Forum Discussion
magicbus
May 08, 2015
Explorer II
rwbradley wrote:
bwanshoom wrote:
dshinnick, look up a man-in-the-middle attack. If someone controls your connection to the internet (e.g. they own the router) they can make you think you're talking to your bank, but you're not. It's not hard to fake a website that looks like BOA, for example. Phishing attackers do this all the time. And most people wouldn't know a good certificate from a bad one. There have been numerous cases of certificate authorities (someone your browser trusts implicitly by default even though you've never heard of 99% of them. Do you trust the Chinese government? Your browser did...until last month) being hacked and issuing bogus but perfectly valid certificates.
There are malicious hotspots that do this kind of thing. Someone on this forum mentioned they owned a WiFi Pineapple which does everything I just mentioned.
As has been noted numerous times in this thread, the likelihood of this occurring is quite small but it's non-zero. Depending on how paranoid or cautious you are you might care or you might not.
Well described. I think you stated it far more clearly than my feeble attempts.
Well now hold on... you can't have it both ways! You agree 100% that hacking certificates is occurring all the time and Man In the Middle attacks are easy BUT not where it applies to VPNs?
rwbradley wrote:
1) Paid VPN services are based on a model of trust, just like Certificate Authorities who issue the SSL certificates to the banks, or even the Banks themselves. They would go out of business if they are not trustworthy.
So it's OK to trust certificates for a VPN but not for banks :? You wholeheartedly agree that a MIM attack could make me think I am talking to BOA but the same MIM attack can't pretend to be my VPN service? I must be missing some subtle difference!
Dave