Ankit Banerjee / Android Authority
TL;DR
- Some popular VPNs are employing questionable security practices.
- These VPNs leave their users vulnerable to attack.
A new report indicates some popular virtual private networks (VPNs) may be leaving users exposed to a significant security risk.
VPNs are a popular option for businesses and consumers alike, providing a measure of security and privacy when browsing the web. Unfortunately, a new report by AppEsteem has found that a number of popular options — including Surfshark, Turbo VPN, Atlas VPN, VyprVPN, VPN Proxy Master, and Sumrando VPN — put their users at risk with questionable practices.
AppEsteem discovered that all six of the listed VPNs installed their own root certificate. A root certificate is an important component in cryptography and encryption, essentially proving the validity of an encryption key. Because a root certificate is self-signed, the most trusted ones are issued by established certificate authorities (CA).
Read more: What is a VPN and why do you need one?
Rather than using a root certificate from a trusted CA, each of the six VPNs installed its own self-signed root certificate. While this may not seem like an issue, it leaves users of those VPNs vulnerable to attack since root certificates give the issuers the ability to capture almost any data a computer sends and receives. That risk is why it’s critical to trust the CA implicitly and try to limit the number of root certificates installed on a device.
In addition to the privacy implications, self-signed root certificates also represent a point of possible attack by bad actors, hackers, and rogue governments. Rather than attack a high-profile CA, a hostile entity would only need to compromise the VPN provider and its self-signed certificate to then compromise any devices with that certificate installed. As a result, it’s a highly questionable practice for a VPN provider to use their own certificate, rather than one from a trusted CA.
Unfortunately, at least in Surfshark’s case, installing its Trusted Root Certificate wasn’t the only questionable practice. Surfshark also installs the Surfshark TAP Driver Windows app, Avira, and Open VPN, all without asking for permission.
To make matters worse, Surfshark continues with the installation of its Trusted Root Certificate even if the user cancels the installation process. The app also runs numerous processes in the background and fails to completely remove those processes when uninstalled.
See also: How to use a VPN
Surfshark contacted TechRadar to let them know it was working with AppEsteem to address the issues raised. The company defended its use of its root certificate — despite the fact that top-tier providers don’t do this — although it said it is working on deprecating the IKEv2 protocol, which “will eliminate the need to install the certificate.”
Despite the changes Surfshark has committed to, users would do well to wait for third-party confirmation that all six of these providers have made the necessary changes to be compliant with industry best practices. Consumers interested in the best VPN security would do well to look at Mullvad or NordVPN instead.
