Six major Virtual Private Network firms have been shown to be installing root certificates that could open up users' computers to surveillance.
In a similar way to Apple's iCloud Private Relay, VPNs are intended to protect users by routing all data through a trusted service that encrypts personal information. Six of the best-known VPN firms, however, have now been shown to be doing this in a way that could be compromised.
According to TechRadar, the six were uncovered by security research firm AppEsteem. Each installs a trusted root certificate authority (CA) on users' devices, and it is this that creates the risk.
"Installing trusted root certificates isn't good practice," said Mike Williams, security expert at TechRadar. "If it's compromised, it could allow an attacker to forge more certificates, impersonate other domains and intercept your communications."
It means that even if a user is using a service that is itself encrypted, the VPN provider, and potentially bad actors, could subvert that encryption and intercept all data.
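As an added illustration of the defender's side of this (not code from the article, AppEsteem or any of the vendors named), the script below audits a list of trusted root CAs in the dict format Python's standard `ssl` module returns from `SSLContext.get_ca_certs()` and reports any whose subject mentions one of the vendors in the article. The vendor name fragments and the sample certificate entries are assumptions constructed for the example; how each vendor actually labels its certificate is not stated on the page, so a match is a lead to review rather than confirmation.

```python
"""Audit a root CA store for VPN-vendor roots. Python standard library only."""
import ssl
import time

# Vendor names from the article's list. How each vendor labels its certificate
# is an assumption, so a match is a lead to review, not proof of the report.
VPN_VENDOR_HINTS = ("surfshark", "atlas vpn", "vyprvpn", "vpn proxy master",
                    "sumrando", "turbo vpn")


def rdn_to_dict(rdns):
    """Flatten ssl's ((('commonName', 'x'),), ...) subject/issuer layout."""
    flat = {}
    for rdn in rdns:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def flag_suspicious_roots(certs, hints=VPN_VENDOR_HINTS, now=None):
    """Return a list of (commonName, [reasons]) for roots worth a closer look.

    `certs` is a list of dicts in the shape SSLContext.get_ca_certs() returns.
    A root is only reported when its subject mentions a vendor hint; the other
    observations (self-signed, validity window) are attached as context.
    """
    now = time.time() if now is None else now
    findings = []
    for cert in certs:
        subject = rdn_to_dict(cert.get("subject", ()))
        issuer = rdn_to_dict(cert.get("issuer", ()))
        name = subject.get("commonName", "<no CN>")
        haystack = " ".join(subject.values()).lower()
        if not any(h in haystack for h in hints):
            continue
        reasons = ["subject matches a VPN vendor name"]
        if subject == issuer:
            # A self-signed root can sign a certificate for any domain this
            # host will then trust, which is the interception risk described.
            reasons.append("self-signed root: can issue certs for any domain this host will trust")
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        if now < not_before or now > not_after:
            reasons.append("outside its validity window")
        else:
            years = (not_after - not_before) / (365.25 * 86400)
            reasons.append(f"valid for about {years:.0f} years")
        findings.append((name, reasons))
    return findings


def list_system_roots():
    """Roots Python's default context trusts. On Windows this reads the OS
    ROOT and CA stores, which is where a VPN installer would add its root;
    on macOS it reflects OpenSSL's bundle, not the login/System keychain,
    so check Keychain Access there separately."""
    return ssl.create_default_context().get_ca_certs()


# Constructed sample entries in the get_ca_certs() dict format. "Sample VPN Ltd"
# is a made-up organisation, not one of the vendors named in the article.
def _entry(org, cn, not_before, not_after):
    subject = ((("organizationName", org),), (("commonName", cn),))
    return {"subject": subject, "issuer": subject, "version": 3,
            "serialNumber": "01", "notBefore": not_before, "notAfter": not_after}


SAMPLE_ROOTS = [
    _entry("Example Trust Services", "Example Root CA",
           "Jan  1 00:00:00 2015 GMT", "Jan  1 00:00:00 2040 GMT"),
    _entry("Sample VPN Ltd", "Sample VPN Client Root",
           "Mar  1 00:00:00 2021 GMT", "Mar  1 00:00:00 2031 GMT"),
]

if __name__ == "__main__":
    # Run against the constructed samples; the made-up vendor is added to the hints.
    for name, reasons in flag_suspicious_roots(SAMPLE_ROOTS, hints=VPN_VENDOR_HINTS + ("sample vpn",)):
        print(name, "->", "; ".join(reasons))
    # Uncomment to audit this machine (see list_system_roots for platform caveats):
    # for name, reasons in flag_suspicious_roots(list_system_roots()):
    #     print(name, "->", "; ".join(reasons))
```

The name-based match is deliberately narrow: every legitimate OS root is also self-signed, so self-signed status alone is not a signal and is only reported as context once a vendor name matches. On a real machine, treat a hit as a prompt to inspect the certificate's purpose and, if the client no longer needs it (the article notes Surfshark plans to drop the IKEv2 setup that required it), remove it from the store.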
The six VPN vendors reported to be doing this are:
- Surfshark
- Atlas VPN
- VyprVPN
- VPN Proxy Master
- Sumrando VPN
- Turbo VPN
Surfshark and Atlas VPN are now merging with NordVPN, but Nord Security is not one of the firms listed as installing the certificate.
A spokesperson for Surfshark has responded to TechRadar, claiming that the issue has been addressed, although only referring directly to Windows.
"[We've] closely cooperated with [AppEsteem] in quickly fixing the highlighted issues," said the spokesperson. "All of them have already been fixed and all Windows users should soon receive an updated version of the app."
While the Mac is not mentioned, the spokesperson described other efforts that will help Apple users.
"Also, we've been working on turning off the no longer popular IKEv2 protocol and focusing all our efforts on supporting WireGuard and OpenVPN protocols," continued the spokesperson. "This will eliminate the need to install the certificate."
10 Comments
Had a Surfshark subscription.
They insisted on keeping my credit card data or wanted to cancel the service I had already paid for.
Although I had disabled auto-renewal.
Their "support" team is deaf and helpless.
I am not surprised they have other bad habits.
Stay away from Surfshark.
Has anyone regularly used iCloud Private Relay?
I’ve used iCloud private relay since it became available. While I wouldn’t typically use it by itself, I’m slightly less concerned by the fact that I canceled my previous VPN subscription and haven’t chosen a new one yet.
As I keep saying, there's nothing private about most of these "VPN" services. They are proxies which use VPN technologies for the client-to-proxy leg of the connection.
With most, you are exchanging snooping from your telco for snooping from Belarusian companies and telcos. Not exactly an upgrade in privacy.
I got an Express VPN subscription a few years ago to use my movie streaming services for a few weeks in a foreign country. After I signed up, they demanded a scan of my driver’s license, but I protested like crazy and they eventually said they didn’t really need it, it had just been a mistake on their part. That was creepy enough that I have been leery of VPNs ever since.