OP - welcome. Sorry, wasn't trying to be offensive. Was pointing out that your requirement was about protecting yourself when connecting to high risk networks. This is a nuanced area filled with fear, uncertainty, and doubt (FUD). It's tricky even for smart, technical people who know enough to be dangerous - think WEP designed by Engineers, not cryptographers.
SoontobeXProgrammer is correct, but I was referring to the Black Hat security conference. I should have mentioned DEFCON - the two are usually hosted in Las Vegas back to back weeks. You'd be well advised to not connect to wifi in that crowd.
"Security" traditionally referred to properties of: confidentiality, integrity, and availability (CIA) and has grown to Authentication, Authorization, and Accounting (AAA) in Cisco-land. To me, the implied topic of your question was asking to address integrity - not getting malware on your phone/computer, and integrity + confidentiality for your web traffic so snoopers can't see your business, get your password, hijack/use your account, etc. Privacy overlaps the above, but is a bit different - somewhat "up and coming" as far as I can tell.
Hawkeye correctly points out that "https" - really, I think we're talking about TLS 1.3, which provides end-to-end secure connections indicated by the browser "green lock", has a number of strong security features to mitigate previous types of network based attacks. I'm surprised he didn't bring up "perfect forward secrecy" and "ephemeral keys" as well to prevent "replay attacks" (re-transmitting old communication) and for cases where cryptographic keys are compromised in the future for recorded traffic.
There are different VPN protocols, but conceptually they work similarly to a TLS/https "secure tunnel". The main difference is that the VPN is usually configured to pass (encapsulate) all your traffic, whereas the secure tunnel is between endpoints, such as you and your bank. Both have their uses. Hawkeye correctly points out that VPNs often get incorrectly thrown where not applicable (e.g. secure connection into an insecure network) - this is frustrating and often hard to communicate (as you may have noticed).
To your privacy question. This gets extremely nuanced, especially if you are concerned about being tracked by resourced organizations such as nation states, governments, or folks with money. The "Ad Tech" industry (including social media) developed to monetize this. It's pretty creepy if you look into it. Basically aggregation of tracking data with databases. You don't need to know what data is being passed for tracking (payload, often encrypted). Flow data is usually sufficient (who you're talking to, when, where, for how long). VPNs used as we're discussing flow all your traffic through them. So your ISP only sees the VPN, but the VPN provider gets all the traffic before routing it. They can't see "inside" the https communication, but they get more than enough for tracking purposes. This is why you might be suspicious of "free" VPN services. You are the product. Combine this with cookies, profiles, tracking accounts, and other data - including what sites might track, browser plugins, etc, and you get a pretty complete picture of what's going on. Add smart phones to the mix and you might get: accurate location data, call and text records, purchase history, etc, etc. Privacy browsers (like Brave) attempt to mitigate adware running on sites, clean cookies, separate things, etc.
You might also be suspicious of Kaspersky, Norton/Symantec, etc. While they provide endpoint protection, they also act as enormous sensor networks that report back to the mother ship. You're trading off who you trust. For most people, they probably provide a significant net positive in malware protection. However, consider that they get good, widespread information that could be monetized. There are huge secondary markets for that sort of thing.
I could put the "tin foil hat" on and go much farther...but hopefully you get the idea.
bhwabeck3533 wrote: ↑Tue Jun 15, 2021 6:42 am
I'm back. I'm the OP.
> I am a retired 65 year old male with an engineering degree and possess decent technical capabilities (from an IT perspective)
> My devices to be protected are my Lenovo Yoga 730 laptop running Windows 10 with Kaspersky security software and Samsung (Android) smartphone
> I always employ a Verizon hotspot while traveling to access the internet (Chrome is my primary browser, Firefox is secondary)
> My school of hard knocks includes getting hacked at a Starbucks in Lafayette, LA three years ago... an experience I intend to avoid in the future
> Had to Google "https"....Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet
I've enjoyed the banter between Shorty, Gadget, and Hawkeye (and others)... thanks, my knowledge has multiplied through your thoughtful contributions to this thread. Interestingly, I am in the same position I was at the time of the original/initial post (OIP). I was not aware the "hotspot" option which I have employed was going to be endorsed by the experts. I'd like to understand more about the "privacy" vs "security" implications of browsing the internet both from home or away from one's "secure ISP-provided portal".
PS....What is "Black Hat"?