0

While I'm at a coffee shop, I want to protect my data from inspection and manipulation, including destinations. In other words, the barista can only see that I am using bandwidth and cannot (meaningfully) manipulate or redirect me. So I find a VPN (tunnel) provider that I trust. I still see two potential issues:

  1. Bootstrapping. I need to sign into a captive portal, often over http, to get internet access in the first place. Surely until I establish the VPN connection my communication is vulnerable?

  2. Redundancy. If I use secure protocols for each task (https, sftp, ssh, Tor, encrypted XMPP...), surely my connection is just as safe without a tunnel?

Is there an implementation detail I'm missing? Or is it a matter of convenience (once the tunnel is established, I don't have to confirm each and every subsequent connection is secure)?

lofidevops
  • Lots of similar questions here: https://security.stackexchange.com/questions/18049/do-vpns-provide-sufficient-protection-over-public-wireless-networks?rq=1 and https://security.stackexchange.com/questions/96321/public-ap-how-to-reduce-vulnerability-window-between-captive-portal-and-startin?rq=1 and https://security.stackexchange.com/questions/103055/does-a-vpn-provide-any-security-benefits-over-sshuttle-or-a-vanilla-ssh-tunnel?rq=1 – schroeder Oct 12 '17 at 12:40
  • It all depends on what you want to secure with TLS - what threats do you want to counter? The 'threat' question is the core to your answers: define the threats you want to counter, THEN evaluate a technology against this threat. Otherwise, you end up making arbitrary comparisons. – schroeder Oct 12 '17 at 12:43
  • Bootstrapping: you have the vpn already set up on your laptop, don't you? So you know you can trust it. Redundancy: The vpn will protect your DNS queries. And not all sites use TLS. – allo Oct 12 '17 at 13:51
  • You're exposed to a "captive portal cloning attack" while establishing the VPN tunnel. You might be connecting to an attacker's access point where he cloned the real captive portal's original page; this clone could deliver poisoned javascript into your browser's cache that would still impact you even after you establish the VPN tunnel. – John Deters Oct 12 '17 at 13:51
  • @schroeder I've updated with threats I want to counter (visibility of my data and/or destinations) – lofidevops Oct 16 '17 at 00:08

1 Answer

2

The redundancy issue isn't that big a deal in most cases. In any case, TLS requires careful configuration to be secure, and this isn't always the case, so using a VPN as well rarely hurts.

The captive portal issue, though, is indeed an ongoing problem. The best solution is to use a configuration that ONLY allows traffic from the VPN client to reach the Internet directly; everything else is forced to wait for the VPN to be active. There are various ways to do that, but few clients implement them, or at least implement them in a way that provides clear security. The CISCO client is one.

To mitigate the impact, you can configure the OS to only allow traffic to exit via the VPN which often uses a virtual network. You can also make sure that as much software as possible is completely closed before connecting to an untrusted Wi-Fi connection.

Julian Knight
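One way to get the "only the VPN client may leave directly" behaviour the answer describes on Linux, as an added example that is not the answer's code or any VPN vendor's: a POSIX shell function that emits an nftables kill-switch ruleset for review before it is loaded. The endpoint address, port, protocol and interface names are hypothetical placeholders; an optional "portal" mode opens only TCP 80/443 on the Wi-Fi interface for the captive-portal sign-in window the question asks about.

```shell
#!/bin/sh
# Added example (not from the original answer): an nftables "kill switch" so that,
# until the tunnel is up, only the VPN client itself can reach the untrusted network.
# All values below are hypothetical placeholders; set them for your own setup.
VPN_HOST="${VPN_HOST:-203.0.113.10}"   # endpoint as an IP: no DNS needed before the tunnel
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
TUN_IF="${TUN_IF:-tun0}"               # interface the VPN client creates
PHYS_IF="${PHYS_IF:-wlan0}"            # the coffee-shop Wi-Fi

# Print the ruleset. "$1" = portal adds a hole for the captive-portal login only;
# reload strict mode (the default) as soon as the portal accepts you.
kill_switch_rules() {
    mode="${1:-strict}"
    cat <<EOF
flush ruleset
table inet vpn_killswitch {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    iifname "$PHYS_IF" udp sport 67 udp dport 68 accept   # DHCP offers/acks
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    ct state established,related accept
    oifname "$PHYS_IF" udp dport 67 accept                 # DHCP requests
    oifname "$PHYS_IF" ip daddr $VPN_HOST $VPN_PROTO dport $VPN_PORT accept
    oifname "$TUN_IF" accept                               # anything inside the tunnel
EOF
    if [ "$mode" = portal ]; then
        # Plaintext HTTP to anywhere is exactly the bootstrap window; keep it short.
        echo "    oifname \"$PHYS_IF\" tcp dport { 80, 443 } accept"
    fi
    printf '  }\n}\n'
}

# Usage: kill_switch_rules portal | sudo nft -f -   (then: kill_switch_rules | sudo nft -f -)
```

In strict mode DNS, HTTP and everything else are dropped unless they go through the tunnel interface, which also covers the DNS-leak point raised in the comments.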