Public WiFi: should you use a VPN if you only use HTTPS sites?

I got this question from a friend, so thought I would post these thoughts in case they help others too.

Okay – so to VPN or not to VPN on a public wi-fi network….

I guess, in the end, it all comes down to the security concerns you have.

Before discussing details, I’ll start by saying that I do not often personally connect to a VPN when using a public WiFi network, despite having one Purdue hosts that I could use.

The technical difference between VPN and HTTPS comes down to the layer of the network stack where the encryption takes place. A VPN would encrypt all traffic leaving your machine, but moreover, would direct it all to your VPN provider (your desktop, as the article suggests). Once it reaches your desktop, it will travel over the desktop’s normal network path to the rest of the internet. HTTPS, on the other hand, is
applied to a specific and single network connection between your mobile device and a given server.

So, considering only traffic to HTTPS sites, let’s look at what information is leaked.

  • With the VPN, all traffic is destined for your desktop. On the one hand, this is good, because no one can tell what sites/services you
    are using. None of your network traffic, except that which was to setup the VPN, is readable on the public network. There are, however,
    two kinds of things which are leaked. (1) the volume and pattern of traffic you use. [There is no solution for this. But you should be
    aware that it is viewable to all, and there may be profiling techniques which can be applied to learn things based on this.] (2) the fact that you have a connection with your VPN provider. From a privacy standpoint, this in fact may be a very serious concern, because if you are using your desktop as your VPN, then it may very precisely identify who you are, where you live (see an article today in Ars Technica on mapping based on an IP, etc.
  • With HTTPS, only the web traffic to the given server(s) is encrypted. In particular, other information is leaked. (1) The IP addresses of all the sites you connect to, which may identify who you bank with, who you work for, who your email provider is, etc. (2) The DNS queries you issue, which would make it even easier to identify what sites you are visiting, without having to reverse-map an IP-to-hostname, when the IP may have multiple hostnames. (3) More precise information about your traffic patterns, since it is subdivided by destination rather than being aggregated in the VPN case. (4) Some HTTPS sites will include static content or images from a non-encrypted source (some browsers warn about such things). This information of course would also be unencrypted.

Next, consider the other traffic your mobile device may be sending. For example, if it participates in any convenience networks (i.e. Bonjour
for peer host discovery), this traffic will all be present too, and may or may not be encrypted, based on the service.

Another consideration is the exposure to attack your device has. In both cases, your device is connected to the wireless network. However,
in the VPN case, the default settings of the device may be generally more secure, since the wireless network wouldn’t need to support some of
the extra traffic. It becomes harder to launch an attack, since the machine is mostly looking for traffic from the VPN, and will ignore most
local traffic. HTTPS leaves any such services (e.g. iTunes listening for connections from the Remote.app on the iPhone) listening.

Finally, there is the cost. VPN adds an extra layer of overhead, and an extra layer of places where things can go wrong. Also, all traffic is
going through your desktop, which may significantly reduce the bandwidth you can achieve, and add latency. (And of course, an HTTPS site when using a VPN is being encrypted twice – once at the HTTPS layer, and once at the VPN layer). Further, the choice of a VPN vs HTTPS may have other unpredictable effects – a wireless network provider may block VPN traffic, or possibly deprioritize it. Or they might do the same for HTTPS traffic (though deprioritizing is more likely than blocking in this case).

Okay, one more consideration – which is the quality of the encryption. Both technologies can provide a range of encryption quality, so
vigilance must be used in ensuring effective encryption is used. Some browsers will warn about weak SSL configurations on servers, but VPN
encryption quality is generally less well verified.

Hope this helps,
Chip