Surfshark, TurboVPN and more are secretly undermining security

In a similar way to Apple's iCloud Private Relay, VPNs are intended to protect users by routing all data through a trusted service that encrypts personal information. Six of the best-known VPN firms, however, have now been shown to be doing this in a way that could be compromised.

According to TechRadar, the six were uncovered by security research firm AppEsteem. Each installs a trusted root certificate authority (CA) on users devices, and it's this that can be risky.

"Installing trusted root certificates isn't good practice," said Mike Williams, security expert at TechRadar. "If it's compromised, it could allow an attacker to forge more certificates, impersonate other domains and intercept your communications."

It means that even if a user is using a service that is itself encrypted, the VPN provider and potentially bad actors, could overwrite that encryption and intercept all data.

The six VPN vendors reported to be doing this are:

• Surfshark
• Atlas VPN
• VyprVPN
• VPN Proxy Master
• Sumrando VPN
• Turbo VPN

Surfshark and Atlas VPN are now merging with NordVPN, but Nord Security is not one of the firms listed as installing the certificate.

A spokesperson for Surfshark has responded to TechRadar, claiming that the issue has been addressed, although only referring directly to Windows.

"[We've] closely cooperated with [AppEsteem] in quickly fixing the highlighted issues," said the spokesperson. "All of them have already been fixed and all Windows users should soon receive an updated version of the app."

While the Mac is not mentioned, the spokesperson described other efforts that will help Apple users.

"Also, we've been working on turning off the no longer popular IKEv2 protocol and focusing all our efforts on supporting Wireguard and OpenVPN protocols," continued the spokesperson. "This will eliminate the need to install the certificate."