Computer Help and Support

Using an untrusted VPN service is adding risk to your environment, not reducing it. I personally would
never trust a VPN service in Hong Kong or any totalitarian state. Hell, I usually don't trust them anyway
and use them only for specific testing.

The VPNs act as a relay for you and cause the remote system (that you're using) to see the VPN address instead of yours.

But as a result, all of your traffic goes to the VPN servers who "see" all of your packets. It's a great single-point of attack for someone that wants to spy on your traffic.

Normally the contents of your traffic will be encrypted until it reaches the final destination. But just the contents, not the envelope containing the "to" and "from" addresses that direct the packet to its destination. The VPN service will know both your real network address and which site you are using.

And they'll also (usually) see your domain-name system lookups. E.g. when your computer looks up the network address for "whistle-blower.com" or "top.secrets.newspaper.com". The VPN service will know when you're connecting with those sites.

And of course, there's the issue that most VPN services want you to install *their* software on your device(s). So who knows what malware it contains if the VPN service is evil or compromised.

And then there is "man in the middle" where if the VPN is seriously evil, it can pretend to be the site you want to connect with and decrypt all of the traffic ... including the contents.

For more a little more info ...

https://security.stackexchange.com/questions/20948/can-a-vpn-decrypt-my-ssl-traffic#20955