Possible security flaw with PIA VPN

Hey Logan, Wendel, Pistol, and Qain. I've been watching you guys on YouTube for a while and I made an account here today and I look forward to being a part of this community. :)

Anyways, I bought a VPN membership from Private Internet Access earlier today and I found a possible security vulnerability. If you download the VPN client while logged into the Client Control Panel you get a custom download with your account information already filled in. Maybe I'm wrong, but I was thinking that if you download this while on an unsecured connection (which is probably the case for most first-time users) and are under a man-in-the-middle attack, then anyone with the know-how could get your login information from the client. As soon as I noticed this it had me thinking... If they'd allow something like this to occur, then why should I trust them to keep my internet traffic private?

Maybe I'm wrong or being paranoid, but what's your guys' opinions on this?

Thanks for the time. :)

This would be a great question to ask them when Logan interviews them.

"If you download the VPN client while logged into the Client Control Panel you get a custom download with your account information already filled in." I could not replicate this.

In addition, every link I clicked on, including the actual download link for their installer_win.exe, was over HTTPS, as in "HTTP over SSL/TLS", as in "secure HTTP". How exactly are you 1) getting the custom information pre-filled (include OS, exact steps starting from their homepage, screenshots) 2) getting a download link that is over plain-text HTTP?

Any decent web browser should let you copy the download link from its download manager. So like, right-click -> copy download link. Can you confirm that link is over HTTP and not HTTPS please?

Considering the data is encrypted between your computer and their server, login credentials shouldn't make the server less secure.

Unless the encryption keys were intercepted. I

The link you were clicking on (the one they give you when you sign up or is in your email, can't remember which) is a custom EXE that's configured to automatically have that information. That's why they tell you it's YOUR installation, and that the link will expire.

I think that people get a bit too paranoid, really. Do you really believe that PIA, or whatever VPN service, does not log or monitor your traffic? Of course they do.

That's a conflicting statement, haha.

You said that people were too paranoid, then gave a reason for people to be paranoid.

There are additional benefits to a VPN service besides browsing anonymously.

Regardless of those, I think most of us understand that there is a large or more than likely chance that they do monitor the traffic, and that's fine. I highly doubt they log the information, though.

It's over HTTPS, I don't know why I forgot to take that into account. Derp.

When you sign up they send you a link that's valid for 24 hours and has your account information included in the installer. Also, when you are logged into the Client Control Panel, the download link includes your account information. If you aren't logged in, it's just a generic download.

^ That's what I said.

I've read in several places that PIA uses IP sharing. That means that multiple people can use a single public-facing IP at the same time, and their network equipment then splits that traffic up and routes it where it needs to go. Supposedly this makes it impossible to link a customer to a certain IP address, and, in turn, that makes it impossible to keep logs. I don't know if this is true, but I asked Logan to put the question in his interview. We'll see if it makes it onto his list and what PIA has to say.