VPN Software, any advice?


Post by Vertigo 7 » Mon, 24. Jul 23, 00:06

That's not how SSL works. CAs issue private certificates for websites/hosted applications where the administrators install them. Clients connecting to them are presented with the public key and that's validated against the CA where the private key is used to encrypt the traffic to you and decrypt the traffic from you while the public key is used to encrypt the traffic from you and decrypt the traffic to the service. The private key is never visible to anything other than the service hosting it. These keys are a matched pair and are useless without the other.


The only way someone could decrypt traffic to/from those sites/applications is if they obtain the private key. You can't just call yourself GoDaddy and suddenly have every private key GoDaddy has issued. If someone tries to insert themselves in between you and the resources you're accessing over SSL, if they can't decrypt the traffic and proxy the service you're reaching with the issued private key, your browser will throw all kinds of SSL errors. Even SSL deep packet inspection requires the private key to decrypt traffic without appearing to be a man-in-the-middle attack to your browser.

I'll further add no one can replace the CA certificates you have installed on your machine just by tooling around on the web. While CA certificates can be updated as part of routine patching, there's no VPN service that can override whatever CA certificates are installed on your machine or install ones for you. Even if they were able to, the signature on the certificates they were to install attempting to impersonate a legitimate CA would not match the signature on the issued certificates on whatever service you're trying to access and thus, back to SSL errors and what not.
Last edited by Vertigo 7 on Mon, 24. Jul 23, 00:34, edited 1 time in total.
The Future is Progressive!
rebellionpac.com
Fight white supremacy, fight corporate influence, fight for the rights of all peoples!

Post by fiksal » Mon, 24. Jul 23, 00:33

Can't the browser be made to trust a new authority though?


The link I mentioned put it as:
The problem is, when an additional root certificate is installed by a VPN provider, the certificate can overwrite the encryption and authenticity checks of the service you’re using such as Mozilla Firefox, WhatsApp, as TechRadar reported.

And this can lead to security holes. “When you include a new trusted root certificate on your device, you enable the third-party to gather almost any piece of data transmitted to or from your device,” TechRadar said.
Last edited by fiksal on Mon, 24. Jul 23, 00:37, edited 2 times in total.
Gimli wrote:Let the Orcs come as thick as summer-moths round a candle!

Post by Vertigo 7 » Mon, 24. Jul 23, 00:36

Not directly, no. You can ignore SSL warnings and connect to whatever anyway in some cases, though some of that is now even being locked down tightly depending on the error and won't even let you do that anymore. But the only way that you can install an untrusted certificate takes a bit more effort than just clicking the "connect anyway" button.

fiksal wrote: Mon, 24. Jul 23, 00:33
the link I mentioned put it as:
The problem is, when an additional root certificate is installed by a VPN provider, the certificate can overwrite the encryption and authenticity checks of the service you’re using such as Mozilla Firefox, WhatsApp, as TechRadar reported.

And this can lead to security holes. “When you include a new trusted root certificate on your device, you enable the third-party to gather almost any piece of data transmitted to or from your device,” TechRadar said.

This is very misleading. Putting a root CA cert on your machine doesn't mean they can automagically decrypt every bit of traffic in and out of your machine. CA certificates just establish a trust for certificates that CA issues. And those issued certificates would not be on your machine unless you're hosting some site/service.

Maliciously speaking, if I were to slip a CA cert into your machine, I would set up a fake site to spoof like your bank or something, present you with a valid SSL cert issued by my nawty inc CA on the fake bank site and try to get you to put in your bank creds.

This is basic PKI in a nutshell...

Site/service admin generates a certificate signing request (a lot of CAs do this for you by providing the info needed to generate the request)
The CSR is optionally signed - just to validate the CSR came from a trusted source
The CA processes the CSR to generate a public and a private key pair
Both keys are issued to the site/service admin to install

IF the CA is a well known CA, you already have the CA cert to validate the public key when you connect to the service. If not, your browser will tell you that the certificate chain can't be validated or what not. Your machine NEVER contacts the CA, it's strictly relying on the root CA certificates you have installed. If you obtain the CA certificate and install it, then the error goes away and Bob's your uncle.
Last edited by Vertigo 7 on Mon, 24. Jul 23, 00:47, edited 1 time in total.
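
Added example, not part of the original posts: the point made in the post above, that certificate validation relies on the root CA certificates installed locally, reproduced with the openssl command line. The CA names root-a and root-b, the hostname shop.example.test and the helper function names are made up for the demo.

```shell
#!/bin/sh
# Constructed demo: every CA name, hostname and file below is made up.
set -e
WORK=$(mktemp -d)

# make_ca NAME: create a self-signed root certificate and its key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA HOST: create a key and CSR for HOST, then have CA sign the CSR.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# check_trust STORE CERT: validate CERT against the roots in STORE, a local
# file; no network access and no contact with any CA is involved.
check_trust() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# demo: the same certificate is checked before and after its issuing root
# is added to the local store.
demo() {
  make_ca root-a
  make_ca root-b
  issue_leaf root-b shop.example.test
  cp "$WORK/root-a.pem" "$WORK/store.pem"        # store holds root-a only
  before=$(check_trust "$WORK/store.pem" "$WORK/shop.example.test.pem")
  cat "$WORK/root-b.pem" >> "$WORK/store.pem"    # root-b is now trusted too
  after=$(check_trust "$WORK/store.pem" "$WORK/shop.example.test.pem")
  echo "$before -> $after"
}

demo
```

The certificate is identical in both checks; only the contents of the local store change between them.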

Post by fiksal » Mon, 24. Jul 23, 00:39

So installing a new certificate requires a user action?

Meaning in the examples above, one has to agree when let's say installing a VPN client?

Post by Vertigo 7 » Mon, 24. Jul 23, 00:53

Yes*, you generally cannot install random CA certs without knowing it outside of a business type network. Enterprise networks can push down internal CA certs to their client base without user knowledge but these are the system admins doing this.

*again, routine patching may update your CA stores.

It is possible some applications may want to install a root CA. But even if it's malicious, they're either going to screw up your ability to validate certificates from well known CAs or they're trying to get you to visit a spoofed site to get something out of you.

Post by fiksal » Mon, 24. Jul 23, 15:28

Okay, thanks for the info, it clarifies it.

Post by lionroot » Fri, 22. Sep 23, 18:00

I completely agree with the take on SSL and how CAs function.

Anyway, I would recommend using individual proxies rather than VPNs. A lot of sites already can read the fact that you are using a VPN and restrict your access. Also, VPNs might bounce your connection through multiple servers, potentially slowing things down. With proxies, it feels more direct and responsive.

You can get them from proxys.io. They have the best pricing, and they are stable. Never had any problems.
