
I've never used these VPN services before. Is it possible for them to MITM a connection?



Yes, they can install certificates that enable MitM.

That's one reason why I never use custom clients for VPN services. That is, no binaries.

I just get the OpenVPN PKI stuff, and use stock OpenVPN.


> Yes, they can install certificates that enable MitM.

Well, only if you give them permission to. Just use a non-provider specific client and you're okay.


I don't use them, so I don't know whether they'd ask specifically about the TLS cert. It might just be something about "web security" or whatever.

And about using stock clients, that's what I said :)

From openvpn.net or in Linux distros or in pfSense, for example.


Not if it is an encrypted connection and you are using a third party client, no. PIA supports OpenVPN and IPsec (IKEv2, iirc), for which most operating systems already have either native or popular trusted and secure clients.


Sorry, I must be missing something obvious so please let me know, but VPNs are literally MITM: they terminate your encrypted connection with the client and establish a new connection with the outside world from their end. So it doesn't matter if the client is trusted, they can do whatever with the data before relaying it to the outside and before encrypting and sending back to the client.


> VPNs are literally MITM: they terminate your encrypted connection with the client and establish a new connection with the outside world from their end

I think you misunderstand how VPNs work.

They tunnel, not terminate traffic. It is effectively a NAT service, with extra steps.

Take the scenario of a TLS connection to www.example.com:443 [1.2.3.4:443]

Connection A: Direct to the internet through my ISP.

I'll make an outbound connection to 1.2.3.4:443, and the IP that the remote sees will be the public IP that my ISP has assigned me. All traffic on that TLS connection is encrypted and my ISP can't view the content.

Connection B: Using a VPN Service

I'll make an outbound connection to 1.2.3.4:443, and the IP that the remote sees will be the public IP that my VPN Service has assigned me. All traffic on that TLS connection is encrypted and neither my ISP nor the VPN provider can view the content.

In both scenarios, the TLS Connection is direct to 1.2.3.4:443, and my client will and should verify that the presented certificate is for cn=www.example.com (or a SAN with that cn), and signed by one of the Root CAs that my computer/software trusts.
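The name check the post above describes (the presented certificate must be for www.example.com, via a SAN entry or, for legacy certificates without a SAN, the CN), as an added example that is not part of the thread: hostname matching over the dict shape Python's `ssl.getpeercert()` returns, with constructed sample certificates. Chain validation against the trusted root CAs is the TLS library's job; this shows only the hostname part, and the sample certs are made up for illustration.

```python
def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern from a certificate against a hostname.

    A single '*' is accepted only as the entire leftmost label and only
    matches exactly one label, so '*.example.com' matches 'www.example.com'
    but not 'example.com', 'a.b.example.com' or anything under '*.com'.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole first label, appear nowhere else, and
    # must not cover a public-suffix-sized name such as '*.com'.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Return True if `cert` (shaped like ssl.getpeercert()) is for `hostname`.

    When a subjectAltName is present, only its DNS entries count; the
    subject commonName is consulted solely for legacy certs with no SAN.
    """
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return any(_dns_match(name, hostname) for name in san)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in cns)


# Constructed sample: what a client should see from www.example.com.
EXAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Constructed sample: CN claims www.example.com but the SAN names another
# host; a correct client must reject this for www.example.com.
MISMATCHED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}

# Constructed sample: legacy cert with no SAN, so the CN is used.
LEGACY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}
```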


Thank you, I wrote "with the client", but I meant "with the server". Your description cleared some misunderstandings I had.


What about an unencrypted HTTP connection, or any unencrypted connection whatsoever?

Couldn't those be MiTM'd?


Yes. But whoever is in the path of your connection to the server you're talking to can man in the middle you.

It's your fault if you're trusting an unencrypted connection.


Yes, just like your current ISP can without VPN.


Certainly, but the thread is about encrypted connections.


What you are describing is a proxy server and not a VPN.


> but VPNs are literally MITM

I don't tunnel 0/0 to them. You don't have to either. I only tunnel my BitTorrent traffic through them [...].



