Ask HN: How safe is VPN when trying to get around the ISPs?
2 points by erikb on Jan 7, 2011 | hide | past | favorite | 3 comments
After reading this other HN thread (link at the bottom), I wonder how safe it actually is to use a VPN. To make the connection to your trusted VPN server, you also have to trust your ISP for the first information exchange, right? For a country used to handling this kind of situation (like the Chinese government, greetings from China btw), it should be no problem to MITM your VPN connection, or am I wrong?

The other discussion: http://news.ycombinator.com/item?id=2079223



When I'm connecting to the remote end of my VPN, I'm doing so on an encrypted connection, checking the certificate.

If the certificate has a mismatch, then the connection stops, and the VPN doesn't build up. Even if my ISP or government would play MITM, if I know the correct certificate of the other end (and, if all else fails, I can trust the VPN the first time around, and once inside, check the server's certificate locally, where there is no man in the middle, and compare it to what I received during the handshake earlier - if it's not the same, there's someone in between), there's no way they can fake that, to the best of my knowledge.
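The out-of-band check described in the comment above, compare the fingerprint of the certificate seen during the handshake to the one obtained from a trusted source, as an added shell example that is not part of the original thread. It assumes `openssl` is installed; the `vpn.example` name and both certificates are generated locally here as stand-ins for a real server certificate and an attacker's substitute.

```shell
#!/bin/sh
# Added example: pin a VPN server certificate by SHA-256 fingerprint.
# Everything here is constructed locally; vpn.example is a hypothetical name.
WORK=$(mktemp -d)

# Throwaway self-signed certificate standing in for the real server certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example" \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null

# A second certificate with the same name, standing in for one presented by
# someone sitting between the client and the server. Same CN, different key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example" \
  -keyout "$WORK/mitm.key" -out "$WORK/mitm.crt" 2>/dev/null

# fingerprint <pem-file>: print the SHA-256 fingerprint (AB:CD:...) of a certificate.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_pin <pem-file> <expected-fingerprint>:
# returns 0 when the presented certificate matches the pin obtained out of band,
# 1 otherwise (the caller should abort the connection in that case).
check_pin() {
  actual=$(fingerprint "$1")
  if [ "$actual" = "$2" ]; then
    echo "certificate matches pinned fingerprint"
    return 0
  fi
  echo "MISMATCH: expected $2 got $actual" >&2
  return 1
}

# In real use PIN comes from a trusted channel (CD, USB, checked on the server side).
PIN=$(fingerprint "$WORK/server.crt")

check_pin "$WORK/server.crt" "$PIN"          # genuine server: accepted
check_pin "$WORK/mitm.crt" "$PIN" || true    # substitute cert: rejected, same CN notwithstanding
```

Matching on the CN alone would accept the second certificate; only the fingerprint comparison tells the two apart.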


So at least on day one of using the VPN connection - when you download the client and set everything up - you need to trust your connection.


It takes about 10 minutes to download a VPN client (or you could get one on CD or USB drive or whatever, from a trusted source, etc). Depending on the complexity of the VPN, it takes around an hour tops to make it work. And a few minutes to verify its integrity.

If you can obtain the server's certificate from a trusted source, then it takes even less.



