPS is nothing more than a content protocol wrapped in a transport encryption layer used for a subset of your overall traffic.
When you connect to an open wifi network your device is literally screaming 1s and 0s into the air like a maniac. A subset of these 1s and 0s are the things you're actively telling the computer to do. Most of this stuff is things like ARP, Name resolution services and other stuff that isn't encrypted for perfectly understandable reasons.
Instead, when connecting to an open airport wifi network, a personal decision is made that the connectivity is more important than encryption. Airport wifi connections could and should be encrypted with AP client isolation, but they aren't.
> if it doesn’t leak your Wi-Fi connection information.
I don't think I understand. I run my VPN at home on a raspberry pi. So all of my network traffic, at the end of the day, goes through my home ISP.
I've considered shelling out for a VPN service to shield my traffic from ISP snooping, but at the end of the day you can only hide so much from your ISP, and I'm hesitant to introduce another failure point to my network (my SO will only take so much downtime!).
I mostly use the VPN as a convenience to ad-block on all devices at the DNS level and access self-hosted services like my Jellyfin server even when I'm not at home. The security benefit is also nice when I'm away from home on any WiFi network other than my own -- you never know what's going on behind the scenes.
Overall I don't worry too much about ISP snooping. But I probably should.
> 1) people believing long-outdated guidance about not using open WiFi networks without a VPN
Long-outdated? It's more important today than it was 10 years ago. That public wifi you're on is tracking your every move and correlating your devices back to you if you happened to purchase anything in the store with a credit card.
> Not to mention most companies nowadays have clear policies of (not) connecting to free public wifis or even working in public spaces where your screen may be visible.
Why is that? Would a VPN not make it safe against most threat models? I mean assuming you are not working at a place where government actors are trying to target you specifically.
Or can they inject something to force the VPN to disable and hope non-encrypted data gets transmitted?
> The problem with a home-grown VPN is that you lose some of the plausible deniability that's gained from a shared VPN.
Yes, but what good is a VPN where you cannot trust your own network? I would have zero trust in any closed source private VPN. There are ways to gain anonymity from your host that won't require setting up a MITM attack vector for your traffic.
> VPNs, no matter how secure they themselves are, are effective for accessing lightly geo-locked content and defeating unsophisticated analytics and tracking
Circling back to this statement: aren't they also useful on public Wifi?
It's pretty difficult. You can't say anything for sure, it's all trust. That's why you should be so strict.
When you host your own end point you still have to trust its provider of course, but of course the incentive (concentrated, specific user traffic data) for abuse is much reduced.
But how anonymous are you actually? Are you sure your traffic can't be connected to you? Certain you set everything up correctly?
With my provider of choice, because I trust them reasonably much (sure feels like jinxing it), I don't have these worries.
> Then they should be way more worried that their government is using any access to their wifi router at all.
We should be worried about ISPs too. They give themselves access to their customer premises equipment. I had to hack their router to put it into bridge mode and then use another router with software I control to connect.
> For all you know, your government is running that VPN you’re using
The NSA is simply not most people's threat model, and if they _are_ running it, it probably means that someone shadier is not. I'm using a VPN because I don't want my ISP to see what I'm browsing, don't want end sites to know who I am, want to watch American Netflix, and because the country I'm in tries to block all adult sites. The NSA is welcome to all of this traffic _shrug_
Unless you run this yourself, I don't understand why you or anyone thinks that adds to their data integrity? VPNs can be, have been, and are the subject of break-ins and have their own agenda and/or government oversight.
People think that VPNs are this magical black box that makes you secure and private, because the YouTube ads told everyone so. The reality is that you are just adding an extra point of trust or potential failure. The needle has barely moved.
All while making performance, in particular latency, worse.