3

Choosing an off-the-shelf VPN service, is it safe to access my Gmail, PayPal, ... accounts?

The accounts are accessed via https, but I don't know if with a VPN there is one secure channel between my computer and the https server, or two, i.e. [me] <-> [vpn server] <-> [https server]

If it is the latter case, could the VPN admin see unencrypted traffic between me and https server?

4 Answers

2

HTTPS connections can only really be validly done between the client and https server.

If the VPN admin was able to decrypt the traffic, they would have to have a valid SSL certificate purporting to be from the server's domain, with a private key that is valid for the certificate. This shouldn't be possible as long as the root certificate authorities enabled in your browser are safe. To be sure of this, keep your browser up to date.

If a man-in-the-middle was to do the latter method you mention without this, your browser would complain of an invalid certificate.

Andy
  • 4,085
1

When using HTTPS/TLS/SSL, site traffic is encrypted between your browser (or the application initiating the connection) and the web server that is serving pages to you. This means that if any intermediary attempts to "listen" to your requests/responses, all they will see is encrypted traffic.

This encryption model is the same regardless of whether you are using a VPN or a standard internet connection.

MrEyes
  • 313
0

The only secure option would be to use a real VPN. One of the better ones that works on every operating system is OpenVPN. I have been using Road Warrior VPN as my VPN provider for the last couple of years. The reason I say to use a real VPN like OpenVPN is because it is not possible to have someone do a Man-in-the-middle attack on you.

Shawn
  • 1
0

Like the others have said, this is going to typically be secure. But I'll throw this out there just for completeness as no one else mentioned this.

If the VPN service in question also requires a proxy then it is possible that the proxy uses a trusted SSL certificate to insert itself in the middle of this communication. But it would require that your computer trusts the proxy's CA (certificate authority). This would require that you install the VPN service's proxy's CA cert into your browser. This could also be done using a Group Policy in a Windows Domain. So assuming you're talking about a 3rd party service as setting it up doesn't involve a step of trusting a CA either in your browser or in your OS's CA keyring then your traffic is safe. Keep in mind that there are some legit reasons to do this as it is typically done so the data stream can be scanned by the intrusion prevention and anti-virus/malware engines.

But the HTTPS request in such a situation would look like this.

[me]<->[vpn server]<---->[proxy]<-->[website]   
                     |            |  
      proxy spoofed ssl cert   website ssl cert

So everything between [me] and [proxy] is secured using a spoofed certificate signed by the proxy's trusted CA and everything between the [proxy] and the website is using the original website's certificate. So there's an opportunity in this case to access the data on the proxy unencrypted.

3dinfluence
  • 12,539
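
Added example (not part of any answer above): when a proxy's CA has been installed as trusted, the handshake validates and the browser shows no warning, so the visible difference is the certificate's issuer. This Python check compares the issuer of a validated certificate against issuers recorded on a trusted network; the host name, CA names and sample certificates are constructed, and the expected-issuer list is an assumption.

```python
import socket
import ssl


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Handshake with the OS trust store and return getpeercert()'s dict."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_field(rdns, key):
    """Read one attribute from getpeercert()'s nested RDN tuples."""
    for rdn in rdns:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def check_issuer(cert, expected_orgs):
    """Flag a certificate that validated but was issued by an unexpected CA."""
    issuer = cert.get("issuer", ())
    org = name_field(issuer, "organizationName")
    cn = name_field(issuer, "commonName")
    verdict = "ok" if org in expected_orgs else "unexpected-issuer"
    return verdict, org, cn


# Constructed sample data in getpeercert() format; all names are made up.
DIRECT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
VIA_PROXY = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example VPN Inspection"),),
               (("commonName", "Example VPN Proxy CA"),)),
}
# Issuer organizations noted earlier on a network you trust (assumption).
EXPECTED = {"Example Public CA"}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT), ("via proxy", VIA_PROXY)):
        print(label, check_issuer(cert, EXPECTED))
    # Live use: check_issuer(fetch_peer_cert("mail.example.com"), EXPECTED)
```

An issuer mismatch is a prompt to inspect the machine's trust store, not proof of interception, since sites do change certificate authorities.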