VPN real protection for websites?

philb2

My Norton everything-security application package includes auto-VPN, so I turned it on recently. But I have to wonder. Back in the '90s and '00s, VPNs for corporate networks were very popular, because they provided end-to-end privacy between a user's system and a corporate server. But what is the reach of VPN privacy when connecting to your bog standard public website?

And further, with https practically universal, is VPN privacy even required at all, except to hide some information from your ISP?
 
Smart questions that most people don't really ask, and you've guessed the answer--all they do is relocate where you are to where the vpn endpoint is. This can be useful in certain situations, but it makes more sense to just use a VPN just like on a corporate network and tunnel back into home so you're on your home network and getting out through there.
 
Yeah, VPNs as offered/advertised by outfits like Nord and that Norton product provide basically nothing for security. Common application protocols such as HTTPS and encrypted DNS (DoT, DoH) cover you there. If some hotspot or whatever seems so sketchy that a VPN feels necessary, maybe it's better to skip it. Common infection methods can hit you over such a VPN just as easily as without. All you're doing is paying for the privilege of another company collecting data about you. I haven't looked into it much, but AFAIK using a VPN service to spoof region-locking for streaming services is largely hit-or-miss now.

The only thing I use a VPN for is a Wireguard setup between my phone and home, mainly to use my Pi-Hole resolver when I'm out.
 
If some hotspot or whatever seems so sketchy that a VPN feels necessary, maybe it's better to skip it.
VPN or not, I would not go to such a website. Or if somehow a link sent me to such a website, I would immediately leave it.

All you're doing is paying for the privilege of another company collecting data about you.

Norton VPN is included in the overall price for the software. But my takeaway here is to ignore pop-up windows that urge me to turn on the VPN. With the VPN turned on, some websites make me check a box to say I'm human, so the VPN adds time to my usage. Some "benefit!" :eek:
I haven't looked into it much, but AFAIK using a VPN service to spoof region-locking for streaming services i
Not something I need to do.

The only thing I use a VPN for is a Wireguard setup between my phone and home, mainly to use my Pi-Hole resolver when I'm out.
So here you control the entire connection. I don't have a similar use case.

So overall I'm glad I asked. I learned something today. (y)
 
VPN or not, I would not go to such a website. Or if somehow a link sent me to such a website, I would immediately leave it.

To be clear, BLS said hotspot, not website. As far as a sketchy or, more to the point, malicious website goes, visiting would be enough. How long you stay matters not.

Norton VPN is included in the overall price for the software. But my takeaway here is to ignore pop-up windows that urge me to turn on the VPN. With the VPN turned on, some websites make me check a box to say I'm human, so the VPN adds time to my usage. Some "benefit!" :eek:

That is generally the side effect of websites detecting an address used by commercial VPNs. This would almost certainly not happen with a personal VPN as described by BLS.

In general aside from the ability to change your geolocation, which can certainly be of value, all commercial VPNs do is change your exit ramp onto the Internet. Meaning you exchange your trust in a known entity, your ISP, for an unknown entity, your VPN provider and their ISP, at least one of which is already engaged in semi-questionable shady marketing tactics.
 
To be clear, BLS said hotspot, not website. As far as a sketchy or, more to the point, malicious website goes, visiting would be enough. How long you stay matters not.



That is generally the side effect of websites detecting an address used by commercial VPNs. This would almost certainly not happen with a personal VPN as described by BLS.

In general aside from the ability to change your geolocation, which can certainly be of value, all commercial VPNs do is change your exit ramp onto the Internet. Meaning you exchange your trust in a known entity, your ISP, for an unknown entity, your VPN provider and their ISP, at least one of which is already engaged in semi-questionable shady marketing tactics.
Years ago, never mind exactly how many, I was the product manager for a large US company where we OEMed Check Point Firewall-1. Back then VPN was an extra-cost item, and it was a hot seller. But back then it was all user to corporate server.

I was pretty technical for a product manager, so I understood how VPNs work. Recently I got to thinking about VPNs for the use case where people access a public website. And it didn't really add up for me.

As a relatively technical product manager I even earned a CISSP cert, which was really for engineers, admins, etc. I didn't know any other product managers who had a CISSP. I passed the first time I took the test, which (back then) had only a 40% pass rate.
 
Years ago, never mind exactly how many, I was the product manager for a large US company where we OEMed Check Point Firewall-1. Back then VPN was an extra-cost item, and it was a hot seller. But back then it was all user to corporate server.

I was pretty technical for a product manager, so I understood how VPNs work. Recently I got to thinking about VPNs for the use case where people access a public website. And it didn't really add up for me.

As a relatively technical product manager I even earned a CISSP cert, which was really for engineers, admins, etc. I didn't know any other product managers who had a CISSP. I passed the first time I took the test, which (back then) had only a 40% pass rate.
Yeah, the whole idea of a vpn (or secure connection between both ends over http) is where ip6 is supposed to save us. Or this https everything that's being used even on static sites that have no need for it. I think if there is data that is sensitive, the Internet is the last thing that it needs to come close to.
 
Years ago, never mind exactly how many, I was the product manager for a large US company where we OEMed Check Point Firewall-1.
Please tell me your boxes were not bright green or depend on an add in accelerator card. :)

Going to add that a VM still lives on my ESXi box named SR-XP-Test. The SR standing for secure remote.
 
Yeah, the whole idea of a vpn (or secure connection between both ends over http) is where ip6 is supposed to save us. Or this https everything that's being used even on static sites that have no need for it. I think if there is data that is sensitive, the Internet is the last thing that it needs to come close to.
The whole HTTPS everywhere thing is getting worse. Encrypted client hello (ECH) is going to make web filtering a nightmare. The plus side is it will either force businesses to finally break down and do TLS inspection or push everyone to fully managed endpoints.
 
The whole HTTPS everywhere thing is getting worse. Encrypted client hello (ECH) is going to make web filtering a nightmare. The plus side is it will either force businesses to finally break down and do TLS inspection or push everyone to fully managed endpoints.
Or just go back to http for non-critical stuff, like I wish they would! I don't see any reason why a static site needs https.
 
I don't see any reason why a static site needs https.
The same reason we have DoT and its bastard should be killed cousin DoH ... ISPs behaving badly. The assholes started with answering nxdomain with ads and went downhill from there. The entire community should have raised hell when that started but instead the unwashed masses thought it useful.
 
The same reason we have DoT and its bastard should be killed cousin DoH ... ISPs behaving badly. The assholes started with answering nxdomain with ads and went downhill from there. The entire community should have raised hell when that started but instead the unwashed masses thought it useful.
Yeah, I see that, but geocities was huge and they were serving up ads so I guess that wasn't a big deal?
 
The same reason we have DoT and its bastard should be killed cousin DoH ... ISPs behaving badly. The assholes started with answering nxdomain with ads and went downhill from there. The entire community should have raised hell when that started but instead the unwashed masses thought it useful.
I have DoT configured on my pfsense for all clients in my house. Web filtering DNS over TLS from cleanbrowsing specifically since I have little kids. I too really dislike DoH going direct from browsers.
 