Firefox’s free VPN will offer 50 gigabytes of monthly data, which is pretty generous for a browser-based VPN. A Mozilla account is required to make use of it, which isn’t a hardship (they’re free), but is a point of friction some may wish to know upfront.
How long before that data gets sold?
-1 year
Data is encrypted over VPN tunnel by design.
The data is indeed encrypted, but both you and the VPN provider have the keys - that’s why they advertise no-logs policies, because they have access to the data you send, such as which website you’re attempting to visit.
Can a VPN provider do man in the middle attacks if they wanted to? Like sniff my /api/login calls and get my password? My gut tells me yes but I don’t know enough to be sure, I feel.
When you connect to a secure https site, then no. When you connect to unsecured http, then yes.
Firefox has its own cert store for https, and could theoretically impersonste other websites by adding their own and then sniff your traffic. But thats not how vpn providers typically work, and thered be huge backlash if they were to do that unprompted.
We had a proxy server at work that would route all internet traffic and scan for viruses, blocked urls or other traffic patterns, depending on your network rules. It did work on https and SSL traffic, because you had to accept the cert from the proxy server in your browser. So your traffic was encrypted between proxy and webserver, and proxy and your computer, but unencrypted on the proxy server itself. It would be similar with a VPN. Plus, if you control the browser you could just ship the required certs with the update…
Generally not. Anything with authentication would be using HTTPS encryption. So there will be two layers of encryption: the VPN encryption and the web site’s HTTPS encryption. The VPN provider can’t replace the HTTPS encryption because your browser would identify it as being encrypted with the wrong certificate and it would block the connection.
Although…given that they control the browser, too, I suppose they could code it to remove those safeguards, but that would not go unnoticed for long.
When you use a VPN, it basically replaces your ISP as the intermediary who can snoop all your traffic, so the real question is who do you trust more: your ISP or Mozilla?
What I was thinking was that the VPN would be able to sniff the key exchange hand shake thing that HTTPS does in order to setup the connection, and use the data during the handshake to basically recreate the cryptographic key used for the connection later. So then it’d be able to just decrypt all traffic and reencrypt it again after passing through. Seamlessly to both ends.
Is that a thing in theory?
assume the VPN provider is adversarial
now re-run your analysis
This is true regardless. HTTPS encryption keeps a man in the middle from seeing your URL. They just get the domain name, which is a lot, but it isn’t your credentials.
If you have to install any closed-source software to use the VPN, the answer is oh hell yes, they can install a root cert. If they are clever they can remove it when you disconnect, so it will not be noticed by most people.
Even if they require no proprietary install, by definition the VPN knows every IP address you connect to. Even if you use DoH. Even if you use Quad9 DNS. The VPN knows you visited midwestsluts.com
If you want privacy, either spin up your own selfhost OpenVPN, or use the Tor nodes myself and other volunteers pay for, to make free for you to use.
Tor node operators can’t tell what site you are visiting (if they run an exit node they can see the site – but don’t know your IP; if they run a Guard/proxy node they can see your IP, but can’t tell anything about what sites you visit or what data you get)
What if the gov has access to both tor nodes, cloudfare infrastructure and mozilla servers?
Joke’s on them, because half the web is behind CloudFlare now.