PaulB wrote: I thought most people using VPNs wanted to hide who they are or where they are. (ICBW)
That's the main reason I use it - for accessing iPlayer when I'm outside the UK (!)
Originally VPNs were mostly used in a corporate context to allow people to connect to the servers in the office, when servers talked various insecure protocols. Nowadays, most businesses are using Office 365 over the internet anyway, so VPN business use has become more niche for legacy systems (particularly SCADA, which are often insecure).
VPNs have also developed a role in masking a user's true location - for example bypassing regional controls on content, or less legitimate reasons for hiding your tracks.
It used to be recommended to use VPNs for web-browsing on insecure networks. The use of http (not https), basic pop3/imap (not the encrypted version used nowadays), etc. allowed data in transit to be observed, and in some cases you could 'sniff' session tokens from http parts of Google, that allowed you to access https parts. But as services have implemented end-to-end encryption nowadays I think that's overkill for normal usage.
Banks design websites and apps on the assumption that the network that they'll be used on is insecure. Some of the heuristic techniques they use for fraud checking may get upset by VPNs (particularly if the VPN makes you appear to be outside the UK).
As a public network provider, what can I see if you don't use a VPN to access https sites? Typically I can see DNS look-ups (domain name), and therefore can tell what sites/services you are accessing (just the domain name, not the full URL). I'll then see that a series of https sessions exist from your device to some remote locations. Again I can use this to infer that you're using Gmail, reading the Daily Wail, etc - but I can't see your login details nor what specific web-pages you're accessing, or any content going back and forth. If you access any insecure sites (http), then I can see everything.
If you connect via a VPN, I will probably just see one DNS look-up for the VPN end-point, and then just see one or more VPN tunnels that exist to a remote location. So I don't know if you're reading the Daily Wail or the Guardian.
Ultimately https over VPN is probably more secure than https without - but unless you're doing something particularly sensitive or embarrassing, or being specifically targeted - IMHO https is adequate.
On a final note - routing your web traffic over a VPN doesn't automatically make your laptop any less vulnerable to hacking via the wifi network - i.e. someone else on the same network wants to hack into your device. This depends on a combination of your firewall setting and the VPN client and how it is configured. Both the Windows and Mac built-in VPN clients leave the device exposed to the LAN even when connected to a VPN. So if you're running any services like file sharing, music sharing, SSH, etc. locally, these will still be accessible to others connected to the same LAN. (Unless the LAN has implemented client isolation, which is increasingly common). In this regard Windows tends to be a bit better than Macs in that by default it hides such services from unknown networks, until you explicitly tell it that this is a trusted network (the Private / Public thing it asks you from time to time).
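
The DNS visibility difference described in the post above (domain names visible without a VPN, only the VPN end-point look-up with one), as an added example that is not part of the original post. The domain names, packet bytes and function names are constructed for illustration, and the "with VPN" capture assumes the VPN client sends all later look-ups through the tunnel.

```python
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS A-record query (RFC 1035) as constructed sample data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN

def parse_qname(msg):
    """Return the queried name from a DNS query payload, or None if malformed."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):                # ran off the end: truncated message
            return None
        length = msg[pos]
        if length == 0:                    # root label terminates the name
            break
        if length & 0xC0:                  # compression pointer, not valid here
            return None
        pos += 1
        if pos + length > len(msg):
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)

def observed_domains(udp_payloads):
    """Distinct names a network operator can read from plaintext DNS queries.
    Only the host name is present: no URL path, credentials or page content."""
    names = []
    for payload in udp_payloads:
        name = parse_qname(payload)
        if name and name not in names:
            names.append(name)
    return names

# Constructed captures: port-53 payloads as seen by the access point.
WITHOUT_VPN = [build_query(n) for n in
               ("mail.example.com", "news.example.org", "mail.example.com")]
# Assumption: after the end-point look-up, DNS travels inside the tunnel.
WITH_VPN = [build_query("vpn.example.net")]

if __name__ == "__main__":
    print("no VPN :", observed_domains(WITHOUT_VPN))
    print("VPN    :", observed_domains(WITH_VPN))
```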