

Of course, if your specific VPN included the installation of some local software, and you have reasons to believe that this software could be ill-intentioned towards you, then all bets are off. This still relies on a proper instantiation crucially, you shall mind the browser warnings, because if you allow your connections to use an unverified server certificate, then security goes down the drain. SSL has been designed to resist an hostile Internet.

To a slight extent, a corrupt VPN would make the task a bit easier for the attacker because, by construction, all your packets will go through the VPN, but this does not change the situation in a qualitative way. The VPN is a "private network": it is protected against the large Internet but if the VPN is itself an evil entity, then you are back to where you began. If you have very sensitive data that you're worried about the best thing would be not to put in on the Internet (or on any Internet-connected machine) even in encrypted form.Ī VPN is no more hostile than the Internet "in general". So you have to decide who you're more worried about - the VPN provider or your ISP/government. Of course, if you don't use a VPN you are subject to a MITM attack from your ISP and, depending on your country's network topography, your government. For example, certificate authority Trustwave (at least) once issued a certificate to a company which allowed that company to perform undetectable man-in-the-middle attacks on any SSL communication going through that company ( ). Most man-in-the-middle attacks can be detected by carefully checking the sites' certificates, but every once in a while there's a new attack that even the most vigilant user won't be able to detect. But since the VPN has access to the SSL/TLS encrypted content it is a position to mount a man-in-the-middle attack. VPNs are not able to decrypt SSL/TLS traffic between the user and sites accessed through the VPN.
