VPN service / benefits / Downsides

@exaCORE
If you do use public Wi-Fi, you should:

  • use an always-random MAC address
    • my Brace does this by default
    • GrapheneOS and DivestOS do this by default
  • use a generic or blank hostname
    • on Linux, a hostname of localhost will typically result in no hostname being set/advertised
    • GOS/DOS do this by default
    • note that most Android systems will also reuse previous DHCP state; GOS/DOS won’t
  • don’t give any information to the captive portal
    • they’ll often accept anything for an email/name if they ask
  • ensure all software is updated
  • use system-wide encrypted DNS
    • encrypted DNS doesn’t help with privacy here, but does provide integrity of the results
    • consider using the browser’s encrypted DNS too, for the benefit of ECH where supported
      • if ECH is used, then privacy is benefited
  • set your browsers to forced HTTPS mode
    • do not access HTTP content
  • use a proper browser
    • a few forks disable critical security checks like CRLite/OCSP/CT
  • ensure your firewall is set properly:
    • for Windows, the Public profile should be OK; someone else can confirm
    • the last time I used Mac OS X, it had a stealth option
    • for firewalld or ufw, set inbound to drop
    • ensure no unnecessary ports are opened
    • ensure any running services have proper authentication/access controls
  • remember anyone on the network can (try to) toy with your traffic
  • remember anyone listening on the radio can observe all past/present/future traffic
    • WPA2/3-EAP and WPA3-PSK largely mitigate this
  • you can use Qubes on a supported machine to isolate the network interface in its own virtual machine
    • otherwise you should at least ensure the networking daemons are sandboxed
      • Brace does this for wpa_supplicant

These should largely be done regardless of public/private/friends/etc.

I personally use public Wi-Fi sometimes, but I route everything over Tor and/or a trusted VPN (while still doing the above).

See also: https://media.defense.gov/2021/Jul/29/2002815141/-1/-1/0/CSI_SECURING_WIRELESS_DEVICES_IN_PUBLIC.PDF

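The Linux-side items in the list above (always-random MAC, no hostname in DHCP, inbound-drop firewall, system-wide encrypted DNS, checking what is listening) as one script. This is an added example, not code from the post or from Brace/GrapheneOS/DivestOS. It assumes NetworkManager with keyfile profiles, ufw or firewalld, and systemd-resolved; the SSID "CoffeeShop", the sample "default" profile and the Quad9 resolver address are placeholders for illustration. The audit is a plain grep over a keyfile, not an nmcli query, so it only covers what is written in the profile.

```shell
#!/usr/bin/env bash
# Added example (not from the post): generate and audit a NetworkManager
# Wi-Fi profile that applies the "random MAC" and "blank hostname" advice,
# and print the host-side commands for the rest of the list.
# Assumptions: NetworkManager >= 1.4 keyfile format; ufw or firewalld;
# systemd-resolved. SSID and resolver below are placeholders.

# Emit a hardened keyfile profile for SSID $1 on stdout.
hardened_nm_keyfile() {
    cat <<EOF
[connection]
id=$1
type=wifi
autoconnect=false

[wifi]
ssid=$1
mode=infrastructure
# "random" = a fresh MAC on every connection (the post's "always random");
# "stable" would reuse one MAC per SSID, which is trackable across visits.
cloned-mac-address=random

[ipv4]
method=auto
# Do not put the machine's hostname in DHCP option 12.
dhcp-send-hostname=false

[ipv6]
method=auto
dhcp-send-hostname=false
# RFC 4941 temporary addresses, preferred over the stable one.
ip6-privacy=2
addr-gen-mode=stable-privacy
EOF
}

# Audit an existing keyfile ($1): return 0 if every hardening key is present
# with the expected value, 1 otherwise, listing what is missing on stderr.
check_nm_keyfile() {
    f=$1
    missing=0
    for want in "cloned-mac-address=random" "ip6-privacy=2"; do
        if ! grep -qFx "$want" "$f"; then
            echo "MISSING in $f: $want" >&2
            missing=$((missing + 1))
        fi
    done
    # dhcp-send-hostname=false must be set under both [ipv4] and [ipv6].
    n=$(grep -cFx "dhcp-send-hostname=false" "$f" || true)
    if [ "$n" -lt 2 ]; then
        echo "MISSING in $f: dhcp-send-hostname=false (need ipv4 and ipv6, found $n)" >&2
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# Host-wide items from the post that are not per-profile. Printed, not run,
# so the reader can pick the lines that match their distro.
print_host_hardening() {
    cat <<'EOF'
# Inbound drop (pick the one your distro uses):
sudo ufw default deny incoming && sudo ufw enable
sudo firewall-cmd --set-default-zone=drop
# Randomise the MAC used for scanning as well (NetworkManager.conf):
printf '[device]\nwifi.scan-rand-mac-address=yes\n' | sudo tee /etc/NetworkManager/conf.d/rand-scan.conf
# System-wide DNS over TLS via systemd-resolved (resolver is a placeholder):
printf '[Resolve]\nDNS=9.9.9.9#dns.quad9.net\nDNSOverTLS=yes\n' | sudo tee /etc/systemd/resolved.conf.d/dot.conf
sudo systemctl restart systemd-resolved
# Anything listed here that you do not need should be stopped or firewalled:
ss -tulnp
EOF
}

# Demo: a constructed "default" profile (what nmcli writes with no extra
# options) versus the hardened one. Guarded with if so a failing check does
# not abort the script under set -e.
demo() {
    d=$(mktemp -d)
    printf '[connection]\nid=CoffeeShop\ntype=wifi\n\n[wifi]\nssid=CoffeeShop\n\n[ipv4]\nmethod=auto\n' \
        > "$d/default.nmconnection"
    hardened_nm_keyfile "CoffeeShop" > "$d/hardened.nmconnection"
    for p in default hardened; do
        if check_nm_keyfile "$d/$p.nmconnection"; then
            echo "$p: OK"
        else
            echo "$p: needs fixing"
        fi
    done
    rm -rf "$d"
}
demo
print_host_hardening
```

To apply the generated profile, write it to /etc/NetworkManager/system-connections/CoffeeShop.nmconnection with mode 0600 and run `nmcli connection reload`; the same settings can be set on an existing profile with `nmcli connection modify <name> wifi.cloned-mac-address random ipv4.dhcp-send-hostname no ipv6.dhcp-send-hostname no ipv6.ip6-privacy 2`.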