I’ve been traveling for a bit lately and have always connected to my mobile data hotspot and then to the corporate VPN when working on my company computer.
Recently I stumbled upon an article saying that public WiFi + trusted VPN is completely safe. So my question is - is it actually completely safe? My understanding would be yes, since all traffic goes through the VPN, but still a big part of me tells me not to do it.
So, public WiFi is frankly not the danger it used to be anymore. Practically every application uses TLS+HSTS now – if you run a sniffer on public WiFi now you’ll find the traffic is all very boring. 10 years ago I would have never used public WiFi without a VPN – but now it’s really not much of an issue.
Public WiFi with a correctly configured VPN is very safe. Nobody is reading that traffic except from your company or by standing over your shoulder and looking at your screen. Nothing is “completely” safe, but I’d say that the marginal benefit of using VPN over mobile hotspot instead of VPN over public WiFi is basically zero.
Many articles out there will explain all of the dangers of doing this, how attackers will MitM you and steal your banking information etc. Most if not all of these articles tend to contain affiliate links for popular consumer VPN software…
As someone who roughly follows a personal threat model, I consider public WiFi use ok in general (at least for the past few years), even without a VPN of any sort. Of course, there are minor privacy implications to that, e.g. everyone else in the area can see my connection metadata at least. With a VPN, even better perhaps.
This threat model also heavily leans on the baseline assumption that the services I connect to will properly use e.g. TLS, in which case any local attacks (including TunnelVision) are largely irrelevant.
That said, it would be interesting to do a real-world study in 2024 about what weaknesses still exist for popular OSes on untrusted networks, e.g. captive portal redirects and such.
It also depends on the type of VPN. Full Tunnel VPN is what you’re thinking of and will encrypt traffic from you to wherever the endpoint of the VPN is.
However, there’s also split-tunnel VPN which does practically nothing but give you access to remote resources (such as a shared drive or office365). Traffic to/from those remote resources is encrypted but basic other traffic like your Facebooks or YouTubes is not.
You should be relatively safe, but check with your IT and/or security team to check corporate policies. There are additional issues to consider while working in public, such as the ability to view your screen (buy a privacy screen) and listen in on your phone calls (use a headset).
There are situations where a malicious actor connected to the same network *could* use complicated poisoning and spoofing to cause issues for you. But those are relatively high-skill and targeted attacks. Generally speaking, a VPN over public wifi is safe enough. The big security threats of yesteryear’s public wifi have been largely resolved.
Unless China is out to get you personally, you should be alright doing this.
Haven’t seen this one. Not sure if I understood it correctly, but it seems easy to mitigate - connect to public WiFi on an Android device and use it as a hotspot, then connect the computer to the hotspot and connect to the VPN.
There’s no functional difference between WiFi at a cafe or near a security convention. In either situation you should assume it’s a malicious access point and prepare accordingly (TLS everywhere, VPN, don’t ignore certificate warnings, etc.).
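Added example, not part of any post in this thread: a check of whether a Linux client is actually running full tunnel or split tunnel, and whether the local network has added routes that pull traffic off the tunnel (TunnelVision, mentioned above, relies on DHCP-pushed routes of this kind). The interface names `tun0`/`wlan0`, all addresses and the three routing tables are constructed samples in the format printed by `ip -4 route show`.

```python
import ipaddress

def parse_routes(text):
    """Parse `ip -4 route show` output into (network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue  # blackhole/unreachable entries carry no device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress_device(routes, addr):
    """Longest-prefix match, as the kernel does (metrics are ignored here)."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def tunnel_mode(routes, vpn_dev, probes):
    """'full' if every probe leaves via the VPN, 'split' if only some do."""
    via_vpn = [egress_device(routes, p) == vpn_dev for p in probes]
    return "full" if all(via_vpn) else "split" if any(via_vpn) else "none"

def off_tunnel_routes(routes, vpn_dev, allowed):
    """Non-default routes on other interfaces, minus the expected ones.
    Being more specific than the tunnel's catch-all routes, they win."""
    ok = {ipaddress.ip_network(a, strict=False) for a in allowed}
    return [str(net) for net, dev in routes
            if dev != vpn_dev and net.prefixlen > 0 and net not in ok]

# Constructed samples. FULL uses the common 0.0.0.0/1 + 128.0.0.0/1 override.
BASE = """default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
FULL = BASE + """0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev wlan0
"""
SPLIT = BASE + "10.20.0.0/16 via 10.8.0.1 dev tun0\n"
PUSHED = FULL + "198.51.100.0/24 via 192.168.1.1 dev wlan0\n"  # added by the LAN
PROBES = ["198.51.100.7", "10.20.5.9"]          # public host, corporate host
ALLOWED = ["192.168.1.0/24", "203.0.113.10"]    # local subnet, VPN endpoint

if __name__ == "__main__":
    for name, table in (("full", FULL), ("split", SPLIT), ("pushed", PUSHED)):
        r = parse_routes(table)
        print(name, tunnel_mode(r, "tun0", PROBES), off_tunnel_routes(r, "tun0", ALLOWED))
```

In the `PUSHED` table the VPN is still up and its routes are unchanged, yet the public probe address leaves over `wlan0`; only TLS on the connection itself protects that traffic.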