Hello everyone, I hope everyone is doing great.
I am new to VPNs and cybersecurity so I got a few questions.
- Are there any safety/privacy cons in using a paid vpn shared ip address?
- I want to mainly use a protection against my college’s public wifi, and I don’t know what is really better: (the north (I reckon this word is banned here)) Vpn or Norton 360 Deluxe. And is Norton 360 Deluxe safe? Why isn’t it log free? Is (the north (I reckon this word is banned here)) Vpn safe? (Like, will my private information like passwords be secure in a year after I, for example, cancel the subscription?)
- Is it even worth using a vpn or any kind of protection for my causes?
Thanks for any advice. I appreciate all responses and I hope you all have a wonderful day!
Most VPNs are not actually log free even if they claim to be. Using a VPN on your college’s public wifi is a good idea since it will prevent other people on the wifi from snooping on you.
To be honest logging isn’t that big of an issue if you aren’t doing anything you shouldn’t be. Basically the VPN will keep your university and other students around you from accessing what you send over the public wifi.
I think Nord VPN is one of the companies that is more private, claims to have no logging but I still never believe that completely with any company.
You say you want a VPN for “protection” against your college’s public wifi. Protection from what exactly? In other words, what is an example of a threat you are looking to protect against? What do you think a VPN does to protect against those threats?
It will be a lot easier to give you advice based on the answers to these questions.
“Using a VPN on your college’s public wifi is a good idea since it will prevent other people on the wifi from snooping on you.”
nah TLS does that. It is likely that every site they are visiting encrypts packets from client to server, and nowadays it is increasingly common for DNS to be encrypted by default too.
Thank you! Loved to hear your opinion. Anyone else?
Consider looking into Tails OS if you want the technical challenge/learning. For a (slow) extra private experience go Tor → public VPN (like proton) → final destination. Tor masks entry IP from VPN and VPN masks use of Tor
My private information like passwords.
Sorry, I didn’t explain well. Of course TLS keeps people from snooping on you, but it’s not always perfect, especially with public wifi. On a public wifi network a man in the middle attack can bypass the security TLS provides and a VPN would prevent malicious snooping or interception of TLS traffic. Hopefully a college would manage their wifi well enough that you wouldn’t have to worry, but if you’re paranoid a VPN adds an extra layer of protection.
A VPN really won’t protect you in that use case. Further, if just a username/password is all that prevents an attacker from accessing your account, you’re already in bad shape.
Always check to see if the service you wanna use supports some form of 2FA and definitely make use of it when possible.
On top of that, make sure you use a password manager. It will help you make sure ALL your passwords are unique (and they should all be unique from each other!)
A password manager and better use of 2FA is the solution to the use case you’re describing, not a VPN.
I’ll mirror what SoCleanSoFresh said and recommend you save the money on the VPN and instead get yourself a good password manager (KeePass or Bitwarden would be my top recommendations) and an authenticator app (or even better, a hardware security key like yubikey). Take the time to use *unique* random passwords for every internet account and enable the strongest form of 2FA offered. This is by far the best thing you can possibly do to protect passwords and accounts.
As for concerns about network snooping, make sure you always connect to the wifi using a modern fully updated device and browser. If you have any devices that are no longer supported by the OEM, this means take the money you were going to spend on a VPN and spend it on a new device instead! For browsers, Chrome or Edge on Windows 10/11 is a great choice. Enable auto updates.
Never share any personal data no matter what with any website that does not display a secure connection. Go into browser security settings and check “Always use secure connections” (in Chrome, in Firefox I think it’s called HTTPS only mode). Modern browsers are very good at making a lot of user facing noise when something isn’t quite right with the certificate of the site you’re connecting to, so take it seriously if the browser says something is wrong.
If you connect to a fake malicious site with a valid TLS certificate, a VPN won’t help you and neither will any of the above precautions, with one exception: A hardware security key like a yubikey is the only surefire way to prevent phishing. If you don’t need to buy a new device, then take the money you were going to spend on a VPN and buy a yubikey! (Actually, buy two, because backups are important.) And of course, be cautious of links. Save important sites as bookmarks and always access them that way for extra caution.
Don’t listen to any VPN company marketing telling you that your browsing sessions are not secure without their product. They’re lying to you so you’ll pay them. Updated device + good browser + HTTPS only + password manager + 2FA + healthy caution, and you’ll be a lot better off.
I think in order to do this they would need to trick you into connecting to a malicious hotspot or a malicious site. What other attack vectors should one be concerned about?
Could also be performed by access to network infrastructure by a hacker if it’s not properly secured or uses default passwords (which is shockingly common even in reputable organizations).
Right but even with full network access all packets are still encrypted client to server. So I think the attacker would need to connect you to the wrong server, which a modern browser would pick up, or else try to leverage their network access to attack your client, like downgrade TLS, poison DNS, stuff like that. Modern browsers should have mitigations against such things. But I’m honestly curious now.
Can you think of a specific attack vector that would bypass an updated chrome browser + TLS setup but not bypass a VPN?
Very true, in most situations TLS is enough. What about a BEAST or CRIME attack though? Pretty sophisticated, but in certain situations those could affect a regular TLS encryption but not VPN traffic if that wasn’t the target. While BEAST and CRIME attacks can be made on VPN traffic too, suppose the external attack was just directed at regularly encrypted traffic, wouldn’t VPN traffic be safe?
BEAST should not be a concern since it only affects TLSv1.0 and SSL. Most websites today don’t support these, and frankly any that can be considered secure only supports TLSv1.2 and higher.
CRIME is a client side attack that is mitigated in current browsers.
Perhaps there could be more niche attacks based on these that still work against up to date clients and servers, but at this point I would argue we really are reaching a high level of sophistication.
Basically at this point, yes you probably don’t have to worry but I don’t think it would cause any harm to have a VPN in addition to standard security protocols on public WiFi.
Also what about WPA2 vulnerability with KRACK? Most public wifi isn’t using WPA3.
Yeah weak public wifi encryption could be a valid concern. But since TLS encryption happens on the client (e.g. the browser application), it still would not be able to snoop on those packets without attacking the client or impersonating the server. It could at least snoop on metadata and be a big step closer to attacking clients, however.
You are right that a VPN won’t hurt your security in this case. I just don’t like the marketing around them. The downside is paying money for at most extremely marginal gains.
Most valid use case of a VPN is unlocking region blocked content lol.
I agree they are marketed to do a lot more than they actually do and the average consumer probably doesn’t need one for security, but if you are paying for one for region unlocking might as well take advantage of the small security benefit too. But in OP’s case it sounds like they just want security? So perhaps TLS is enough if the university maintains its wifi well.
For sure. Hopefully there is enough information for them here to make an appropriate educated decision based on their goals.
It was also fun to talk with you and think about all the different vulnerabilities, most probably a bit sophisticated but still interesting to consider.