"ExpressVPN Client" certificate is not trusted
I'm using the ExpressVPN app on my Mac, and in Keychain Access I got this message:
"ExpressVPN Client" certificate is not trusted
I'm wondering if it is safe or not?
Thanks
MacBook Pro 15″, 11.3
Although I am not experienced in these areas, I think I can provide some basic insight (may not be entirely accurate):
A 'certificate' is basically a digital file that says "Hey, I'm safe to use!" For example, when somebody wants to create a website, they 'sign' a certificate. However, these certificates can expire after a set amount of time. Usually, people are aware of their expiration dates, but some people neglect them and forget to re-sign.
In your case, you either have a 'counterfeit' certificate or ExpressVPN forgot to re-sign. Sure, if you trust your gut enough, you can continue to use the certificate. However, I'd advise you to do the following instead:
An expired certificate doesn't really mean one definite thing. It could mean the owner simply forgot to re-sign, or it could mean that you downloaded a malicious ExpressVPN install from the wrong website.
Try this analogy. Let's say somebody wins a race and gets a ribbon. They show their ribbon to everybody, and everybody believes that they won the race because, well, they have the proof. Then, one day, the winner's ribbon gets blown away. They still did win the race, it's just that they don't have the proof anymore. Then, over time, fewer and fewer people will believe them since they don't have the proof. It's like that.
VPN clients are generally safe, just download them from the correct, trusted website.
I'd wonder whether the goal here is to decrypt and access your encrypted network traffic—I've operated various VPNs and VPN clients and VPN servers, and outside of a certificate to authenticate the client to the VPN server—which'd be a fairly unusual way to implement authentication for a commercial VPN provider—there doesn't seem to be another reason to add a trusted certificate.
VPN clients in the app store inherently have access to all of your network traffic, and can—if the provider chooses—log, track, and monitor DNS traffic, as well as any unencrypted connections. And a trusted cert in your storage means that your client will establish a trusted connection to any server, whether an intermediate host intercepting traffic, or the intended destination of a network connection.
I'm skeptical about the value of a commercial VPN. If you really need encryption past the existing VPNs present within most apps, then there are open-source alternatives that allow you to run your own VPN server, which provides you with more control over what is logged, and what security is enabled.
Old Toad wrote:
MrHoffman will correct me if I'm wrong but we're referring to public vpn services. Running your own you have control over the privacy.
Correct. Private VPN clients and private VPN servers allow a client to connect to an organization's internal network, as if the client was directly connected to that private internal network. Traffic is encrypted from the client to the VPN server located on the organization's network. I use these to access restricted-access networks, too.
Commercial VPN services purportedly protect the first part of a network connection though even that's questionable as knowledge of the VPN credentials means those connections can be intercepted and decrypted. Commercial VPN providers concentrate traffic where it can be scanned and tracked and logged and—if the provider is inclined—unencrypted network traffic can be modified. Having a "virtual tap" directly into your network traffic effectively located right next to your Mac or your iPhone or your iPad is valuable to advertisers and others fond of mining your activity data, too.
Existing clients already encrypt most of the network traffic, such as traffic between the client device and Apple, and any traffic using HTTPS connections between the client and the web servers. Mail too is encrypted, so long as SSL/TLS security is enabled. And most do use SSL/TLS security, as few mail providers now offer unencrypted access to the provider's mail servers. Making the VPN unnecessary.
If you really want to run a VPN server—something that's unnecessary for most folks—then learn more about Algo or Streisand. But to be blunt, unnecessary for most of us.
That I am seeing various reports of VPN network connections denied access to certain network functions leads me to believe that those VPN services are intercepting and accessing even a user's encrypted traffic, too. This beyond the usual routing issues that can arise with any private or commercial VPN.
Some other reading on the topic:
https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa
https://www.michalspacek.com/i-dont-use-any-vpn-for-security-or-anonymity
JackHinkle wrote:
<snip>
VPN clients are generally safe, just download them from the correct, trusted website.
The client itself may be safe but the functionality and purpose of the VPN may not be. If it is a public VPN connection all your traffic traversing the VPN can be viewed, stored, sold by the owners of the VPN server. This does not appear "safe" to me. Then after the VPN provider does what they want with your data, they dump it back onto the open Internet just as you would have without the VPN. If the VPN is providing a secure private point-to-point tunnel to a company or other institution's private network then it is "safe".
Thanks for quick answer but I'm not asking if VPN clients are trusted or not philosophically :).
What I meant was, when the Keychain Access indicated "The certificate is not trusted" in my certificates tab for any app, what does it mean exactly? Does it mean that they can keep track of my network? Or does it mean that someone can access my comp.? Or does it mean they can monitor my screen? Or that this app has malware?
https://gist.github.com/joepie91/5a9909939e6ce7d09e29
A VPN can do absolutely nothing to hide any data going between you and the site you're viewing since only half of the communication is encrypted. Anything going to the site from the VPN and back to it is in the clear, or the site you're accessing would have no idea what to do with the encrypted data.
A VPN has only two uses:
1. You're using it to send and receive content from a truly tunneled VPN at your place of employment. Only the servers at the office get the unencrypted data from you as output from the VPN. Anything coming back to you is encrypted. Meaning, anyone trying to capture data between you and the office will only ever see encrypted data. A hacker would have to somehow breach the business' server on the clear input/output side to get anything.
2. You're trying to hide yourself. Since a VPN encrypts what's coming back to you, it does a good job at hiding what IP address the data is going back to (and as the link mentions, even this doesn't do a good job of hiding you anymore). However, any and all VPNs log this data. If you do anything illegal and law enforcement tracks the clear data back to the VPN (and they can), they'll demand log data to see what IP address the data was output to. The site running the VPN will give you up. They aren't going to go to jail for what you do.
Are they safe? No, not really. They won't (or shouldn't) cause any issue with your Mac, but free VPNs are free for a reason. The owners are collecting data on everything you do as your data passes through their servers. Why else would it be free? Running those servers sure isn't free for them. They have to have a way to turn every user's data stream into income.
Are paid versions any better? No, and for the same reason. You have no idea what they're doing with your data.
Thank you for the long and nice answer, Jack. But I've just downloaded the app from the right website. What concerns me is that ExpressVPN doesn't have an app in the App Store and you can only download it from their website. When you download apps from the App Store, they are all sandboxed, which is meant to keep users safe from apps that contain malicious code or contain vulnerabilities.
So firstly I downloaded the app from the ExpressVPN website and then it says "Certificate is not trusted". So do you understand my concern?
Thanks.
Here's some food for thought: unless you're using a true VPN tunnel, such as between you and your employer's or bank's servers, they are useless from a privacy standpoint: Public VPNs are anything but private.
I agree with Kurt Lang about VPN uses 1 and 2 are definitely not safe. But there is a 3rd reason to have one. Living in Canada, a lot of U.S. content providers geo-lock their content so persons outside the U.S. cannot view it. But, ha ha ha, Canadians are legally allowed to use a VPN to view that content while at home. If that's what you want to use it for, that's fine. But I leave mine TURNED OFF at all times, and only use it to stream geo-locked content, because of the concerns about the safety of your data as it's likely flung far and wide as it's bouncing around all of the different servers. And I ALWAYS turn it off immediately after I'm done using it.
Anyway,
Thank you guys for your valuable thoughts. I guess inexperienced users like me don't have much choice to hide network traffic, or surfing without profiling :(
Can you at least refer me to a good website that shows how to use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption?
Best Regards.
Hassasburun wrote:
Anyway,
Thank you guys for your valuable thoughts. I guess inexperienced users like me don't have much choice to hide network traffic, or surfing without profiling :(
Can you at least refer me to a good website that shows how to use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption?
Best Regards.
To use https you just use https://apple.com rather than http://apple.com in the address bar of your browser. If the server is secure it will respond to the https request and your traffic is encrypted.
A VPN is not needed unless mandated by an employer for off-site working or maybe for banking purposes. Commercial VPNs purport to keep your data private and secure - the jury is out on this.
How are we going to run our own VPN server then? Can you suggest a website that explains this topic in detail?
Thanks Kurt for the link, but the link you gave me is for experienced users I guess. :( Is there a website that describes these things more simply?
MrHoffman will correct me if I'm wrong but we're referring to public vpn services. Running your own you have control over the privacy.