VPNs do have some legitimate uses. Encrypting traffic over malicious networks (e.g. your average airport wifi) is probably the most common one for the average legal user. Getting an IP address in a given country is another sometimes legal use.
I honestly don't know if you can do this with your average commercial vpn, but the technology is also good for many things like setting up virtual networks (hence the name) so you can do things like access your home computer from anywhere without exposing it to the internet.
Just how insecure is airport WiFi these days with SSL and HSTS? I don't normally worry about it, and suspect people who still counsel against it of lazy FUD.
I'd notice pretty quickly if someone was MITMing all of my traffic. I guess they could MITM a third-party Javascript site that wasn't being served with HSTS. Normally that would just give them all the information I already give to Google or Facebook and the hundred other shitbags that run JS on the sites I browse, but if they got really lucky they could pretend to be some third-party payment provider that didn't use HSTS or I hadn't used before.
Personally I don't worry about it, but I wouldn't blame other people for doing so.
A browser is a very complex tech stack and it wouldn't surprise me in the slightest if there were vulnerabilities exploitable with a MITM. An airport would be a natural place to try and attack computers, lots of people with lots of money many of whom are doing things like moving that money around and many of whom won't think twice about connecting to an unsecured public hotspot.
There's also all the other apps on your computer, how frequently do you think electron-app-foo-bar updates it's chrome version and what are the chances it's using one outdated enough that there are known openssl vulnerabilities against it?
I don't think third party non-HSTS traffic is that much of a concern these days, both firefox and chrome block http traffic from https pages by default.
I’d be more concerned about other stuff, which a vpn doesn’t solve. Look up SMB relay attacks, netbios, and Responder. An average win10 laptop will disclose creds to anyone
I don't know of any company that would be using a public VPN service for anything related to work. Typically "work VPNs" are running on systems that the employer controls, set up by someone employed by the company, and meant solely for employees to connect to - there is no reason any company would want or need to use a public VPN provider for their corporate network VPN. It just doesn't make any sense to me why you would suggest it.
I do the same, but again using remote AWS (free) servers. Which is funny sometimes, I realize that some website are suddenly in german because I am using my Berlin server, instead of my US one.
