Ask HN: How safe is VPN when trying to get around the ISPs? - erikb

After reading in this other HN Thread (link on the bottom) I wonder how safe it actually is to use VPN. To make the connection to your trusted VPN Server you also have to trust your ISP for the first information exchange, right? For a country used to handle this kind of situation (like the Chinese government, greetings from China btw) it should be no problem to MITM your VPN connection, or am I wrong?

The other discussion: http://news.ycombinator.com/item?id=2079223
======
madhouse
When I'm connecting to the remote end of my VPN, I'm doing so on an encrypted
connection, checking the certificate.

If the certificate has a mismatch, then the connection stops, and the VPN
doesn't build up. Even if my ISP or government would play MITM, if I know the
correct certificate of the other end (and, if all else fails, I can trust the
VPN the first time around, and once inside, check the server's certificate
locally, where there is no man in the middle, and compare it to what I
received during the handshake earlier - if it's not the same, there's someone
in between), there's no way they can fake that, to the best of my knowledge.
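The check described in the comment above, as an added example that is not part of the thread: the first handshake records the VPN server's certificate fingerprint (trust on first use), a pin obtained from a trusted source can be seeded instead, and every later handshake is refused if the presented certificate differs. The host name `vpn.example`, the `PinStore` class and the "certificate" bytes are constructed placeholders; the TLS helper uses only the Python standard library.

```python
import hashlib
import hmac
import socket
import ssl

# Added example, not code from the thread. It sketches the check the comment
# describes: remember the VPN server's certificate fingerprint, and refuse to
# connect whenever a later handshake presents a different one.


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pins_match(expected_hex: str, observed_hex: str) -> bool:
    """Constant-time comparison, so timing does not leak how many bytes matched."""
    return hmac.compare_digest(expected_hex.lower(), observed_hex.lower())


class PinStore:
    """Trust-on-first-use store keyed by server name (hypothetical helper).

    First contact records the fingerprint (the 'trust the VPN the first time
    around' step); every later contact must present the same one.
    """

    def __init__(self):
        self._pins = {}

    def pin_out_of_band(self, server: str, fingerprint_hex: str) -> None:
        """Seed a pin obtained from a trusted source (USB stick, printout, ...)."""
        self._pins[server] = fingerprint_hex.lower()

    def check(self, server: str, observed_hex: str) -> str:
        known = self._pins.get(server)
        if known is None:
            self._pins[server] = observed_hex.lower()
            return "new"          # nothing to compare against yet
        if pins_match(known, observed_hex):
            return "match"
        return "MISMATCH"         # certificate changed: someone may be in between


def connect_pinned(host: str, port: int, store: PinStore, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and abort unless the peer certificate matches the pin.

    Normal CA validation stays on; the pin is a second, independent check, so a
    CA under someone else's control is not enough on its own.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    observed = cert_fingerprint(tls.getpeercert(binary_form=True))
    if store.check(host, observed) == "MISMATCH":
        tls.close()
        raise ssl.SSLError(f"pinned certificate for {host} changed; refusing to connect")
    return tls


# Constructed sample "certificates": arbitrary bytes standing in for DER, so the
# store logic can be exercised offline without a real certificate.
SERVER_CERT_V1 = b"constructed-der-bytes-for-vpn.example-cert-1"
FORGED_CERT = b"constructed-der-bytes-for-an-interposed-cert"


def demo() -> list:
    """First contact pins, second contact matches, a swapped certificate is caught."""
    store = PinStore()
    host = "vpn.example"  # placeholder server name
    first = store.check(host, cert_fingerprint(SERVER_CERT_V1))
    again = store.check(host, cert_fingerprint(SERVER_CERT_V1))
    swapped = store.check(host, cert_fingerprint(FORGED_CERT))
    return [first, again, swapped]


if __name__ == "__main__":
    print(demo())  # ['new', 'match', 'MISMATCH']
```

The store only ever holds a hash of the certificate, so the pin can be copied from a printout or a USB stick, which is what the "trusted source" route amounts to; the in-tunnel re-check from the comment is the same `check` call run again once the VPN is up.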

~~~
erikb
So at least on day one of using the VPN connection - when you download the
client and set everything up - you need to trust your connection.

~~~
madhouse
It takes about 10 minutes to download a VPN client (or, you could get one on
CD or USB drive or whatever, from a trusted source, etc). Depending on the
complexity of the VPN, it takes around an hour tops to make it work. And a few
minutes to verify its integrity.

If you can obtain the server's certificate from a trusted source, then it
takes even less.

