Can a VPN carry out a Man-In-The-Middle Attack?

If the reader needs to ask this question, then I’d suggest that the question should first be translated into a similar question, which the reader more-probably needs the answer to:

‘Can software which claims to be a VPN, intercept the user’s data or carry out a MITM attack?’ A way in which some software can attack its user is by misleading him or her, about what its nature is. In order to assess this question quickly, I’d ask two more questions about the software:

  • We know that Windows, Mac and Linux computers have a large variety of installed libraries, that make up the core of how each O/S works, which under Windows are .DLL-Files, and which under Linux consist finally of .SO-Files. Does this software replace any of those existing libraries with its own versions?
  • Does this software install anything, such as Browser Extensions, which may change the way the browser behaves?

If the answer to either of these two questions was ‘Yes’, then in fact, this software has an opportunity to perform a MITM.

If the answer to both questions was firmly ‘No’, then the possibility is more likely, that this software really is ‘just a VPN’, in which case it should not be able to perform a MITM.


Why? Because, as long as we are connecting to a Website the URL of which begins with ‘httpS://’, and not ‘http://’, what a healthy browser will do is to encrypt its traffic to and from the site, using a public key, for which only the intended site has the private key, needed for decrypting the exchanged data. This is already being done by mainstream browsers, on the assumption that one or more of the connecting pieces of the Internet are insecure or untrustworthy. In the case where a link in this chain actually performs its own encryption, well that’s just another insecure link according to the way data is secured.

Data can be encrypted more than once, and, assuming that different encryption keys are being used each time, taking data which was already encrypted, and encrypting it again, does not by itself compromise the security of the data. The resulting stream just needs to be decrypted twice again, each time using the appropriate keys, each of which is held by a different party, to translate the data back into its clear-text form, in this case finally on the Web-server.

Therefore, VPN software operating as it should, ends up passing through any data that has been encrypted using a shared secret between the browser and the server, as though this data just consisted of random bytes. But, a VPN will add a layer of encryption to it. It can also be said conversely, that, given the encryption of the VPN, the browser adds its layer of encryption.

But what of software that confuses its users into installing special browser extensions, or library-overrides? Well, such software could have as its special behaviour, to cause the client to bypass its own encryption, only applying whatever encryption the so-called VPN may apply, and also doing what any client could do, which is, to connect to the server using encryption that exists between the VPN and the server, as a proxy. A computer which has been modified in this way is essentially hacked.



PrintFriendly Button

In the bottom left-hand corner of each of my postings, the reader will see a little icon that has a printer-symbol on it, and the word “Print”. This icon can be used either to print the posting in question, or to save it to a PDF File, on the reader’s computer. In fact, the reader can even delete specific paragraphs from his local copy of my posting – since plausibly, the reader might find some of my postings too long to be printed in their entirety.

Some time ago, I had encountered a situation where Not code belonging to this plug-in, but Rather the URL which hosts the service, was showing me a warning in my browser, that ‘unknown URLs’ were trying to run scripts.

My own Web-browser has a script-blocker, which will display scripts to me which a page is trying to display, but which I did not authorize.

Certain features which I use on my blog, are actually hosted by the Web-site of 3rd parties, whose scripts may run, just because my page includes their widget.

The first time I noticed this I went into an alarm-mode, and removed the button from my blog quickly, thinking that maybe it was malware. But some time after that, I installed an additional extension to my blogging engine, called “WordFence”. This is an extension that can not only scan the (PHP-) code present on my own server for viruses and other malware, but that can also just scan whatever HTML my blogging engine outputs, for the possible presence of URLs to sites that are black-listed, regardless of how those URLs ended up being generated by my blogging engine.

Once I had WordFence installed, I decided that a more-Scientific way to test the PrintFriendly plug-in, would be to reactivate it, while WordFence is scanning my site. If any of the URLs produced by this plug-in were malicious, surely WordFence would catch this.

As it stands, the PrintFriendly button again displays URLs which belong to parties unknown to me. But as it stands, none of those URLs seem to suggest the presence of malware. I suppose, that the hosts of PrintFriendly rely on some of those scripts, to generate income? Since I’m not required to pay, to use their button.



The PrintFriendly Button Is Back.

One of my less-commendable habits, is to add plugins to my WordPress blog, which might not be necessary, but which might OTOH be useful after all.

There is now a button at the bottom, left-hand side of my postings, which has a little printer icon, which my readers can click, in order to obtain a printable version of my postings.

There was an earlier point in time, when I took this plugin to be potential malware, because its presence in the browser causes scripts to run from other domains, and I did not think it wise, to be inviting scripts to run as part of my blog, which I do not know the purpose of, and which exist, because the Web-site of a plugin, includes another Web-site I know nothing about, which runs a script. So at that time, I went into high alert for no other reason, installed a whole security suite named “WordFence”, and removed the “PrintFriendly” plugin from my site.

Since then, my confidence in the security of my own site has improved – in spite of the fact that I’m still installing plugins – and I’ve come to think that my reaction back then might have been a bit unscientific. After all, even though I could know for certain that this unidentified script was being loaded onto my browser – which subsequently blocked it – I had no sure way of knowing it contained malware. The script in question may simply have had as purpose, to provide some sort of funding to the site that hosts PrintFriendly.

If the reader clicks on this icon, he’ll see that a floating window pops up, from which he can choose how – or if – he wants to print my posting. That floating window will only appear, if the reader allows his browser to run scripts from ‘’. That floating window is still hosted on the other party’s server – belonging to PrintFreindly and not to me – and because that floating window is being hosted on their server, it also represents a resource which they need to pay for in some way, even though I’m not paying them.

Now, WordFence has a feature (enabled on my blog), that is called a ‘Front-Side URL Scan’. In short, instead of only scanning my plugin folders for trouble, this feature examines all the URLs which the home-page of my blog sends to the would-be browsers, and compares those URLs to blacklists of known malware. I will next be able to see, whether the URL in question was actually blacklisted – by anybody other than me. If it was, this plugin will disappear again from my blog.

But for now, I’m giving this plugin another chance.



I am confident that my site is secure again.

What happens from now on, is that ‘WordFence‘ performs routine security scans of my blog. It then emails me with reports.

According to the latest report, emailed to me overnight as I slept, my blog had one issue, out of hundreds of potential issues: One of my plug-ins needed an upgrade.

Of course, I would have seen that this plug-in required an upgrade anyway, as soon as I checked my Dashboard this morning, which showed me the same result.