3

Choosing an off-the-shelf VPN service, is it safe to access my Gmail, Paypal, ... accounts?

The accounts are accessed via https, but I don't know if with a VPN there is one secure channel between my computer and the https server, or two, i.e. [me] <-> [vpn server] <-> [https server]

If it is the latter case, could the VPN admin see unencrypted traffic between me and https server?

Majid Fouladpour

4 Answers

2

HTTPS connections can only really be validly done between the client and the HTTPS server.

If the VPN admin was able to decrypt the traffic, they would have to have a valid SSL certificate purporting to be from the server's domain, with a private key that is valid for the certificate. This shouldn't be possible as long as the root certificate authorities enabled in your browser are safe. To be sure of this, keep your browser up to date.

If a man-in-the-middle was to do the latter method you mention without this, your browser would complain of an invalid certificate.

Andy
  • Well explained and wrong, if the VPN admin had "a valid SSL certificate purporting to be from the server's domain" they would not be able to decrypt data - they would need the actual and full SSL certificate the remote HTTPS server is using - and I doubt very much that any VPN admin is going to get their hands on that for gmail/paypal et al – MrEyes Dec 19 '10 at 00:33
  • oops, I meant the certificate and key, editing it now – Andy Dec 19 '10 at 09:31
  • They might not get the HTTPS server's private key, but if a disreputable root CA was to allow someone to create an SSL certificate with the paypal domain, they could man-in-the-middle. The likeliness of this is remote though. – Andy Dec 19 '10 at 09:36
1

When using HTTPS/TLS/SSL, site traffic is encrypted between your browser (or the application initiating the connection) and the web server that is serving pages to you. This means that if any intermediary attempts to "listen" to your requests/responses, all they will see is encrypted traffic.

This encryption model is the same regardless of whether you are using a VPN or a standard internet connection.

MrEyes
0

The only secure option would be to use a real VPN. One of the better ones that works on every operating system is OpenVPN. I have been using Road Warrior VPN as my VPN provider for the last couple of years. The reason I say to use a real VPN like OpenVPN is because it is not possible to have someone do a Man-in-the-middle attack on you.

Shawn
0

Like the others have said this is going to typically be secure. But I'll throw this out there just for completeness as no one else mentioned this.

If the VPN service in question also requires a proxy then it is possible that the proxy uses a trusted SSL certificate to insert itself in the middle of this communication. But it would require that your computer trusts the proxy's CA (certificate authority). This would require that you install the VPN service's proxy's CA cert into your browser. This could also be done using a Group Policy in a Windows Domain. So, assuming you're talking about a 3rd party service, as setting it up doesn't involve a step of trusting a CA either in your browser or in your OS's CA keyring, then your traffic is safe. Keep in mind that there are some legit reasons to do this, as it is typically done so the data stream can be scanned by the intrusion prevention and anti-virus/malware engines.

But the HTTPS request in such a situation would look like this:

[me]<->[vpn server]<---->[proxy]<-->[website]   
                     |            |  
      proxy spoofed ssl cert   website ssl cert

So everything between [me] and [proxy] is secured using a spoofed certificate signed by the proxy's trusted CA, and everything between the [proxy] and the website is using the original website's certificate. So there's an opportunity in this case to access the data on the proxy unencrypted.

3dinfluence
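One client-side way to notice the re-signed-certificate case described in this answer: a certificate that the OS accepts but whose issuer is not the CA you expect for that site. This is an added example, not code from the answer; the two sample certificates, the "Example Public CA" / "Corp VPN Proxy" names and the expected-issuer table are constructed assumptions.

```python
import socket
import ssl
import sys

def rdns_to_dict(rdns):
    """Flatten getpeercert()'s ((('key', 'value'),), ...) name layout into a dict."""
    return {k: v for rdn in rdns for k, v in rdn}

def dns_name_matches(hostname, pattern):
    """Exact match, or a single left-most wildcard label such as *.example.com."""
    host, pat = hostname.lower(), pattern.lower()
    if pat.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pat[2:]
    return host == pat

def classify_peercert(peercert, hostname, expected_issuer_orgs):
    """Classify a leaf certificate the TLS stack already validated.
    'unexpected-issuer' is what a locally trusted interception CA looks like."""
    sans = [v for t, v in peercert.get("subjectAltName", ()) if t == "DNS"]
    if not any(dns_name_matches(hostname, s) for s in sans):
        return "name-mismatch"
    issuer_org = rdns_to_dict(peercert.get("issuer", ())).get("organizationName", "")
    if issuer_org not in expected_issuer_orgs:
        return "unexpected-issuer"
    return "ok"

# Constructed samples in ssl.getpeercert() layout; not taken from any real certificate.
GENUINE = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example Public CA R3"),)),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}
PROXY_RESIGNED = {  # same name, but signed by the proxy's own (locally installed) CA
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Corp VPN Proxy"),), (("commonName", "Corp VPN Proxy CA"),)),
    "subjectAltName": (("DNS", "mail.example.com"),),
}
EXPECTED = {"mail.example.com": {"Example Public CA"}}  # assumed per-site issuer allowlist

def fetch_peercert(hostname, port=443):
    """Live check with the default (OS) trust store; returns the decoded leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("proxy-resigned", PROXY_RESIGNED)):
        print(label, "->", classify_peercert(cert, "mail.example.com", EXPECTED["mail.example.com"]))
    if len(sys.argv) > 1:  # optional live check: python check.py some.host.example
        host = sys.argv[1]
        print(host, "->", classify_peercert(fetch_peercert(host), host, EXPECTED.get(host, set())))
```

The offline samples print "ok" for the genuine certificate and "unexpected-issuer" for the proxy-resigned one; the live path only tells you something if you have recorded the issuer you normally see for that site.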