Several well-known VPN providers - including Surfshark, TurboVPN and VyprVPN - are among six brands called out for a risky practice that potentially undermines user security.
As part of its Deceptor programme, security research firm AppEsteem found that providers' apps install a trusted root certificate authority (CA) cert on users' devices and some providers even fail to obtain users' consent for doing so.
AppEsteem recently expanded its programme to include VPN providers, researching VPN apps to look for deceptive and risky behavior that could harm consumers.
[HEADING=1]Not good practice[/HEADING]
AppEsteem also pointed out that popular VPN provider Surfshark installs its root CA cert on the user's device even when the user cancels the installation. Surfshark states that it uses its own trusted root certificate "solely to connect to VPN servers using the IKEv2 protocol".
TechRadar Pro's security expert, Mike Williams, stated: "Installing trusted root certificates isn't good practice. If it's compromised, it could allow an attacker to forge more certificates, impersonate other domains and intercept your communications."
[IMG alt="A screenshot of the Surfshark One security suite setup screen"]https://cdn.mos.cms.futurecdn.net/ZM...HfLw9hidL9.jpg
(Image credit: Future)
[HEADING=1]What are the risks of installing an additional trusted root certificate?[/HEADING]
Root CA certs are the cornerstone of authentication and security in software and on the Internet. They're issued by a certificate authority (CA) and, essentially, verify that the software/website owner is who they say they are.
The installation of an additional root CA cert potentially undermines the security of all your software and communications. Once a new trusted root certificate is on your device, whoever holds its private key can issue certificates that your device will accept, which enables that third party to gather almost any piece of data transmitted to or from your device.
Likewise, an attacker who gets hold of the private key belonging to a trusted root certificate authority can generate certificates for their own purposes and sign them with that key.
This applies to software applications, websites or even email. Anything from a man-in-the-middle attack to installing malware is possible, as illustrated by hacks in 2021 in Mongolia and in 2020 in Vietnam where CAs were compromised.
The power that root CA certs have over a user's device is why state actors like Russia have been pushing citizens to install their new root CA, a move that EFF describes as "paving the way for a decade of digital surveillance".
The six VPN providers that were found to install root CA certs on user devices are Surfshark, Atlas VPN, VyprVPN, VPN Proxy Master, Sumrando VPN and Turbo VPN. Two of the better known providers on the list, Surfshark and Atlas VPN, both recently joined NordVPNās parent company Nord Security. However, NordVPN was not among the named providers.
[HEADING=1]Why would a VPN company want to install a trusted root certificate?[/HEADING]
We don't believe that's necessary even for IKEv2 compatibility, and most top-rated VPNs do not do this.
When an additional root CA cert is installed by a VPN provider, you are relying only on the provider's encryption and authenticity checks, because a certificate issued under that trusted root can override the certificate checks of the actual service you're using (e.g. Mozilla Firefox, WhatsApp).
In a worst-case scenario, this makes it possible for the VPN provider to intercept and monitor essentially all your traffic. We've reached out to Surfshark, Atlas VPN and VyprVPN and will update the article when we hear back.