1

I've just seen a Youtube video with an advertisement for NordVPN in which they claim that NordVPN would protect passwords when people are on potentially malicious coffee shop WLAN.

That seems strange to me as basically all websites use HTTPS today. At least all I care about (e.g. banking, email, e-commerce, ...).

I assumed that this means the connection is encrypted - meaning an attacker can see which websites I'm using / how much traffic goes there, but not the content of that traffic.

The design of the TLS handshake should also ensure that there is no issue in the very beginning of the communication:

  • I assumed the key exchange was first done with Public-key-cryptography (where it doesn't matter if the attacker reads it) and later with symmetric cryptography (for efficiency).
  • I also thought that certificates were used to ensure I am actually talking with the service and not with a man-in-the-middle.

Do I have a wrong assumption?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Martin Thoma
  • 3,902
  • 6
  • 30
  • 42
  • 1
    *" key exchange was first done with Public-key-cryptography (where it doesn't matter if the attacker reads it) and later with symmetric cryptography (for efficiency)"* - not exactly, but maybe your phrasing is only shortened in a misleading way. Key exchange is done using public key cryptography as you stated correctly. Encryption and integrity protection is then done using the key material from the key exchange - and here symmetric encryption is used for efficiency (and other reasons). – Steffen Ullrich Sep 24 '22 at 08:21
  • This has been asked many, many times here. If you change your search term from "wlan" to "wifi", as per my edit, you will better find the advice you are looking for. – schroeder Sep 24 '22 at 13:28

0 Answers0