Is my ISP capable of spying on me through my VPN using certificates?

DarkSpace-Harbinger

So, long story short my University decided to add a new password protected WiFi for students specifically here on campus. Compared to the old network, it is authenticated using student credentials and it is about 2x faster than the original network that is open to everyone.

Problem is, I'm not sure whether or not authenticating with my student credentials actually somehow implants a certificate on my device for them to track me with. I am currently using a SSL 443 configuration on Android 24/7 and i show no leaks.

I think even if there were some sort of certificate implanted for MiTM in this logon process, it would likely still be unable to decrypt my actual VPN traffic. Maybe the SSL session itself, but not the actual OpenVPN traffic inside. I included a picture of the login screen below in the event it offers any helpful insight.

So my question really is this: As long as my VPN is on, am i safe? Or is my traffic being intercepted and decrypted and spied on just by using this network?

My paranoia is probably getting the better of me, but time and time again network admins, ISP's, gov agencies and others continue to surprise us.

Staff

I think even if there were some sort of certificate implanted for MiTM in this logon process, it would likely still be unable to decrypt my actual VPN traffic. Maybe the SSL session itself, but not the actual OpenVPN traffic inside. I included a picture of the login screen below in the event it offers any helpful insight.

Hello!

Totally correct. To go further, in Eddie we have even removed the server certificate verification in stunnel, because the additional SSL/TLS tunnel is not required to provide data protection or integrity. It must only punch a hole through which then OpenVPN can break free. All the packets security and integrity is up to this second OpenVPN tunnel inside the stunnel tunnel.

So, we don't want that stunnel verifies the certificate and breaks the connection. Let the censors and the voyeurs believe that they can inspect your traffic through the certificate hoax, and use this fact at your advantage. You just need to be aware that they can detect OpenVPN fingerprint (this issue can be resolved with tls-crypt, which is currently available on Chara and Castor only but will be widely deployed later in April and early May).

Kind regards

DarkSpace-Harbinger

I think even if there were some sort of certificate implanted for MiTM in this logon process, it would likely still be unable to decrypt my actual VPN traffic. Maybe the SSL session itself, but not the actual OpenVPN traffic inside. I included a picture of the login screen below in the event it offers any helpful insight.

Hello!

Totally correct. To go further, in Eddie we have even removed the server certificate verification in stunnel, because the additional SSL/TLS tunnel is not required to provide data protection or integrity. It must only punch a hole through which then OpenVPN can break free. All the packets security and integrity is up to this second OpenVPN tunnel inside the stunnel tunnel.

So, we don't want that stunnel verifies the certificate and breaks the connection. Let the censors and the voyeurs believe that they can inspect your traffic through the certificate hoax, and use this fact at your advantage. You just need to be aware that they can detect OpenVPN fingerprint (this issue can be resolved with tls-crypt, which is currently available on Chara and Castor only but will be widely deployed later in April and early May).

Kind regards

Thanks for the reply.

I must ask, in a similar situation where SSL tunnel is NOT used, would i have to consider my data compromised under a certificate system even though i am connected to the VPN through traditional OpenVPN?

Similarly, is it possible tls-crypt protection can be added to the inner OpenVPN layer of a SSL Tunnel in the future?

Staff

I must ask, in a similar situation where SSL tunnel is NOT used, would i have to consider my data compromised under a certificate system even though i am connected to the VPN through traditional OpenVPN?

No, and you will be unable to punch a hole. Your OpenVPN client will refuse connections to begin with.

However, as you know, data to and from HTTPS servers will be compromised and visible, if you allow them to poison the chain of trust of your system (often, in a corporate environment, the employee/office computer, property of the company, is already compromised, of course).

Similarly, is it possible tls-crypt protection can be added to the inner OpenVPN layer of a SSL Tunnel in the future?

It is already, have you tested it? With Eddie, use SSL tunnel to port 443, entry-IP 4 (when you configure this connection mode, you will see that only Castor and Chara will be available, all the other servers will appear in red and not available).

Kind regards

DarkSpace-Harbinger

I must ask, in a similar situation where SSL tunnel is NOT used, would i have to consider my data compromised under a certificate system even though i am connected to the VPN through traditional OpenVPN?

No, and you will be unable to punch a hole. Your OpenVPN client will refuse connections to begin with.

>Similarly, is it possible tls-crypt protection can be added to the inner OpenVPN layer of a SSL Tunnel in the future?

It is already, have you tested it? With Eddie, use SSL tunnel to port 443, entry-IP 4 (when you configure this connection mode, you will see that only Castor and Chara will be available, all the other servers will appear in red and not available).

Kind regards

Hmm... I can connect just fine to the network i mentioned with both traditional OpenVPN and SSL Tunnel. Does that mean the network is not intercepting secure traffic via a certificate and that i am secure?

I'm still using the stable release at the moment. I might test it out later, but for now i use different servers daily that unfortunately do not yet have these experimental options implemented yet.

Flx

we don't want that stunnel verifies the certificate and breaks the connection.

That is what happens in Tomato routers.

Flx

I think even if there were some sort of certificate implanted for MiTM in this logon process, it would likely still be unable to

In simpler terms. They know your student name, device you use(android), the time you login/logoff and some other minor details.

decrypt my actual VPN traffic.

Not really. All they will see/know is the source IP(android client/IP) and the server IP you connect to. From there all data tcp/udp etc. they see is the AirVPN server IP send/receive data to/from the Internet.

@staff

they are correct about this

Keksjdjdke

So, long story short my University decided to add a new password protected WiFi for students specifically here on campus. Compared to the old network, it is authenticated using student credentials and it is about 2x faster than the original network that is open to everyone.

Problem is, I'm not sure whether or not authenticating with my student credentials actually somehow implants a certificate on my device for them to track me with. I am currently using a SSL 443 configuration on Android 24/7 and i show no leaks.

I think even if there were some sort of certificate implanted for MiTM in this logon process, it would likely still be unable to decrypt my actual VPN traffic. Maybe the SSL session itself, but not the actual OpenVPN traffic inside. I included a picture of the login screen below in the event it offers any helpful insight.

So my question really is this: As long as my VPN is on, am i safe? Or is my traffic being intercepted and decrypted and spied on just by using this network?

My paranoia is probably getting the better of me, but time and time again network admins, ISP's, gov agencies and others continue to surprise us.

An passive attacker should be able to use website fingerprinting even when using a VPN.

more info on Tor's Blog

https://blog.torproject.org/experimental-defense-website-traffic-fingerprinting

DarkSpace-Harbinger

So, long story short my University decided to add a new password protected WiFi for students specifically here on campus. Compared to the old network, it is authenticated using student credentials and it is about 2x faster than the original network that is open to everyone.

Problem is, I'm not sure whether or not authenticating with my student credentials actually somehow implants a certificate on my device for them to track me with. I am currently using a SSL 443 configuration on Android 24/7 and i show no leaks.

I think even if there were some sort of certificate implanted for MiTM in this logon process, it would likely still be unable to decrypt my actual VPN traffic. Maybe the SSL session itself, but not the actual OpenVPN traffic inside. I included a picture of the login screen below in the event it offers any helpful insight.

So my question really is this: As long as my VPN is on, am i safe? Or is my traffic being intercepted and decrypted and spied on just by using this network?

My paranoia is probably getting the better of me, but time and time again network admins, ISP's, gov agencies and others continue to surprise us.

An passive attacker should be able to use website fingerprinting even when using a VPN.
more info on Tor's Blog

https://blog.torproject.org/experimental-defense-website-traffic-fingerprinting

I'm more focused on ISP monitoring/surveillance

Keksjdjdke

I'm more focused on ISP monitoring/surveillance

Its still possible for a large ISP to Accomplish this Type of passive traffic analysis. A Successful attack was accomplished shown in this paper."older study"

http://lorre.uni.lu/~andriy/papers/acmccs-wpes11-fingerprinting.pdf

Edited ... by Keksjdjdke

Flx

I'm more focused on ISP monitoring/surveillance

What? You didn't know they do monitor/analyze all data traffic..in real-time.

1.The sign in picture provided by you looks like Sign in to a RADIUS server or similar.

2.Tablets/Android of the sort I don't trust them(My opinion).

Finally to get to the bottom of this "scenario".

Yes they can spy on you if they want, regardless if you have your VPN connected.(very easy to do on tablets/android)

@mods post this or not

.

DarkSpace-Harbinger

I'm more focused on ISP monitoring/surveillance
What? You didn't know they do monitor/analyze all data traffic..in real-time.
1.The sign in picture provided by you looks like Sign in to a RADIUS server or similar.
2.Tablets/Android of the sort I don't trust them(My opinion).
Finally to get to the bottom of this "scenario".
Yes they can spy on you if they want, regardless if you have your VPN connected.(very easy to do on tablets/android)
@mods post this or not

.

So what your saying is the only way to prevent my uni from spying on me is to use another network, and that I'll never be safe using school internet even with a VPN no matter what?

EDIT: I've read some of that paper that was attached. It seems that the attack mentioned is based on traffic analysis. For my ISP to know what websites i access, they would have to be able to tap the VPN server itself. What the ISP can do is determine traffic type. For example they can always do traffic analysis and determine if a VPN user is browsing, downloading or torrenting etc. Just not what website they are accessing, what they are downloading, or what they are torrenting or from where.

LZ1

Hello!

I think the definition of "spy on" needs to be clarified, as it otherwise just encourages FUD. There's a difference between some meta-data about when something happened and actual content of messages/communications attached to a specific person, after all.

DarkSpace-Harbinger

Hello!

I think the definition of "spy on" needs to be clarified, as it otherwise just encourages FUD. There's a difference between some meta-data about when something happened and actual content of messages/communications attached to a specific person, after all.

Just saying....

LZ1

They're not lying - it's why there's SSL for instance. Or SSH.

Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. OpenVPN is already a VPN solution based on SSL/TLS. However, Deep Packet Inspection lets your ISP recognize the you are using an OpenVPN connection. Adding an additional SSL to connect OpenVPN over SSL is useful in all cases in which you wish to have all the security and features of OpenVPN, while at the same time you don't want to let your ISP know that you're using OpenVPN,

Not to mention the regular FAQ explanation.

VPN is an acronym of Virtual Private Network. Our VPN extends the private network across the Internet. It enables your computer (the "client") to send and receive data across the Internet through dedicated nodes ("the VPN servers") as if those data were an integral part of the private network. This is achieved through a point-to-point OpenVPN (in routing mode) connection. The connection is encrypted and each packet is authenticated both by your client and our servers, so that nobody (including your ISP) between your computer and the VPN server can see the data you transmit and receive, the real origin and destinations of such data, and, last but not least, can inject forged packets into your stream of data. The picked encryption cipher meets higher-than-military security requirements.

Staff also already dismissed some of your other worries and I would say it's likely you're already better protected than 99% of your campus. So I'm not sure what more you really want - use a burner phone for your uni stuff?

And also, if your threat model includes a nation state, then you'd need to be doing a lot more than just using this one product

DarkSpace-Harbinger

They're not lying - it's why there's SSL for instance. Or SSH.

Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. OpenVPN is already a VPN solution based on SSL/TLS. However, Deep Packet Inspection lets your ISP recognize the you are using an OpenVPN connection. Adding an additional SSL to connect OpenVPN over SSL is useful in all cases in which you wish to have all the security and features of OpenVPN, while at the same time you don't want to let your ISP know that you're using OpenVPN,

Not to mention the regular FAQ explanation.

>
VPN is an acronym of Virtual Private Network. Our VPN extends the private network across the Internet. It enables your computer (the "client") to send and receive data across the Internet through dedicated nodes ("the VPN servers") as if those data were an integral part of the private network. This is achieved through a point-to-point OpenVPN (in routing mode) connection. The connection is encrypted and each packet is authenticated both by your client and our servers, so that nobody (including your ISP) between your computer and the VPN server can see the data you transmit and receive, the real origin and destinations of such data, and, last but not least, can inject forged packets into your stream of data. The picked encryption cipher meets higher-than-military security requirements.

Staff also already dismissed some of your other worries and I would say it's likely you're already better protected than 99% of your campus. So I'm not sure what more you really want - use a burner phone for your uni stuff?

And also, if your threat model includes a nation state, then you'd need to be doing a lot more than just using this one product

My threat model does not include a nation state. Just the university/ISP.

My problem is the quote below claims that no matter what, your ISP will always be able to spy on you even through a VPN

I'm more focused on ISP monitoring/surveillance
What? You didn't know they do monitor/analyze all data traffic..in real-time.
1.The sign in picture provided by you looks like Sign in to a RADIUS server or similar.
2.Tablets/Android of the sort I don't trust them(My opinion).
Finally to get to the bottom of this "scenario".
Yes they can spy on you if they want, regardless if you have your VPN connected.(very easy to do on tablets/android)
@mods post this or not

.

LZ1

I think you should disregard his statement until he qualifies it with further information and/or sources, as until then, it is just that: a claim, with nothing to back it up.

You're also free to take what other precautions you like, such as using Tor or another VPN and thereby achieve partition of trust, such that you don't even need to trust Air.

Coupled with other measures such as different browser protections, other software measures and good awareness of your actions security-wise, you'll be doing really well by most common standards.

Do you for example use the stock ROM on your Android phone or did you research more appropriate alternate ROMs. My point being that it's good to look at multiple solutions if you're so worried/interested.

Maybe at some point you also need to trust the technology, until you're shown a good reason not to? So you don't lose sleep .

It honestly sounds like you're fine. Especially when/if you use the Eddie client on desktop. In case you missed it, you might also like to read Staffs rebuttal of a somewhat well known article.

Is my ISP capable of spying on me through my VPN using certificates?

Recommended Posts

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Share this post

Link to post

Join the conversation