And does that change whether using a VPN or not? With VPN I’d assume it’s the same.
Secure against whom?
If it’s from a random thief, both are about equally secure, they rely on proven cryptographic methods.
If it’s from somebody powerful enough to make an ISP bend the knee, then they are equally insecure because those cryptographic methods assume you trust the underlying infrastructure. If you do not though, then yes using a VPN will help as you are adding your own level of encryption on top.
About the same.
Mobile networks have their own security problems that wifi doesn’t, but wifi has security problems that mobile networks don’t.
Using a VPN does help secure your “last mile” connection but then you need to trust the VPN provider.
At the end of the day Ken Thompson’s lecture Reflections on Trusting Trust applies.
Decrypting the 4g/5g network will require a key from the telecommunications company. I argue it’s insignificantly less secure because a malicious actor can intercept it and decrypt it if they manage to steal the key from the company.
Practically, only your government would be able to get a copy of the key. But they’d also be able to watch your actual cable internet as well. And when your government gets interested in you then you fucked all the way up.
But wouldn’t a VPN be encrypting my cable internet traffic? (Same for VPN on the phone)
Using a VPN makes the original question redundant. The VPN would have everything super encrypted for either home wifi or home 4g/5g. Your question transforms into “can I trust this VPN company”.
That depends where your VPN is.
Say you access a VPN located overseas from your phone while on mobile data. Then your traffic is encrypted and your mobile data provider (for your phone) should only see traffic to one IP address.
Say you access the same VPN while at home connected to wifi or Ethernet on a PC (or on your phone), then your ISP should only see traffic to the one IP address (that’s located overseas).
Now let’s say you are tech savvy enough to run a Wireguard setup and/or Tailscale setup at home and make your own VPN. Then you access that from work or from overseas with a mobile phone or laptop. All your traffic should now show as connecting to your home’s IP address directly, but keep in mind your home ISP provider then sees you connecting to sites like Google, Facebook, or Lemmy.
But what if I VPN into my home network and redirect that traffic through a provider’s VPN…
It’s going to depend on what types of data you are looking to protect, how you have your wifi configured, what type of sites you are accessing and whom you are willing to trust.
To start with, if you are accessing unencrypted websites (HTTP) at least part of the communications will be in the clear and open to inspection. You can mitigate this somewhat with a VPN. However, this means that you need to implicitly trust the VPN provider with a lot of data. Your communications to the VPN provider would be encrypted, though anyone observing your connection (e.g. your ISP) would be able to see that you are communicating with that VPN provider. And any communications from the VPN provider to/from the unencrypted website would also be in the clear and could be read by someone sniffing the VPN exit node’s traffic (e.g. the ISP used by the VPN exit node). Lastly, the VPN provider would have a very clear view of the traffic and be able to associate it with you.
For encrypted websites (HTTPS), the data portion of the communications will usually be well encrypted and safe from spying (more on this in a sec). However, it may be possible for someone (e.g. your ISP) to snoop on what domains you are visiting. There are two common ways to do this. The first is via DNS requests. Any time you visit a website, your browser will need to translate the domain name to an IP address. This is what DNS does and it is not encrypted by default. Also, unless you have taken steps to avoid it, it is likely your ISP is providing DNS for you. This means that they can just log all your requests, giving them a good view of the domains you are visiting. You can use something like DNS over HTTPS (DoH), which does encrypt DNS requests and goes to specific servers; but, this usually requires extra setup and will work regardless of using your local WiFi or a 5g/4g network. The second way to track HTTPS connections is via a process called Server Name Identification (SNI). In short, when you first connect to a web server your browser needs to tell that server which domain it wants to connect to, so that the server can send back the correct TLS certificate. This is all unencrypted and anyone in between (e.g. your ISP) can simply read that SNI request to know what domains you are connecting to. There are mitigations for this, specifically Encrypted Server Name Identification (ESNI), but that requires the web server to implement it, and it’s not widely used. This is also where a VPN can be useful, as the SNI request is encrypted between your system and the VPN exit node. Though again, it puts a lot of trust in the VPN provider and the VPN provider’s ISP could still see the SNI request as it leaves the VPN network. Though, associating it with you specifically might be hard.
As for the encrypted data of an HTTPS connection, it is generally safe. So, someone might know you are visiting lemmy.ml, but they wouldn’t be able to see what communities you are reading or what you are posting. That is, unless either your device or the server are compromised. This is why mobile device malware is a common attack vector for the State level threat actors. If they have malware on your device, then all the encryption in the world ain’t helping you. There are also some attacks around forcing your browser to use weaker encryption or even the attacker compromising the server’s certificate. Though these are likely in the realm of targeted attacks and unlikely to be used on a mass scale.

So ya, not exactly an ELI5 answer, as there isn’t a simple answer. To try and simplify, if you are visiting encrypted websites (HTTPS) and you don’t mind your mobile carrier knowing what domains you are visiting, and your device isn’t compromised, then mobile data is fine. If you would prefer your home ISP being the one tracking you, then use your home wifi. If you don’t like either of them tracking you, then you’ll need to pick a VPN provider you feel comfortable with knowing what sites you are visiting and use their software on your device. And if your device is compromised, well you’re fucked anyway and it doesn’t matter what network you are using.
Depends on the surface of attack you mean here.
I would argue it is less secure because there’s more potential for signals to be intercepted, and you are only in control of a portion of the network (the other half being in control of your service provider).
When you’re on your own Wi-Fi you’re usually much closer to your access point and in your home where you control the network (which has less range) and the space around it.
Either way the difference is minimal as both can be intercepted and attacked.