At the outset I must mention that I am quite ignorant about tech...with that admission out of the way, I have often wondered whether downloading VPN software exposes me to spyware or other malware? After all the VPN vendor can track my usage, record my banking passwords and so on.

So how can one get around that without slowing down my laptop and without being a tech wizard? I travel a lot, which is why the peceived need for a VPN - but I wonder whether I would be leaping from the pan to the fire?

Some of the VPN vendors (e.g. Astrill) have strong connections to China - isn't that the place where all the dragons live?

It depends on the VPN provider in question. The name brand ones are among the more trustworthy. I think it would be a bad idea indeed to sign up for a proxy or VPN provider based in China without a strong tradition of and commitment to privacy.

Why do you think that just because you tunnel through a VPN, that they record your banking passwords?

Skepticism is not unhealthy

In the OP, you said you were not a tech wizard, otherwise I would have encouraged you to set up a VPN server of your own. It can be done on your home router if you're not looking for a lot of performance.

I really do wonder how many VPN services are NSA/CIA/FBI/whoever honeypots

Crap, they know what I'm into?!

Dear Father, I have sinned.

If you have a secure connection with the site the VPN server has no way of decrypting your data. The whole point of encyption is to keep the man in the middle from sniffing your packets, it doesn't matter if it's going through a VPN or not.

The VPN will find out where you are going, though.

I don't agree with this. In fact, if you have a VPN server, then the service provider is well situated to be able to decrypt your data, if they had the time and inclination (and computing resources) to do so. So it is quite important to trust your VPN provider.

Normal traffic routes all over the internet, there is no guarantee someone can get all of the packets and reassemble it into a coherent piece. The only exceptions are the intermediary who is carrying the traffic, i.e. your ISP, and see (and potentially logs/stores) all packets, and if you use a VPN - the VPN provider.

Think of it like a shredder - if you shred and put the confetti into multiple bags and dispose of it, your data is pretty safe, right? Well, yes, unless the shredder is scanning the paper and sending it off somewhere just before it shreds.

For risk minimization purposes, I choose to trust my ISP (generally meaning a telecom) over a commercial VPN provider - which means I generally don't use a commercial VPN, unless I need an IP address from a different geography. I trust my employers VPN much more than a commercial solution, and use it for my important transactions like Online Banking when I am overseas, as I follow up on work email (limited personal use clause and all).

Are you aware of how PKI/https/certs etc works?

I'd be a lot more concerned about Chinese and Russian hacker honeypots.

99.9x% of the time within large time windows of operation, your traffic to a given server will route through the same intermediaries.

Regarding paranoia about the insecurity of https, as long as your browser and website are using TLS 1.2 with a good cipher and block mode, no need to worry too much. Do remember to change your passwords periodically if you're super-paranoid in case someone decides to decrypt your passwords transmitted via today's secure ciphers years from now when today's ciphers are compromised.

The black hat would normally go after the data entering a place of interest--say, a bank.

Proper crypto is only attacked by obtaining the key by some means, not by grabbing packets and cracking it.

I have some understanding of how encryption works - I am also aware of something called brute force attacks, which only requires a sufficient number of data points for verification before they are compromised.

I think the advice about periodically changing passwords is sound.

Going out on a bit of a limb here, but I suspect most of the data being sent in an https session is predictable just by looking at the URL - Anyone with access to the same institution's web page with a different set of valid credentials could see what is the expected content (i.e. the frame/text of the web page). The only varying/interesting pieces are the personalized bits of information.

I agree with this, but I think the question is whether the intermediaries have interest/capability to collect data and try to compromise the security. Which is why I generally trust telco and ISPs, because I personally believe I am not a person of interest, i.e. these companies are not being asked by the govt to track me. That makes my information part of a large data stream, and thus is less likely to be subjected to a directed attack.