RaisinCrazyFool

This would require the server’s certificate, which the VPN wouldn’t (generally) have access to.

The key part of this is that server certificates are trusted and verifiable. To the extent that’s true, the process is secure against man-in-the-middle attacks. That’s because the client browser can confirm that the server’s certificate is legitimate, and encrypt its own public key with that server’s public key, so nobody in the middle can read it.

If a man in the middle replaced the encryption keys with their own, then the client would know about it, because it can verify the server’s encryption key and of course it knows its own private key, which has never been transmitted over the wire.

You can read more details on the process here: https://www.ssl.com/article/ssl-tls-handshake-ensuring-secure-online-interactions/

Of course nothing is 100% secure. God only knows how many third parties (like government intelligence agencies) have compromised major certificate authorities. If you have access a certificate authority’s private keys, then you can spoof basically anything.

IP addresses do not map to URLs.

They might map to domains, but not necessarily.

The SSL/TLS encryption used on the web is designed to prevent that type of attack. It’s called “asymmetric encryption”, because a different key is used to encrypt and decrypt data. So each side has both a private and public key. You can broadcast your public key, and then anyone can use it to encrypt a message that only YOU can decrypt, with your private key. The private key never goes over the network, so the VPN provider can’t intercept messages meant for you.

It’s possible to spoof the server’s certificate and make your browser think it’s talking to a real server when it’s not. However, this is difficult, because certificates follow a chain of trust, so they’d either need to compromise one of the certificate authorities (plausible for state-level actors), or compromise your web browser/OS so that it trusts a fake authority (definitely possible for a browser/OS vendor, but again, it would be noticed, especially in an open-source product like Firefox).

There are lot of enterprise products out there that perform this kind of “attack” so that businesses can monitor their network traffic. They do this by requiring adding their certificate authority to the list of trusted certs in the OS. This is often called “deep packet inspection”. If you try to use these products without adding their certs, your browser will throw a fit every time you load a site because it will see that the certificate doesn’t match.

Generally not. Anything with authentication would be using HTTPS encryption. So there will be two layers of encryption: the VPN encryption and the web site’s HTTPS encryption. The VPN provider can’t replace the HTTPS encryption because your browser would identify it as being encrypted with the wrong certificate and it would block the connection.

Although…given that they control the browser, too, I suppose they could code it to remove those safeguards, but that would not go unnoticed for long.

When you use a VPN, it basically replaces your ISP as the intermediary who can snoop all your traffic, so the real question is who do you trust more: your ISP or Mozilla?

If the point is to burn calories, then shaving weight off your equipment is counterproductive.

But if it makes you want to ride more, then great!