What are the security risks that someone using HTTPS (everywhere) + DoH is vulnerable to, comparing to someone using a "trusted" VPN?
Without a VPN or a proxy, your ISP (or hotspot, etc.) will be able to see (or guess) what websites you are visiting, what Debian packages you are installing, etc. This might or might not be a problem, depending on where you live, your threat model, and your paranoia level. – reed Jan 20 '21 at 13:44
2 Answers
A VPN provides an encrypted tunnel from the VPN client to the VPN exit. All that somebody in the path of the tunnel (like the ISP) can see is that there is some traffic between client and exit, including how much traffic and some timing. With HTTPS + DoH the application payloads and DNS lookups are encrypted too, but much more metadata is visible: the IP addresses of the servers visited, the domain names accessed (since the majority of TLS handshakes still use plain SNI and no ESNI), the communication pattern to specific servers instead of only the aggregated traffic between VPN client and VPN exit, etc. Based on this available information, an active man-in-the-middle can, with a VPN, only block the whole VPN, but with HTTPS + DoH can do more targeted blocking of specific domains and IP addresses.
But with both VPN and HTTPS it is not possible to modify the traffic, only to gain more (HTTPS + DoH) or less (VPN) information and do more (HTTPS + DoH) or less (VPN) targeted disruption of the traffic.
In addition to the accepted answer, a VPN will protect you when using protocols such as telnet, ftp, gopher, ntp, smtp, imap, pop3, lpd, afp and so on. Some of those protocols have their own encryption options, but those may or may not be available to you. The Internet is not just http(s).