Well… Hypothetically, if one were to try and hack a person's WiFi and they are using a VPN, it is harder to see packets and track where they are coming from.
All using VPN with HTTPS traffic does is encrypt already encrypted data. So between a VPN Server and a Website, the HTTPS isn't decrypted, just the communications channel itself isn't encrypted, which doesn't affect HTTPS. In cybersecurity, you don't rely on one method of protecting your data, rather a lot of different methods, which is called defence-in-depth. Obviously sending sensitive data over unencrypted channels is not good for your security, but it isn't enough to say a VPN isn't needed in the scenario where unencrypted data is being sent over public Wi-Fi. By using a VPN, you are doing what you can to protect yourself in the environment you are in. Besides, web traffic is not the only traffic being transmitted when using a computer. Applications in use on phones, laptops, and tablets could be using unencrypted traffic to send data, so by using a VPN you are ensuring that you are protecting your traffic where you can to make up for all of this. Otherwise you would have to know exactly how each program on your computer is sending data and whether they are using encryption.
I'd recommend reading Google's BeyondCorp strategy for Zero Trust security. Google ditched VPNs over a decade ago for their workforce, switching to externally exposed HTTPS-based sites. Like, yeah, what you're saying is technically possible, but what’s the actual risk here? Google isn’t the only security powerhouse that’s tossed VPNs out the window. They're just one of many companies that realized VPNs don’t really do much to protect you on sketchy networks anymore. VPNs still have their uses, no doubt. But for the average person in a Western country? They're mostly just security theater with little real benefit.
Good work, Marcus. The sooner this business model built on fear-mongering dies, the better IMHO. I strongly suspect that the kind of person who uses VPN-as-a-Service will also be gullible enough to install a root certificate or click past a security warning, given the flimsiest of pretexts, thus rendering transport security useless for them.
Great vid! Would love an explanation of how encryption protocols exchange keys without user interaction. Doesn't the key exchange have to happen unencrypted? Good topic for a future vid.
I don't use public wifi as I've got too good mobile data to bother.. but I'm interested in your view here on other protocols. This video is only talking about web and it's not only your video that has this focus but a lot of the world. Imagine the person's email server not using encryption... and lots of people put stuff on the internet that shouldn't be there.. :)
Would a VPN not continue the same HTTPS transmission it received from the client, and send it through to the server? That's not going to become decrypted on the VPN, would it? Since simply using a VPN doesn't mean installing a certificate to the browser, so, it'll be using the one that the site has given still? *continues watching*. Please correct me if I missed something there!
I remember watching a video on what it takes to MITM HTTPS. The video's scenario was a corporate network, or fast home network, just to illustrate how difficult it would be with high speed and stable connections. It would require software to be installed on the client (SSLLOGKEYFILE or whatever env var it is + tcpdump I guess + an info stealer) listening to all the HTTPS keys (seeds? I forget) on the client machine (which would only be able to decrypt outgoing from client to server, and never server to client), and the info stealer would have to send the key fast enough to a MITM I guess to match it with the correct request, otherwise that's a bunch of manual work. Something like that anyways. And unless the MITM person has access to the root certificate, they'll never be able to decrypt traffic from server to client... Not that you'd need to if you have the client's cookie etc though (obviously sent with every client to server request). *continues watching* idk much about the pineapple...
Great video Marcus! Sounds like I need to go back and study this topic again, no worries! Had fun the first time! Ed Harmarsh has got a great video that's an in depth dive into how all the SSL/TLS protocols work, it doesn't go into MITM, but it's very interesting nonetheless. Though it costs like $250USD iirc. It teaches a lot. I won't endorse it on your channel, but if your viewers are interested, it's an option to check out and see if it's a thing you'd like to study or not. Fun topic! Thanks Marcus!
I use VPN for the geolocation so I can access content for my subscription while abroad. Also because I have a network hard drive that I connect to while away from home.
Don't trust it. Tor was compromised in 2013 after the browser bundle was released for update with some changes. It had all defaults for privacy set to the lowest they could be and enabled scripts to be run. Websites were hacked by security services and anyone connecting to Freedom Hosting found they were being identified by having their real IP reported back to law enforcement. In future releases after this was "discovered" by users, the project put settings back to a higher security level. Unfortunately that change of display did nothing to change program settings and they stayed at lowest security. It was a clever way to use the Tor Browser Bundle to facilitate Operation Onymous and catch a lot of Tor users. Other ways of doing it were to add code to files, make them call home and identify the real user IP and computer/Network details. Law enforcement altered files to make them fetch resources or force upgrades to law enforcement systems. Those updates would be used for remote access. People on forums started asking how to use firewalls to block outgoing communications, the one thing to appear was people offering advice on this, they were mainly police asking what exactly the user wanted to block. This identified people with a lot to hide. There were even exploits used on video files, by altering them slightly to make them connect to deal with new file extensions for example, that went in the clear, not over Tor, so identified people. It was similar for picture files, it was easy to identify who viewed them, and the biggest laugh was those cropping photos never had a clue the entire picture was sent and could be recovered. There are lots of ways to identify Tor users, some logged into sites with their real details, others through traffic staining.
Please continue with Reverse Engineering for Beginners & its fundamentals, & please try explaining the theory side behind it..for example what are registers, heaps, stack, pointers, instructions etc. so basics of x86 assembly & then how could that knowledge be implemented into actual reversing static or dynamic, something that's legal to do haha..i only found 2 tutorials on x86 assembly fundamentals & they're very hard to follow & understand & not speaking of online courses etc they cost an insane amount of money
There is more risk. For example, yes, the website is loaded initially by HTTPS, but if even one request (image loading) is insecure, it will send the request unsecured with cookie data. But modern browsers also protect from this by so-called mixed content security: no insecure request is allowed when the website is loaded via HTTPS. But we are still left with some risks. When we boot up the computer, requests are always sent without our notice. For example, VLC media player in the past used HTTP for software updates; the client wouldn't know that. We have software and most people don't know what configuration they have. Also, many websites don't use HSTS configuration. In the end, as long as the OS and software are up to date, the firewall is configured correctly and you don't sit all day in a cafe, you are fine without a VPN.
@@MalwareTechBlog Yes, it's. But as we have seen as lately as December, both Microsoft and Google have had problems with proxies attacks on 2FA. If you can do that as late as December and Google have not solved this yet, do you expect this can't happen with a rogue Wi-Fi? Companies are so lousy to implement security, especially on web servers, even easy and free ones, that I have lost faith in some IT people.
You aren't really forced to install any 'government' root certificate at all. They CAN NOT see if you do from your typical web traffic. This is government's problem: they put down unenforceable laws. If they tell: everyone install this certificate and tell ISPs: do a TLS MITM with the same certificate - secured version of web site is no longer available, it is better not to go there.
What about encrypting DNS traffic? It's one of the benefits of VPN I can think of. I don't want my neighbour in the hotel casually using Wireshark and seeing what I'm visiting based on my DNS queries.
@@MalwareTechBlog Not entirely. It solves it for DNS, but not for TLS. When initiating a TLS handshake the client sends the server name in clear text as part of the Client Hello packet. There is ongoing work to encrypt this field but I'm not sure what the status is though. I just tried it on my up to date macbook, using the latest Brave version and it does not encrypt the SNI field when talking TLS1.3. So when it comes to privacy I think there's still an argument to be made in favor of VPN, especially for people living under serious threat. But for anyone else, and especially in the context of security rather than privacy, you are on-point.
I’d think best practice for webmasters in the year 2025 is to just block inbound connections (especially to port 80) & only allow https (443). I don’t know… seems incredibly simple. Is there any reason for any website today to ever utilize http / port 80?
I've never used a VPN for years, as I figured I have no money, and if they're smart enough to hack me, a VPN won't save me 😂 But thanks for keeping us up to date with current security methods, as I didn't know them.
It's true that a lot of the concerns are overblown, but it's hard to ensure that all apps/connections use TLS properly and there is always the chance of being impacted by a 0-day vulnerability before it is addressed. If you trust the VPN more than the hotspot, it's still beneficial to use the VPN imo.
@@MalwareTechBlog I think my memory might have been combining 2 stories into one, but last year there was both a case of someone impersonating airport wifi and using a portal page to steal people's email/etc credentials, and there was a case of a 0-day affecting TP-Link routers allowing RCE. I agree it isn't *likely* for the average person to have issues (assuming everything that matters is encrypted via TLS), but I still see enough benefit in using a VPN for it to not be completely pointless or paranoid.
No, the traffic on the website isn't unencrypted when you use a VPN, NOT AT ALL! It is still encrypted on your computer and there is no point on the way where it is unencrypted! It's just doubly encrypted by the VPN to pass the data through the tunnel, but definitely no communication with the website is unencrypted... And HTTP was a problem not so long ago; it was actually Google and their Chrome that demanded all websites start using HTTPS, but a very big number of them weren't using HTTPS not so long ago, something like around 2018... so until then it was a very real threat.
u not lying!! i lived in central tx for a few years, shoulda stayed there too! east coast has the worst winters.. leave this madness for the europeans!
@@MalwareTechBlog oh, I misunderstood the convo about moving to Texas in an older live that I was watching earlier, and took it out of context. I thought it sounded like a good idea though initially. 🤔 Texas is a way better place in the big picture. Oh well lol my bad. Maybe you should consider it anyway 😆 xD Take care.
great video and i love the message about shady vpns but i would say it would help if u added a message about enterprise users who must be on company vpn - i can totally see a sales guy using this video to tell me “but it doesn’t really help me to be on company vpn” 💀
This video should be retitled because I can do a lot with somebody that's at public Wi-Fi... There's still plenty of information contained inside the packets' headers that is not encrypted, even with hypertext transfer protocol secured. Not to mention when you're in public Wi-Fi the hacker has a physical access to you, which means they can peek over your shoulder and see what website you are visiting, then use AI to make a quick mock-up of that website that looks identical, then I can reroute said traffic to my site instead. We used to post YouTube videos on how to do things until everybody started copying videos and making it public knowledge. Now the real vulnerabilities of wireless information and the internet we just keep to our f****** selves, whether they're black hats or white hats like myself. Not going to tell you how I do these things, but those are just a couple of examples. If people look up to you for IT knowledge, maybe it's a good idea not to give them a false sense of security. There is only one way to be safe on public Wi-Fi: using a device that has never once since it was manufactured stored any private data. I call it a burner device or a ghost device. The other option is you can just never use public Wi-Fi.
The truth is you can never secure a network; the only thing you can do is observe and respond. To ever think that the network is secured and can't be hacked is irresponsible, especially for a quote-unquote ethical hacker. You should have had to take the same schooling and certification that I did, which means your job is literally hacking into networks for a living like me. At the bottom line, if you do your footprinting right you will get in, bottom line, end of story, every time, because that is literally the name of the game... Just saying, but I don't know nothing, I'm just a big time stupidstoogenoob
@@MalwareTechBlog the beauty about being a programmer is you can write new programs and nobody knows about them. The subject of this video also relies and almost depends on there being no zero days; however, zero days are a real thing and they actually happen.
Bypassing geoblocks is quickly becoming the winner. As states pass laws that result in adult sites blocking them, there are huge surges in searches for VPNs. Not to mention Netflix and other streaming media sites.
I respect your expertise as a programmer and cybersecurity researcher, but I have some disagreements. Saying you don’t need a VPN in places like cafes or airports because the likelihood of an attack is low is like saying you don’t need to lock your front door because the chance of someone testing it is slim. Even though the odds are low the logic behind not taking precautions seems flawed. Some VPN companies depending on their TOS and country laws may work for most users. However using private proxies or running your own VPN server would be more secure. The attacks you mentioned are valid concerns and while the chances of a MITM attack on random individuals are low, that doesn't mean we should drop our guard because of a low likelihood.
I'm not sure how you came to that conclusion. I made one single comment about the likelihood of an attack being low, meanwhile the other 21 minutes of the video were me explaining how even if you were on a compromised network, modern security protocols would prevent a man-in-the-middle attack from obtaining sensitive information.
This video is not wrong. The only thing I would query is at the 3:41 mark, why would traffic between the VPN server and website be ‘potentially unencrypted’. My understanding is that traffic would still be HTTPS, secured with TLS. Unless the VPN provider had somehow installed their own CA cert on your machine and were able to inspect it, I don’t see why that traffic would be any less secure than it would be without a VPN. Edit: Yeah, I don’t agree with what you say in that part of the video. You say traffic is only secured between the client and VPN server and that isn’t true. The end to end connection would still be secured via HTTPS, the encryption provided by a VPN is on top of that, not instead of. Your traffic routed between the VPN server and website would still be HTTPS.
@@georgec2932 In that part of the video, he's talking about a scenario where you rely on VPN for encrypting HTTP traffic instead of HTTPS encryption. Since it is HTTP traffic, the traffic between VPN server and the web server would be unencrypted.
So disappointed this wasn't sponsored by NordVPN
Sponsored by *redacted*
You explain technical concepts in such plain and simple English, it's really nice. Love your videos
Love your videos dude. A lot of technical videos can be boring when the person is yapping in a monotone voice. You have a great voice to listen to, and as an American you sound so much smarter just with the accent 😂
No fear mongering, but technical details explained for the masses... Feels oddly out of place in today's internet 😅
Thank you, sir!
huh?
The reason I still buy and use a paid VPN is to get past geoblocking and throttling from ISPs, especially in Middle Eastern and Asian countries.
How does your ISP throttle you? Isn’t their connection local?
@@imeaniguess.6963 they throttle certain types of traffic like youtube, torrents etc. With a VPN everything gets unrestricted.
That's pretty much the only valid reason to use a commercial VPN service. The issue is, most VPN ads say that you need one to be secure online.
@@imeaniguess.6963 they look at the IP and decide to brick your connection
I just use my own Wireguard setup, deployed in cloud, in a region which gives me the IP I need.
I've long since stopped concerning myself with encryption being broken and started asking myself if I can trust all the trusted root certificates that came pre-installed on my computer.
Bro, that's dark 😅
Thanks for posting this as a counter argument to all the various VPN ads we've seen.
One tiny bit to note for anyone hosting a webservice viewing this; HSTS is something that has to be explicitly configured for the site on the web server. Unfortunately we see an awfully low adoption of HSTS across the web, so please take a moment and enable HSTS for your web sites!
Any bank or major service provider does of course support HSTS so the arguments in the video are still valid even though we see an overall low adoption of HSTS.
I even have preload active.
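For site operators following the HSTS comments above, here is an added example (not from the video or from any commenter) that grades a `Strict-Transport-Security` header value against RFC 6797 parsing rules and the header criteria of the hstspreload.org list. The sample header values are constructed, `parse_hsts` and `assess` are illustrative names, and only the header is checked, not the redirect or certificate requirements for preloading.

```python
from dataclasses import dataclass, field
from typing import Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the preload list minimum


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: list = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the directives of a Strict-Transport-Security header value."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be a quoted-string
        if name in seen:                     # a repeated directive invalidates the header
            policy.errors.append(f"directive repeated: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isascii() and arg.isdigit():
                policy.max_age = int(arg)
            else:
                policy.errors.append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Unknown directives are ignored, as RFC 6797 requires of clients.
    if "max-age" not in seen:
        policy.errors.append("max-age is missing")
    return policy


def assess(value: str, served_over_https: bool = True):
    """Return (status, notes) for a header value as a browser would treat it."""
    if not served_over_https:
        # Browsers must ignore HSTS delivered over plain HTTP, so the first
        # visit is only protected if it was HTTPS or the site is preloaded.
        return "ignored", ["HSTS received over plain HTTP is ignored"]
    policy = parse_hsts(value)
    if policy.errors:
        return "invalid", policy.errors
    if policy.max_age == 0:
        return "disabled", ["max-age=0 tells the browser to forget the policy"]
    missing = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        missing.append(f"max-age below {PRELOAD_MIN_MAX_AGE} seconds")
    if not policy.include_subdomains:
        missing.append("includeSubDomains not set")
    if not policy.preload:
        missing.append("preload not set")
    return ("active", missing) if missing else ("preload-eligible", [])


if __name__ == "__main__":
    # Constructed sample values: a weak setting beside a corrected one.
    for header in ("max-age=300",
                   "max-age=63072000; includeSubDomains; preload"):
        print(header, "->", assess(header))
```
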
After I see what website somebody is on, I can use a device that I built and designed myself that, after a couple clicks, will force their computer into shutdown mode for low voltage. When the confused person brings the computer back up, I will be waiting with pre-made websites exactly the same as the ones they were on. Also, there are people (I haven't figured this one out yet, but I have witnessed it with my own eyes) who can make a mock HTTPS site and then restrict anyone from accessing the real site. She put a blur box over her code when she was showing me so that I couldn't steal her trick, but I didn't need to steal her trick; I just needed to know it was possible. The biggest flaw in the human mind is believing that just because we don't know or understand something, that makes it impossible, when in reality impossible is just a big word thrown around by small men who find it easier to live in the life and dogma they've been given than to explore the ability to create a solution to the problem themselves.
People getting mad because you just explained why the October Awareness Cybersecurity Month content they've been reusing for the last 15 years is deprecated.
2:02 love the "Dear loyal users.." statement, especially the apology with a five dollars McDonald's gift card! Chef's kiss!
Your videos (and your posts) are a breath of fresh air. Informative, on topic, no BS. Thanks!
Awesome video. I'm gonna use the video same as you. I've been so tired of arguing with people about VPNs and public wifis.
Thank you for showing and a good explanation 💯👍🙏👏👏👏
I like the way you explain things! 🤙🤙
Thanks 🙏
Thanks for this Marcus, I'll be pinging this to my family every time I get asked to set up a "firewall" for when they take their laptops on holiday 🙃 Do you have a podcast or recommendations for podcasts?
It's honestly comforting to know that MITM attacks are a thing of the past
Honestly your thumbnail should say something about how MITM are a thing of the past
But they are not. Prolly considering Wifi, but we are using MitM scenarios very often in penetration testing, for example for NTLM-relaying attacks.
@@iHakku_D9 your first recommendation should be stop using NTLM
MITM attacks aren't a thing of the past. MITM isn't only related to wifi attacks. There are too many MITM attacks to name, both physical and virtual, that are still working every day. I just had an attack: someone stole my debit card with a card skimmer at a ghetto gas station here in L.A. and tried to spend $300 at a Gucci store.
Why I dislike a VPN is that your connection becomes slow, and since internet in the Netherlands is expensive, a mediocre connection becomes even slower. Sure, you can go higher, but at those prices it just can't be afforded.... Also, you just have to trust the VPN. Well, I trust my ISP more than opinions VPN providers that you also have to pay extra for.
Nice explanation Marcus, even I didn't know everything .....
The weakest layer on your system will be the potential avenue for attack. Attackers always find a way, and most of the time it won't be detected for a significant period. I'd say always have a multi-layered defensive posture and never relax and say I'm 100% secure. I agree with Marcus H.
This is an AWESOME video that in effect covers another issue: Why you probably don't need to worry about unencrypted wifi (no password) on the plane or in the hotel. Only comment I'd make is that depending upon the browser in some circumstances, there is a dependency on the user not ignoring and clicking through browser errors. You might have touched on this (am multi-tasking during the video).
In modern wifi, the traffic between your device and the wifi access point is still encrypted even without a password. The password is for authentication (i.e. it just limits the set of users that can avail of the wifi to those who have the password).
Here's a usecase for VPNs. In Australia, ISPs are required by law to retain user metadata, urls, timestamps etc. VPNs conceal the metadata from ISPs.
Great, clear explanation that even a non-tech person can pretty much follow. Thanks.
Subbed thx for sharing your knowledge
Excellent explanation!
Great message! Thanks a lot, Marcus
Thanks Marcus, great explanation 👏👏👏👏
one of my jobs uses Cisco Umbrella to MITM my https, but they provided the laptop, and they don't let me have admin on it. :-) (yes, you covered this at 18:55)
Personally, instead of going so in-depth on the algorithms and ciphers and SSL / TLS versions, if I were to do a version of this video, I think I'd just emphasize: "If you install the latest version of Windows 11, or latest Mac OS X, and you make sure your operating system updates are recent, and you install the latest version of Firefox or Chrome or Edge or Brave, then you don't need VPN."
I did appreciate how you covered HSTS. But the rest of it I thought was pretty deeply technical for a general audience.
I was waiting for the, "now a word from our sponsor Nord VPN"😂
same hahahaiuhkjhlkmjlk
That's some interesting information. I never knew your browsers will tell it to never use HTTP after you visit a website via that way once. And that it also has built-in security to help secure your data on public Wi-Fi and that HSTS protects you from a rogue network. Sub'd
For the most part, yeah, if your apps and OS are up to date and properly configured, hackers won't be able to get to your bank account. But this article centers on HTTP+TLS, and there are many other apps and services using unencrypted and potentially unsecure protocols, starting with DNS (that AFAIK, most people use without encryption nowadays): hackers can know for example the sites you visit viewing DNS requests, and use that info to increase the chance of a social engineering attack. Also most people are not security aware, and I am sure many people needing to do for example a quick bank transfer, would disregard the security warning (the same that many people click without thinking on Windows UAC prompts).
So I still recommend using a VPN to connect to public WiFi. While it's true you probably don't need a VPN to stay secure on public WiFi, "probably" is not the same as "certainly".
As Marcus said, you are still transferring the risk to how well the VPN manages that security. So you are definitely not 'certainly' secure either.
Why spoof a WIFI and record network traffic if you can just shoulder surf someone?
Also an attacker with MITM access doesn't need DNS to record what sites you access. The TLS ClientHello packet exposes the website's name in clear text in the SNI field. As far as I know encrypted SNI is still not widely adopted.
Wow the random certificate thing seems interesting ! Maybe the topic for the next video ?
If you mean Root CAs, I have another video that will go more into SSL inspection, but I may do a dedicated video that goes in depth into the tech behind it.
@@MalwareTechBlog Yes great !!!
you're a hero 🗿
Marcus = good man in the middle
I fully agree with this video. That said, there are probably a few workflows or use cases where a VPN might be a good idea, for example connecting to a work network, or a very high profile person wanting or needing to protect their real location.
or maybe they need an extra layer of security ontop of all that; though i would be doubtful of how much real security gains you may get but hey.
i am in favor of the last mile protecting itself.
If privacy is the primary concern, use TOR. If additional security is the concern, setup a VPN connection back to your home network. The only real uses for a VPN subscription are changing location for geo-fencing, or sailing the high seas without your ISP seeing the traffic details.
so i have to take ddos attacks like a champ?
The problem with clickbaits like these is people actually believe them without watching the whole thing or not understand the whole concept of vpns...
If you're making security decisions based on YouTube thumbnails, then it's purely a skill issue
Well guys. This guy knows what he's talking about. Not like the others. But who's buying YouTube ads stuff... Seriously... Who TF is doing that in 2025?
You bounce between “browser” and “app” for ex “banking app”; can we assume that HSTS is honored by apps that aren’t a browser?
Apps usually don't really even need to rely on HSTS because they often hardcode URLs and certificates
Well…. Hypothetically if one were to try and hack a persons WiFi and they are using a VPN. It is harder to see packets, and track where they are coming from.
All using VPN with HTTPS traffic does is encrypt already encrypted data. So between a VPN Server and a Website, the HTTPS isn't decrypted, just the communications channel itself isn't encrypted, which doesn't affect HTTPS. In cybersecurity, you don't rely on one method of protecting your data, rather a lot of different methods, which is called defence-in-depth.
Obviously sending sensitive data over unencrypted channels is not good for your security, but it isn't enough to say a VPN isn't needed in the scenario where unencrypted data is being sent over public Wi-Fi. By using a VPN, you are doing what you can to protect yourself in the environment you are in.
Besides, web traffic is not the only traffic being transmitted when using a computer. Applications in use on phones, laptops, and tablets could be using unencrypted traffic to send data, so by using a VPN you are ensuring that you are protecting your traffic where you can to make up for all of this. Otherwise you would have to know exactly how each program on your computer is sending data and whether they are using encryption.
I'd recommend reading Google's BeyondCorp strategy for Zero Trust security. Google ditched VPNs over a decade ago for their workforce, switching to externally exposed HTTPS-based sites.
Like, yeah, what you're saying is technically possible, but what’s the actual risk here? Google isn’t the only security powerhouse that’s tossed VPNs out the window. They're just one of many companies that realized VPNs don’t really do much to protect you on sketchy networks anymore.
VPNs still have their uses, no doubt. But for the average person in a Western country? They're mostly just security theater with little real benefit.
Good work, Marcus.
The sooner this business model built on fear-mongering dies, the better IMHO.
I strongly suspect that the kind of person who uses VPN-as-a-Service will also be gullible enough to install a root certificate or click past a security warning, given the flimsiest of pretexts, thus rendering transport security useless for them.
7:41 what about mobile phones?
great vid! would love an explanation of how encryption protocols exchange keys without user interaction. doesn't the key exchange have to happen unencrypted?????????????????? good topic for a future vid.
It'd probably need to be its own video as it's a somewhat complicated topic
This is an excellent video and should be required viewing for any YouTubers who take money from VPN companies.
I don't use public wifi as I've got too good mobile data to bother.. but I'm interested in your view here on other protocols. This video is only talking about web and it's not only your video that has this focus but a lot of the world. Imagine the persons email server not using encryption... and lots of people put stuff on the internet that shouldn't be there.. :)
Any modern email server should also be using SSL/TLS. This applies to anything sending sensitive information.
@@MalwareTechBlog Yeah, should ;) I'll pop in when you stream :) Easier to chat there 👍
Would a VPN not continue the same HTTPS transmission it received from the client, and send it through to the server? That's not going to become decrypted on the VPN, would it?
Since simply using a VPN doesn't mean installing a certificate to the browser, so, it'll be using the one that the site has given still?
*continues watching*. Please correct me if I missed something there!
I remember watching a video on what it takes to MITM HTTPS. The video's scenario was a corporate network, or fast home network, just to illustrate how difficult it would be with high speed and stable connections. It would require software to be installed on the client (SSLLOGKEYFILE or whatever env var it is + tcpdump I guess + an info stealer) listening to all the HTTPS keys (seeds? I forget) on the client machine (which would only be able to decrypt outgoing from client to server, and never server to client), and the info stealer would have to send the key fast enough to a MITM I guess to match it with the correct request, otherwise that's a bunch of manual work. Something like that anyways.
And unless the MITM person has access to the root certificate, they'll never be able to decrypt traffic from server to client... Not that you'd need to if you have the client's cookie etc though (obviously sent with every client to server request).
*continues watching* idk much about the pineapple...
Great video Marcus! Sounds like I need to go back and study this topic again, no worries! Had fun the first time!
Ed Harmarsh has got a great video that's an in depth dive into how all the SSL/TLS protocols work, it doesn't go into MITM, but it's very interesting nonetheless. Though it costs like $250USD iirc. It teaches a lot. I won't endorse it on your channel, but if your viewers are interested, it's an option to check out and see if it's a thing you'd like to study or not.
Fun topic! Thanks Marcus!
I use VPN for the geolocation so I can access content for my subscription while abroad. Also because I have a network hard drive that I connect to while away from home.
You might want to look at your audio settings in the edit. Audio is in right channel only.
It's definitely playing on both channels, but the right channel does seem slightly louder for some reason.
yeah audio is slightly weird and low volume playing from speakers, great video content regardless
Audio is good, it's a problem on your end.
@@MalwareTechBlog you were playing on my right-hand monitor so seemed perfectly placed audio to me
Thank you! Now if I could just get people who make policy at my organization to listen and agree, we'd all be better off.
How about TOR browser?
Don't trust it. Tor was compromised in 2013 after the browser bundle was released for update with some changes. It had all defaults for privacy set to the lowest they could be and enabled scripts to be run. Websites were hacked by security services and anyone connecting to Freedom Hosting found they were being identified by having their real IP reported back to law enforcement.
In future releases after this was "discovered" by users, the project put settings back to a higher security level. Unfortunately that change of display did nothing to change program settings and they stayed at lowest security.
It was a clever way to use the Tor Browser Bundle to facilitate Operation Onymous and catch a lot of Tor users.
Other ways of doing it were to add code to files, make them call home and identify the real user IP and computer/Network details.
Law enforcement altered files to make them fetch resources or force upgrades to law enforcement systems. Those updates would be used for remote access.
People on forums started asking how to use firewalls to block outgoing communications, the one thing to appear was people offering advice on this, they were mainly police asking what exactly the user wanted to block. This identified people with a lot to hide.
There were even exploits used on video files, by altering them slightly to make them connect to deal with new file extensions for example, that went in the clear, not over Tor, so identified people. It was similar for picture files, it was easy to identify who viewed them, and the biggest laugh was those cropping photos never had a clue the entire picture was sent and could be recovered.
There are lots of ways to identify Tor users, some logged into sites with their real details, others through traffic staining.
I think that it would be a better video if you’d explain upfront in which cases VPN do make sense.
But what about WiFi sniffing on the same network?
Wi-Fi sniffing is just another term for what's explained in the video
my right ear love this
Will watch the video later but are you safe from the firestorm happening right now?
Yup, all safe thanks!
Any potential risks regarding DNS in this case?
They could see your DNS queries if you don't enable DoH
@@MalwareTechBlog Thanks for answering ❤ I guess that's a privacy concern and not a security concern per se
How connect to something and you dont want them knowing your home IP? With socks proxies? Vpn?
Please continue with Reverse Engineering for Beginners & its fundamentals, & please try explaining the theory side behind it..for example what are registers, heaps, stack, pointers, instructions etc. so basics of x86 assembly & then how could that knowledge be implemented into actual reversing static or dynamic, something that's legal to do haha..i only found 2 tutorials on x86 assembly fundamentals & they're very hard to follow & understand & not speaking of online courses etc they cost an insane amount of money
but the mobile networks and devices are not vulnerable?
5:30 using google servers?
There is more risk such as yes website is loaded initially by https but even if one request(image loading) is insecure it will send request unsecured with cookie data, but modern browsers protects also from this by so called mixed content security. no insecure request is allowed when website is loaded via https.
but we are still left with some risks. when we boot up a computer, requests are always sent without our notice. for example VLC media player in the past used http for software updates. the client wouldn't know that. we have software and most people don't know what configuration they have. Also many websites don't use HSTS configuration.
In the end as long as OS and softwares are up to date and firewall is configured correctly and you don't sit all day in cafe you are fine without VPN
Hey man, good video but the audio mix is broken. Your voice originates behind my right ear instead of front and center.
Use VPN until HSTS become more familiar
The problem is if you not only set up a rogue Wi-Fi, but also a proxy so you can pretend to be the receiver end.
That is the same attack as the one explained in this video and it doesn't work.
@@MalwareTechBlog Yes, it's. But as we have seen as lately in December. Both Microsoft and Google have had problems with proxies attacks on 2FA. If you can do that as late as December and Google have not solved this yet, do you expect this can't happen with a rogue Wi-Fi. Companies are so lousy to implement security, specially on web servers. Even easy and free ones, that i have lost faith in some IT people.
@@thomasedin764 Entirely different type of proxy. Has nothing to do with public wifi nor can it be done via public wifi.
Also, encrypt your DNS requests and disable proxy auto discovery. Damn, I am watching too many cybersecurity videos ...
what about government forcing you to install their root certificate?
You aren't really forced to install any 'government' root certificate at all. They CAN NOT see if you do from your typical web traffic.
This is government's problem: they put down unenforceable laws.
If they tell: everyone install this certificate and tell ISPs: do a TLS MITM with the same certificate - secured version of web site is no longer available, it is better not to go there.
What about encrypting DNS traffic? It's one of the benefits of VPN I can think of. I don't want my neighbour in the hotel casually using Wireshark and seeing what I'm visiting based on my DNS queries.
Enabling DNS Over HTTPS (DoH) solves that without a VPN
@@MalwareTechBlog Not entirely. It solves it for DNS, but not for TLS. When initiating a TLS handshake the client sends the server name in clear text as part of the Client Hello packet. There is ongoing work to encrypt this field but I'm not sure what the status is though.
I just tried it on my up to date macbook, using the latest Brave version and it does not encrypt the SNI field when talking TLS1.3.
So when it comes to privacy I think there's still an argument to be made in favor of VPN, especially for people living under serious threat. But for anyone else, and especially in the context of security rather than privacy, you are on-point.
@@backmanfyi encrypted client hello is enabled by default in Firefox. Not sure how much support there is for this but it was introduced a while ago
Then why are the bad guys still using the same techniques?
They're not
I’d think best practice for webmasters in the year 2025 is to just block inbound connections (especially to port 80) & only allow https (443). I don’t know… seems incredibly simple. Is there any reason for any website today to ever utilize http / port 80?
I've never used a VPN for years, as I figured, I have no money and if they're smart enough to hack me, a VPN won't save me 😂 but thanks for keeping us up to date with current security methods as I didn't know them
Marcus is going to war against big VPN.
18:39 that person asked a good fukin question, an implication of relevant knowledge to the topic at hand (:
VPNs are useful when you want to appear as a user in a different country....
It's true that a lot of the concerns are overblown, but it's hard to ensure that all apps/connections use TLS properly and there is always the chance of being impacted by a 0-day vulnerability before it is addressed. If you trust the VPN more than the hotspot, it's still beneficial to use the VPN imo.
People using 0days on public Wi-Fi is not a realistic threat for the average person
@MalwareTechBlog Maybe not at like Starbucks, but I can see it in other contexts like airports for example
Are there any reported cases of that happening?
@@MalwareTechBlog I think my memory might have been combining 2 stories into one, but last year there was both a case of someone impersonating airport wifi and using a portal page to steal people's email/etc credentials, and there was a case of a 0-day affecting TP-Link routers allowing RCE. I agree it isn't *likely* for the average person to have issues (assuming everything that matters is encrypted via TLS), but I still see enough benefit in using a VPN for it to not be completely pointless or paranoid.
Those are two completely different incidents
W
would have been hilarious if at the end you said this video is sponsored by xyz vpn.
👍
1:59
real ones know this man saved the internet. and likely saved the world.
Ye boiiii
more hutchens talks please, you got me leveling up my brain
No, the traffic on website isn't unencrypted when you use vpn, NOT AT ALL! It is still encrypted on your computer and there is no point on the way where it is unencrypted! it's just doubly encrypted by vpn to pass the data through tunnel, but definitely no communication with website is unencrypted... and http was a problem not so long ago, it was actually google and their chrome that demanded all websites to start using https, but very big number of them weren't using https not so long time ago, like something around 2018.... so until then it was very real threat
Yo man I heard you are moving from LA to Texas! Good idea man TX is way better than SoCal. Probably on all levels. Anyway good luck, love the content.
u not lying!! i lived in central tx for a few years, shoulda stayed there too! east coast has the worst winters.. leave this madness for the europeans!
Not sure where you heard that, but I'm definitely not moving to Texas.
@@MalwareTechBlog oh, I misunderstood the convo about moving to Texas in an older live that I was watching earlier, and took it out of context.
I thought it sounded like a good idea though initially. 🤔 Texas is a way better place in the big picture.
Oh well lol my bad. Maybe you should consider it anyway 😆 xD
Take care.
@@LimitedState I was thinking of moving to a different country, but not within the US.
@@MalwareTechBlog Got it. Yeah that was my misunderstanding. Good luck regardless of your endeavors. :)
great video and i love the message about shady vpns but i would say it would help if u added a message about enterprise users who must be on company vpn - i can totally see a sales guy using this video to tell me “but it doesn’t really help me to be on company vpn” 💀
_PST🌃1AM Jan 15th 2025_
youre the goat
Uhmm you can just Host one yourself? Wireguard will do just fine.
This video should be retitled because I can do a lot with somebody that's at public Wi-Fi... There's still plenty of information contained inside the packets headers that is not encrypted even with hypertext transfer protocol secured. Not to mention when you're in public Wi-Fi the hacker has a physical access to you which means they can peek over your shoulder and see what website you are visiting then use AI to make a quick mock-up of that website that looks identical then I can reroute said traffic to my site instead. We used to post YouTube videos on how to do things until everybody started copying videos and making it public knowledge now the real vulnerabilities of wireless information and the internet we just keep to our f****** selves whether they're black hats or white hats like myself not going to tell you how I do these things but those are just a couple of examples if people look up to you for it knowledge maybe it's a good idea not to give them a false sense of security. There is only one way to be safe on public Wi-Fi.. using a device that has never once since it was manufactured stored any private data I call it a burner device or a ghost device. The other option is you can just never use public Wi-Fi
You can't reroute websites, the browser will issue an insecure connection warning because you don't have a valid certificate. AI is irrelevant here.
A vpn won’t protect you against someone looking over your shoulder
The truth is you can never secure a network the only thing you can do is observe and respond to ever think that the network is secured and can't be hacked is irresponsible especially for a quote unquote ethical hacker you should have had to take the same schooling and certification that I did which means your job is literally hacking into networks for a living like me at the bottom line if you do your footprinting right you will get in bottom line end of story every time because that is literally the name of the game... Just saying but I don't know nothing I'm just a big time stupidstoogenoob
@@MalwareTechBlog the beauty about being a programmer if you can write new programs and nobody knows about them the subject of this video also relies and almost depends on there being no zero days however zero days are a real thing and they actually happen
I have had enough of all these VPN ads on YouTube. All this bullshit, the only use of a VPN for the masses is torrenting Linux ISOs
Bypassing geoblocks are quickly becoming the winner. As states pass laws that result in adult sites blocking them, there are huge surges in searches for VPNs. Not to mention Netflix and other streaming media sites.
This video is wrong in many ways. It’s genuinely hard to watch.
I respect your expertise as a programmer and cybersecurity researcher, but I have some disagreements. Saying you don’t need a VPN in places like cafes or airports because the likelihood of an attack is low is like saying you don’t need to lock your front door because the chance of someone testing it is slim. Even though the odds are low the logic behind not taking precautions seems flawed.
Some VPN companies depending on their TOS and country laws may work for most users. However using private proxies or running your own VPN server would be more secure.
The attacks you mentioned are valid concerns and while the chances of a MITM attack on random individuals are low, that doesn't mean we should drop our guard because of a low likelihood.
I'm not sure how you came to that conclusion. I made one single comment about the likelihood of an attack being low, meanwhile the other 21 minutes of the video were me explaining how even if you were on a compromised network, modern security protocols would prevent a man-in-the-middle attack from obtaining sensitive information.
Nothing beat Ethernet, Wifi is worthless, about security
Click bait! VPN has its place and use cases. Just because a site uses HTTPS doesn’t mean it’s 100% secure.
Weird video.
If you say so
You’re wrong
Then give the correct version
Super compelling argument, how long did it take you to come up with?
Gigachad
This video is not wrong. The only thing I would query is at the 3:41 mark, why would traffic between the VPN server and website be ‘potentially unencrypted’. My understanding is that traffic would still be HTTPS, secured with TLS. Unless the VPN provider had somehow installed their own CA cert on your machine and were able to inspect it, I don’t see why that traffic would be any less secure than it would be without a VPN.
Edit: Yeah, I don’t agree with what you say in that part of the video. You say traffic is only secured between the client and VPN server and that isn’t true. The end to end connection would still be secured via HTTPS, the encryption provided by a VPN is on top of that, not instead of. Your traffic routed between the VPN server and website would still be HTTPS.
@@georgec2932 In that part of the video, he's talking about a scenario where you rely on VPN for encrypting HTTP traffic instead of HTTPS encryption. Since it is HTTP traffic, the traffic between VPN server and the web server would be unencrypted.
Hi Marcus, I love to work for you as my boss and create a cybersecurity firm here in the Philippines, of course with your leadership.