this post was submitted on 06 Oct 2024
733 points (90.9% liked)

Technology

59689 readers
3200 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

you are viewing a single comment's thread
view the rest of the comments
[–] sugar_in_your_tea 13 points 1 month ago (1 children)

You can substitute "Tor" for "VPN" in the above and be largely correct. Tor acts like a VPN, but every packet goes through multiple hops, so an attacker would need to do quite a bit of work (i.e. compromise multiple nodes) to link traffic to you.

So:

  • TLS (https) - network owner can't see specific content, but can determine what sites you visit
  • VPN - network owner can't tell what sites you visit, but can tell you're on a VPN; VPN can tell what sites you visit, but not specific content
  • Tor - network owner can't tell what sites you visit, but can tell you're using Tor; Tor exit node operators can see what sites people using it visit, but can't attribute it to an individual user w/o a sophisticated attack

In most cases, TLS is perfectly fine, provided you make sure to not click through any TLS errors (i.e. certificate can't be validate => probable middle-man attack), and using a VPN is probably overkill. A VPN protects you from that middle-man attack, but honestly, if you're savvy enough to use a VPN, you're probably savvy enough to not get compromised by a middle-man attack. Likewise if you use Tor, you're probably savvy enough to not get compromised by a middle-man attack.

That said, I fully support using Tor and VPNs, I just won't go so far as to say someone is dumb for not using them on public Wi-Fi. Make sure you're connecting to a real Wi-Fi service and don't disable TLS protections and you're probably fine, from a security perspective. If you're likely to be targeted by a government agency, Tor is the bare minimum of what you should use.

[–] [email protected] 7 points 1 month ago* (last edited 1 month ago) (1 children)

Yup. The way I’ve always described it is this:

Http means your employer knows you watched porn on the company WiFi, and they also know which specific videos and what your username for the site is. If site security is particularly lax, they may even know your password.

Https means your employer can see you watched porn on the company WiFi, but they don’t know which video(s) specifically, and they don’t know your login info.

VPN means your employer only knows you connected to a VPN. They may be able to take educated guesses at what type of content you were viewing (streaming video, for example, has a pretty easily identifiable pattern of data transfer,) but they don’t know what video you were watching, or what site it was coming from. The VPN service knows you watched porn, but the aforementioned rules about http and https still apply; If you’re using https, they don’t know specifics.

Tor means even the VPN doesn’t know which specific video(s) you’re watching, because they just see a connection to another Tor node, which sees another tor node, which sees another tor node… Etc. In order to know what you’re watching, they would need to own every node in the chain. If they own both the entry and exit node they may be able to match it to you with a timing attack, (they see packets going into the Tor network at the same time they see packets coming out towards you). Again, they can make educated guesses based on pattern recognition, but they won’t have a clear picture without owning both your entry and exit nodes and performing a timing attack.

Now you can substitute “your employer” for anyone who is trying to get your info. Public WiFi spoofer, your ISP, etc…

[–] [email protected] 2 points 1 month ago (1 children)

Probably worth noting that, if you are using an employer owned system to watch said porn, they likely have software on the endpoint which will let them see what porn you are watching, regardless of HTTPS/VPN/Tor. Depending on how much your employer cares about such things, that may or may not come back to bite you. I've worked at places where we regularly reported on users watching porn on work computers, and I've worked at places where we only reported on users getting malware while browsing porn at work. But, never assume your activity isn't being monitored on employer owned systems.

[–] sugar_in_your_tea 1 points 1 month ago

Exactly. If it's company-issued, assume there's spyware installed. We recently added a certain level of spyware to ours to monitor system files (afaik it's not screen recording or anything like that) because these aren't company issued devices (we bought them separately.