Surfshark, TurboVPN and more are secretly undermining security
Six major Virtual Private Network firms have been shown to be installing root certificates that could open up users' computers to surveillance.
In a similar way to Apple's iCloud Private Relay, VPNs are intended to protect users by routing all data through a trusted service that encrypts personal information. Six of the best-known VPN firms, however, have now been shown to be doing this in a way that could be compromised.
According to TechRadar, the six were uncovered by security research firm AppEsteem. Each installs a trusted root certificate authority (CA) on users devices, and it's this that can be risky.
"Installing trusted root certificates isn't good practice," said Mike Williams, security expert at TechRadar. "If it's compromised, it could allow an attacker to forge more certificates, impersonate other domains and intercept your communications."
It means that even if a user is using a service that is itself encrypted, the VPN provider and potentially bad actors, could overwrite that encryption and intercept all data.
The six VPN vendors reported to be doing this are:
A spokesperson for Surfshark has responded to TechRadar, claiming that the issue has been addressed, although only referring directly to Windows.
"[We've] closely cooperated with [AppEsteem] in quickly fixing the highlighted issues," said the spokesperson. "All of them have already been fixed and all Windows users should soon receive an updated version of the app."
While the Mac is not mentioned, the spokesperson described other efforts that will help Apple users.
"Also, we've been working on turning off the no longer popular IKEv2 protocol and focusing all our efforts on supporting Wireguard and OpenVPN protocols," continued the spokesperson. "This will eliminate the need to install the certificate."
Read on AppleInsider
In a similar way to Apple's iCloud Private Relay, VPNs are intended to protect users by routing all data through a trusted service that encrypts personal information. Six of the best-known VPN firms, however, have now been shown to be doing this in a way that could be compromised.
According to TechRadar, the six were uncovered by security research firm AppEsteem. Each installs a trusted root certificate authority (CA) on users devices, and it's this that can be risky.
"Installing trusted root certificates isn't good practice," said Mike Williams, security expert at TechRadar. "If it's compromised, it could allow an attacker to forge more certificates, impersonate other domains and intercept your communications."
It means that even if a user is using a service that is itself encrypted, the VPN provider and potentially bad actors, could overwrite that encryption and intercept all data.
The six VPN vendors reported to be doing this are:
- Surfshark
- Atlas VPN
- VyprVPN
- VPN Proxy Master
- Sumrando VPN
- Turbo VPN
A spokesperson for Surfshark has responded to TechRadar, claiming that the issue has been addressed, although only referring directly to Windows.
"[We've] closely cooperated with [AppEsteem] in quickly fixing the highlighted issues," said the spokesperson. "All of them have already been fixed and all Windows users should soon receive an updated version of the app."
While the Mac is not mentioned, the spokesperson described other efforts that will help Apple users.
"Also, we've been working on turning off the no longer popular IKEv2 protocol and focusing all our efforts on supporting Wireguard and OpenVPN protocols," continued the spokesperson. "This will eliminate the need to install the certificate."
Read on AppleInsider
Comments
They insisted on keeping my credit card data or wanted to cancel the service I had already paid for.
Although I had disabled auto-renewal.
Their "support" team is deaf and helpless.
I am not surprised they have other bad habits.
Stay away from Surfshark.
With most, you are exchanging snooping from your telco for snooping from Belarusian companies and telcos. Not exactly an upgrade in privacy.
Would that include Proton VPN?