Can I consider secure Xfinity hotspots to be effectively a VPN when away from home?

When away from home I use Xfinity hotspot for both phone and PC. There are always two choices, one with the padlock and one without. I use only the one with the padlock. I’m not looking to hide my content from my ISP. I assume that provides the equivalent of a VPN if my goal is to be secure from the typical risks associated with travel wifi and achieve the same level of security I get with my home encrypted router. I realize that most sensitive sites use https anyway, so it might not be necessary?

I often find using the secure XFINITY SSID is problematic, so I use a VPN and have more flexibility. Don’t just blindly trust that TLS will protect you on a public network, as there are multiple ways to attack the protocol and you may miss the indicators or have a misconfiguration. The XFINITY SSID encrypts the link to the hotspot, but in many environments there can be unprotected Ethernet segments between the hotspot and the carrier.

VPNs cost a few bucks a month these days; I’d “just do it”.

You’re presenting a false choice - uh yea I don’t trust an untrusted VPN. There’s nothing interesting there, if you are positing an untrusted VPN. So what. Don’t use it if you don’t trust it.

And as one who daily deals with the risks, attacks and mitigations of TLS issues over large ISP-scale networks, I can absolutely, without reservation, tell you that reputable internet infrastructure, once you’re at the facility egress point, can absolutely be trusted more than what the dingbats may or may not have cobbled together at your small business office, coffee shop, airport, apartment building, or other similar environment. End of discussion.

Yes, it should; as long as your connection is encrypted to Xfinity it will be secure with your ISP. Also, there are ways to snoop on https traffic (port 443).

The risks are close to zero, especially as pretty much all transactions occur over HTTPS, and so I wouldn’t bother using a VPN. Additionally, even if I were to feel it necessary to use a VPN, I’d use a home-brewed solution, not a third-party app from a Bartovia-based company with unclear ownership. While those apps do have their uses - circumventing geo-blocks, for example - they don’t do much to boost your security. A good read:

https://theprivacymachine.gitlab.io/vpn/

This is not accurate. Secured Xfinity hotspots are only secure over the WiFi link and do not provide other security guarantees getting from the hotspot to your destination. And yes, TLS can be ‘snooped’.

I’d be interested in how you arrive at “the risks are close to zero” metric when the security of the network environment is unknowable past the AP. I’ll read the article, but I also find “they don’t do much to boost your security” hard to justify. Provide a concrete example?

Edit: looked at the article:

“So when should I use a VPN?
When you are on a hostile network (eg. a public WiFi access point, or an ISP that is known to use MITM) a VPN can work around that.”

Exactly. Past the encrypted WPA2 link, the public environment should be considered hostile. Even TLS, over an easily tapped public wire line, can be broken in so many ways that it would be folly not to use a VPN to get you safely out of the building.

While nothing is a silver bullet -not VPNs, not TLS - and it’s good to know and consider the risks and limitations inherent in the design of your countermeasures, you can’t assert that “VPNs don’t do much…” - because “How much” depends on your threat model.


Oh, I see, thanks. I figured Xfinity could have at least made a VPN connection to their customers, like Verizon, AT&T and Google Fi do. That’s just sad. Then yeah, I would subscribe to a VPN service then.

Secured Xfinity hotspots are only secure over the WiFi link and do not provide other security guarantees getting from the hotspot to your destination.

Yup. Just like your wireless network at home. And you don’t need a VPN there either.

I’ll limit my comments here to third-party VPN apps as home-brewed solutions are obviously a completely different kettle of fish.

I’d be interested in how you arrive at “the risks are close to zero” metric…

Millions of people use public WiFi every day without being compromised. It’s not without risk, but the risk is very small.

…when the security of the network environment is unknowable past the AP.

You could say the exact same thing about any network.

It comes down to this: would you prefer to rely on HTTPS/TLS as millions do perfectly safely every day or would you rather route your data through a Bartovia-based VPN which, for all you know, may be operated by a criminal enterprise? Which is riskier?

Yea, a WPA2 WiFi link does not a VPN make. Better than nothing, obviously, though.

You have control over your Ethernet wiring at home but not at a public facility. There may be unsecured wireless links too for that matter.

In your home the WiFi router either is part of or is wired to your (cable) modem using a wire that you can vouch for. You have no control over, or awareness of, how secure the path is from the WiFi hotspot to their network/ISP connection.

HENCE: VPN is advisable regardless. It’s NOT just like at home.

You’re just reasserting what I asked you for metrics about. No, the risk is not “very small”; the risks are substantial -

Choosing an untrusted public network vs an untrusted VPN provider is a false choice and uninteresting. Of course don’t trust a VPN that you don’t trust - I don’t see where that argument adds any value to parsing the risks, benefits, of real solutions.

I deal with issues related to TLS risks, attacks, misconfigurations, abuses, and mitigations at ISP scale every day and promise you that public facility infrastructure cannot be trusted at anywhere near the level of the network infrastructure between the ISP ingress point through to REPUTABLE TLS endpoints. Period.

You have control over your Ethernet wiring at home but not at a public facility.

You have control over the wires inside your home. Using a third-party VPN app from a Bartovia-based company with unclear ownership really doesn’t do anything at all to bolster your security in this particular situation. If you really want to use a VPN, it makes much more sense to use a home-brewed solution.

Yea, but that’s a different matter altogether; I’m not discussing relative merits of specific VPN solutions. I use two that I’m satisfied with. Ever been to Bartovia? The nightlife rocks, the bars are open all night and those Bartovian girls…!

and those Bartovian girls

…bring a whole new meaning to the word “dirty”.