2

When I am on "public networks" that I don't trust much (for instance in my school) I use a VPN to ensure my privacy.
From what I understand, any non-HTTPS connection could be read by the VPN company, but are other secured services still secure? For instance, would logging in to PayPal or my iCloud account still be secure (unreadable by the VPN company) as long as I have a certified HTTPS connection to those services/websites?

Thank you.

EDIT: By the way, from what I understand, any man-in-the-middle attack would be impossible to do if the connection is signed by a trusted certificate authority, but I am still wondering if I could have missed something.

Pop Flamingo

2 Answers

3

Yes, an HTTPS connection (TLS/SSL) will be secure against snooping by your VPN provider, although they will know the IP address of the website you're connected to, so they will be able to run reverse DNS and likely at least figure out what domain you went to.

Daisetsu
  • OK, thank you! I was mainly concerned about having my password stolen, but it's okay then! – Pop Flamingo Apr 24 '16 at 07:48
  • This answer is mostly right but you can find some exceptions here: https://security.stackexchange.com/questions/77241/are-vpns-vulnerable-to-active-man-in-the-middle-attacks - I've removed my previous answer since I was mistakenly thinking about Proxy servers. That said, do not use a proxy service assuming you will have the same protections as a VPN. They are not the same thing. – Nosajimiki Nov 21 '18 at 22:42
  • @Nosajimiki The answer you reference is about setting up an encrypted connection between the client and the VPN server, this question is about whether the VPN can snoop on an encrypted connection and a website when the traffic goes through the VPN. These topics are entirely separate. – AndrolGenhald Nov 22 '18 at 00:30
3

The contents of HTTPS connections are protected from non-trusted networks. Using CA signed certificates is a strong mitigation against MITM attacks which would compromise your password on a non-trusted network.

From a more holistic perspective it might not be safe to treat a VPN provider as merely a non-trusted IP network if they give you client software (or app) to install for making a connection. This software could easily install a new trusted root CA on your device to snoop https traffic. It could also install a keystroke logger, or anything else.

Not considering the client software would definitely be a missed thing. If the provider uses a standard VPN protocol for which your device already has client software, or you can download the client software from a trusted third party, then your https connections would be secure from the VPN. Installing a program they provide... you better trust them fully.

(Even if you fully trust the VPN provider, https is still important because it protects your info after it exits the VPN to the full internet)

trognanders
  • Use an official release of the OpenVPN client to avoid these risks. – Sterling Beason Nov 22 '18 at 00:51
  • Thank you! That's indeed something important to take into account! I recently discovered that iOS has a security feature enabling an app to only accept its own certificates, making it impossible to override these settings even with configuration profiles. I guess this is the sort of mechanism that provides good security against the sort of risks you are describing! – Pop Flamingo Nov 23 '18 at 00:27
  • @TrevörAnneDenise Privacy is pretty strict in iOS, and it definitely runs a pretty tight ship about trusting third party certificates. My understanding is that you must specifically opt in for each one through the settings app. There is definitely a spectrum though, with other platforms allowing new certificates to be added with innocuous sudo-s or UAC authorizations. Using a built-in VPN or an official build of OpenVPN is definitely safer; remember there are *"jailbroken"* iPhones. – trognanders Nov 23 '18 at 05:54
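
The risk raised in the second answer (client software adding a trusted root CA) can be checked by comparing the trust store before and after installing the client. This is an added example, not part of the original answers; the function names and sample data are constructed for illustration, and it assumes the trust store can be exported as a PEM bundle (for example `/etc/ssl/certs/ca-certificates.crt` on Debian-based systems).

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def fingerprints(pem_bundle: str) -> dict:
    """Map the SHA-256 fingerprint of each certificate's DER bytes to its PEM text."""
    found = {}
    for match in PEM_RE.finditer(pem_bundle):
        der = base64.b64decode("".join(match.group(1).split()))
        found[hashlib.sha256(der).hexdigest()] = match.group(0)
    return found

def diff_trust_store(baseline_pem: str, current_pem: str) -> dict:
    """Return fingerprints added to or removed from the store since the baseline."""
    before, after = fingerprints(baseline_pem), fingerprints(current_pem)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }

def _pem(der: bytes) -> str:
    """Wrap bytes in PEM armor (helper for the constructed sample data)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder bytes standing in for DER certificates.
ROOT_A = _pem(b"constructed-root-A" * 8)
ROOT_B = _pem(b"constructed-root-B" * 8)
INJECTED = _pem(b"constructed-root-added-by-client" * 8)

BASELINE = ROOT_A + ROOT_B            # snapshot taken before installing the client
CURRENT = ROOT_B + INJECTED + ROOT_A  # snapshot taken after; order has changed

if __name__ == "__main__":
    report = diff_trust_store(BASELINE, CURRENT)
    for fp in report["added"]:
        print("new trusted root since baseline:", fp)
    for fp in report["removed"]:
        print("root removed since baseline:", fp)
```

The comparison only covers the store that was exported; applications that keep their own trust store, such as Firefox, need a separate check.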