0

Hi,I do not work in IT security and hence am asking some general questions here.

I read https://security.stackexchange.com/a/172821/266785 and have questions that would appreciate answers.

Is my understanding below correct?

  1. So if the password also works without internet, like iPhone lock-screen passcode, it will not be leaked over unsecured internet.

  2. Most Passwords that need to be validated over internet, if it is a legit websites like Facebook and Robinhood, then it is likely to be encrypted. So entering password to legit sites that encrypts is likely to be safe even over unsecured internet.

I use VPN from untrusted provider for shadow-socks. I consider web traffic over it insecure, while many consider VPN as a securer way to browse internet. Is it actually safer than I think?

  • Your HTTPS traffic is decently safe on an untrusted VPN, but you're leaking the hosts you visit (by IP and usually by name), possibly some OS and/or browser fingerprints (they'll know your IP, OS, and browser), and they could run some frequency analysis to guess at your content in certain circumstances. If that's unacceptable, find a more trustworthy provider or switch to using Tor. Your HTTP traffic is fully visible to them. – Adam Katz Sep 07 '21 at 19:24

1 Answers1

1

Your understanding is correct. Approximately no websites or apps expect (or accept) passwords over plain text anymore (though there are a few exceptions, such as email servers and routers or other embedded devices). Treating a VPN where you don't control the server as a potentially-hostile network is the right move, but protocols intended for security even on hostile networks - such as the TLS protocol that underlies HTTPS and most other network encryption these days - are fine (so long as they're used correctly, validating the server certificate and so on).

The main ways a VPN can be more secure than not using one are:

  • You hide your location from the server you're talking to. This isn't perfect anonymity by far, but it helps.
  • There's basically nothing people on your local network can do to attack your traffic - even unsecured traffic - without first breaching the VPN. Since a local network is often in an unsecured location like an airport or cafe, and people might be looking around in real life to see who they can attack, there can be some advantage here even if the VPN provider is merely untrusted (as opposed to known malicious).
  • It's possible to hide servers (or other hosts) such that they're not available on the public Internet, and only on the LAN. A VPN can let trusted clients - but nobody else - onto that LAN from anywhere.

On the flip side, a VPN server has a guaranteed man-in-the-middle position on your connection. So, anything that's vulnerable to MitM attacks (anything plain text, some weak old versions of SSL/TLS, some software and protocols that have weak security) can be carried out by the owner of the VPN software. Doesn't mean it will be, though; after all, the owner of the router in any public Internet access network has the same position, and most of those are fine.

CBHacking
  • 42,359
  • 3
  • 76
  • 107
  • Thanks. It clears. Could you please elaborate on the exceptions such as email servers and routers or other embedded devices? I guess it does not include email, like gmail, login pages? – user266785 Sep 07 '21 at 05:11
  • Most (though not actually all) webmail systems are over HTTPS. Certainly the big ones (Gmail, Office 365, etc.) are. However, connecting from a desktop (or mobile) email client to an email server (typically IMAP or sometimes POP3 for received mail, and SMTP for sending mail) is more likely to be insecure. It is *possible* to use TLS for such servers, and many mandate doing so, but on others it's merely optional and some don't support it at all (or do, but without valid certificates). Home network routers and various other connected devices also usually don't support TLS well, if at all. – CBHacking Sep 07 '21 at 11:19