Security on public wifi

Does NextDNS protect me when I connect to insecure public wifi? Or do I need a VPN?

63 replies

    • Pro subscriber ✓
    • DynamicNotSlow
    • 2 yrs ago

    Protect against what?

      • Sohan_Ray
      • 2 yrs ago

      DynamicNotSlow Online threats, like malicious actors, hackers, snoopers etc. Anyone trying to steal sensitive info.

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago

      Sohan Ray A VPN doesn't protect against anything from that. If you use HTTPS connections and keep your system and hardware up to date, then everything is fine. Using a more secured DNS service like NextDNS or Quad9 "only" increases your protection. Same for encrypted vs non-encrypted DNS.

      If you also don't trust public wifi networks, just avoid them and use the mobile network only.

      • Sohan_Ray
      • 2 yrs ago

      DynamicNotSlow I can ensure an HTTPS connection in the browser, but what about the other apps? I don't even know or can know whether they are using secure connections. Also, apart from DNS, HTTP, HTTPS is there any other type of network traffic?

      • Sohan_Ray
      • 2 yrs ago

      DynamicNotSlow Also, I believe a VPN encrypts my entire traffic and hides me from the outside online world (changing my IP address and location info). That should keep away malicious actors, snoopers and hackers. So, how exactly are you saying that a VPN doesn't protect from such threats? Could you elaborate?

      • Pro subscriber ✓
      • DynamicNotSlow
      • 2 yrs ago

      Sohan Ray Yes. For example, direct IP connections exist.

      If you own an iPhone you can verify app behavior with the internal app privacy report.

    • Hey
    • 2 yrs ago

    I'd say most of the time NextDNS should be enough, with the right options on in the security settings (should be on by default) it should block you from resolving internal domains and the fake websites that the VPN companies constantly use for advertising. So as long as you aren't connected to an internal website that could be used as the attack vector, it should be fine and with HTTPS you already get a layer of encryption.

    Most of the VPN advertising is honestly to scare the user into purchasing the solution to feel safer.

    If you have a place / connection that has a heavier firewall that's blocking websites heavily, a VPN can help. There are other parts like changing your IP that could be useful, but honestly, if you're thinking of pure security in a non-invasive nation it's nothing that critical and you shouldn't need it.

    But if you're in a nation where you don't feel safe with your data and it could be monitored it could help to use a VPN, but you'd also have to trust them with doing nothing bad, so you would need a transparent company.

    I've seen Surfshark lie right before their acquisition about the merger with Nord and there was another lie at the same time period so I wouldn't trust them in the slightest, wanted to put this in since these two are popular and I honestly would say avoid them at least.

    Overall, 90% of the time you won't need a VPN, there are uses but you don't need it as it's not that critical. Internet itself is safe enough and with NextDNS it should block their biggest claim about unsafe networks.

    Chrome lets you know if the encryption is disabled, so don't visit a non-encrypted site, don't do anything critical to stay on the safe side and if you still want maximum security, use mobile data in terms of banks and other critical websites.

      • Sohan_Ray
      • 2 yrs ago

      Hey Whenever I connect to a network, using the sign-in page, are those pages always HTTPS encrypted? Say there's a malicious hotspot posing as a legitimate one... will NextDNS protect me?

      Also, I was looking at possible cases of malicious websites launching hacking attacks themselves, to take control of devices.

      So why are you saying that the merger between NordVPN and Surfshark was a lie? They say that Surfshark would be partnering with NordVPN to improve themselves but operate independently as usual. Surfshark uses RAM-only servers to make sure that no logs are kept. It's also recommended on places like Forbes and even other trusted reviewing websites like Techradar. So why do you say it's not trustworthy? I believe they are transparent about their strict no-logs policy too.

      How would NextDNS block unsafe networks? Like, will it block if I am trying to connect to an unsafe network?

      Chrome or a browser does let you know if a website is insecure. But what about the rest of the network traffic and all the other apps on the device? I don't believe they let you know if they are using secure connections.

      • Hey
      • 2 yrs ago

      Sohan Ray For the Surfshark deal, about 3 days before acquisition WeVPN asked them on Twitter if they had any involvement with Nord since NordVPN started following them on Twitter, they declined and 3 days later the merger was announced. There was also another lie about their email compromising checks in the same time period so in less than a week, there were two lies that they admitted to when it was proven / done.

      So them merging isn't a lie but they lied about the merger and how their compromise check works, pretty sure it was something known and free that they claimed was their own technology.

      For the login pages, any website you go through your browser, Chrome, Firefox etc shows when it's not encrypted and Chrome warns you with a page that you have to manually accept the risks and go to the website. So you'll know when the site isn't properly secured.

      In terms of Public WiFis and if the site is compromised aka internal, there are two layers of protection, one verifying the website's legitimacy and another setting that blocks internal IPs as far as I know. So you should be protected but I'd still use Mobile data for Banking and generally critical sites / apps.

      For the last two questions, apps wouldn't let you know if they are coded badly but any proper banking app should make sure that they are secure but if they don't again NextDNS has two layers to protect you.

      Overall, you should be protected for the most part, at worst you can also use your Mobile data for the important apps/sites.

      • Sohan_Ray
      • 2 yrs ago

      Hey I see. But from my vantage point, I think a company cannot or at least safely choose not to confirm or say about any partnership with other companies until and unless it's signed officially. Until then it's their internal confidential affairs/matters.

      I didn't get the part you're saying about their email compromising checks. What does that mean? Does it refer to their feature that checks if the user's email or passwords have been compromised?

      For the login pages, any public wifi generally has like a local kinda sign-in page which enables the user to connect to the network. I don't suppose NextDNS can possibly confirm its legitimacy. Also, I don't know exactly if all such sign-in web pages use an internal IP or not. But if they do, NextDNS blocking such IPs would actually block all such pages, not allowing users to connect to the network at all.

      Also, NextDNS may verify legitimacy of insecure connections, but such unencrypted connections might expose the user to attacks which may not even be from the website itself or at least not from its creator. I don't believe DNS encryption plays a part in it as there's no involvement of DNS once the connection to a domain is established.

      Using mobile data would be safe. Although I have noticed, wherever there are a few public wifi hotspots, mobile data seems to not work or work with very slow connection speeds. I am guessing there's a lot of interference created by those wifi networks. Also, I have noticed such public wifi zones/areas usually have weak mobile connections too. Guess they set up the network in such zones especially for such reasons.

      Leaving all the above cases aside though, I believe a VPN can provide a privacy protection that DNS just can't.

      • Sohan_Ray
      • 2 yrs ago

      Sohan Ray Also, using mobile data would be safe only if the mobile network uses proper security protocols in its networks.

      • Hey
      • 2 yrs ago

      Sohan Ray A VPN doesn't provide additional security on top of your existing security provided by the program developers and general security measures by the browsers.

      If the website was fake a VPN wouldn't help as it would be decrypted when it reaches the destination.

      A VPN only helps if the WiFi point isn't using a password and there is someone intercepting the connection but even then, any critical app and websites use HTTPS/TLS so it's encrypted already.

      The only time where it would help would be that you're using a non-encrypted website on a WiFi that doesn't have a password.

      NextDNS does block internal IPs by its DNS Rebinding Protection for the most part and it uses DNSSEC to verify the legitimacy on top of that.
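
What a rebinding filter of the kind mentioned in the comment above checks, as an added sketch that is not part of the thread and is not NextDNS's code: an answer for a public name is dropped if any returned address is internal. The address policy, the `local_suffixes` allowlist and the sample names and answers are assumptions constructed for the example.

```python
import ipaddress

# Carrier-grade NAT space is not flagged by is_private, so list it explicitly.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_internal(addr: str) -> bool:
    """True if addr is one a rebinding filter should never accept
    for a public name (assumed policy for this sketch)."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it cannot slip through.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip in CGNAT)


def filter_answer(qname, addresses, local_suffixes=()):
    """Return (verdict, offending_addresses) for one DNS answer set.

    local_suffixes is a hypothetical allowlist for names that are expected
    to resolve to internal addresses (a home NAS, a hotspot sign-in page).
    """
    name = qname.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in local_suffixes):
        return "allow-local", []
    # One internal record is enough to reject the whole answer.
    offending = [a for a in addresses if is_internal(a)]
    return ("block", offending) if offending else ("allow", [])


if __name__ == "__main__":
    # Constructed answers, not captured traffic.
    samples = [
        ("bank.example", ["9.9.9.9"], ()),
        ("rebind.example", ["9.9.9.9", "192.168.1.1"], ()),
        ("rebind.example", ["::ffff:10.0.0.5"], ()),
        ("portal.hotspot.example", ["10.0.0.1"], ("hotspot.example",)),
    ]
    for qname, addrs, allow in samples:
        print(qname, addrs, filter_answer(qname, addrs, allow))
```

The filter only looks at the addresses in the answer; it says nothing about whether the site behind a public address is genuine.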

      • Hey
      • 2 yrs ago

      Sohan Ray Yeah the solution that they were using to check their users email/password and generally if they are compromised was told to be their own and later on showed that it was something that was already available for free and nothing special.

      For how they can't tell about the merger, they didn't have to lie and deny it. They could have given a vague answer or simply didn't answer at all, denying it shows ill intent in my opinion.

      Overall, there are only a few VPNs I would trust but even then, I don't use any as the benefits really are marginal, if you're planning on using it to bypass firewalls and restrictions based on your country it's useful, but if you're going to use it for security the benefits aren't much.

      • Sohan_Ray
      • 2 yrs ago

      Hey Ok. So, how would the VPN help in case of a non-encrypted HTTP website?

      • Hey
      • 2 yrs ago

      To answer both your questions.

      https://www.cloudflare.com/dns/dnssec/how-dnssec-works/

      NextDNS would still block a fake HTTP site since DNSSEC is about the website you are looking for matching the domain that's returned, doesn't matter what sort of connection it is.

      Secondly, if the website was using HTTP you would have encryption added by the VPN, but any known and critical website/app will use HTTPS. But if it wasn't used and you still connected to that website, and you were connected to a WiFi without a password with someone actively trying to snoop in, that would be the only case where a VPN would actually change the end result.

      But even then, it wouldn't help you from connecting to a fake website, so the likelihood of it being useful would be about 1% or less.

      The site wouldn't use HTTPS and wouldn't stop or warn you, most apps even have protection against apps inside your device that try to bypass HTTPS let alone allowing a non-secure connection to be made. So a poorly coded app, or not caring about the warnings would be the only way to be in danger.

      • Hey
      • 2 yrs ago

      Sohan Ray I'd like to add that this is exactly why I don't like most VPN providers, they use scare tactics to make the user feel as if they are not secured properly and that if they aren't paying the company they will be in danger. You would be paying just in case of a 0.01% chance of everything going badly where the devs mess up, the connection isn't encrypted, the WiFi isn't protected and you can't use your mobile data.

      Even then, you always have a choice of simply not going onto the critical website if all of these situations are met.

      I'd like to say again, it's useful to bypass restrictions and firewalls but in terms of pure security, unless your government is using DPI and other techniques to intercept your connection, it won't help.

      • Sohan_Ray
      • 2 yrs ago

      Hey If I am connected to the HTTP website, how does a VPN change the end result exactly? Since it's HTTP, I believe a snooper can still see my activity or my personal details if I enter them on the website, right?

      • Hey
      • 2 yrs ago

      Sohan Ray If the website is a fake / an internal website spoofing as your bank for example, it wouldn't help in any way.

      If your actual bank or critical app was using HTTP to connect to its own servers on a non-protected WiFi (without a password) with someone snooping the connection it would help. But again, the website / app devs would have to be crazy to let that happen in the first place.

      So if the snooper made their own fake/forged website they would see your details yeah. Even if you had a VPN.

      • Hey
      • 2 yrs ago

      Sohan Ray So to put all of what I said in a single sentence, it wouldn't help much if at all, but if you still want it for other reasons where it's valid, I'd say get a good VPN service that you can actually rely with your private data.

      • Sohan_Ray
      • 2 yrs ago

      Hey Ok. Also, I am not sure about this. Apart from DNS traffic, there is only HTTP and HTTPS traffic, right? And no other types?

      • Hey
      • 2 yrs ago

      Sohan Ray That I can't comment on, pretty sure there is at least a few more types of connections but I don't know enough to comment concretely.

      • Sohan_Ray
      • 2 yrs ago

      Hey Seems this info is not common online. I tried to search about all types of online traffic that exist to determine what other types than HTTP are unencrypted, but no luck yet.

      • Calvin_Hobbes
      • 2 yrs ago

      Sohan Ray smtp, ftp, telnet, icmp, snmp, just a few off the top of my head, there are likely several others 

      • Sohan_Ray
      • 2 yrs ago

      Calvin Hobbes Thanks. Anytime if you are able to procure a full list, do share.
