InfrequentFlyer

Hi, I understand the benefits of using a travel router to share connections where you might pay/connection. I understand using a VPN to get around geographic limitations.

But is there any security benefit to using a travel router WITHOUT a VPN, say in a hotel or coffee shop? This is where I get confused. Are they only helping protect me from other people (not the hotel operators or coffee shop owners, who, let's say we trust) if and only if I am also using a VPN?

So as far as security --- does a travel router with no VPN = connecting to public or hotel wifi directly?

Thanks

gfunkdave

There is no security impact on using your own router vs connecting to the underlying wifi/ethernet directly.

Your browsing and transactions are secured either way using TLS (addresses that start with https). That's the important thing.

InfrequentFlyer

So if I connect my laptop to the hotel wifi, there's no (security) benefit of using a router in-between the connection, unless I also use a VPN?

gfunkdave

Correct, and your internet provider (VPN, hotel, Comcast, whatever) can always see your unencrypted traffic. Actual security is accomplished via encryption between your computer and the website/service you're accessing.

InfrequentFlyer

thank you for the courteous reply. i already bought a little travel router and just signed up for a free VPN to try it out the next time we go on vacation.. if nothing else, it will make connecting our 2-4 devices easier, and give me a project to learn about..

Qwkynuf

Wouldn't there be some NAT advantage, keeping other users on the same WiFi from seeing your devices? Not talking about sniffing traffic, more about poking at any ports that might be open.

gfunkdave

Sure, but tablets/phones/PCs these days default to having their firewalls block everything anyway. Also the network engineer in me is forced to say that NAT isn't intended as a security feature. The main issue is people either sniffing unencrypted traffic or tracking what you're doing. But with how pervasive TLS is becoming, that becomes less and less possible.

Castoreum

"Travel routers" use 4G, same tech as a cell phone, not the wifi.

No real security benefit though. If a site uses HTTPS you are protected regardless of who listens.

VPNs can be helpful in some cases, but if you don't think anyone is targetting you specifically it's probably sufficient to install the HTTPS Everywhere extension.

(It makes sure sites like Gmail and FT that use FT won't fall back to plain, unencrypted HTTP).

Personally I choose to use a VPN when travelling, since so many sites (even ones you'd think are important) either don't use HTTPS, or have "mixed content". It's also hard to tell sometimes if a certificate error is due to an improperly configured captive portal (the thing you click "I agree to the TOS" or log in on), or a malicious attack.

Also if you're especially paranoid, DNS leaks where you're visiting. It's my understanding that a good VPN does DNS on their end, hiding where you're visiting from the network operator.

Metadata can give a lot of information, so I choose not to

docbert

Travel routers, in the sense that the term is normally used, definitely use Wifi. Wifi on the "client" side (normally encrypted Wifi), and either ethernet, Wifi (normally unencrypted public wifi) or possibly (but rarely) 4G on the uplink side.

No, not really. (As you clearly understand given your mention of HTTPS Everywhere). You are protected as long as your communication to the site uses HTTPS. Your bank might use HTTPS, but if someone is intercepting your traffic then it's possible you were silently redirected to a different site that's not using HTTPS, or is using HTTPS, but is not your bank. Rather than repeat what I've said here before, I'll just point to this previous post.

HTTPS Everywhere certainly helps with this problem, as do new things like HSTS (which forces your browser to always use HTTPS for specific sites automatically, without HTTP Everywhere), but for the average person it's still far too easy to have your traffic going somewhere other than where you're expecting and not realize it...

kennycrudup

Yup. Every now and then the WN elite free-WiFi login page throws an cert error and because it's way too easy to spoof that I keep retrying 'till the lock comes up.

I should probably plug "NeverSSL" here- as it eponymously states, it doesn't use SSL so it's perfect for being the first site you open after connecting to a captive-portal network to bring up the TOS page (if any).