This is exactly what I asked on the primedice announcement thread yesterday. I knew about TOR and that it can get your account compromised if you're not careful and you can end up getting your coins stolen, but I was confused about VPN. Thanks for this.
Great post. It should also be noted that having an SSL does NOT make a website more "trustworthy" at all. Anyone can purchase an SSL and they're usually pretty cheap. I only bring this up because I've seen other sites try to mislead visitors before with SSL.
If a hacker uses an SSL to impersonate a site, will the site address still show up as it does originally in the address bar? I mean the green/blue glowed up name with the favicon and the padlock? Ex.
If you are not using SSL, the URL will look correct, but there will not be a padlock, and the URL will start with http:// rather than https://.
If you are using SSL, there will be a padlock and https and your connection is encrypted and you are reasonably safe. Just pay attention to any popups you might get about "expired certificates" and such, and also check the fingerprint of the SSL cert for extra safety as OP mentioned.
I would recommend the browser addon HTTPS Everywhere, which will check the fingerprints automatically for you and also force your browser to use SSL on most websites. This will mitigate the risk of this kind of attack significantly without you needing to do anything.
Note that this kind of attack can happen to anyone using the internet; however, it is most frequently seen on Tor, VPNs, proxies and public wifi as it is easier for an attacker to get "in-the-middle" of your internet connection. The NSA have used backbone internet routers to execute these attacks; these routers relay vast amounts of the internet's traffic so they can do this to almost any connection, so this kind of thing can happen to anyone.
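
The fingerprint check mentioned in the replies above, as an added example that is not part of the original thread: it compares a certificate's SHA-256 fingerprint with a value recorded earlier over a connection you trust, so a different certificate fails even when the browser would show a padlock for it. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex digits only."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (the value browsers display)."""
    return hashlib.sha256(der_cert).hexdigest()


def as_colon_hex(fp: str) -> str:
    """Format a fingerprint the way certificate viewers usually print it."""
    h = normalize(fp).upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """True only if the certificate is byte-for-byte the one that was recorded."""
    want = normalize(pinned)
    if len(want) != 64:
        raise ValueError("pin must be a 64-hex-digit SHA-256 fingerprint")
    return hmac.compare_digest(fingerprint(der_cert), want)


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate over a normally validated TLS connection."""
    ctx = ssl.create_default_context()  # keeps chain and hostname validation on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-in bytes so the example runs offline; in real use the input
# is fetch_der("<site you care about>") and PINNED is the value you noted earlier.
GENUINE_DER = b"constructed bytes standing in for the real site's certificate"
OTHER_DER = b"constructed bytes standing in for a different certificate"
PINNED = as_colon_hex(fingerprint(GENUINE_DER))

if __name__ == "__main__":
    print("recorded pin :", PINNED)
    print("genuine cert :", matches_pin(GENUINE_DER, PINNED))
    print("other cert   :", matches_pin(OTHER_DER, PINNED))
```

A recorded fingerprint stops matching when the site renews its certificate, so a mismatch means "verify through another channel", not automatically "attack".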