A VPN is widely regarded as a good tool for securing personal data and passwords from hackers and third parties. We trust that a VPN service will increase the privacy of our browsing and that our login credentials will stay secure and unseen. However, we do not turn a completely blind eye to the private information we pass through a VPN, and we are aware that it might get stolen. But can a VPN really take your passwords and see all your private data?
Can VPN see your personal data?
In theory, all your personal data might be seen once it is routed via a server that is managed by the VPN company. But not all private information can be viewed; it depends heavily on the security protocol used for the connection to a website. However, it is unlikely that a reliable VPN would spy on your private data.
How can VPN steal your private data?
It is true that your private information can be seen by a VPN provider, but that is not an easy task even for someone who controls the internet traffic. However, there are a few ways a VPN can actually steal this private data. There is an easy way and a more advanced way to do this, depending on the security configuration of the website you are trying to reach.
Intercepting connection made with HTTP
Back in the day, an unsecured protocol called HTTP (HyperText Transfer Protocol) was used to connect to websites. This protocol exchanges messages and commands between the browser and the web server so they can communicate. It is still the basis of many connections made over the internet, but it is not secure. All messages exchanged over HTTP are sent in plain, human-readable text, so the information can be easily seen and stolen. To tackle this issue, a new version of the protocol was developed, called HTTPS (HyperText Transfer Protocol Secure). This protocol is very secure: the traffic is encrypted so that no one who intercepts it can see the actual data sent. In modern browsers, a secured or unsecured connection is marked by a lock symbol once you visit a website.
Nowadays there are still websites that use HTTP instead of HTTPS. All the data and personal information sent over an unsecured HTTP connection can be intercepted and seen by a VPN provider. A VPN encrypts everything in a secured connection tunnel, but that means it can also decrypt and read the data as well. Seeing private information that easily can only happen on an HTTP connection. With HTTPS, it is a different story.
Installing fake certificates
The situation is different when an HTTPS connection is made through a VPN. The connection between your browser and the website is secure, and trust is established using certificates. VPN encryption is an additional layer of encryption on top of the already encrypted HTTPS traffic.
It is this double encryption that actually keeps your data private from ISPs and hackers. Even though the HTTPS connection is highly secure on its own, it is possible for a VPN provider to crack it by installing their own certificates on your device.
Installing fake certificates on your device would often require administrative privileges, and one way a VPN provider could do it is by offering you a compromised, malicious VPN application to install. Fake certificates would allow them to intercept and decrypt HTTPS traffic for inspection and re-encrypt it before sending it onwards. Such a scheme is used by untrustworthy, shady VPNs that are either free or made in China. A VPN that intercepted and monitored private HTTPS traffic would likely get caught quickly and go out of business, therefore any reputable and well-known VPN would never do that.
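One way to check for this kind of interception, shown here as an added example that is not from the original article: record which certificate authority issued a site's certificate while off the VPN, then compare it with what the same site presents through the VPN. The helper names and both sample certificates are constructed; the dictionaries follow the format returned by Python's SSLSocket.getpeercert().

```python
import socket
import ssl


def issuer_fields(peercert):
    """Flatten the 'issuer' entry of SSLSocket.getpeercert() into a dict."""
    return {key: value
            for rdn in peercert.get("issuer", ())
            for key, value in rdn}


def fetch_peercert(host, port=443, timeout=5):
    """Connect with normal validation and return the verified leaf certificate.

    A root certificate added to the device's trust store makes this succeed
    for re-signed traffic too, so the issuer still has to be compared.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_changed(baseline_cert, current_cert):
    """Return differing issuer fields as {field: (baseline, current)}.

    An empty dict means the same certificate authority signed both.
    """
    old, new = issuer_fields(baseline_cert), issuer_fields(current_cert)
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new))
            if old.get(k) != new.get(k)}


# Constructed certificates in getpeercert() format (all names are made up).
OFF_VPN = {"subject": ((("commonName", "bank.example"),),),
           "issuer": ((("countryName", "US"),),
                      (("organizationName", "Example Public CA"),),
                      (("commonName", "Example Public CA R3"),))}
ON_VPN = {"subject": ((("commonName", "bank.example"),),),
          "issuer": ((("countryName", "US"),),
                     (("organizationName", "FreeVPN App"),),
                     (("commonName", "FreeVPN Traffic Inspection Root"),))}

if __name__ == "__main__":
    print(issuer_changed(OFF_VPN, ON_VPN))
```

Sites do change certificate authorities for ordinary reasons, so a difference is a reason to inspect the device's installed root certificates rather than proof of interception.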
Can VPN see your banking login credentials
Financial institutions such as PayPal or a bank have to comply with strict security regulations, therefore they use the HTTPS protocol whenever you log in to your account. It is very hard for a VPN provider to compromise such security, therefore it cannot see any of your financial login credentials.
Can VPN steal your passwords that you type
The only way a VPN could steal your password is when a website uses an unsecured HTTP connection. In that case your password would be seen in plain text once you try to log in. Passwords are mostly saved locally in your browser, and just typing one into a field would not expose it to a VPN, so it cannot steal it this way.
Free VPNs steal and sell your personal data
Many free VPN and Proxy providers do gather and steal your data. They do that because running a VPN service for free is not a sustainable business model. They grab, take and collect personal data that is later sold to third parties and advertiser networks. Free VPNs are not that trustworthy and are not recommended to use for privacy.
It is well known that China has implemented content censorship and monitors all internet activities. Trustworthy and non-China-based VPNs are banned there; only China-made VPNs are allowed to be used. This is because, just like the free ones, Chinese VPNs are most likely to monitor and collect the data of their users and either sell it to advertisers or report it to the government. Therefore, China-based VPNs are not recommended.
Which VPNs are trustworthy
Trusting a VPN provider not to steal passwords or monitor your personal information has to be a serious choice. A reputable VPN that will protect your login credentials and won’t collect your information must have at least these components:
Well known and a long time in business
Has a strict and proven no-log policy
Based outside of surveillance alliances (non-US based)
Here are some reputable VPNs that meet those criteria and are well known in the VPN market:
With a trustworthy VPN your private information and passwords are safe; however, it is still theoretically possible for a VPN provider to see your data. One way is to intercept and monitor an unsecured HTTP connection, and the other, more difficult way is to install fake certificates on your device. The latter technique is used mainly by free and shady VPN services that steal and sell your data. However, there are a few reputable VPN providers that have a strict no-log policy and have existed for a long time in the VPN business. These VPNs are the best to use when you want to keep your browsing activities really private.
CyberWaters is a mixed crew of cyber security enthusiasts with a keen interest in data privacy, security and the technology behind it. We provide cyber security related content and give advice on best practices and tools for staying safe and secure online.