Comment:
I thought this article gives a balanced view if we should VPN with a public Wifi network, instead of the normal VPN vendor selling fears.
Summary:
Evil Twin Attacks - Not a major threat anymore
What is it?
Evil twin attacks involve hackers setting up fake Wi-Fi networks that mimic legitimate ones in public places. Once connected, attackers can spy on your data.
Why was it scary?
Before 2015, most online connections weren’t encrypted, making your data vulnerable on such networks.
Why isn’t it a major threat anymore?
- HTTPS encryption: Most websites (85%) now use HTTPS, which encrypts your data, making it useless even if intercepted.
- Let’s Encrypt: This non-profit campaign made free website encryption certificates readily available, accelerating the widespread adoption of HTTPS.
Are there still risks?
- Non-HTTPS websites: A small percentage of websites (15%) lack HTTPS, leaving your data vulnerable.
- WiFi sniffing: Although not as common, attackers can still try to intercept unencrypted data on public Wi-Fi.
Should you still be careful?
- Use a VPN: Even with HTTPS, your browsing history can be tracked by Wi-Fi providers and ISPs. A VPN encrypts your data and hides your activity.
- Be cautious with non-HTTPS websites: Avoid entering sensitive information like passwords on such websites.
Overall:
HTTPS encryption has significantly reduced the risks of evil twin attacks. While vigilance is still recommended, especially when using unencrypted websites, it’s no longer a major threat for most web browsing.
Once you connect to this fake network, the attacker can intercept the unencrypted data you transmit over it, including sensitive information like your usernames and passwords, credit card numbers, and other personal data.
So essentially the blog post says that you should make sure you only use HTTPS does with trustee certificates (padlock and no warning from the browser). This is good advice.
On the “your ISP can see what site you access” now I’m pretty sure that when we’re talking about open wifi, which we are, they can register your DNS lookups, IP-addresses and ports used by your computer but that doesn’t mean they automatic know who you are, especially if you never logged in with credentials that can be traced to your person.
While VPN, generally speaking, is a good solution it essentially just means that while you might use 15 different open wifi providers during a month (=inconclusive information about you spread among 5-15 different operators), centralizing all your internet activity to one single VPN provider (= extremely conclusive information about you) also has risks and a backside.
Good information on the “Evil Twin problem” but in my opinion the focus should be on educating people on how to recognize when the browser is connected to a site without a trusted certificate and what to do/ not to do then rather than promoting VPN.
An evil twin can easily fake the VPN service, popup a browser window with “https://ProtonVPNUpdate.ru” and a request the use to update the VPN client.
If the user fail t recognize that the site is running HTTP or HTTPS without a trusted certificate there’s a risk that the user will follow the instructions from “Proton VPN” (“But it was their logo and it also had PayPal on the site…”) and connect to the Evil Twin VPN Server.