HTTPS vs VPN - which is more secure

What does TLS do?

From wikipedia/HTTPS:

The principal motivations for HTTPS are authentication of the accessed website, and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks, and the bidirectional encryption of communications between a client and server protects the communications against eavesdropping and tampering.

So the primary purpose of HTTPS is to protect your personal data.

What does a VPN do?

From wikipedia/VPN:

A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

...

VPN technology was developed to provide access to corporate applications and resources to remote or mobile users, and to branch offices.

...

Internet users may secure their connections with a VPN to circumvent geo-blocking and censorship or to connect to proxy servers to protect personal identity and location to stay anonymous on the Internet.

So the primary purpose of a VPN is to connect to your company's network when you're out of the building. There is a secondary usage of VPNs to protect your anonymity (specifically your IP address) when accessing public websites.


Your questions:

The main kind of attack I am concerned about is having any secure information (such as passwords, bank details, mobile number, etc.) I send to a website being intercepted by a "middle-man". Privacy is not as important an issue (e.g. can people see domains I visit).

You want the thing that HTTPS is good at. You are not interested in the thing that VPNs are good at. Sounds like there's no reason for you to use a VPN :)


This question is based on a wrong premise.

VPNs do NOT protect you end-to-end. A VPN is basically a second encryption layer to wrap your normal traffic in; it is encrypted until the VPN endpoint (or exit node). This will “protect the traffic from being readable” by any intermediate (mainly your ISP). They will see traffic is going from you to the VPN but nothing more.

HTTPS (HTTP with TLS) protects almost all data end-to-end. The data not encrypted are:

  • Source IP
  • Target IP
  • The hostname being connected to (through the SNI extension, which allows for TLS with virtual hosting; as an example, the URL “https://site.example.com/page/1” would have the following in clear text in the header for SNI: “host: site.example.com”)

In order to do a MiTM (man-in-the-middle) attack, you need a certificate that your browser will accept as valid (e.g. issued by an authorized Certificate Authority). This is the same with a VPN.

In short, a VPN only gives a limited form of privacy by having many people using the same (set of) IP addresses (hiding in the crowd). HTTPS is about integrity, authenticity and identity (especially with client-side certificates). In other words, HTTPS ensures the data is not tampered with, is from the original source, and is known from whom it came.
