Have you noticed all the ads say “Hackers can spy on your connection when you log into your bank at Starbucks.”
That’s complete FUD. HTTPS completely avoids this issue (especially with a bank). Very few websites use HTTP now.
While VPNs do have their valid use (preventing your ISP from spying, changing geolocation, and private networks for eg, work), most of the marketing is spreading misinformation.
I've seen stats for a couple of the biggest VPNs. Massive majority of their traffic is just switching geolocation restrictions (US Netflix and similar).
They don't tend to advertise that. Some do, but it's not their main message, because "prevent ISPs from spying" is cleaner.
iCloud+ does not solve this, so there will be a sustained need for VPNs, particularly those that invest effort into avoiding Netflix blacklists.
> “Hackers can spy on your connection when you log into your bank at Starbucks.”
I've also heard this from a reputable news source (NPR) in the past few years, even though it hasn't been true for banks for at least 15 years, ~5 for most websites.
This is true, but note that, for example, on iOS an application can't do that without prompting. Now, most people would probably hit “Approve” if one of their security products said it was necessary.
> Many consumer VPNs install a client, and it would be trivial to ship a new trusted certificate with it.
A lot of browsers have their own root chain, and also now do certificate pinning, so will (IIRC) only accept specifically designated certs for particular sites (doesn't Google/Chrome/Gmail do this?).
That wouldn’t change that clicking the lock icon in your browser would show the same certificate on every website, and that this certificate was universally valid. Pretty obvious…
Not really, because you can use on-demand certificate issuance.
Hell, if you really want to, you can even name your certificates the same as existing certificates and the only way to detect the forgery would be to compare the actual public keys (and who does THAT).
I feel like I'm writing an evil roadmap here, but, you can even do multiple root certs with different names and trust them all, do a whole "fake" PKI infrastructure which would be impossible to detect unless you were comparing the actual keys.
> I feel like I'm writing an evil roadmap here, but, you can even do multiple root certs with different names and trust them all, do a whole "fake" PKI infrastructure which would be impossible to detect unless you were comparing the actual keys.
Yeah, just imagine being beholden to some federal statute impropriety (easiest in taxes) and running one of these VPN organizations...
If and when browsers start requiring pre-certificate transparency logging, anything like this should no longer be possible to pull off, since none of the fake certificates would be able to contain a stapled pre-certificate "signoff" from a trusted CT log.
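As an added example (not part of the thread, and not any VPN's or browser's own code), here is a Go check that implements the two defences the comments above point at: comparing the leaf certificate's actual public key against a known pin (the "compare the actual public keys" test, which a substitute certificate with a copied name cannot pass) and checking for an embedded Certificate Transparency SCT extension. The two self-signed certificates and the SCT extension contents are constructed test data; a real client would feed it the leaf from the TLS handshake and would also validate the SCT signatures against the CT log keys, which this presence check does not do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// OID of the embedded SCT list extension (RFC 6962 section 3.3).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// Verdict is what a pin-and-CT check reports for one leaf certificate.
type Verdict struct {
	Name     string // subject CN, shown for display only; never part of the decision
	Pin      string // base64(SHA-256(SubjectPublicKeyInfo))
	PinMatch bool   // true if Pin is in the expected set
	HasSCT   bool   // true if the cert carries an embedded SCT list extension
}

// spkiPin hashes the DER SubjectPublicKeyInfo, the same value the classic
// "openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64"
// pipeline prints for HPKP-style pins.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// hasEmbeddedSCT reports whether the certificate carries the RFC 6962 SCT list
// extension. It only checks presence; validating the signatures needs the log keys.
func hasEmbeddedSCT(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSCTList) {
			return true
		}
	}
	return false
}

// checkLeaf compares the key, not the name: a substitute certificate can copy
// every name field, but it cannot reproduce the public key without the private key.
func checkLeaf(cert *x509.Certificate, expectedPins []string) Verdict {
	v := Verdict{Name: cert.Subject.CommonName, Pin: spkiPin(cert), HasSCT: hasEmbeddedSCT(cert)}
	for _, p := range expectedPins {
		if p == v.Pin {
			v.PinMatch = true
		}
	}
	return v
}

// selfSigned builds a constructed test certificate with a fresh P-256 key.
// withSCT adds an SCT-list extension whose contents are a placeholder (an empty
// list), enough to exercise the presence check but not a real log signature.
func selfSigned(cn string, withSCT bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if withSCT {
		// OCTET STRING wrapping a zero-length SignedCertificateTimestampList (placeholder).
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSCTList, Value: []byte{0x04, 0x02, 0x00, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed scenario: the genuine cert and a substitute with the same name but a different key.
	genuine, _ := selfSigned("bank.example", true)
	substitute, _ := selfSigned("bank.example", false)
	pins := []string{spkiPin(genuine)}
	for _, c := range []*x509.Certificate{genuine, substitute} {
		fmt.Printf("%+v\n", checkLeaf(c, pins))
	}
}
```

The point of the design is that the name fields are deliberately ignored by the decision: both constructed certificates say `bank.example`, and only the SPKI hash tells them apart. In a real deployment the expected pins would be shipped with the client or learned from the site's first contact, and the SCT check would be upgraded to full signature verification against the trusted log list.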
On the other hand, a lot of VPNs provide proprietary client software (even though all the major OSes have built-in support for the common VPN protocols such as IPSec, L2TP, etc) so they could very well sneak the root cert in there too.
You’re “protecting” yourself against Starbucks monitoring you by establishing a secure connection to a grey market entity with more of an interest in your activity.