
I’d agree with you about HTTPS providing most of the benefit that VPN advertising focuses on if I hadn’t seen repeated direct evidence that even most technical users will blithely click through HTTPS errors’ “accept the risk” bypass. It’s as if knowledgeable users think “sure, this could be a man in the middle attack, but it’s most likely just a benign cert problem, because certs are hard.” Sigh.


To be frank, that's also because the cause for an HTTPS certificate error ranges from "malicious hijack" to "misconfigured server setup" to "I lapsed the expiry date" to "I am using a self-signed certificate".

The degree to which these should be scary is not equivalent, yet browsers will treat all of these as equivalent even though they can distinguish between them in the error page. It just results in click-through fatigue, where technical users just ignore the warning because it's not worthwhile to deal with even when they really should.

Plus a VPN won't protect you from a malicious hijack, it just prevents them from grabbing your IP address.


The reason the browser doesn't differentiate between them is because the end result is the same - the cert doesn't match the browser's trusted store. The battle has been lost on self-signed certs at this point (unless you're an enterprise, at which point bundle them with your image).

The difference between a misconfiguration and a compromise is intention, both should be treated as equally suspicious.


The problems with clicking past those errors are typically not due to network sniffing but with whatever crazy shit is on the page they are going to.

The only two valid use cases of big VPNs like these are

1. Very mild security increase over public wifi

2. Shifting your risk from the ISP spying to mullvad or the VPN provider spying, or slightly anonymizing if mullvad rotates IPs.

(2) is a real benefit because ISPs are pretty terrible, but it's still pretty minor in the grand scheme of most people's threat models.


3. You live in a country where your ISP is legally mandated to record all of your browsing history and make it available to the government.

4. You live in a country where certain websites are blocked because the government doesn’t agree with them, or because those websites don’t want to deal with your country.


Those countries probably block VPN services, especially the popular ones which buy all the ads.


There are some countries that block VPNs but there are also many countries that don't. For example, TPB is blocked in the UK by court order but VPNs work just fine.


Certain Russian news websites are DNS blocked in the EU. I haven't heard of anyone having serious issues using a VPN.


Yeah, I hate my ISP. I am certain they sell every bit of data they can. Ergo, I use a VPN most of the time.


I haven't experienced an HTTPS error on a legitimate site that I would input any personal information into in years.

I couldn't imagine clicking past one of those warnings to login to my bank or even amazon.


>if I hadn’t seen repeated direct evidence that even most technical users will blithely click through HTTPS errors’ “accept the risk” bypass

As far as I recall this is not possible on Chrome if you are MITM'd. If the cert presented doesn't match the cert in the HSTS cache, there is no option to bypass. If the server's cert is expired, then you do indeed see the option, but an expired certificate doesn't necessarily mean danger.
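The comment above turns on whether a host is under an active HSTS policy, since that is what makes a browser's certificate error non-bypassable (RFC 6797 section 12.1). The following is an added illustration, not code from any commenter or from Chrome: a toy HSTS store that parses `Strict-Transport-Security` headers, tracks policy expiry and `includeSubDomains`, and reports whether a certificate error on a given host would offer a bypass. Host names, header values and timestamps are constructed sample data.

```python
"""Toy HSTS policy store (added example; hosts and timestamps are constructed).

Models the parts of RFC 6797 that decide whether a browser may show an
"accept the risk" button on a certificate error: a host with an unexpired
HSTS policy (directly or via includeSubDomains) gets a hard failure.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time in seconds when the policy lapses
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[dict]:
    """Parse an STS header value (RFC 6797 section 6.1).

    Returns None for an invalid header: missing or non-numeric max-age, or a
    directive that appears more than once, which the RFC says must be ignored.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # duplicate directive invalidates the whole header
        directives[name] = raw.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}


class HstsStore:
    """Known-HSTS-host cache keyed by lowercase host name."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header_value: str, now: float,
                over_tls: bool = True) -> None:
        """Record a policy seen in a response.

        RFC 6797 section 8.1: an STS header received over plain HTTP, or over a
        TLS connection that itself had certificate errors, must be ignored,
        otherwise an on-path attacker could plant or clear policies.
        """
        if not over_tls:
            return
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return
        host = host.lower().rstrip(".")
        if parsed["max_age"] == 0:
            self._policies.pop(host, None)   # max-age=0 removes the known host
            return
        self._policies[host] = HstsPolicy(
            expires_at=now + parsed["max_age"],
            include_subdomains=parsed["include_subdomains"],
        )

    def is_hsts_host(self, host: str, now: float) -> bool:
        """True if host, or a superdomain with includeSubDomains, has an
        unexpired policy (RFC 6797 section 8.2/8.3 matching)."""
        host = host.lower().rstrip(".")
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None or policy.expires_at <= now:
                continue            # unknown or lapsed policy; keep walking up
            if i == 0 or policy.include_subdomains:
                return True
        return False


def cert_error_allows_bypass(store: HstsStore, host: str, now: float) -> bool:
    """A browser may offer a click-through only for hosts outside HSTS."""
    return not store.is_hsts_host(host, now)


if __name__ == "__main__":
    store = HstsStore()
    store.observe("bank.example", "max-age=31536000; includeSubDomains", now=1000.0)
    store.observe("shop.example", "max-age=60", now=1000.0)
    for h in ("login.bank.example", "shop.example", "www.shop.example"):
        print(h, "bypassable" if cert_error_allows_bypass(store, h, 1050.0) else "hard fail")
```

The design choice worth noting is that the store is populated only from clean TLS responses and is walked upward through parent labels at check time; a policy learned once with a long `max-age` keeps the error non-bypassable for the whole period, which is why an expired certificate on an HSTS host cannot simply be clicked past.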


It is possible to bypass. Just more difficult.



