Can you visit HTTP sites safely with a VPN?

If a site doesn’t support HTTPS for some reason, could you still visit it safely with a VPN?

HTTPS does a few things. First, it makes sure traffic between you and the web server can’t be read by others on the network. Second, it makes sure nobody can modify the back and forth traffic. Third, it helps ensure you’re really connected to the site you intend.

With HTTPS and no VPN, an eavesdropper can still see what site you visited but can’t see what pages you viewed, downloaded, etc.

With a VPN, eavesdroppers between you and the VPN provider can’t see what site you visited. The VPN also prevents reading or modifying your traffic, similar to what HTTPS does.

Now, when we take away HTTPS but keep the VPN, you’ve still got confidentiality and integrity protection between you and the VPN provider, but not from the VPN to the web server.

So a few vulnerabilities are left:

  • You could be visiting a bogus site even though the URL is correct.
  • If your browser sends identifying information (via tracking cookies, because you logged in, etc.) then an eavesdropper or the site owner can tell it’s you.
  • If they can tell it’s you then they know what pages you visited.
  • They can potentially modify the data you send or receive.

Before you panic, it’s important to put this into perspective.

Vulnerabilities aren’t the same as risks. To get risk you need an asset you want to protect (money, secrets, etc.), someone to exploit the vulnerability (a “threat actor”), a probability of success (high/medium/low), and consequences of success.

For example, if I visit a weather site using plain HTTP, NSA could find out I checked my hometown weather. So what? Crooks could modify the page so I think it will be 95° instead of 65°. Again, so what?

Serious situations do exist but I find most boogeymen go away when people take the time to really analyze their risks.

There’s no point in doing a bunch of work to mitigate a negligible risk. Save that time/money/effort for the big risks.

If you are just browsing the site then a VPN is enough, but if you provide any data on it, that data is only protected from your PC to the VPN server. When going out of the VPN tunnel (between the VPN server and the HTTP server) the traffic is not encrypted, so you are still at potential risk of a man-in-the-middle attack.
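As an added illustration, not part of either answer above, here is a small Python model of the leg the answer just above describes (VPN server to HTTP server) and of the leftover vulnerabilities listed in the first answer: what a passive observer on that leg reads from a plaintext request, what the same observer would learn if the site used HTTPS (only the hostname, via TLS SNI, which is an assumption of the model; Encrypted Client Hello would hide even that), and how an active party on that leg can alter a response without the browser being able to notice. The hostname weather.example, the cookie values and the forecast text are constructed sample data, not a real capture.

```python
# Added illustration of what an on-path party between the VPN exit and a
# plain-HTTP web server can read and change. All traffic below is constructed
# sample data, not a capture; "weather.example" and the cookie values are made up.
from typing import Dict

# Constructed request as the browser sends it. Inside the VPN tunnel this is
# encrypted; on the VPN-exit-to-server leg it travels exactly like this.
SAMPLE_REQUEST = (
    b"GET /forecast?zip=90210 HTTP/1.1\r\n"
    b"Host: weather.example\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0\r\n"
    b"Cookie: session=abc123; _ga=GA1.2.555\r\n"
    b"\r\n"
)

# Constructed response. Content-Length is 19 because the body is exactly 19 bytes.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"High today: 65 deg\n"
)


def parse_request(raw: bytes) -> Dict[str, str]:
    """Split a plaintext HTTP/1.1 request into request-line fields and
    lower-cased headers. Deliberately minimal; no body handling."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    fields = {"method": method, "target": target}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


def parse_cookies(header: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def eavesdropper_view(raw: bytes, tls: bool) -> Dict[str, object]:
    """What a passive observer on the wire learns from one request.

    tls=True models HTTPS: the observer still learns the destination IP and,
    with classic TLS SNI, the hostname, but nothing inside the request. This is
    an assumption of the model (Encrypted Client Hello would hide the name too).
    tls=False models plain HTTP: every header, including identifying cookies,
    is readable.
    """
    req = parse_request(raw)
    if tls:
        return {"host": req.get("host")}
    return {
        "host": req.get("host"),
        "path": req["target"],
        "user_agent": req.get("user-agent"),
        "cookies": parse_cookies(req.get("cookie", "")),
    }


def tamper_response(raw: bytes, old: bytes, new: bytes) -> bytes:
    """Rewrite part of a plaintext HTTP response body in transit and patch
    Content-Length so the browser accepts it. Without TLS nothing on the
    client side can detect that this happened."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    new_body = body.replace(old, new)
    fixed_lines = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: %d" % len(new_body)
        fixed_lines.append(line)
    return b"\r\n".join(fixed_lines) + sep + new_body


if __name__ == "__main__":
    print("HTTPS observer sees:", eavesdropper_view(SAMPLE_REQUEST, tls=True))
    print("HTTP observer sees: ", eavesdropper_view(SAMPLE_REQUEST, tls=False))
    forged = tamper_response(SAMPLE_RESPONSE, b"65 deg", b"95 degrees")
    print(forged.decode("latin-1"))
```

The tls=False view is what the "eavesdropper or the site owner can tell it’s you" bullet means in practice: the session cookie and the tracking cookie ride along in the clear even though the VPN hides your IP. The tamper function is the weather example from the first answer; note that it has to fix Content-Length, which is the only "integrity" plain HTTP carries, and the browser cannot tell a patched length from an honest one.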

So by using a VPN and avoiding logins, you should be safe using HTTP sites?

So if I just browse an HTTP site, but don’t log in or give info on it, I’m safe?
Or do I still send any kind of unencrypted data when surfing these sites?

Probably, but part of what I’m trying to get across is there is no single definition of “safe.” What’s safe for me isn’t always safe for you and vice versa.

Your browser can still identify you even when you don’t log in. The advertising industry has gotten very good at identifying us and collecting information about us.

Think about who might be interested in the sites you visit and what might happen if they find out.

If you look at a weather site and Walmart tries to sell you suntan lotion as a result, that’s no big deal. If you look at gay porn in a country where being gay can get you thrown in jail, maybe don’t visit the site at all.

In between there are other mitigations you can use to reduce your risk like Firefox containers, Privacy Badger, or NoScript, just to name a few.

From how I understand it, the HTTP site only sees the VPN IP as long as you do not provide any more information about yourself.

I understand, but I’ll do what I can to mitigate my privacy leaks as much as possible. I made changes to Firefox based on privacytools.io,

from recommended add-ons to about:config.

How well equipped am I to surf the internet now (hopefully as secure as possible)?

In the case of sending data through HTTP on a public network, that data can be seen in plaintext if the packets are sniffed. If you are connected to a VPN on the public network, your data would be encrypted, sent to the VPN server, then sent unencrypted from the VPN server to the destination?

So if someone had access to the destination’s network, they could see this traffic, but I’m not fully understanding what type of scenario that would be.

It’s true the IP address the site sees is the VPN’s and not yours.

A major way people are identified online is with tracking cookies from Facebook, Doubleclick, etc.

Sounds like you’ve probably done the basics everyone should do. For most people in most countries, that’s sufficient.

If you’re still worried the next step is to go through a threat modeling exercise.