VPNs are accessed by the user with credentials so that the information is encryp

Question

VPNs are accessed by the user with credentials so that the information is encrypted. There are credentials that you download to allow this. Since you don't physically, in person, get the credentials from the VPN provider, they have to be downloaded, which means using the internet. Now I know HTTPS is used, but HTTPS is weak at best. Government organizations can look at HTTPS data and they don't have to immediately either. Your ISP is logging your web traffic anyway; even if it's encrypted, they might break it in the future. How can you secure the actual security key/certificate which you are receiving from your VPN....

I realize this might not be possible without an in-person physical exchange, but isn't this a security killer for VPNs? This will protect you from rogue unsecured public WiFis and such, but your ISP and government agencies will be able to get the VPN credentials which you downloaded through HTTPS.

Is there a way around this? Are there other techniques that combat this?

Explanation / Answer

First of all, HTTPS, if implemented correctly, is not weak. Second of all, if you are on the radar of a government, your last worry should be that they start decrypting your HTTPS traffic using a MiTM. If they are really interested in you, strong crypto won't be able to protect you from getting wrenched to the knee.

Most secure VPN solutions use strong symmetric crypto to secure the communication, for which the encryption key is exchanged between client and server using the same SSL/TLS protocol as used for HTTPS. So if you are worried that they can break SSL/TLS in the future, then you should equally be worried that they can break the SSL handshake your VPN uses to set up a secure connection, regardless of whether they were able to get your credentials or not.
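As an added illustration of "implemented correctly" on the client side (example code, not part of the original answer): a check that a Python TLS client context verifies the server certificate and hostname before it is used to download a VPN profile. The TLS 1.2 floor, the function names and the profile URL passed to `download_profile` are assumptions made for this example.

```python
import ssl
import urllib.request

MIN_TLS = ssl.TLSVersion.TLSv1_2  # assumption: lowest protocol version we accept


def audit_client_context(ctx):
    """Return the reasons this context would not give a properly verified HTTPS download."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < MIN_TLS:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


def hardened_context():
    # Defaults: CERT_REQUIRED, hostname checking, system trust store.
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def weak_context():
    """What 'make the certificate error go away' usually produces."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including a MiTM's, is accepted
    return ctx


def download_profile(url, ctx):
    """Fetch a VPN profile only over a context that passes the audit."""
    findings = audit_client_context(ctx)
    if findings:
        raise RuntimeError("refusing download: " + "; ".join(findings))
    if not url.lower().startswith("https://"):
        raise ValueError("profile URL must use https://")
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()), ("weak", weak_context())):
        print(name, audit_client_context(ctx) or "ok")
```
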