[drvdevd]

I haven't actually looked at the code yet, but to be fair, if your connection through any VPN is completely encrypted (e.g. HTTPS only), then it's not much different to most ISPs...

They can grab metadeta but this is already being done with all the traffic we generate anyway, one should assume.

[neurostimulant]

Aren't VPN networks can specify DNS server the client should use after the connection established? That would allows DNS spoofing and MITM attacks.

[kijin]

Even with DNS spoofing, you can't MITM an encrypted connection with pinned public keys. That includes Google, GitHub, most social networks, and any SSH host to which you have previously connected.

Almost everything I do while on the move falls into this tamper-proof category. It's been a while since I stopped caring which Wi-Fi I connect to. I just borrow anyone's connection and tunnel right through.

[noja]

> That includes Google, GitHub, most social networks, that includes Google, GitHub, most social networks,

Nearly all websites do not using pinning.

[drvdevd]

So you would still need a trusted cert though right for the TLS MITM? And presumably SSH is not affected any more than on the open internet?

Anyway, while these may be valid attack vectors, since I started getting traffic injected by my ISP a few years ago, and DNS hijacked for advertising, my level of trust has dropped to the same as that of some $VPN, wherever, or $WIFI.

But that's just my opinion.