But a cybersecurity expert does. That's the point. If you know those things, VPNs become obsolete, for most people. So why not teach people about it, instead of promoting VPNs?
And can you really trust an extremely profit focused company, that is built on user data, more than your local Café? If you're in China, sure, use a VPN, they're the lesser evil. But most spots don't have the resources or expertise to analyze and sell or otherwise misuse your logs. VPN companies not only do, most rely on it.
If you're a highly targeted person, it's another story, but in that case your only hope is Tor or a new identity.
Proton is a non profit.
But Proton Bad? I don't understand. The armchair security nerds on Lemmy want me to hate something.
I agree here. It's clear that some people here really want me to be outraged at SOMEONE, but don't seem to really understand who or why.
Ok then, in the meantime the rest of us will use a fucking VPN? I don't know what "encrypted DNS" means, and I'm 99% sure you're going to respond with either "whaaaaat you don't know something that 99.999% of other people also don't know? Clearly you are too dumb for the internet" or else "oh sure I'd be glad to explain that! It's real simple, see when you have a Rosendin gembal, it befrazzles the gesticulators of your brangles (link to a Wikipedia article on brangles). So you just have to re-delineate the scanditrons to break the tensor lines in your scintrins! You can code a fairly simple app from scratch to do it, and there's a FOSS program someone made to help you identify the cabangs in your computer's lenticles: (link to a GitHub page that is literally just a transcription of an eldritch god screaming in binary)"
VPNs are extremely user friendly and they are happy to explain in layman's terms exactly what they do and how they work. If there's a better way, it's locked behind years of techie knowledge.
And most users don't know what a VPN is. In both cases, they're not gonna learn anything about it. Except you need to pay for a VPN, after figuring out which one is kinda trustworthy instead of snakeoil, while encrypted DNS is a simple setting on any OS. Nothing more. You don't need whole articles to explain what your product does and why you respect privacy and blah, while not saying a single word that's true. It's a simple setting. VPNs are not only user friendly, they're a full ripoff for most people and snakeoil. They don't explain what they do in "layman's terms", most of them just blatantly lie. Anything for the cash. If you want an explanation of encrypted DNS:
A DNS is kind of like your GPS. It translates an address into something more usable, e.g. like your GPS translates '123 Baker Street, Washington' into coordinates, so you can use it on a map, for example. A DNS does the same, but for the internet: It translates "google.de" into a format that is actually readable and usable to the computer. However, to translate "google.de" you need to reach out to someone else, that knows the address. The thing is, if someone just pretends to give the right answer, but in fact gives you their own address, you may end up at the wrong website, or in the GPS example, at the wrong house. So instead of visiting your actual bank's website, you're going to visit someone else's website, which looks basically the same, except once you log into your bank account the attacker can read that and steal all your money. In the GPS example, you would now be at the slaughterhouse instead of Disneyland. An encrypted DNS just means that you specify exactly whom you will trust, for example Google, and that you want your communication with Google to be encrypted, so no one can even read which website you want to visit.
If someone doesn't understand this, they wouldn't understand what a VPN is, even broken down to bare concepts. So for those people: It makes you safe just trust me just set this setting, no app, no account, no money required. Because that's the level a typical VPN company argues on.
It seems like your whole threat model is avoiding DNS poisoning, which is fine, but I fail to see how you can compare using DoH/DoT to a VPN.
Except for the DNS provider (in your example, Google, so... yikes), the operator of the network you're on (since the destination IP can be rDNS'd or WHOIS'd, or simply grabbed from the Host header if your browser still tries HTTP first). Any traffic that is not encrypted will be snoopable. Traffic volume and connection times to each destination can be analyzed.
By contrast, a VPN will also use secure (if you trust the provider ofc) DNS servers for your requests, plus making all of the traffic completely opaque except for "going to this server".
You can also make your own, free VPN service with a little technical knowledge.
VPNs are 95% about privacy, not security. So all encrypted DNS does is security? What I want from a VPN is fewer companies accurately spying on me.
Encrypted DNS doesn't solve everything. Handshake for TLS sessions is still in clear, you can usually see the SNI, and since we are talking about Wireless, usually this data is available to anybody who is in the vicinity, not just the network owner. This already means that you can see what sites someone is visiting, more or less. TLS 1.3 can mitigate some of this (for those who implement ESNI, but you don't know that beforehand). Also TLS works until the user is not accepting invalid certificate prompts (HSTS doesn't work for everything) and there are still tons of HTTP-based redirects (check mailing newsletters and see how many first send you to an HTTP site, for example) that can be used for MiTM attacks.
A VPN moves the trust to a single provider that you can choose, which is much better than trusting every single WiFi network you can attach to and the people connected to it, I would say.
Also if you pay for the VPN (I pay Proton), it's not true that the company business is based on user data, they are based on subscriptions.
Most spots also don't have the resources or expertise to secure their own spot. As I remember, cheap routers used in public places may contain a lot of vulnerabilities.
Will it help me if I'm using LibreTorrent to download piracy content on my phone? Or how it would help me to hide my location from mobile apps that extract location from IP?
No. That's a whole different use case. We're discussing what most people in a public network should do. Some people, such as whistleblowers, journalists etc. maybe should use a VPN. For your grandparents, it would be pure snake oil. And even as such an endangered person, choosing the wrong, so almost all, VPNs would be even more dangerous.
For your problems, a VPN could be useful, even though for the former I would use the usenet or soap2day-like sites, which do not have you seed that content. If you still want to share it, then use a VPN. ONLY for the torrent process, not for anything else, as that would still be bad for privacy and security, as the VPN company could, and most WILL, surveil and log you. And for the latter problem, don't use such apps except in closed environments or without internet access.
While that is a right answer, I do not want to avoid such apps because I need them. I need my mobile bank app, I need google camera, sometimes I need Google maps, etc. For me using VPN to hide my real IP from greedy apps and to hide DNS requests from the cracked public WiFi is still a good tradeoff between security, privacy and my own user experience.
If it works for you, and you found a VPN provider you can trust, or at least have the feeling of that, great! That is one of the very rare use cases where VPNs are not only useful, but actually have a purpose.
On a broader scale, most people won't find a trustworthy VPN, and would use it for way more than they need to, essentially giving all data to the VPN company now, instead of just to the local Café or google.
And for the bank app, there is no replacement. Google's camera can be replaced by OpenCamera, or just disallowed to access the internet, and google maps can almost perfectly be replaced by organic maps
I have Pixel with GrapheneOS and I tried most of FOSS camera apps, but all of them are still far behind the GCam. I hope one day there will be a good replacement, but not today.
I'm using Organic / OsmAnd for most of use cases and daily navigation. But if you need to find a specific office, shop, food or ATM nearby you still need GMap from time to time...
Doesn't Graphene not support Gapps at all?
It supports via GMS sandbox. So, I can install google camera, maps, bank app, insta360 app, an app for my bike computer, etc. But in that case I prefer to use Proton VPN that hides my real IP from all these apps and also block some tracker endpoints.
Not all Google apps require Play services btw. And many work without internet access.
Lmao, we're not worried about the cafe. We're worried about the man in the middle. And yeah with enough tech knowledge you can set up an encrypted tunnel home and use your normal connection from there. But most people aren't that tech savvy
If you're not relatively tech savvy, a typical VPN IS the man in the middle. That's the problem. A VPN, in itself, is very good. But as you said, non-tech savvy users won't be able to set up a VPN themselves, so they need to trust a company to route all their traffic, be their DNS server, not log anything, not be hacked and not give any data to current or future totalitarian governments. Not even I could recommend any VPN company that fulfills enough points there, especially the security related ones.
For the average person, data sales aren't the worry. Heck their phone is already recording everything. The worry is straight up criminal enterprise, like keylogging bank passwords. If the VPN company is doing stuff like that then they're going to eat a RICO charge. Most people really don't care that their data gets sold.
And then just setting a private DNS and checking "the little lock at your address bar" fully prevents any digital sniffing of your credentials. No VPN needed.
People can't learn not to throw trash in the street, climate change that is backed by decades of science is a problem, or hell, they can't even learn to effectively not click on super suspicious phishing links.
How on earth are they going to learn about implementing encrypted DNS when most barely know the difference between a browser and a computer.
99.9% of people don't throw trash in the street.
At least in most countries.
Lol look at statistics of smokers. Waaay more than 0.01% of people in any given country and 90% of smokers throw cigarette butts on the ground. That is just that one example.
If you have ever traveled to the southern US, oof.
Then they won't know what a VPN is either.
I've never really understood that argument. Most VPN software I've seen forces your DNS through the VPN as well which would bypass a public Wi-Fi's attempt to DNS poison.
I use a VPN anytime I'm not on my home network just because it's a super easy way for me to force my DNS to my own custom DNS with Adblock listing on the machine that's running the VPN endpoint.
It's wireguard, and it connects to a direct IP address. If someone tries to redirect or otherwise man in the middle of the connection wireguard will simply fail to establish a connection. Thanks to the fact that it uses a similar idea to pgp where the client and server already have each other's public keys and there's not really an unencrypted initial handshake even the initial talking has a form of encrypted communication thanks to the key pairings.
So like, my vpn is definitely providing security. Whether or not every random ass VPN you can buy is smart enough to force all DNS over the VPN or anything else I guess I can't say for sure maybe it's not common and that's why but it definitely can be used to help automate some security measures when using a public network.