New research reveals Surfshark, TurboVPN, VyprVPN are installing risky root certificates
Date:
Tue, 19 Apr 2022 15:26:10 +0000
Description:
Security design flaw paves the way for surveillance or man-in-the-middle attacks.
FULL STORY ======================================================================
Several well-known VPN providers - including Surfshark, TurboVPN and VyprVPN - are among six brands called out for a risky practice that potentially undermines user security.
As part of its Deceptor programme, security research firm AppEsteem found that the providers' apps install a trusted root certificate authority (CA) certificate on users' devices, and some providers even fail to obtain users' consent before doing so.
AppEsteem recently expanded its programme to include VPN providers, researching VPN apps to look for deceptive and risky behaviour that could harm consumers.
Not good practice
AppEsteem also pointed out that popular VPN provider Surfshark installs its root CA cert on the user's device even when the user cancels the installation. Surfshark clearly states that it uses its own trusted root certificate solely to connect to VPN servers using the IKEv2 protocol.
TechRadar Pro's security expert, Mike Williams, stated: "Installing trusted root certificates isn't good practice. If it's compromised, it could allow an attacker to forge more certificates, impersonate other domains and intercept your communications."
What are the risks of installing an additional trusted root certificate?
Root CA certs are the cornerstone of authentication and security in software and on the Internet. They're issued by a certificate authority (CA) and, essentially, verify that the software/website owner is who they say they are.
The installation of an additional root CA cert potentially undermines the security of all your software and communications. When you add a new trusted root certificate to your device, your software will accept any certificate that chains to that root as genuine, so you enable the third party that controls it to gather almost any piece of data transmitted to or from your device.
In addition, an attacker who gets hold of the private key belonging to a trusted root certificate authority can generate certificates for their own purposes and sign them with that key.
This applies to software applications, websites and even email. Anything from a man-in-the-middle attack to installing malware becomes possible, as illustrated by the hacks in 2021 in Mongolia and in 2020 in Vietnam, where CAs were compromised.
The power that root CA certs have over a user's device is why state actors such as Russia have been pushing citizens to install their new root CA, a move that the EFF describes as paving the way for a decade of digital surveillance.
The six VPN providers that were found to install root CA certs on user devices are Surfshark, Atlas VPN, VyprVPN, VPN Proxy Master, Sumrando VPN and Turbo VPN. Two of the better-known providers on the list, Surfshark and Atlas VPN, both recently joined NordVPN's parent company, Nord Security. However, NordVPN itself was not among the named providers.
Why would a VPN company want to install a trusted root certificate?
We don't believe that's necessary even for IKEv2 compatibility, and most top-rated VPNs do not do this.
When an additional root CA cert is installed by a VPN provider, you are relying only on the provider's encryption and authenticity checks, because the trusted root certificate can override the encryption and authenticity checks of the actual service you're using (e.g. Mozilla Firefox, WhatsApp).
In a worst-case scenario, this makes it possible for the VPN provider to intercept and monitor essentially all your traffic. We've reached out to Surfshark, Atlas VPN and VyprVPN and will update the article when we hear back.
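As an added illustration, not part of the original story or any vendor's software, the following PowerShell check snapshots the Windows trusted root stores and, on later runs, reports any root certificate that has appeared since the baseline was taken, which is how an unexpected VPN-installed root would surface. The baseline file location is an assumption.

```powershell
# Added example: detect newly installed trusted root CA certificates on Windows
# by comparing the current root stores against a saved baseline.
# The baseline path below is an assumption; adjust it for your environment.
$BaselinePath = Join-Path $env:ProgramData 'root-store-baseline.json'

function Get-RootStoreSnapshot {
    # Both the machine-wide and the per-user root stores matter: an installer
    # running without admin rights can still add a root to CurrentUser\Root.
    Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
        ForEach-Object {
            [pscustomobject]@{
                Store      = ($_.PSParentPath -split '::')[-1]
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
            }
        }
}

$current = Get-RootStoreSnapshot

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is trusted today so later runs can spot additions.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath ($($current.Count) roots)."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

# '=>' marks objects present now but absent from the baseline, i.e. new roots.
$added = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
    -Property Store, Thumbprint -PassThru | Where-Object SideIndicator -eq '=>'

if (-not $added) {
    Write-Output 'No trusted roots added since the baseline.'
    return
}

foreach ($cert in $added) {
    # A self-signed root you do not recognise (Subject equal to Issuer, added
    # around the time a VPN client was installed) warrants investigation
    # before it is allowed to remain trusted.
    Write-Warning ("New root in {0}: {1} (thumbprint {2}, expires {3:yyyy-MM-dd})" -f `
        $cert.Store, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
}
```

Run it once before installing a VPN client to record the baseline, then again afterwards; removing a flagged root with Remove-Item against its Cert: path reverts the change.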
======================================================================
Link to news story:
https://www.techradar.com/news/new-research-reveals-surfshark-turbovpn-vyprvpn-are-installing-risky-root-certificates/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)