
> MITM protection on public networks maybe?

How does this address the fact that the operators of the VPN can certainly modify any content they access over http on your behalf?



It's a question of how many entities you have to trust. There are many thousands of public networks around the world and millions of people using ISPs which tamper with traffic (especially on mobile networks). With the VPN, you only have to trust the VPN provider; without it, you have to review each network you use and its ISP. That doesn't mean that the VPN is automatically trustworthy, of course, but it's a single entity.


Note that you still have to trust the server's ISP and any intermediate ISP routing traffic from the VPN exit node to the server, if you're accessing a server over an insecure protocol.


Of course, but almost all of the tampering has happened on the client end historically, especially since this VPN is backed by Cloudflare who have widely distributed nodes. It’s still much better to deploy TLS everywhere but this shuts down most of the non-NSA attacks.


Absolutely, I just wanted to give the full picture.


The operators of the VPN in this case are also the developers of the browser. If they want to inject content they can do that without the VPN.


It's security by consolidation.


Security by consolidation to single point of failure, I might add.


The question is whether your basket is made of chains (one bad link), cables (many bundled wires), how many baskets there are, how many eggs in each, and how effective and trustworthy the guards are.

Simply shrieking "SPOF!!! SPOF!!!" lacks nuance after a while.

I've concerns with proposals such as this similar to what others are voicing on this thread. But if one considers the proposal in light of the present status quo for the typical person, then it's probably a net improvement.


I agree, and it's hard for me to trust the VPN more than my own ISP. Like yeah, someone else on this public coffee shop wifi network can waste a whole day finding a couple of random victims. Does that actually happen, idk. Have huge, reputable VPNs been hacked before, yes, and there's much greater incentive there. Either way I won't know, so it feels like they're selling snake oil.

"Microsoft" and "security" also don't go together in my head.


Coffee shop hacking is usually done in an automated, at-scale fashion, often with a remote device that doesn't require an operator to be present or paying attention.

It uses lowest common denominator tactics. This VPN strategy is precisely for the lowest common denominator.

I don't understand how something can feel like snake oil when you haven't researched your own questions. I can sow doubt on anything; is it always justified?


Better than every public wifi access point being able to.


It's reducing the number of parties you have to trust from 'every hop along the path from the public wifi operator to the host' to 'cloudflare', and many site operators already trust cloudflare not to MITM them.


I don't think that CF already MITMs most of the internet is such a great argument for letting them MITM the rest.
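The trust-counting argument running through this thread (every hop can inject into plain HTTP; a VPN tunnel swaps the client-side hops for the provider; TLS narrows it to whoever holds the session key, which for a CDN-fronted site includes the CDN) can be written down as a small model. This is an added illustration, not code from any commenter, Cloudflare, Microsoft or a VPN product; the hop names, roles, sample path and the `ca_trusted_by_client` knob are all constructed assumptions.

```python
"""Who can modify an HTTP response on a given network path, with and without
a VPN tunnel and with and without TLS.

Added example for the thread above; hop names, roles and the sample path are
constructed and do not describe any real provider's network.
"""
from dataclasses import dataclass
from itertools import dropwhile
from typing import Iterable, List

CLIENT_SIDE = {"client_network"}      # hops between the client and the wider internet
TLS_KEY_HOLDERS = {"cdn", "origin"}   # parties that terminate TLS and hold the session key


@dataclass(frozen=True)
class Hop:
    name: str
    role: str  # "client_network", "vpn", "transit", "server_network", "cdn", "origin"


def sample_path(cdn: bool = False) -> List[Hop]:
    """Constructed path from a coffee-shop laptop to a site, optionally fronted by a CDN."""
    path = [
        Hop("coffee-shop-ap", "client_network"),
        Hop("coffee-shop-isp", "client_network"),
        Hop("transit-isp", "transit"),
        Hop("site-isp", "server_network"),
    ]
    if cdn:
        path.append(Hop("site-cdn", "cdn"))
    path.append(Hop("example-origin", "origin"))
    return path


def with_vpn(path: List[Hop], provider: str) -> List[Hop]:
    """Tunnel the client's traffic to a VPN exit.

    The leading client-side hops (access point, client ISP) now see only the
    encrypted tunnel, so the provider replaces them as the party that sees the
    traffic. Hops from the exit onward to the server are unchanged, which is
    the point made above about the server's ISP and intermediate ISPs.
    """
    rest = list(dropwhile(lambda h: h.role in CLIENT_SIDE, path))
    return [Hop(provider, "vpn")] + rest


def tamper_capable(path: List[Hop], tls: bool,
                   ca_trusted_by_client: Iterable[str] = ()) -> List[str]:
    """Names of the hops that can modify what the client receives.

    Plain HTTP: every hop that carries the bytes can inject into them.
    TLS: only parties holding the session key can, i.e. the origin or a CDN
    that terminates TLS on its behalf. A hop whose CA the client trusts
    (`ca_trusted_by_client`, an assumed knob) can mint a certificate for the
    site and so regains that ability even under TLS.
    """
    if not tls:
        return [h.name for h in path]
    trusted = set(ca_trusted_by_client)
    return [h.name for h in path if h.role in TLS_KEY_HOLDERS or h.name in trusted]


def trust_count(path: List[Hop], tls: bool, ca_trusted_by_client: Iterable[str] = ()) -> int:
    """How many distinct parties you have to trust not to tamper on this path."""
    return len(set(tamper_capable(path, tls, ca_trusted_by_client)))


if __name__ == "__main__":
    plain = sample_path()
    tunnelled = with_vpn(plain, "vpn-provider")
    for label, path in (("no VPN", plain), ("VPN", tunnelled)):
        for tls in (False, True):
            scheme = "https" if tls else "http"
            print(f"{label:6} {scheme:5} -> {tamper_capable(path, tls)}")
```

Run as a script it prints the four combinations; the tunnel shortens the plain-HTTP list by replacing the coffee-shop hops with the provider, while TLS collapses both lists to the origin (plus the CDN, if one terminates TLS for the site).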



