Every time someone talks about how public wifi is safe to use without a VPN due to things like HTTPS and HSTS, some random person replies with "man-in-the-middle attack" because they don't actually know what that is, and therefore don't understand that HTTPS and HSTS address specifically that. - ThreadSky

malwaretech.com • 75 days ago

Every time someone talks about how public wifi is safe to use without a VPN due to things like HTTPS and HSTS, some random person replies with "man-in-the-middle attack" because they don't actually know what that is, and therefore don't understand that HTTPS and HSTS address specifically that.

Comments

joocifer.bsky.social•75 days ago

As long as the target website redirects all browsers back to https from http using the Strict-Transport-Security directive (eg HSTS.)

If it doesn't, or it requests that change via http not https to try to be 'helpful' to the older browser, then a type of MIM can slip in.

ceylene.bsky.social•75 days ago

Okay, but what if I really want to spread fear and panic in the population and make them think they're always at risk despite the #1 way of being hacked now being social engineering?

radianthostility.bsky.social•75 days ago

Your crusade against basic privacy remains as fascinating as it is bizarre.

annular.bsky.social•75 days ago

Traffic is secured end-to-end but knowing that your “end” (phone, laptop, etc.) was on that network at that time gives anyone snooping valuable data about your whereabouts and patterns. Sheesh… watch a single spy movie, people.

zipwhaa.bsky.social•75 days ago

They do, but the options a MIM situation provides to make your life sad are bountiful. It is just human nature to underestimate how secure you really are. I know your IP, I’m scanning your machine and finding vulnerabilities in real time.

makemake.site•75 days ago

VPNs are actively less secure than public wifi

noram25.bsky.social•75 days ago

MITM can intercept handshakes, and thus renders HTTPS moot. Never, ever, do sensitive things on public computers.

Logging into a router requires a handshake. aircrack-ng and airreplay intercepts these and uses a dictionary to crack the password. While not exactly MITM, it provides an example.

onetoomany.bsky.social•75 days ago

In theory I would feel safe relying on HTTPS and HSTS.
In practice, I'm many-burned many-shy on security hubris, and would turn on a VPN.

cyb3rmaniak.bsky.social•75 days ago

300 character limit. Still got heat from both sides. Impressive.

My 2 cents - VPNs do not keep you safe. They are over-rated when it comes to security or privacy.

MITM attacks are not the only ones out there.

There are people who will use HTTP and won't know any better, or read warning messages.

msmagicdishes.bsky.social•75 days ago

I once had a developer set the calling port for his application to 443 assuming that the communication would be automatically encrypted.

There was no SSL/HTTPS functionality anywhere in the code base. He just thought the little lock icon in IE meant comms were encrypted

That was in 1999.

0 trust

lysanntranvouez.bsky.social•75 days ago

Well, I would partially blame IE here how showing a little lock icon without any SSL going on? I don’t remember what it looked like back then, though.

msmagicdishes.bsky.social•75 days ago

The lock icon just checked for port 443 it had no way to know whether the traffic was encrypted or not.

In 1999 they were still using ftp and telnet *thrashes* and we were high on the 32 bit supply

Ahh, those were the days. I miss the wild wild SFBA

csapidus.bsky.social•75 days ago

Bulkheads protected the Titanic so well that lifeboats were thought unnecessary.

kev-knczk.bsky.social•75 days ago

Do you have an article that explains it in simple terms and that you would recommend? I want to learn about this to better understand it. Thanks.

tadikas.bsky.social•75 days ago

This video does a pretty great job at explaining this.
https://www.youtube.com/watch?v=WVDQEoe6ZWY

kev-knczk.bsky.social•74 days ago

Thanks, I will check that out :)

stual.bsky.social•75 days ago

Don't forget DNS isn't over tls...

akgood.bsky.social•75 days ago

If you're using a modern browser then actually it probably is.

https://support.mozilla.org/en-US/kb/firefox-dns-over-https https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html

stual.bsky.social•75 days ago

Ah good. But that only makes it safe from people on the WiFi.... Not from Google ;)

toonspin.nl•75 days ago

I feel like people may be thinking about what happened with DigiNotar, which is a MitM attack but a very different one. If I understand that one correctly (it's not easy to Google how it worked) VPNs may protect you from that one but only because they offer DNS-hijacking-as-a-feature.

speerical.bsky.social•75 days ago

My understanding is that VPNs have actually become a target, and new designs are being used to access through them.

Wasn't there a whole breach of one of the big VPNs recently?

sir-papillon.bsky.social•75 days ago

Unless I’m mistaken, isn’t the major risk fake WIFI which looks legitimate by the name?

dubbaewwteeeff.bsky.social•75 days ago

That's *a* risk, but it doesn't allow decryption of HTTPS.

Asymmetric cryptography lets you verify the party you're taking to (the little lock on the browser bar), and also encrypt your data so it can only be read by that party.

The fake WiFi can capture your packets in between, but not read them.

pmacustodio.bsky.social•75 days ago

Not all internet is HTTP based

dubbaewwteeeff.bsky.social•75 days ago

To attack successfully this way you'd need the target to accept a fake certificate that you have the private key for - then you can make a connection to the website, impersonate it, and pass the traffic along in both directions while you record all of it.

robbiepieguy.bsky.social•75 days ago

They heard "man in the middle attach" somewhere and were told it was a way of getting around https. They then, instead of doing a little research, consider themselves and expert on a topic - with a Facebook degree and a minor in youtube.
Dunning Kreuger.

robbiepieguy.bsky.social•75 days ago

sorry about the spelling mistakes , thought I could fix them.

robbiepieguy.bsky.social•75 days ago

can't edit my own post????

telecomone.bsky.social•75 days ago

HTTPS and HSTS do reduce, but don't eliminate, the risk of man-in-the-middle attacks on public Wi-Fi. While they encrypt data & verify servers, sophisticated attacks remain possible. Claiming public Wi-Fi is "safe without a VPN" is an oversimplification; a VPN offers an extra security layer.

telecomone.bsky.social•75 days ago

VPNs provide security but do not offer total protection. They require trust in the provider, do not guard against malware or phishing attacks, and can not protect compromised devices. Data exchanged with insecure websites remains vulnerable, and there is a risk of data leaks.

grimreapaa.bsky.social•75 days ago

Public WiFi is safe.

‘A man in the middle’ will just see all the numbers of everyone connected to the WiFi. A bunch of them. The attacker now has to take time to figure out which number (aka device) represents a person of value.

Jokes on you, I’m at Walmart.

chicagojcb.bsky.social•75 days ago

I suppose it depends on what is meant by "safe". There are some things I would not do on a public wifi, protocols or no.

nyebodnye.bsky.social•75 days ago

I think it's more the fact that public WiFi says "connection may not be secure" when you connect to it, so during the connection phase it might be insecure and you might give credentials away.

csundquist.bsky.social•75 days ago

Where can grammas learn to understand what you are talking about?

dogalmighty.bsky.social•75 days ago

TLS Termination.

nowjustsean.bsky.social•75 days ago

VPN will obscure the requests along with the content. If you need to secure who you are speaking with, VPN is needed.

ramblingfool.bsky.social•75 days ago

Still best to use VPN, also, grab a power only usb cable, so when you charge whilst away from safe shores, that is all you're doing 😋

alexiwolfe.bsky.social•75 days ago

USB Condom! Awesome little devices

snowone.fixate.social•75 days ago

VPN companies and AV providers should be held accountable for both lying to public and selling false protection.

C levels given criminal charges for fraud

pmacustodio.bsky.social•75 days ago

DNS

vikfro.bsky.social•75 days ago

Mobile apps are not as forced as modern browsers to use encryption, so you're still very much at risk. And both mobapps and webapps often use other protocols. Not sure if they suffer from MITM I'm not a cybersec expert but prolly. Anyway I don't see the point, always better to VPN in that situation

hannah.cat•75 days ago

not sure how the situation on Android is, but iOS apps aren't allowed to use plain http by default.

You can enable it with some flag, but only if you provide reasonable justification why you need to, and it triggers additional review, so I don't think most apps do it.

alanwatton.bsky.social•75 days ago

I still wouldn’t use public WiFi without a VPN, the amount of plain text data sent from apps in the background can leave you wide open for future believable phishing, just bc of the info gleaned

dynom.nl•74 days ago

Yeah at the very least force DNS resolvers to be what you want, instead of what is being handed out

xapper.bsky.social•75 days ago

Are there still instances where public WiFi isn't safe?

iainwithtwoiis.bsky.social•75 days ago

How many have you heard say that? I'm 32 working in IT and have never heard anyone talk about it once?

tazwake.bsky.social•75 days ago

Was this a joke?

dubbaewwteeeff.bsky.social•75 days ago

DNS requests can be captured unless you're doing something like DNS-over-HTTPS. Potentially that can clue an attacker into what sites or banks you use, as a lead-up to a targeted phishing attack or impersonation with public data.

It's not anywhere near the danger of a successful MitM attack though.

ox45tallboy.bsky.social•75 days ago

Both Chrome and Firefox use DoH. You can always set your DNS servers manually either on your device or in your router's DHCP settings. Google's DNS at 8.8.8.8 and 8.8.4.4 use DoH if you trust the public Wi-Fi router even less than Google.

1samm1.bsky.social•75 days ago

If it were intercepted that I hypothetically surfed to 🌽 hub, this would already make me a target for legal consequences and/or blackmail in the country I am at - so yes, a simple DNS request can have consequences even without being able to decrypt the following communication

dubbaewwteeeff.bsky.social•75 days ago

Good point.

khaineschosen.bsky.social•75 days ago

And? VPN's are for downloading pirated shit and avoiding geofencing

quasarj.bsky.social•75 days ago

I have never trusted HSTS, and I never will. I’ll never forgive it for the death of my boy.

ceilingcat.bsky.social•75 days ago

🖖

nocleverhandle.bsky.social•73 days ago

Firesheep was fun while it lasted.

wrigglenightbug.com•75 days ago

The last time I've heard of a real public wifi attack was a fake public wifi that used a captive portal with a login page and just took the login credentials. And that's an evil twin attack not an mitm

kv.codes•74 days ago

AND EVEN THEN, A VPN WILL NOT HELP AT ALL!!

tw33tzr4kidz.bsky.social•74 days ago

It will make you look better to people who don't know better.

wrigglenightbug.com•74 days ago

Well a VPN will help in the sense that it will just prevent you from even accessing anything

kv.codes•74 days ago

“Connect to WiFi before initializing VPN connection”

we’re so screwed

wrigglenightbug.com•74 days ago

and then once you do get connected you get IP banned from half the sites you wanna use

kv.codes•74 days ago

Sorry, Cloudflare blocked your reply.

joh.dev•75 days ago

I suppose VPN’s provide marginal security benefits with shady WIFI’s that are easily perverted by virtually all VPN services being shady.

I do use VPN when travelling, but only because my home router is my exit, i.e. it is convenient, actually secure and most importantly costs nothing

lenhart.digital•75 days ago

I once had people commenting that our guest WiFi in the office was a security risk because of a pretty simple password.
Well, all it does is connecting devices to the internet.

And I've seen Citrix clients that were not allowed to be used in public WiFis. They also expire passwords every 30 days...

brees-knees.bsky.social•75 days ago

This is relying on implementation at the server/service level, a VPN secures your wifi data regardless of what protections are implemented on the server side.

jototland.bsky.social•75 days ago

A VPN only secures data between the VPN provider and you. Do you trust everyone your data passes between the VPN provider and your bank? Do you trust the VPN provider itself? Commercial VPN providers are often very shady people I would never trust. Luckily, my data is usually protected by TLS.

leosstankytaint.bsky.social•75 days ago

Doesn't matter. I know their passwords.

jbentley-atx.bsky.social•75 days ago

My giveshitter is broken whether or not someone picks up the soccer memes I’m sending to my kid at the local coffee shop.

dirk1978.uk•75 days ago

Yes and no. HTTPS traffic when properly implemented with a modern browser and up to date TLS server side is protected. But that's only a subset of traffic your device will be sending and receiving.
Using an SSL VPN like openvpn to your own cloud instance / home server will encrypt everything.

posh.guru•75 days ago

Subset is a little light, a casual Wireshark would show its probably 90% of an average users traffic and the rest isn't sensitive.

Enterprise users however are probably still using raw unencrypted SQL fat clients from the 90s and thus different criteria.

dirk1978.uk•75 days ago

Yeah. Off the top of my head it's mostly DNS lookups and broadcasts like NetBIOS, zeroconf, bonjour, DHCP etc. The vast majority is HTTP/S and most unencrypted web connections will have a default redirect before anything else even if the browser doesn't automatically try 443 first.

oscaralmgren.bsky.social•75 days ago

I mean though, from a regular user pov, how many have set up a home server or own cloud instance?

Us mega techie guys: yes, maybe.
My aunt and other relatives: never.

dirk1978.uk•75 days ago

Yeah totally. If talking about remote workers lots will have a work VPN which will be SSL or IPSec. People on their own stuff, not so much.

imelven.bsky.social•75 days ago

it does become quite tedious and tiresome indeed

this.bearable.website•75 days ago

unencrypted DNS is still often a problem tho

yokai64.com•75 days ago

Me reading this with a VPN on a public network: 👁️👄👁️

malwaretech.com•75 days ago

Also popular is replying with "Wifi Pineapple" (which is a single brand of device for performing wifi man-in-the-middle attacks), making it clear they don't really have any understanding beyond watching a single hacking video on TikTok.

oracularhades.com•75 days ago

or mr robot

noram25.bsky.social•75 days ago

I think the most unrealistic thing about Unfriended Dark Web was the creation of the bitcoin wallet. It skipped a couple steps. Some of the linux commands were not native to linux, but would work using an alias. The backlog of webcam clips shows a prolonged intel stage, which is real in hacking.

noram25.bsky.social•75 days ago

Mr Robot was highly "holywood-ified", but the concepts there are reasonably realistic. The most realistic hacker movie I've seen is Unfriended Dark Web. Every tool, command, procedure, and reaction is scarily realistic. Mostly the hacks could be done using metasploit and some linux "alias" shortcuts

factsandsnacks.bsky.social•74 days ago

Robot did such a great job w the hacking. One thing it got absolutely right was the way it showed the importance of social engineering in the context of hacking.

No one just pounds on a keyboard for 30 seconds and shouts “I’m in!” They need actual access to people or devices.

tib3rius.bsky.social•75 days ago

sslstrip!!!111oneoneone

fulgurbellator.bsky.social•75 days ago

Inb4 POODLE

drunkendonuts.bsky.social•75 days ago

I'm just a rube that knows nothing but it's really a shame that TikTok has done that with *every* subject. All you need is great lighting and a confident voice. Also 300 jump cuts in a 1 minute video.

thevowel.bsky.social•75 days ago

it doesn’t matter if the subject is network security or college football - if the response is two words it’s almost certainly a dumb meme with no thought behind it.

amye.bsky.social•75 days ago

hawk tuah -- there, it proves the rule

anadarkocapital.bsky.social•75 days ago

But Kali Linux !

blackholefun.bsky.social•75 days ago

Worst thing that ever happened to Kali was for it to be in that show. I stopped telling people I used it at that. 😆

awesomepantsfilms.bsky.social•75 days ago

Slightly unrelated, but VPNs do hide your browsing data from your ISP, right? That’s the main thing I’m concerned about.

caveatruptur.bsky.social•75 days ago

Sure but why are you willing to trust a vpn provider?

awesomepantsfilms.bsky.social•75 days ago

👍

governorkilby.us•75 days ago

Can HTTPS with HSTS replace VPN? Yes!
Is anyone using HTTPS+HSTS correctly? No.
Is everyone using HTTPS correctly? No.
VPN is your only option for reliable security on public wifi.

fbarrio.bsky.social•75 days ago

I don't know man.. I may not be able to decrypt all the data it's being transferred, but sometimes knowing the origin, destination, size, datetime, is enough to get you in trouble.
I'm a sysadmin and if I start watching web logs of my firewalls, I wanna tear my eyes out. I DO NOT RECOMEND!

rotcityriot.bsky.social•75 days ago

My awareness of our cybersecurity is starting to make some people uncomfortable at work so I gotta reign that shit in back to "file goes on share drive :)" level before I get my ass fired

reused-corvid.protogen.club•75 days ago

Put a vampire tap on my school Ethernet cable for a class project. Similar experience.

nonchip.de•75 days ago

your school uses token ring?

cdcalandrabelle.bsky.social•75 days ago

😮 wat the .. wat about th weblogs make u wana tear ur eyes out ? 😮😭

fbarrio.bsky.social•75 days ago

well, you can see exactly what sites they are browsing... and people.. people are weird.
Imagine watching the logs of a public wifi.. let's say.. an Airport.. or a McDonalds.. or.. a HOTEL!
Things can get disgusting if you pay attention.

cdcalandrabelle.bsky.social•75 days ago

lol i kno . i thot u were yona b specific but yeah ..

fbarrio.bsky.social•75 days ago

not going to oust my clients over social media.. the most important quality of a sysadmin, is his trustworthiness.. sorry sister..

mishaniz.bsky.social•75 days ago

Reminded me of the story where someone used TOR to send a bomb threat to their university to try to get out of doing a final, only to get caught cause they were the only person on campus sending data to a TOR node at that exact time

robbinsa.me•75 days ago

good old WPA-PEAP

blenderbruv.bsky.social•75 days ago

Yea just yesterday I was in a redtoraunt with a friend and casually brought up variousinternet protocols waiter interrupted me and told me about a man in the middle attack

pi0.io•75 days ago

- HSTS is not enforced by default
- SNI is barely encrypted
- Domain typosquatting
- DNS (53) is unencrypted
- DPI and and traffic analyzers exist
- Shady VPNs everywhere also…

So yeah, content in more secure nowadays but if big brother wants to know what im into it’s ez.

pete-etep.bsky.social•75 days ago

I'm untouchable. I'm using a fake profile picture

pills-here.bsky.social•75 days ago

this.bearable.website•75 days ago

I feel like Tor is the only way to avoid a lot of this

wekuz.bsky.social•75 days ago

The DNS part can be easily fixed by forcing DoH (DNS over HTTPS). I have it setup on my laptop's browser, but I could do it system-wide if I really wanted

jakelandau.ca•75 days ago

I mean I use a VPN on public wifi, but it's just a self-hosted VPN on my own home network so I can use my stuff lol

blink182joel.bsky.social•75 days ago

Wireguard?

chillygills.bsky.social•74 days ago

I really wish HSTS would have been burnt at the stake in whatever nightmare hellscape it first appeared.

segfault4.bsky.social•75 days ago

Yeah for the most part. They won't be able to get things like credentials and cookies. But I still don't want the public networks know what I'm looking at. I use my home VPN anyway.

mgv11.bsky.social•74 days ago

You can mimick an access point to trick a client But what does that have to do with being in the middle?

chiefgyk3d.com•75 days ago

I generally fall in the "VPN is often overhyped or misunderstood" but I have seen a lot of websites improperly configured or patched, sometimes mixing HTTP and HTTPS content, running vulnerable versions of SSL/TLS, or more. I say people would benefit more from adjusting user behaviors

kalfeher.bsky.social•75 days ago

except for that clear text to set up TLS.

tbf, actually implementing MiTM reqs more than just seeing the sni. I bet most ppl wouldnt like that an observer can in fact see which hosts you connect to.

someday, hopefully soon ECH might mean that what ppl expect of TLS, will actually be true.

fullsendmic.bsky.social•75 days ago

How about TLS inspection/decryption?

dab.dad•75 days ago

If you can decrypt a TLS packet then you have the keys

elnawser.bsky.social•75 days ago

To add on: some argue that a VPN allows for synchronous encryption and, therefore, is less suseptible to eventual quantum bruteforcing.

Even if that were true, *most* of your connection will still use asynchronous encryption, so it's a moot point.

evelyn.woke.cat•75 days ago

i love youtubers literally just lying in their sponsorships.....no this isn't a crime drama hacking doesn't work like that,,,,🙄

moirapri.me•75 days ago

LMAO I dealt with this on a TikTok comment thread last year. The Dunning Krueger brigade always comes out in full force

c2snow.bsky.social•75 days ago

When a malignant narcissist is President & his abusive behavior glorified it has a social impact on many levels

codesandbeats.bsky.social•75 days ago

Excuse me the influencers have assured me that a VPN will somehow protect me from enterprise data breaches.

paranoidfactoid2.bsky.social•75 days ago

You're aware that DHCP sends a DNS resolver setting to the client, yes? And the resolver provides ip addresses to the client on name resolution. And if the IP address diverts to a secondary site, rather than the canonical, there's your man in the middle.

hervold.bsky.social•75 days ago

My understanding gets very fuzzy here, but I think there’s a cert chain extending to root DNS?

nicolas.grilly.com•75 days ago

Yes exactly.

natanael.bsky.social•75 days ago

Kinda.

The CA issues a cert for the specific set of domains which a domain owner can prove control over (this may be the top domain, or a list of subdomains, or ab wildcard cert for any possible subdomain, etc)

The CA does check the DNS values and validate up to the roots.

natanael.bsky.social•75 days ago

If you look at the actual certificate it has a cert chain from the issuing entity up to a root CA, and the client validates that the root is known and trusted and that every intermediate is authorized to sign the certificate that comes after it in the chain

opliko.dev•75 days ago

Resulting in a nice, unskippable HSTS error for your victim when they go to pretty much any site that matters.

Again: this is the exact scenario HSTS protects from. It's already widely deployed and there are even some entire TLDs that are preloaded.

paranoidfactoid2.bsky.social•75 days ago

DNS server points to a fake web host, which performs the fetch and modifies in stream for the client. Is getting a cert the issue here? I don't think so.

opliko.dev•75 days ago

It'd need to get a valid HTTPS response to the client as the client refuses anything that's not a valid HTTPS response for a site it has HSTS loaded on (with most things worth their salt being preloaded to the browser and the rest loaded on the first visit).

You'd need to compromise a CA first.

opliko.dev•75 days ago

(and by "valid HTTPS response" I mean "one using certs trusted by the user's browser", self-signed certs will not let you pass HSTS)

paranoidfactoid2.bsky.social•75 days ago

I'm aware of that. But you don't have to compromise the top level cert authority or use a self signed cert. You just need a valid cert.

paranoidfactoid2.bsky.social•75 days ago

Or just buy a cert.

opliko.dev•75 days ago

How do you intend on proving to the CA that you own the domain you're claiming to own?

catblanketflower.yuwakisa.com•75 days ago

They should be worried about Rubber Hose attacks

Where they take you in a back room and beat you with a rubber hose until you give them your password

The guy with the rubber hose may be the infamous man in the middle

misterantrope.bsky.social•75 days ago

https://xkcd.com/538/

catblanketflower.yuwakisa.com•75 days ago

The Man in the Middle watches

steve-i-am.bsky.social•75 days ago

If I recall correctly you have an interesting personal story, think I read it in Wired magazine perhaps. Would that be correct?

clawclawbite.bsky.social•75 days ago

This message brought to you by your local ISP & cell service providers. Trust us, we're totally not watching your packets and selling your data to data brokers! #privacy

quollified.bsky.social•75 days ago

Yeah, but HSTS doesn’t protect you from advanced man-in-the-middle attacks where two attackers throw your laptop back and forth over your head

nox-ludicro.bsky.social•75 days ago

That's a monkey-in-the-middle attack, which is extremely effective at compromising login credentials for Webkinz.

davidwewing.bsky.social•75 days ago

True, but how does that bypass peak-a-boo I see you encryption?

dfal.bsky.social•75 days ago

Not to be confused with the Malcolm-in-the-Middle attack, which is almost identical but both attackers need to be in your family

amias.net•75 days ago

Your not the boss of me

andrewfeeney.au•75 days ago

And you’re not so big

gremlyn27.bsky.social•75 days ago

Life is unfair

seven3.design•75 days ago

Malcolm In The Middle Attack:
Constantly responds with 11, 00, 01
Flushes memory
restarts auth
de-authorizes root

shahbanu.kawaii.social•75 days ago

neither does autog— oh

abbeystbrendan.com•73 days ago

amias.net•75 days ago

The public part is a reasonable precaution against such attacks.

robdoesthings.bsky.social•75 days ago

There’s break and inspect, but the likelihood of that happening on commercial public networks is pretty low.

dst2point0.bsky.social•75 days ago

If you’re online, behave as though everyone can see every you see, every thing you look at.

NOTHING can stop us, uh… um… THEM… yeah… them, from seeing whatever they want.

I’ll Mission Impossible isolated data that is offline. I got some bungee cord. 🤔
😬😈🦹‍♂️

taydex.com•75 days ago

Exactly, I'm using an encrypted DNS but that's it, I'm balling.

zogzac.bsky.social•75 days ago

Not an authory on VPN, but there is someone,exactly like me, but in another state that watches a lot of porn...

rotonen.bsky.social•75 days ago

Missing content on the internet:

* VPNs are for safely reaching home base
* Having a network perimeter is an anti pattern in this day and age
* L7 + identity (SSO / oidc), please

TLS changed the playing field. The layers of history are not well explained. Corporate legacy also confuses people.

michael-bond.bsky.social•75 days ago

Oh thanks for saying that. We're a 100% work from home company so we have no corporate network and the amount of time we waste in filling in cyber security certifications that assume, and ding us for not having, a trusted corporate network,and therefore a network perimeter , is unreal.

rotonen.bsky.social•75 days ago

Big ships turn slow. Thank you for taking one for the rest of us by being a speartip.

arjun.typescript.blue•75 days ago

Also VPN companies should be held accountable for all the misinformation they're spreading. Cuz this is getting out of hand.

michael-bond.bsky.social•75 days ago

An easier way make those YouTubers etc personally liable for the misinformation they spout in their ad reads.

pete-etep.bsky.social•75 days ago

impossible to enforce. they upload their videos via VPNs

waifurious.bsky.social•75 days ago

How exactly is it easier to legislate ten thousand random YouTubers reading ad copy than a handful of companies paying them to read it?

michael-bond.bsky.social•75 days ago

The advertiser's are big enough to challenge anything. The YouTubers on the other hand are small enough that you could easily catch and convict a few and the rest would crap themselves and fall into line.

arjun.typescript.blue•75 days ago

I atleast have tried hacking my own home network, and HSTS has never failed once. SSLstrip etc works if the page is old and doesn't redirect http. Though not guaranteed. Gotta understand how well security is taken sometimes.

blutulip.bsky.social•75 days ago

Highly recommend Proton VPN, protonmail, & Signal. All free, not selling here ☺️

sunshine.exploration.team•75 days ago

Why & how are they free?

blutulip.bsky.social•74 days ago

You'll have to ask them ☺
I upgraded to a subscription when Dumbo got elected last time. And, always hated giving Google access to everything. Having a non-google Calendar is great. I deleted about everything Google related I could, including browser.

entity-brewer.bsky.social•75 days ago

Proton has a free option, but it is quite limited. Proton makes money on paid subscriptions.

marnanightingale.bsky.social•75 days ago

Although "quite limited" has worked brilliantly for five years, I'm considering upgrading purely out of appreciation.

sunshine.exploration.team•75 days ago

I see

maristela.org•75 days ago

oh yeah? well have you considered radiometric photosynthesis

italianhorne.bsky.social•75 days ago

I think I got hacked with a man in the middle attack or the website was not legit

myalteredsoul.bsky.social•75 days ago

DNS Poisoning. ;-)

augustogoulart.bsky.social•75 days ago

Not me sending my data to a prime target for mitm so it doesn’t go through a network with a fraction of the traffic

charadeur.bsky.social•75 days ago

Ya somehow you have to get your certificate in their root store. Not impossible but a lot of work just to steal someones facebook account. And if you got that far just run a token stealer. I have a pineapple and it does more than just MiM but not anything that beats HTTPS.

faizan.theexpansionproject.com•75 days ago

But vpn = security … you tellin me all those ads are a lie

johnmu.com•75 days ago

BuT iT's SLoWeR thAn HtTp

michaellammer.bsky.social•75 days ago

but they said they were a cybersecurity analyst!

strawberryshinka.bsky.social•75 days ago

I just locate the router and ensure no man stands between it and myself while browsing

ceylene.bsky.social•75 days ago

Gotta plug into it next time with auxiliary cables.
The phone and internet companies don't want you to know that there are secret auxiliary ports on all devices. You just gotta open them up.

glennf.com•75 days ago

{ removes helm } But I am no man.

vluis217.bsky.social•75 days ago

Influencer marketing really is destroying critical thinking.

michdang.bsky.social•75 days ago

I also think a lot of people have false confidence. People feel comfortable declaring things publicly without really understanding what they’re saying

michdang.bsky.social•75 days ago

Rip, missed the comment below. Dunning-Kruger is the exact term

jtsres.bsky.social•75 days ago

Me thinky before speaky 😵‍💫

alex.barcelona•75 days ago

The craziest thing is that Honey, the influencer-backed scam that has also scammed the influencers themselves, is now being destroyed by (*checks notes*) an influencer. 🙃

dervish-candela.bsky.social•75 days ago

so the word is basically meaningless

desmondjohnson183.bsky.social•69 days ago

Nah, I disagree I think some will attack the approach, because people will follow influencers like sheep, but most know what they like, and can afford.

lsaiz.bsky.social•75 days ago

Yep, threat models should have a “best before”, you should update when circumstances change and they have changed a lot

https://t.co/54EaCvF7DQ

escamoteur.bsky.social•75 days ago

Unless someone manages to install a proxy on your client device it's absolutely safe

Comments

Posting Rules

Reply