Can VPN providers see passwords you put on HTTPS websites?

Title, it would be great if someone explained to me how data is encrypted between you, a vpn and the destination server when using HTTPS


Think of the Internet as a lake, if you send something on a platform boat from one side to the other, everyone can see what that boat is carrying, that’s unencrypted http.

If you send the same stuff inside trailers on the platform boat, everyone can see the trailers, but not what’s inside them, that’s https.

If you make a submarine tunnel, only those on the ends of the tunnel can see what goes through the tunnel, that’s a VPN. But if you still put what you’re sending inside trailers, even the people who can see the end side of the tunnel, cannot see what’s inside the trailer, that’s a VPN carrying https.

Short answer, no. Long answer, only if you accept untrusted certificates for HTTPS sites that shouldn’t flag up.

No, the vpn provider can only see that data is being sent to a https site but the data is encrypted.

Google what does the S in HTTPS stand for?

yes, there is the possibility. those saying no have not explained anything per the OP’s request.

to put it simply, without a vpn, your traffic goes from your browser to the site directly. you first went through handshakes that exchange keys, and the site’s certificate is presented to you. the browser then verifies it against your system’s trusted certificate storage, and tells you whether the site is authentic or not.

when using vpn, most times it acts as a client. In such a case, your browser packages all the packets previously mentioned with another layer according to the vpn protocol, and sends it to the vpn client first. Then the client sends the packet to the remote vpn server, where the packets are stripped back to the original form, and the remote server connects to the actual site you are visiting. If your password is inside a tls packet (as you stated using https), then the remote server has no way of seeing it because the packets arriving are already tls encrypted.

However, if the vpn client installs any certificate in your system’s trust store, then the vpn client could very well intercept the server’s key in the exchange step and replace it with its own, and your browser would not be able to alert you because it thinks the certificate is authentic when verified against your system. It is called a man in the middle attack. Once you are using the vpn client’s fake key to communicate, it is just plain text in their sight.

The takeaway message is, always use https connections when using a vpn, and never install any certificate of unknown origin onto your system.

That is an awesome explanation.

I have to say that is the best non-technical explanation of this I have ever heard! Well done!

Quick caveat: The people on the end of the tunnel can intercept the encrypted (unseeable) traffic, and if your trailer (computer) is set to allow it they can decrypt (see) the data.

Obviously no reputable VPN provider would do HTTPS decryption, but ultimately you are running their software normally to make the VPN work, so they could slip something in.

I do know what it means, but i dunno much about vpns, i thought maybe it somehow strips the tls ssl encryption between me and the destination server and only encrypts it when it arrives at the vpn’s server

I’m not sure how that would answer OP’s question.

Idk if that works though, you can’t just replace a certificate in a man in the middle attack. The webserver of that website is checking the certificate being used and it’s not going to accept an altered certificate.

what does installing a certificate even look like? a sort of prompt? a windows firewall allow/deny message?

What whut? Do you mean if your computer has been set to trust a fake certificate authority created by the VPN provider? Do you mean their VPN software could insert that CA into your root CA list?

A VPN (which is basically another hop after your computer and your ISP) cannot strip https encryption even if they wanted to. They just add another layer on top of your traffic. And that layer is also encrypted.

But, you just moved the goalpost. Previously, any non encrypted traffic could be intercepted by your ISP. And any metadata such as DNS requests. (If you use the DNS of your ISP)

Now, any non encrypted traffic can be seen by both your ISP and your VPN. And now your VPN can also sniff your metadata.

It encrypts the data anyway

yes, windows will ALWAYS prompt you when it detects a program trying to install a certificate into the trust store. Don’t just click yes without really knowing what it is trying to do.

linux user space program can’t modify the root access files anyway, so it will just fail. Don’t sudo stuff that you don’t know.

Does this count even for Browser Extensions? Given it asks for permission to read all data, my ‘fear’ is that it actually tries to get that data as well, and it would probably be easier for a browser extension to do that, especially if you store data in your browser. (Now I’ll probably hear: Don’t store data in your browser :) )

You and I know that, but the question suggests to me that they don’t have a proper understanding of what that implies, hence why they’re asking for help. It just seems a bit mean spirited to say “google it lol” when they’re asking for help. Particularly so when many VPN providers have advertised themselves somewhat dishonestly, implying that your data is “out in the open” if you aren’t using a VPN, ignoring the fact that most things will be encrypted via HTTPS already. I can understand OP wanting to have their particular query explained to them.

For what it’s worth, being HTTPS doesn’t inherently mean the encryption between you and the destination hasn’t been undermined in some way. For instance, it isn’t inconceivable that a VPN provider’s client software would install a certificate to your computer which would allow them to effectively MITM you. Your browser would still display the green padlock and you wouldn’t be any the wiser unless you checked what certificate is in use by the website.

(Though I’m not aware of this being done by a VPN, and plus at the point you’ve installed any software, you’ve already committed to trusting them. But the principle still applies that “S is for Secure lol” is a somewhat naive response that neither explains anything nor is it fully correct.)
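Added example, not part of any post in this thread: one way to do the check mentioned above (looking at which certificate a site actually presents) is to record the certificate issuer for a host on a network you trust and compare it with what you see through the VPN. The sample observations and the `ExampleVPN` names are constructed, and the function names are this example's own.

```python
import hashlib
import socket
import ssl


def issuer_fields(peercert):
    """Flatten the nested issuer tuples from SSLSocket.getpeercert() into a dict."""
    return {key: value for rdn in peercert.get("issuer", ()) for key, value in rdn}


def fetch_leaf(host, port=443, timeout=5.0):
    """Return (decoded cert dict, SHA-256 of DER) for the leaf the host presents.

    Validation stays on, so behind an intercepting proxy this only succeeds
    when the proxy's root is already in the local trust store.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.getpeercert(), hashlib.sha256(der).hexdigest()


def compare_observations(baseline, current):
    """Compare two (cert dict, fingerprint) observations of the same host."""
    findings = []
    before, after = issuer_fields(baseline[0]), issuer_fields(current[0])
    if before != after:
        # A different signer for the same site is what TLS interception looks like.
        findings.append("issuer changed: %r -> %r" % (
            before.get("organizationName"), after.get("organizationName")))
    elif baseline[1] != current[1]:
        # Same signer, new leaf: usually routine renewal or a different edge server.
        findings.append("same issuer, different leaf (rotation or another edge server)")
    return findings


# Constructed sample observations (not real certificates or fingerprints).
OFF_VPN = ({"issuer": ((("countryName", "US"),),
                       (("organizationName", "Example Public CA"),),
                       (("commonName", "Example Public CA R1"),))}, "aa" * 32)
ON_VPN = ({"issuer": ((("organizationName", "ExampleVPN Client"),),
                      (("commonName", "ExampleVPN Local Root"),))}, "bb" * 32)
ROTATED = (OFF_VPN[0], "cc" * 32)

if __name__ == "__main__":
    print(compare_observations(OFF_VPN, ON_VPN))
    print(compare_observations(OFF_VPN, ROTATED))
```

Python validates against the operating system or OpenSSL trust store, which may not be the store your browser uses, so treat an issuer change as a prompt to inspect the certificate in the browser as well.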

good question, following!