Does a VPN used on a smartphone with Wi-Fi disabled (mobile data only enabled) provide any sort of protection?
I've never completely understood this, but I think the answer would probably be "no," although I'm not sure. Usually when I leave the house I turn off wifi and just use mobile data (this is a habit from my pre-VPN days), although I guess I should probably just keep it on since using strange Wi-Fi with a VPN is ok (unless someone at Starbucks is using the evil twin router trick . . . ?). I was generally under the impression that mobile data is harder to interfere with than Wi-Fi, but I could well be wrong and my notions out of date. So, if need be, please set me straight. 🙂
Your provider will just see encrypted traffic (mostly) anyway, so no it will not provide protection. The only thing that you're now hiding from your provider is which servers you're connecting to. Instead you're showing that info to a VPN company whose main business practice is scaring people into buying a product they probably don't need. Think about who you would trust more.
The provider and national TLAs will see all traffic that is in cleartext and meta traffic which is even more valuable. It can also actively tamper with that traffic. So you're technically incorrect and you assume your threat model is universal. It's not. And, of course, there are use cases for Tor, whether with or without VPN.
While my threat model is not universal, it comes close, at least for the average user which OP seems to be from their question. In practice, there is very little unencrypted traffic these days and in the case of that traffic you will have to ask yourself if your (commercial) VPN provider is more trustworthy than your ISP.
If you need to ask if you need a VPN there's a 99% chance that you don't. There are certainly a few use cases for both commercial VPNs and TOR (see my other comment) but to even be aware that those apply to you, you probably already have enough technical knowledge to approach the question from the direction "I want to do XYZ, how can I be more secure?" and not "I've heard of VPNs, do I need one?"
My national government has no business knowing which protocols I use to contact which endpoints and tamper with that traffic. Wrapping up that information in a tunnel is a good first protection layer.
If you're using a commercial VPN from a provider who can legally operate in your country, your national government can just as easily get that information from them as from your ISP.
Correct. But that's no reason to make it easy for them. Burglars can break my windows and climb through and steal my stuff. I'm still going to lock my doors
How would a national government (not TLAs) target particular individuals in a large number of users and what information can they gather given e.g. https://mullvad.net/en/help/no-logging-data-policy ? So perhaps not quite as easily as ordering a tap.
Even though most data traffic is encrypted who you're talking to is not encrypted.
So a third party can observe, who you're talking to, how much data you're sending to them, how frequently you talk to them....
The classic example is if you start visiting a suicide prevention website, even though they don't know the content that you're being served, they can guess oh you're having mental issues. We should revoke your security clearance... Etc
It’s not just all about encrypting traffic. Many people connect to the internet over a static IP most of the time from their home network. A VPN provides protection against tracking in this case.
Your replies all make a very big assumption that the only connections being made, by people who are advocating VPNs, are over https (or possibly ssh) and thus VPN isn’t necessary. There exists more services than that some of which aren’t end-to-end encrypted (many messaging apps, for example).
Also, I agree that at the end of the day, a user is trusting someone not to snoop. But given that ISPs have been proven to snoop (for various reasons), I personally will put my trust in a VPN provider that I have researched and one that has shown a considerable resilience against outside forces. Mullvad comes to mind here.
Yes, a VPN is probably overkill if all the user is doing is using a web browser, nowadays. But it is useful beyond just setting up a tunnel for access.
Although it is possible that some messaging apps send completely unencrypted messages, most (reputable) non-E2E apps are probably still using HTTPS. It just means that when the message arrives at the messaging app's servers, they can decrypt the message and store it in plaintext.
Some other possible unencrypted services people use today… email over non-SSL (which still does exist). Bittorrent. Non-SSL NNTP, which is also still supported. And DNS.
Of course much of that has options of securing, but the point is that a VPN shifts the trust of them not being secure over to an entity that may be more trustworthy.
And sometimes that becomes the path of least resistance for people.
I use a VPN for access to my house (inbound), but also to prevent my ISP from ever snooping on anything for certain services (inbound and outbound) — content, headers, metadata of any kind. I trust Mullvad right now much more than I trust my ISP.
Not everyone’s use case is the same. But that doesn’t mean it is somehow invalid as some posts here have alluded to. Though, I do agree with some posts here that the commercialization of VPNs is playing on people’s possibly-unfounded fear (NordVPN and the like, putting ads seemingly everywhere acting like everyone is watching).
Wouldn't the lan level be the most important part to protect when accessing http website? How likely are your connections to be hijacked once you are outside of your VPN tunnel?
I don’t know how likely that is. But I was a bit too quick in my judgement, on public networks a VPN does ass significant protection to HTTP connections. Not really on home networks, mobile networks or well-secured public/office networks though.
I honestly don’t know how much risk your data is at after leaving the tunnel. Luckily most things are HTTPS now.