Online security tools
 

I usually on public wifis while traveling, and, after reading a few shocking stories of how people get hacked through these open networks, I got concerned. I already own Surfshark, Bitdefender and Lastpass, but is it enough? Do I need something like TOR?

Probably not.

Even if you're doing online banking on airport wifi, the more likely ways you're going to get hacked are:

1. the dude watching over your shoulder as you type your password
2. someone hacking your bank or a merchant with whom you've done business
3. someone hacking another website that stored passwords in cleartext and using the password elsewhere (but you'd never use the same password on that dodgy forum for owners of 1984 Pontiac Fieros as you use for your bank... right?)

TLS (the encryption behind https, etc.) is quite secure and essentially every legitimate organization uses it these days. The alleged dangers of public wifi are, IMO, grossly overstated in 2019.

Moderator's Action
 

The Practical safety and Security Issues forum is for discussing topics directly related to travel, including security screening, travel documents, customs and immigration, personal safety during transportation and in hotels, and securing personal property while traveling.

Discussions of cyber security and safeguarding computers, cell phones and other electronics from hackers and malware belong in the Travel Technology forum.

Please follow this thread as if moves there.

TWA884
Travel Safety/Security co-moderator

Completely agree. That said, VPNs are so inexpensive nowadays, and I appreciate the peace of mind it gives me to use one when using public wifi

That is one of the reasons VPN is so popular.

This is probably true, but aside from the obvious benefit of location swapping to use Geo-locked things, a VPN is kinda like a condom. Sure, the chances of you getting an STD from connecting to that random free public hotspot in $RANDOM_CAFE is pretty slim, but why take the chance? I do not connect to public WiFi anywhere without a VPN active. With the VPN, sure there's also an amount of blind trust, BUT I can at least research the VPN to determine the level of risk involved and make a generally informed opinion on whether or not to trust them, where I cannot really easily verify that "Maid Cafe Public WiFi" and "Maid Cafe Public WiFi 2" are legitimate APs. It's just risk mitigation IMO and running a TLS encrypted connection across an also encrypted VPN session moves that risk from Killed By An Out Of Control Bus to Killed By Falling Space Station Debris territory.

Note, for #1 above, I, personally, don't type critical things where people can easily see them without being noticed, and my laptop always has a security screen on it which minimizes the "over the shoulder" viewers. But unlike the average person, I lean very far to the paranoid side of situational awareness.
For 2, there's NOTHING you can do to mitigate that, so it's not a concern at all.
For 3, that's why I use LastPass and a purely random password for every single account I have.

Connecting to a network is not going to give you malware*. That's just plain silly.

*assuming you are like 99.9% of the population and a nation state's intelligence service isn't after you

Of course not, the malware comes from the token rings...

That said though, the actual point was that you can't know or really vet that MyCafeWifi and MyCafeWifi are both legit, or know that one is legit and the other is someone doing a MITM faking an access point. So using a VPN when you do connect to MyCafeWifi is just an added layer of protection.

As for the assumption... I hope so, but you don't necessarily have to think you're a surveillance target, for instance, maybe the Chinese intelligence apparatus can decrypt traffic passing through my VPN, and likely they do not care, but when I'm in China I absolutely do not connect to anything without a VPN running.

Fun experiment. Go to a hotel with a travel router and give your travel router an SSID that is eerily similar to the legit hotel WiFi. Maybe something like "Marriott_Guest" vs "Marriott-Guest" and then just wait and see how many people try connecting to it unaware that it's not the right AP.

But yeah, 99% of all people really do have little to worry about that TLS doesn't already address, and like I said, personally I lean more to the paranoid side of things.

As you said, TLS addresses the MITM issues you raise. Use a VPN if you want; as far as I'm concerned they are a waste of money unless you're trying to access something the local network forbids (like getting through the Great Firewall) or want to appear to be in a different place because of geographic restrictions on what you're trying to access.

Out of curiosity, what VPNs do you use when connecting from McD or Starbucks (DataValet...a managed wifi service)? Up here, if I am using one of the "big-box" free Wifi, I find PIA and Nord won't connect. I haven't really researched it, but I'm curious if anyone has already figured out a way to make the two work together.

Getting through the GFC is painful with a VPN. If you use a recognised provider, it can take a long time to establish a connection to one of the entry points. I've had cases where I connect to the hotel wireless and watch the VPN client take its jolly sweet time connecting so I could access my emails. The last few times it took between 30-60 minutes before the connection established.

TLS helps, but in most cases it still relies on the user to notice if something is wrong. Other related things like HSTS help improve that, but there are still holes.

It's a few years old and there have been improvements, but this post from a similar thread here a few years ago explains some of the issues, even with SSL/TLS.