Dumb question I know but I didn’t see it asked already. If I use nord vpn, nord could theoretically unencrypt my traffic and see it. When I use AWS to create a VPN over the open VPN network, who can unencrypt my data? Amazon?
If it is Amazon that seems suspicious to me that one of the major companies that you’d be trying to keep your info from is the one with the key.
Anyways thanks for explaining.
If I use nord vpn, nord could theoretically unencrypt my traffic and see it.
Why do you believe this? If your traffic is going over SSL/TLS, your VPN doesn’t magically have the end server’s private key and ability to decrypt.
It sounds like you may not fully understand how VPNs or network encryption work.
It entirely depends on what certificate you use to encrypt the traffic…
You can leverage ACM which theoretically AWS would have access to - but any AWS entity accessing private certs in your account would be catastrophic to their business model…
You can still leverage ACM and just use it to store your own cert, which comes with the same risks, or you could pull the cert from another location that you control - which if you’re that worried about it would be the more ideal solution…
Unless you are risking some espionage or something incredibly illegal, you are going too far…
Let’s have a refresher on how VPNs work.
A VPN connection routes all your internet traffic via the VPN server, and only encrypts the traffic between your client machine and the VPN service itself. So in a sense the VPN provider HAS TO unencrypt your traffic for it to work. It also masks your IP address behind the IP address of the VPN service.
From a privacy perspective this makes it as if you were browsing the web (or whatever you’re doing) directly on the VPN provider’s network. So it makes it impossible for anyone between you and the VPN provider (e.g. your ISP) to see what you’re doing, and it means websites you visit see the VPN provider instead of your home network as the source of the traffic. But the VPN provider has direct visibility into everything you do over their network, if they choose to look.
As for whether you’re better off with Nord VPN vs self hosted on AWS: Both companies have an explicit interest in not spying on you, because it would undermine their business model, and also some other reasons they could want to…
However putting on my paranoid hat I would be inclined to trust AWS more than any dedicated VPN provider for two reasons:
- If your goal was to spy on people then setting up a VPN to attract people to give you all their web traffic directly would be a great strategy. In fact this has been done by some less reputable providers. This is a potential reason to distrust any VPN provider in principle.
- Providing VPNs is not an important part of AWS’ business, and they have MUCH more to lose by betraying customer trust in this way. I’m talking tens of billions of dollars worth of lost profits from reputational damage (remember AWS is much more profitable than Amazon.com). They take customer privacy/security very seriously because they’re strongly incentivised to do so. Not to mention that even if they figured that some users might use AWS to create VPNs carrying juicy consumer info that could theoretically be useful for advertising or whatever – building the capability to meaningfully exploit these relatively rare users like this is not cheap, and the potential value of doing so isn’t that great. There are much easier ways to get useful info about consumers.
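The refresher above (encryption only between client and VPN server, the provider seeing the real destination, the TLS layer staying opaque to it) can be modelled in a few dozen lines. This is an added illustration, not code from any poster in the thread: the cipher is a toy HMAC-SHA256 keystream standing in for the real TLS and VPN ciphers, and the hostnames, keys and request are constructed sample values. The only point it makes is who holds which key at each hop.

```python
"""Who can read what when an HTTPS request goes through a VPN tunnel.

Added illustration for this thread; not code from any of the posts.
The cipher is a toy keystream (HMAC-SHA256 in counter mode) standing in for
the real TLS and VPN ciphers, so the point is only who holds which key.
All hostnames, keys and the request below are constructed sample values.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 12


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with HMAC-SHA256(key, nonce || counter).
    Symmetric, so the same call both encrypts and decrypts. Demonstration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def build_tunnel_packet(vpn_key: bytes, tls_key: bytes, web_host: str, http_request: bytes) -> dict:
    """Client side. Inner layer: the HTTP request sealed under the TLS session key
    (shared only with the web server). Outer layer: the whole inner packet, including
    its destination, sealed under the VPN key (shared only with the VPN server)."""
    inner = {"dst": web_host, "payload": seal(tls_key, http_request).hex()}
    outer_payload = seal(vpn_key, json.dumps(inner).encode())
    return {"dst": "vpn-gateway.example.net", "payload": outer_payload.hex()}  # constructed hostname


def isp_sees(packet: dict) -> dict:
    """The ISP sits between client and VPN server and has neither key:
    it learns only that you talk to the VPN gateway, and how much."""
    return {"dst": packet["dst"], "bytes": len(bytes.fromhex(packet["payload"]))}


def vpn_sees(packet: dict, vpn_key: bytes) -> dict:
    """The VPN server strips its layer and learns the real destination, but
    still holds only TLS ciphertext for the request itself."""
    inner = json.loads(unseal(vpn_key, bytes.fromhex(packet["payload"])))
    return {"dst": inner["dst"], "tls_ciphertext": bytes.fromhex(inner["payload"])}


def server_sees(tls_ciphertext: bytes, tls_key: bytes) -> bytes:
    """The web server holds the TLS session key and recovers the request."""
    return unseal(tls_key, tls_ciphertext)


def demo() -> dict:
    vpn_key = os.urandom(32)   # constructed: what the VPN handshake would have agreed
    tls_key = os.urandom(32)   # constructed: what the TLS handshake would have agreed
    request = b"GET /me/about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    pkt = build_tunnel_packet(vpn_key, tls_key, "www.example.com:443", request)
    vpn_view = vpn_sees(pkt, vpn_key)
    return {
        "isp": isp_sees(pkt),
        "vpn_dst": vpn_view["dst"],
        "vpn_can_read_path": b"/me/about.html" in vpn_view["tls_ciphertext"],
        "vpn_guess_without_key": unseal(b"not the tls key", vpn_view["tls_ciphertext"]),
        "server": server_sees(vpn_view["tls_ciphertext"], tls_key),
    }


if __name__ == "__main__":
    for who, view in demo().items():
        print(who, "->", view)
```

Running it prints one line per vantage point: the ISP sees only the gateway address and a byte count, the VPN server sees `www.example.com:443` plus opaque bytes, and only the web server recovers `GET /me/about.html`. Swap the self-hosted gateway name for a commercial provider's and nothing changes: whoever runs the tunnel endpoint is the party that sees the destination list.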
When I use AWS to create a VPN over the open VPN network, who can unencrypt my data? Amazon?
At some point your data becomes unencrypted and will traverse AWS’s network. Either internally in a VPC or through egress. They are going to see your traffic with or without the key. The question is do they care? No one at AWS is sitting there reading every packet you are sending. But they are looking for anomalous behavior since they do need to protect their network to protect themselves and other customers. Look up “shared responsibility model”
If it is Amazon that seems suspicious to me that one of the major companies that you’d be trying to keep your info from is the one with the key.
No one on the Amazon side of things has any insight or access into what is going on in a customer AWS VPC. And why do you care if Amazon has your info or not?
Nope not even kinda sorta. But it was my understanding that a VPN could theoretically unencrypt your traffic if they wanted to. Is that incorrect?
Nope nothing like that. Just misunderstood how a VPN works.
This is a wonderful post. Thank you. You’ve precisely gauged my level of ignorance on the subject and brought me up to a point that I feel informed enough to decide how to proceed. I’d upvote you more if I could. 
Thanks. As far as why do I care if Amazon has my info, personal browsing habits not being in the hands of major corporations seems like a pretty reasonable amount of privacy to ask for to me. Lol can a man want his “private tab” to be reasonably private without need for further justification?
I’m sure we all remember Target advertising baby supplies to the pregnant teen before the dad knew. I think it can be hard to know what you want to keep private, or why, or from whom until that information has been used in a way you didn’t expect.
Question is what exactly you want to hide. If you connect over https (as you should) then the service provider can’t see the data you transmit regardless of whether you use a VPN or not. That’s the whole point of SSL
That being said, the service provider can see where you connected – i.e. if this were about phone calls: they see when you made a call and what number you dialled but they don’t know what you were talking about
Now if you use a VPN to connect to the Amazon network, then you terminate encryption there and make an ordinary connection to the outside world – then Amazon would indeed be able to see where you connected. But as long as you use https they wouldn’t know what you transmitted
Yes, you are incorrect. There is more nuance to explore but for the purposes of your question, a vpn provider can not decrypt encrypted traffic.
When you send web traffic, there is data and headers (packages that hold data). The headers do get decrypted, otherwise they won’t know which way to send your traffic. Your data, however, remains encrypted in transit and gets decrypted when it reaches the web server.
The targeting of ads etc. is due to Google keyword search, 3rd party ads in webpages, DNS and tracking… tons of them. This is the scary part and happens in your browser, not AWS data centers decrypting your data to see what you are browsing (that’s so power consuming and not realtime).
So e.g. if you visit Salesforce Platform for Application Development | Salesforce US (http is open but https is encrypted*)
3rd parties in the network can see you went to site.com. Only your browser and the end server know you visited /me/about.html
Obviously I’m talking about a normal setup where you don’t have SSL inspection or proxied traffic.
Hope this helps.
Sounds like you don’t know how VPNs work and get your tech news from MSNBC
A VPN gives you the ability to access a private network or to change location (you can also add a N/W firewall if you want)…
What you expect is privacy, which is nearly impossible to have considering everything uses cookies, trackers etc. to track you and show relevant ads etc…
What would those NSA boxes do, exactly?
I am pretty sure if NSA wanted to spy, they would have their spyware installed onto the management software that AWS employees use, that or direct access to the software - whether AWS is aware or not, it seems more logical than to (at best) go through petabytes of legitimate traffic to find what they are looking for.
HTTPS will still allow for a lot of traffic analysis, like the unencrypted dns request, where and how much traffic is going to the server.
Ok so if all I want to do is download the new Fast and the Furious movie for example, and I use my AWS VPN, and the site I’m on is https, then my ISP won’t know what I downloaded, Amazon either can’t or won’t look, and the website will only have an IP address that isn’t mine, right?
In HTTPS (HTTP over TLS) the HTTP headers are in the encrypted part of the TLS packets. Unless the observer cracks the session key they can’t see the headers.
SNI (Server Name Indication) is different. During the TLS handshake the domain name you connect to is shared in cleartext. So the observer will be able to know that you visited thepiratebay DOT com or some other domain whose very visit would disclose more than you like.
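The two posts above that draw the line between "they see you went to site.com" and "only your browser and the server know you visited /me/about.html", and this last one on SNI, describe exactly what a passive on-path observer can parse out of TLS. The following added example (not code from any poster) builds a minimal ClientHello carrying an SNI extension, constructed so the parser has realistic input, and then shows what an observer can log from each record: content type and length always, the SNI hostname from the ClientHello, and nothing from the application_data records that carry the HTTP request. The hostnames are constructed sample values; the record layout follows the TLS wire format.

```python
"""What an on-path observer (ISP, VPN exit, cloud network) can read from TLS on the wire.

Added illustration for this thread, not code from any post. build_client_hello()
constructs a minimal ClientHello carrying an SNI extension so the parser has
realistic input; extract_sni() is the logic a passive observer, or a defender's
own egress monitoring, applies. All hostnames are constructed sample values.
"""
import os

RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}


def build_client_hello(hostname: str) -> bytes:
    """Constructed ClientHello record: one cipher suite, null compression, SNI only."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name           # name_type host_name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0 = server_name
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"       # legacy_version, random, empty session_id
            + b"\x00\x02\x13\x01"                         # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                 # compression_methods: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # msg_type client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def describe_record(record: bytes) -> tuple:
    """The record header is always cleartext: content type and length, nothing else."""
    if len(record) < 5:
        raise ValueError("short record")
    return (RECORD_TYPES.get(record[0], "unknown"), int.from_bytes(record[3:5], "big"))


def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None if absent.
    Truncated or foreign input yields None rather than an exception."""
    try:
        if record[0] != 0x16:
            return None                                       # not a handshake record
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if hs[0] != 0x01:
            return None                                       # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # skip legacy_version and random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos + 2 > len(body):
            return None                                       # no extensions block at all
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            q = 2                                             # skip server_name_list length
            while q + 3 <= len(edata):
                ntype, nlen = edata[q], int.from_bytes(edata[q + 1:q + 3], "big")
                if ntype == 0:
                    return edata[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        return None
    except IndexError:
        return None


def observer_summary(records: list) -> list:
    """What a passive observer can log per record: type, length and, for a
    ClientHello, the SNI hostname. The HTTP request inside application_data
    (method, path, headers) never appears here."""
    out = []
    for rec in records:
        kind, length = describe_record(rec)
        out.append((kind, length, extract_sni(rec) if kind == "handshake" else None))
    return out


if __name__ == "__main__":
    # Constructed flow: ClientHello, then an application_data record whose body
    # (opaque sample bytes here) would be the encrypted GET /me/about.html.
    flow = [build_client_hello("www.example.com"), b"\x17\x03\x03\x00\x20" + os.urandom(32)]
    for entry in observer_summary(flow):
        print(entry)
```

The summary for the constructed flow is a `handshake` record with `www.example.com` and an `application_data` record of 32 bytes with no hostname and no path. That is the whole of what the ISP, the VPN endpoint, or the cloud network learns from the TLS layer: the domain from SNI (unless Encrypted Client Hello is in use), the timing and sizes of records, and, as the thread notes separately, any plaintext DNS lookup made beforehand.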