35
Does a VPN used on a smartphone with Wi-Fi disabled (mobile data only enabled) provide any sort of protection? (beehaw.org)
submitted 2 weeks ago by hedge@beehaw.org to c/technology@beehaw.org
65 comments fedilink hide all child comments

I've never completely understood this, but I think the answer would probably be "no," although I'm not sure. Usually when I leave the house I turn off wifi and just use mobile data (this is a habit from my pre-VPN days), although I guess I should probably just keep it on since using strange Wi-Fi with a VPN is ok (unless someone at Starbucks is using the evil twin router trick . . . ?). I was generally under the impression that mobile data is harder to interfere with than Wi-Fi, but I could well be wrong and my notions out of date. So, if need be, please set me straight. 🙂

top 50 comments
sorted by: hot top controversial new old
[-] dfyx@lemmy.helios42.de 28 points 2 weeks ago* (last edited 2 weeks ago)

Commercial VPNs as a security measure are pretty much a scam, at least in the way they are marketed.

These days, basically any web traffic is encrypted through HTTPS. Even on an untrusted network, nobody will be able to see the actual content (passwords, personal data) of what you're doing. DNS spoofing isn't viable either as any fake site they would send you to would lack the right certificates to establish a convincing HTTPS connection. So all someone can see is what servers you're connecting to, either by logging your DNS requests (can be prevented by using some form of encrypted DNS like DNS over HTTPS) or the IP addresses you connect to. And honestly, how much value does one get out of knowing that there's someone on their network who browses beehaw.org, supergreatbank.com and bigtiddygothgfs.to with no information to connect that to an actual person?

Unless you routinely use shady open Wi-Fi networks - and I'm talking about something that may have been setup on purpose by a malicious actor, not your local supermarket - to do security-critical stuff, you don't need a VPN. Also, if you trust your mobile data provider less than a company that tricks people into thinking you absolutely need their product to secure your data, you should get a different mobile data provider.

Now, there are use cases for VPNs but those are more along the lines of accessing stuff that's not available in whatever region you're currently in.

See also Tom Scott's video on the topic. It's a few years old but still relevant.

Edit: there is of course also the use case of hiding illegal stuff. In that case, I will not give any advice. Put some onions on top of your router or something, that's probably cheaper and more reliable.

Edit 2: just to make this entirely clear, I'm talking about commercial VPNs like NordVPN, Surfshark and whoever else pays YouTubers to advertise for them. If you host your own VPN, some of the downsides may not be as relevant. Though I would assume that anyone who even considers hosting their own VPN has enough technical knowledge about how networking works to know about the pros and cons.

[-] jet@hackertalks.com 15 points 2 weeks ago

Do you want a random third party looking at all of your mail before you pick it up? Even if they can't open the envelope, having somebody else write down every message that comes in who it's from and who it's too and how frequent it is, that creep me out.

If you're uncomfortable with a third party looking at your mail, it's very reasonable to not one third party's looking at your internet traffic. It's the same thing.

[-] dfyx@lemmy.helios42.de 22 points 2 weeks ago

A commercial VPN provider is just another random third party.

[-] jet@hackertalks.com 18 points 2 weeks ago* (last edited 2 weeks ago)

You get to choose them. You can research them. They don't have a geographic monopoly on your internet connection. That gives you more control, and then more incentives to do the right thing

If you pay for your VPN using crypto, then they can't tie it to your name, when they're reselling the traffic it's harder to tie it to an identity

https://www.privacyguides.org/en/basics/vpn-overview/

A VPN has many advantages, including:

  1. Hiding your traffic from only your Internet Service Provider.
  2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
  3. Hiding your IP from third-party websites and services, helping you blend in and preventing IP based tracking.
  4. Allowing you to bypass geo-restrictions on certain content.

VPNs can provide some of the same benefits Tor provides, such as hiding your IP from the websites you visit and geographically shifting your network traffic, and good VPN providers will not cooperate with e.g. legal authorities from oppressive regimes, especially if you choose a VPN provider outside your own jurisdiction.

[-] towerful@programming.dev 3 points 2 weeks ago

If you pay for your VPN using crypto, then they can't tie it to your name, when they're reselling the traffic it's harder to tie it to an identity

Surely that only works if you have personally mined the crypto yourself.
And if you only use that wallet for paying for the same VPN service.
Crypto isn't anonymous, the ledger of all transactions (IE the Blockchain) can be read by anyone.

load more comments (1 replies)
[-] to55@discuss.tchncs.de 6 points 2 weeks ago

That, unlike your ISP, isn’t obligated by law to log the connections you make (‘data retention’). Depending on the jurisdictions.

[-] to55@discuss.tchncs.de 6 points 2 weeks ago

HTTPS, sure. But your ISP can and will create a pretty comprehensive social graph about you using only metadata (server IPs or hostnames). Where I live, all home networks basically have a static IP. Also, besides a commercial incentive, ISPs are also mandated to log your connections. VPNs are not.

load more comments (1 replies)
[-] tobogganablaze@lemmus.org 24 points 2 weeks ago

Usually when I leave the house I turn off wifi and just use mobile data

I would stronly recommend that you set your wifi to only join trusted networks. That way you can also just leave the wifi on and not have it connect to every random network it encounters.

[-] ISOmorph@feddit.de 6 points 2 weeks ago* (last edited 2 weeks ago)

I would still recommend turning wifi off when leaving home for privacy reasons (which can easily be automated). The process to identify if a network is trusted or not requires a handshake. So leaving wifi on makes you trackable by the wifi network operators and the apps on your phone with access to your wifi, wether you connect a network or not.

[-] HeartyBeast@kbin.social 22 points 2 weeks ago

You’re hiding your traffic route from your mobile operator and giving it instead to your vpn company who swear they are honest

[-] rudyharrelson@kbin.social 20 points 2 weeks ago* (last edited 2 weeks ago)

I run my own wireguard VPN at home and connect to it from my phone when I'm traveling.

Grants me privacy (but not anonymity) from my mobile carrier. Sure, my home ISP still sees my VPN's traffic, but that's still one less company able to monitor my web traffic when I'm mobile.

[-] HeartyBeast@kbin.social 5 points 2 weeks ago

Running your own VPN in that situation is a good use-case agreed - assuming you trust yourself :)

[-] ahal@lemmy.ca 8 points 2 weeks ago

I'm experienced enough to know that out of my mobile carrier and ISP, I am the least trustworthy operator.

load more comments (1 replies)
[-] giloronfoo@beehaw.org 3 points 2 weeks ago

Same. Also feels a bit safer connecting to public wifi.

load more comments (2 replies)
[-] twinnie@feddit.uk 14 points 2 weeks ago

Your provider will just see encrypted traffic (mostly), so yes it will provide protection.

[-] jmcs@discuss.tchncs.de 8 points 2 weeks ago

Only if you trust your VPN service more than your mobile Internet provider.

[-] eleitl@lemmy.ml 6 points 2 weeks ago

You forget that nation-states control your ISP. And of course you can choose your VPN provider or run your own.

[-] dfyx@lemmy.helios42.de 7 points 2 weeks ago

Your provider will just see encrypted traffic (mostly) anyway, so no it will not provide protection. The only thing that you're now hiding from your provider is which servers you're connecting to. Instead you're showing that info to a VPN company whose main business practice is scaring people into buying a product they probably don't need. Think about who you would trust more.

[-] eleitl@lemmy.ml 6 points 2 weeks ago

The provider and national TLAs will see all traffic that is in cleartext and meta traffic which is even more valuable. It can also actively tamper with that traffic. So you're technically incorrect and you assume your threat model is universal. It's not. And, of course, there are use cases for Tor, whether with or without VPN.

[-] dfyx@lemmy.helios42.de 3 points 2 weeks ago* (last edited 2 weeks ago)

While my threat model is not universal, it comes close, at least for the average user which OP seems to be from their question. In practice, there is very little unencrypted traffic these days and in the case of that traffic you will have to ask yourself if your (commercial) VPN provider is more trustworthy than your ISP.

If you need to ask if you need a VPN there's a 99% chance that you don't. There are certainly a few use cases for both commercial VPNs and TOR (see my other comment) but to even be aware that those apply to you, you probably already have enough technical knowledge to approach the question from the direction "I want to do XYZ, how can I be more secure?" and not "I've heard of VPNs, do I need one?"

[-] eleitl@lemmy.ml 8 points 2 weeks ago

My national government has no business knowing which protocols I use to contact which endpoints and tamper with that traffic. Wrapping up that information in a tunnel is a good first protection layer.

[-] dfyx@lemmy.helios42.de 5 points 2 weeks ago

If you're using a commercial VPN from a provider who can legally operate in your country, your national government can just as easily get that information from them as from your ISP.

[-] jet@hackertalks.com 6 points 2 weeks ago

Correct. But that's no reason to make it easy for them. Burglars can break my windows and climb through and steal my stuff. I'm still going to lock my doors

[-] eleitl@lemmy.ml 3 points 2 weeks ago

How would a national government (not TLAs) target particular individuals in a large number of users and what information can they gather given e.g. https://mullvad.net/en/help/no-logging-data-policy ? So perhaps not quite as easily as ordering a tap.

[-] to55@discuss.tchncs.de 3 points 2 weeks ago

While ISPs are in many jurisdictions obligated to log your connections (data retentions laws), VPN providers are not.

[-] jet@hackertalks.com 3 points 2 weeks ago

Even though most data traffic is encrypted who you're talking to is not encrypted.

So a third party can observe, who you're talking to, how much data you're sending to them, how frequently you talk to them....

The classic example is if you start visiting a suicide prevention website, even though they don't know the content that you're being served, they can guess oh you're having mental issues. We should revoke your security clearance... Etc

load more comments (1 replies)
[-] ulkesh@beehaw.org 6 points 2 weeks ago

Your replies all make a very big assumption that the only connections being made, by people who are advocating VPNs, are over https (or possibly ssh) and thus VPN isn’t necessary. There exists more services than that some of which aren’t end-to-end encrypted (many messaging apps, for example).

Also, I agree that at the end of the day, a user is trusting someone not to snoop. But given that ISPs have been proven to snoop (for various reasons), I personally will put my trust in a VPN provider that I have researched and one that has shown a considerable resilience against outside forces. Mullvad comes to mind here.

Yes, a VPN is probably overkill if all the user is doing is using a web browser, nowadays. But it is useful beyond just setting up a tunnel for access.

[-] brie@beehaw.org 5 points 2 weeks ago

Although it is possible that some messaging apps send completely unencrypted messages, most (reputable) non-E2E apps are probably still using HTTPS. It just means that when the message arrives at the messaging app's servers, they can decrypt the message and store it in plaintext.

[-] ulkesh@beehaw.org 4 points 2 weeks ago

That’s true, thank you.

Some other possible unencrypted services people use today… email over non-SSL (which still does exist). Bittorrent. Non-SSL NNTP, which is also still supported. And DNS.

Of course much of that has options of securing, but the point is that a VPN shifts the trust of them not being secure over to an entity that may be more trustworthy.

And sometimes that becomes the path of least resistance for people.

I use a VPN for access to my house (inbound), but also to prevent my ISP from ever snooping on anything for certain services (inbound and outbound) — content, headers, metadata of any kind. I trust Mullvad right now much more than I trust my ISP.

Not everyone’s use case is the same. But that doesn’t mean it is somehow invalid as some posts here have alluded to. Though, I do agree with some posts here that the commercialization of VPNs is playing on people’s possibly-unfounded fear (NordVPN and the like, putting ads seemingly everywhere acting like everyone is watching).

[-] to55@discuss.tchncs.de 3 points 2 weeks ago

A VPN doesn’t do much to protect HTTP connections.

load more comments (4 replies)
[-] jet@hackertalks.com 13 points 2 weeks ago* (last edited 2 weeks ago)

Using a VPN for your mobile traffic protects your mobile traffic from Flow analysis from your mobile operator. So that is a strict net benefit.

[-] Coasting0942@reddthat.com 8 points 2 weeks ago

Protection from what?

If it’s your phone leaking your location, then yes and also disable location services and Bluetooth as well.

You mention interference. Mobile data can be interfered from miles away at the phone company. Same for your home internet.

[-] noorbeast@lemmy.zip 7 points 2 weeks ago* (last edited 2 weeks ago)

Any public data exchange has an element of risk, but the management/priority of that risk relates to your relevant risk matrix/profile.

Any exposed data transverses via a provider, be it mobile or Wi-Fi is pertinent, if you are concerned about provider vulnerabilities and exposure, be it Wi-Fi or mobile, use a VPN and related encryption.

[-] dfyx@lemmy.helios42.de 3 points 2 weeks ago

Or don't. Unless you know that your provider is working against your best interests, a VPN provider is just as likely to be compromised as your cable or mobile ISP.

[-] Moonrise2473@feddit.it 7 points 2 weeks ago

Only if you live in a country like russia, china, iran, north korea or south arabia

[-] UndercoverUlrikHD@programming.dev 6 points 2 weeks ago

What sort of protection are you after? Your VPN should encrypt your data to make it more difficult to snoop on your activity. I wouldn't trust any random WiFi hot-spot just because you got a VPN encrypting your traffic though.

[-] A1kmm@lemmy.amxl.com 9 points 2 weeks ago

Note that VPN is just trusting a different network.

If you trust your VPN provider not to misuse your unencrypted traffic / inject exploits, but not your mobile phone provider (or any other network provider you might roam onto), then a VPN provider could help.

If you trust your VPN provider less than the mobile phone provider, the situation is reversed - you would be better not to use a VPN.

If you trust them equally, there is probably no point using a VPN (except for the roaming situation, which could be forced in certain circumstances).

[-] hedge@beehaw.org 2 points 2 weeks ago

Before answering your first question (I'm actually not sure how to answer! I'll have to think about it 🤔)--my laptop has wifi, which transmits and receives radio waves to/from my router; my router is connected to a cable (broadband cable? I guess? Not DSL at any rate), which is connected to the internet (and there's also a MODEM in there somewhere too). My laptop doesn't have the ability to connect by mobile data which uses, I guess?, cell phone towers, but my smartphone can use both. So they're two different systems is I guess what I'm getting at, and I was never clear on how or if a VPN provided any sort of basic privacy if it was only using cell towers. This is a potentially really dumb question (the head injury doesn't help 🤕), but remember, William Gibson used to think that computers were powered by these gleaming magical crystals (or so he claims), before he looked inside one and discovered that it was basically just a floppy plastic record spinning around really fast.

[-] jlh@lemmy.jlh.name 9 points 2 weeks ago* (last edited 2 weeks ago)

The first step in security is to answer who you're defending against. Someone stealing your phone? A cop with a STINGRAY device? All the security decisions you make are based on your initial threat model.

Generally, home internet, wifi, and cellular data are considered safe against passers-by (assuming your wifi password is strong). However, they are also assumed to be eavesdropped on by your ISP and government. Details of your internet traffic can then also be revealed by your ISP to other people during legal action, such as if you're being investigated for piracy.

There are ways to further protect your internet traffic from being snooped on, even from your ISP and government, by using things like HTTPS, DNS over HTTPS, and of course, VPNs.

[-] hedge@beehaw.org 2 points 2 weeks ago

✔HTTPS 👍

✔VPNs 👍

I thought DNS over HTTPS (DoH!) was not recommended for some reason . . . My VPN provider claims to be using its own DNS servers.

[-] dfyx@lemmy.helios42.de 5 points 2 weeks ago

Please note that the comment you're replying to is leaving out a crucial piece of information: if your VPN provider is legally allowed to operate where you live, your government or law enforcement can get your data from them just as easily as they can get it from your ISP.

(Sorry for repeating myself but security is an important topic so I'd rather correct incomplete or misleading information in multiple comments than have someone miss the crucial part because they read only one sub-thread)

[-] jlh@lemmy.jlh.name 5 points 2 weeks ago* (last edited 2 weeks ago)

Definitely! If your VPN keeps logs, is in a surveillance-friendly jurisdiction, etc, then details of your internet traffic can be revealed by your VPN. I recommend Mullvad, paid with cash, for the most security. It can also help to pick VPN servers outside of the most egregious jurisdictions, like picking EU servers over US or HK servers.

load more comments (8 replies)
[-] jlh@lemmy.jlh.name 4 points 2 weeks ago* (last edited 2 weeks ago)

DoH is meant to hide your internet activity from your ISP/cell-provider since DNS is otherwise unencrypted. If you trust your VPN, then you can trust unencrypted DNS.

[-] rudyharrelson@kbin.social 3 points 2 weeks ago

Definitely not a stupid question! Networking infrastructure is complex. I've been working in IT for years and still find myself scratching my head at times going, "Wait, how does the OSI model work again?"

Connecting to a VPN on your phone while using mobile data basically means the cell phone tower handling your data only sees encrypted data. Whoever your VPN provider is will see your traffic instead of the cell tower.

However, in modern times it's fair to be wary of backdoors and exploits that can compromise your device and render the VPN encryption moot. There's not much that regular people can really do to mitigate that possibility other than not use a phone.

If you're interested in learning more networking fundamentals, I'd recommend starting with the OSI model and its layers.

A handy mnemonic I whipped up with ChatGPT last year for better remembering the order of the layers:

Precise Data Navigation Takes Some Planning Ahead

[-] interdimensionalmeme@lemmy.ml 3 points 2 weeks ago

The spyware in your radio firmwarr always has direct internet access and it won't use your vpn

load more comments (2 replies)
load more comments
view more: next ›
this post was submitted on 16 May 2024
35 points (100.0% liked)

Technology

37211 readers
614 users here now

Rumors, happenings, and innovations in the technology sphere. If it's technological news or discussion of technology, it probably belongs here.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
alyaza@beehaw.org
TheRtRevKaiser@beehaw.org
gyrfalcon@beehaw.org
rs5th@beehaw.org
Los@beehaw.org
coldredlight@beehaw.org
SemioticStandard@beehaw.org
TheRtRevKaiser@kbin.social
remington@beehaw.org