TLS interception

Was trying out a freemium VPN for testing purposes and when I ran the VPNalyzer app, it stated this:

  • Your VPN performs active TLS Interception, which could potentially lead to Man-In-The-Middle Attack.

Can someone ELI5 what this means, and if this is ‘normal’ for a VPN? There’s zero context provided.

1 Like

I don’t know what that app is referring to, but typically TLS interception means you install a root certificate from someone (in this case your VPN provider) on your device, and then they can use that certificate to decrypt your traffic and inspect it.

That definitely is not normal behavior for a VPN, and it is very unsafe for your security if that is what is going on.

7 Likes

Link to the actual paper: https://www.ndss-symposium.org/wp-content/uploads/2022-285-paper.pdf. It's part of the VPNalyzer website.

This tool looks to be an automated scanning tool, a bit like what Hardenize is to PKI/email etc.

And yes, the VPN application should not be installing root certs, that’s essentially what Onavo did.

2 Likes

If it’s not normal I am not sure, I have seen many universities and companies doing that. And indeed, terrible idea. Massive red flag, do not buy into it.

1 Like

Installing a root certificate from someone and routing all your traffic through them is almost like having them beside you, seeing your screen.

1 Like

For what it’s worth, I get the same result when I run ProtonVPN. So I think it’s a false alarm from VPNalyzer.

If you didn’t install a root CA it does seem unlikely, although a custom VPN client could install one as part of the install process in theory.

If you’re getting it consistently regardless of VPN, it’s possible something else on your system is intercepting TLS traffic, which is worth investigating. Or yeah, it could be a false positive.

You can check the root certificates in the settings.

1 Like
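One way to investigate beyond looking at the root store, as an added example that is not part of the original thread and is not how VPNalyzer tests: record the certificate each site presents on a trusted network, repeat with the VPN on, and look for one new issuer appearing across unrelated sites. The host names, fingerprints and issuer names below are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import socket
import ssl
from collections import defaultdict

# Constructed sample observations: {host: (leaf SHA-256 fingerprint, issuer name)}.
BASELINE = {"example.com": ("aa11", "Public CA A"),
            "example.org": ("bb22", "Public CA B"),
            "example.net": ("cc33", "Public CA C")}
# VPN on, no interception: example.org merely renewed its certificate with the same CA.
VIA_VPN_OK = dict(BASELINE, **{"example.org": ("bb99", "Public CA B")})
# VPN on, intercepted: every site is re-signed by the same unfamiliar CA.
VIA_VPN_MITM = {"example.com": ("d001", "Constructed Inspection CA"),
                "example.org": ("d002", "Constructed Inspection CA"),
                "example.net": ("d003", "Constructed Inspection CA")}


def issuer_name(cert_info):
    """Pull a readable issuer name out of the dict returned by ssl getpeercert()."""
    attrs = {k: v for rdn in cert_info.get("issuer", ()) for k, v in rdn}
    return attrs.get("organizationName") or attrs.get("commonName", "?")


def observe(host, port=443, timeout=5.0):
    """Fetch (fingerprint, issuer) for a live host as seen from the current network path.
    Raises ssl.SSLCertVerificationError if the chain does not lead to a trusted root."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return hashlib.sha256(der).hexdigest(), issuer_name(tls.getpeercert())


def interception_signs(baseline, observed):
    """Return {issuer: [hosts]} for issuers that newly sign two or more hosts.
    A changed fingerprint alone is normal (renewals, CDNs); the heuristic here is
    one issuer replacing the usual issuers of several unrelated sites at once."""
    changed = defaultdict(list)
    for host, (fingerprint, issuer) in observed.items():
        if host not in baseline:
            continue
        base_fingerprint, base_issuer = baseline[host]
        if fingerprint != base_fingerprint and issuer != base_issuer:
            changed[issuer].append(host)
    return {i: sorted(h) for i, h in changed.items() if len(h) >= 2}


if __name__ == "__main__":
    print(interception_signs(BASELINE, VIA_VPN_OK))
    print(interception_signs(BASELINE, VIA_VPN_MITM))
```

To use it on real traffic, build both dictionaries with `observe()` for a handful of unrelated sites, once without the VPN and once with it connected.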

I’m almost sure it’s difficult for an app to install a root certificate on an Android.

Even if you grant it root access you probably need at least to type your password.

A malicious app cannot install a root certificate seamlessly on Android, I think. Well, I hope so.

1 Like