They can do active attacks on you, as most people don't actively attempt to ban and absolutely block unencrypted connections (and there are also sometimes attacks on SSL stacks anyway); and like... SSL isn't really designed to protect the content of your connection anyway: due to size and timing attacks, people have deployed practical implementations of stuff like "figure out where I am looking at on Google Maps" and "figure out what movie I am watching on Netflix", and while I haven't seen a practical implementation of it yet, "learn too much about my search queries due to find-as-you-type".
(Also, if I see you making requests to some websites I can correlate it to others, just on hostname, which I would get from SNI/TLS, not DNS: like, you go to news.ycombinator.com followed by some other websites that are currently on the front page of Hacker News, I can now guess with high likelihood you are clicking on specific website links you just saw.)
As for "the VPN provider can also do that", that is like saying "what can a random stranger do with your secrets that someone you know well can't?", which is "true" sure, but not really interesting: being able to choose the company on whom you rely for security is extremely useful: I don't really have choice over my ISP, but I have choice over my VPN, and so you can't really say "these VPNs are shadier than my ISP" unless you can show the best of all VPNs is shadier than my ISP.
Meanwhile, for many people, your "ISP" on a given day might be "the local coffee shop" or "an airport" or "your brother's friend Bob": people talk about "ISP" as if it always means "AT&T", but I see even extremely technical people who "should know better" happily using WiFi provided by conferences, which is just crazy to me... you are way more likely to get messed with in some scary way by people close enough to you for it to matter than by some random entity.
> SSL isn't really designed to protect the content of your connection anyway: due to size and timing attacks, people have deployed practical implementations of stuff like "figure out where I am looking at on Google Maps" and "figure out what movie I am watching on Netflix", and while I haven't seen a practical implementation of it yet, "learn too much about my search queries due to find-as-you-type".
A VPN won't protect you from these sidechannel attacks.
Not by default, but it could. Send a monolithic stream of 1500 byte packets with some padding to obfuscate transfer rates and you can really disrupt that kind of thing.
(Also, if I see you making requests to some websites I can correlate it to others, just on hostname, which I would get from SNI/TLS, not DNS: like, you go to news.ycombinator.com followed by some other websites that are currently on the front page of Hacker News, I can now guess with high likelihood you are clicking on specific website links you just saw.)
As for "the VPN provider can also do that", that is like saying "what can a random stranger do with your secrets that someone you know well can't?", which is "true" sure, but not really interesting: being able to choose the company on whom you rely for security is extremely useful: I don't really have choice over my ISP, but I have choice over my VPN, and so you can't really say "these VPNs are shadier than my ISP" unless you can show the best of all VPNs is shadier than my ISP.
Meanwhile, for many people, your "ISP" on a given day might be "the local coffee shop" or "an airport" or "your brother's friend Bob": people talk about "ISP" as if it always means "AT&T", but I see even extremely technical people who "should know better" happily using WiFi provided by conferences, which is just crazy to me... you are way more likely to get messed with in some scary way by people close enough to you for it to matter than by some random entity.