I am having a disagreement with a friend concerning how best to defend oneself against an evil twin attack at the local coffee shop, airport, or hotel. According to what I have read it is best to always use a VPN when connecting to a public network period. My friend claims that it is sufficient to just connect to websites that support HTTPS connections. Who is right and why? Thanks!
Given that you typed (typoed?) "HTTP" instead of "HTTPS" in the question... there's clearly some risk of you making an unsecured HTTP request when you meant to use HTTPS. – CBHacking Sep 14 '19 at 01:08
Don't know what you mean. I typed HTTPS twice and I meant it :) – dlherrin Sep 14 '19 at 11:05
@dlherrin Conor fixed it for you, but [you did](https://security.stackexchange.com/revisions/218020/1) type HTTP in the title :) – AndrolGenhald Sep 14 '19 at 22:09
Sorry, my bad. I didn't know Conor could do that. – dlherrin Sep 15 '19 at 11:26
1 Answer
In general, HTTPS should be enough as long as you don't do anything crazy like installing extra trusted root certificates, or bypassing warnings because you want to see the page.
But, that assumes only HTTPS sites are visited, and there is NO OTHER network activity. How many apps do you have that use the network in the background? Do you know if all of them encrypt their communications? How often do you explicitly type `https://`? If you browse the web normally you'll be vulnerable to sslstrip.
So yes, in theory just visiting HTTPS sites is ok, but if you're on a malicious network, you probably don't want to risk something slipping by you.
AndrolGenhald
Also, whoever owns the network will be able to see the hostnames you're connecting to (via SSL SNI), and when and how much you're communicating with them. This information would be hidden with a VPN. – Yogu Sep 20 '19 at 18:37
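The sslstrip risk raised in the answer above can be checked for from the client side, because a stripped page arrives over plain HTTP with its links and form targets pointing at `http://`. The following is an added example, not part of the original answer; the function name `plaintext_targets`, the `HTTPS_ONLY` set and the `.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that carry a navigation or submission target, per tag.
TARGET_ATTRS = {"a": "href", "form": "action", "iframe": "src", "script": "src"}


class TargetCollector(HTMLParser):
    """Collect (tag, absolute URL) for every link, form, frame and script."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = TARGET_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value is not None:
            # Relative targets inherit the scheme of the page itself.
            self.targets.append((tag, urljoin(self.page_url, value)))


def plaintext_targets(page_url, html, https_only_hosts):
    """Return findings for hosts that should only ever be reached over HTTPS."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme == "http" and page.hostname in https_only_hosts:
        findings.append(("page", page_url))
    collector = TargetCollector(page_url)
    collector.feed(html)
    for tag, url in collector.targets:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in https_only_hosts:
            findings.append((tag, url))
    return findings


# Constructed sample: a page as it might look after HTTPS references were rewritten.
SAMPLE_URL = "http://bank.example/"
SAMPLE_HTML = """
<a href="http://bank.example/login">Sign in</a>
<form action="/session" method="post"><input type="password" name="p"></form>
<a href="https://cdn.example/help">Help</a>
<script src="http://static.example/app.js"></script>
"""
HTTPS_ONLY = {"bank.example"}  # hypothetical list of hosts the user expects over HTTPS

if __name__ == "__main__":
    for tag, url in plaintext_targets(SAMPLE_URL, SAMPLE_HTML, HTTPS_ONLY):
        print(f"plaintext {tag}: {url}")
```

The password form is flagged even though its `action` is relative, since a relative target is submitted with the scheme of the page that served it.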