What can a VPN provider see *exactly*?

Hey guys! :smiley:

I surprisingly couldn’t find a clear answer on the FAQ or with a quick online search to the simple but vital question of what a VPN provider can see compared to an ISP when it comes to the actual data I send and receive.

Ofc as the middle man they see my real IP (which they claim they don’t log) and where I send data (whether we trust them or not to keep no logs of that is up to each individual). But what about the actual, readable data?

Can they see the content of my text messages, the file names or content of my sensitive work paperwork PDFs, the pictures I send to friends or post online?

I was under the impression (actually 150% convinced) that my ISP couldn’t see any of that (because encrypted by https) and could only see where I send data to and receive data from (aka my traffic, but without being able to read any actual data).

First of all, is that true? And second, does that apply the same way to the VPN, or do they (either the VPN or the ISP, or both) see any readable data I send or receive when I use or don’t use a VPN? If so, what readable data can they see exactly?

Thanks :smiley:

You are correct. Any website protected with https obscures the contents of your traffic. They can see what site you’re on and they can see how much traffic is coming and going between you, but not the plain text details of your traffic, so no individual page visits, file transfers, messages, etc. Now, they can make some inferences based on traffic analysis, so for example if you visit free movies(dot)info or whatever and then your traffic spikes, they can probably infer that you’re downloading large files from that website, but they won’t know which ones.

There might be some exceptions to this however. I’ve heard stories in recent months about some ISPs requiring users to add custom trusted certificates to their machines, or intercepting and manipulating web traffic to place ads on web pages not affiliated with them. I don’t exactly understand why things like this wouldn’t break the TLS handshake, but I’ve heard a lot of rumors about a handful of ISPs doing stuff like this, so if your ISP has ever prompted you to install a certificate from them, that “might” give them some way to execute a MitM attack and intercept and decrypt your website traffic.

Oh they can see your colors of your underwear :slight_smile:


HTTPS is nowhere near all the data your device sends or receives.

Exactly, and there’s a lot of traffic going to and coming from non-standard ports. Not everything runs on ports 80 and 443.
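To make the two points above concrete (the answer that an HTTPS observer sees the site and the volume but not the page or file, and the follow-ups that plenty of traffic is not HTTPS at all and does not live on 80/443), here is an added example that is not from anyone in this thread. It plays the role of an on-path observer, which is the position both your ISP and a VPN exit node occupy, and reports what it can read from a few packets. Every payload is constructed inline for the example; the hostnames are placeholders, and the TLS ClientHello and DNS query are minimal hand-built messages, not captures.

```python
"""
Added example (not from the thread): what an on-path observer, such as an ISP
or a VPN exit node, can read from raw packet payloads. All payloads below are
constructed by hand for this example; hostnames are placeholders.
"""
import struct


def parse_tls_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello, or None.

    The ClientHello is sent before any key is agreed, so the hostname in the
    SNI extension is plaintext for anyone on the path (unless Encrypted Client
    Hello is in use). Nothing after the handshake is readable this way.
    """
    if len(payload) < 5 or payload[0] != 0x16:          # record type 0x16 = handshake
        return None
    rec_len = struct.unpack('!H', payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                     # handshake type 1 = ClientHello
        return None
    pos = 4 + 2 + 32                                     # skip header, version, random
    sid_len = hs[pos]; pos += 1 + sid_len                # session id
    cs_len = struct.unpack('!H', hs[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
    cm_len = hs[pos]; pos += 1 + cm_len                  # compression methods
    if pos + 2 > len(hs):
        return None
    ext_len = struct.unpack('!H', hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack('!HH', hs[pos:pos + 4]); pos += 4
        if etype == 0x0000:                              # server_name extension
            # list length(2), name type(1), name length(2), name
            name_len = struct.unpack('!H', hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode('ascii')
        pos += elen
    return None


def parse_http_request(payload: bytes):
    """Plain HTTP: method, path and Host header are all readable on the wire."""
    try:
        text = payload.decode('ascii')
    except UnicodeDecodeError:
        return None
    lines = text.split('\r\n')
    parts = lines[0].split(' ')
    if len(parts) != 3 or not parts[2].startswith('HTTP/'):
        return None
    host = next((l.split(':', 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith('host:')), None)
    return {'method': parts[0], 'path': parts[1], 'host': host}


def parse_dns_qname(payload: bytes):
    """Return the queried name from a classic unencrypted DNS query (port 53)."""
    if len(payload) < 12 or struct.unpack('!H', payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]; pos += 1
        if length == 0:
            break
        labels.append(payload[pos:pos + length].decode('ascii')); pos += length
    return '.'.join(labels)


def observer_view(flows):
    """flows: list of (dst_port, payload). Returns what an on-path party learns."""
    out = []
    for port, payload in flows:
        if (sni := parse_tls_sni(payload)) is not None:
            out.append({'port': port, 'proto': 'tls', 'host': sni, 'content': None})
        elif (req := parse_http_request(payload)) is not None:
            out.append({'port': port, 'proto': 'http', 'host': req['host'],
                        'content': f"{req['method']} {req['path']}"})
        elif port == 53 and (qname := parse_dns_qname(payload)) is not None:
            out.append({'port': port, 'proto': 'dns', 'host': qname, 'content': None})
        else:
            out.append({'port': port, 'proto': 'unknown', 'host': None, 'content': None})
    return out


# --- constructed sample traffic (hypothetical hosts, minimal hand-built messages) ---
def build_client_hello(hostname: str) -> bytes:
    name = hostname.encode('ascii')
    entry = b'\x00' + struct.pack('!H', len(name)) + name
    ext = struct.pack('!HH', 0x0000, len(entry) + 2) + struct.pack('!H', len(entry)) + entry
    body = (b'\x03\x03' + b'\x11' * 32 + b'\x00'            # version, random, no session id
            + struct.pack('!H', 2) + b'\x13\x01' + b'\x01\x00'  # one suite, null compression
            + struct.pack('!H', len(ext)) + ext)
    hs = b'\x01' + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs


def build_dns_query(name: str) -> bytes:
    qname = b''.join(bytes([len(l)]) + l.encode('ascii') for l in name.split('.')) + b'\x00'
    return struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack('!HH', 1, 1)


SAMPLE_FLOWS = [
    (443, build_client_hello('mail.example.com')),        # HTTPS: only the hostname is visible
    (8443, build_client_hello('api.example.net')),        # TLS on a non-standard port: same
    (80, b'GET /invoice-2024.pdf HTTP/1.1\r\nHost: files.example.org\r\n\r\n'),  # plain HTTP
    (53, build_dns_query('chat.example.com')),            # plain DNS: queried name is visible
    (6881, b'\xde\xad\xbe\xef' * 4),                      # opaque payload on another port
]

if __name__ == '__main__':
    for row in observer_view(SAMPLE_FLOWS):
        print(row)
```

Run it and the picture matches the thread: for the two TLS flows the observer gets a hostname and nothing else, regardless of port; for the plain HTTP flow it gets the exact file requested; for the DNS lookup it gets the name you resolved even though the later HTTPS connection hides the page. A VPN only moves who sits at this vantage point from your ISP to the VPN operator.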

I would be interested in reading the article. We at Safing built a new protocol to address many of the flaws that came with the adoption of VPNs for privacy. But I would like to read what a VPN provider would argue they do so that they can’t log…

Our goal was to build a system where even if a node would log, nothing can be achieved.
The SPN splits traffic across multiple servers and makes multiple hops so no server has any useful data.