Can a VPN carry out a Man-In-The-Middle Attack?

If the reader needs to ask this question, then I’d suggest that the question should first be translated into a similar question, which the reader more-probably needs the answer to:

‘Can software which claims to be a VPN, intercept the user’s data or carry out a MITM attack?’ A way in which some software can attack its user is by misleading him or her, about what its nature is. In order to assess this question quickly, I’d ask two more questions about the software:

  • We know that Windows, Mac and Linux computers have a large variety of installed libraries, that make up the core of how each O/S works, which under Windows are .DLL-Files, and which under Linux consist finally of .SO-Files. Does this software replace any of those existing libraries with its own versions?
  • Does this software install anything, such as Browser Extensions, which may change the way the browser behaves?

If the answer to either of these two questions was ‘Yes’, then in fact, this software has an opportunity to perform a MITM.

If the answer to both questions was firmly ‘No’, then the possibility is more likely, that this software really is ‘just a VPN’, in which case it should not be able to perform a MITM.


 

Why? Because, as long as we are connecting to a Website the URL of which begins with ‘httpS://’, and not ‘http://’, what a healthy browser will do is to encrypt its traffic to and from the site, using a public key, for which only the intended site has the private key, needed for decrypting the exchanged data. This is already being done by mainstream browsers, on the assumption that one or more of the connecting pieces of the Internet are insecure or untrustworthy. In the case where a link in this chain actually performs its own encryption, well that’s just another insecure link according to the way data is secured.

Data can be encrypted more than once, and, assuming that different encryption keys are being used each time, taking data which was already encrypted, and encrypting it again, does not by itself compromise the security of the data. The resulting stream just needs to be decrypted twice again, each time using the appropriate keys, each of which is held by a different party, to translate the data back into its clear-text form, in this case finally on the Web-server.

Therefore, VPN software operating as it should, ends up passing through any data that has been encrypted using a shared secret between the browser and the server, as though this data just consisted of random bytes. But, a VPN will add a layer of encryption to it. It can also be said conversely, that, given the encryption of the VPN, the browser adds its layer of encryption.

But what of software that confuses its users into installing special browser extensions, or library-overrides? Well, such software could have as its special behaviour, to cause the client to bypass its own encryption, only applying whatever encryption the so-called VPN may apply, and also doing what any client could do, which is, to connect to the server using encryption that exists between the VPN and the server, as a proxy. A computer which has been modified in this way is essentially hacked.

Dirk