You didn't solve anything, you just moved some bits around. Do not say "what about warning fatigue" when a VPN does not solve warning fatigue.
The threat model I'd assume for an average user is "dumb attacker with a Wi-Fi Pineapple or equivalent". That's easy for someone in a coffee shop. I don't expect a low-resource attacker to have the capability to MITM traffic out of a VPN server.
Your threat model is very confused: a physically nearby attacker willing to break the law who can only MITM one protocol (TLS) but not another (IPsec, whatever). So you send all your bits to a shady middleman instead?
I'd base my threat model on what is available off the shelf. The number of attackers capable of buying a COTS tool (Wi-Fi Pineapple) is orders of magnitude larger than the number of folks who can write or even compile custom software.
I'd hope users use a corporate VPN or a GCE/AWS/hosting provider for a VPN, not pay $1/month to a sketchy company.

I agree that sketchy VPN providers change the balance on this. Admittedly, maybe it's unrealistic for me to expect users with real VPN endpoints can't grok cert errors.
That's more than unrealistic, that's just plain impossible... come on.
That's fair, and I'll definitely concede that point. I do think for corporate users it's maybe reasonable, but outside of that the only folks using reliable servers are probably smart enough not to stay on TLS sites and not to ignore cert errors in potentially hostile environments.
LMFAO you are one of the most important and technically gifted hackers... and get involved in the same dumb discussions about how to protect end users as the rest of the members of the community. Just pointing out that... you guys are still awesome.
Replying to @Crisofilaxxx @tylerni7 and
Fighting misinformation like "everybody needs a vpn", or "SMS 2FA prevents phishing" from well-meaning people is a real challenge. What's your proposal, just let the bad advice flow and chill?
FWIW, I'd also say SMS 2FA (while obviously not a great form of 2FA) does raise the bar for phishing, and is therefore a net positive. :P
You sure say "raise the bar" a lot.
I think that's all most of security is at the end of the day. I don't think it's "is this secure: yes or no"; it's "how many resources would an attack take to succeed", and you work up from there until your security level matches the threats you expect. Is that a controversial opinion?