Several well-known VPN providers – including Surfshark, TurboVPN and VyprVPN – are among the six brands singled out for a risky practice potentially undermining user safety.
As part of its Deception program, security research firm AppEsteem has found that some VPN vendors' apps install a trusted root certification authority (CA) certificate on user devices, and some vendors don't even get user consent to do so.
AppEsteem recently expanded its program to include VPN providers, scouting VPN apps for deceptive and risky behavior that could harm consumers.
Not a good practice
AppEsteem also pointed out that popular VPN provider Surfshark installs its root CA certificate on the user’s device even when the user cancels the installation. Surfshark clearly mentions using its own trusted root certificate “only to connect to VPN servers using the IKEv2 protocol”.
TechRadar Pro security expert Mike Williams said: "Installing trusted root certificates is not good practice. If compromised, it could allow an attacker to forge more certificates, impersonate other domains, and intercept your communications."
What are the risks of installing an additional trusted root certificate?
Root CA certificates are the cornerstone of authentication and security in software and on the Internet. They are issued by a Certificate Authority (CA) and essentially verify that the owner of the software/website is who they claim to be.
Installing an additional root CA certificate potentially compromises the security of all your software and communications. When you add a new trusted root certificate to your device, you allow the third party that controls it to collect almost all data transmitted to or from your device.
Additionally, an attacker who steals the private key belonging to a trusted root CA can generate certificates for their own purposes and sign them with the private key.
This applies to software applications, websites and even email. Everything from a man-in-the-middle attack to installing malware is possible, as the compromises of certificate authorities in Mongolia in 2021 and in Vietnam in 2020 illustrate.
The power that root CA certificates have over a user's device is why state actors such as Russia push citizens to install their own root CA, a decision that the EFF describes as "setting the stage for a decade of digital surveillance".
The six VPN providers that have been found to install root CA certificates on user devices are Surfshark, Atlas VPN, VyprVPN, VPN Proxy Master, Sumrando VPN, and Turbo VPN. Two of the most well-known providers on the list, Surfshark and Atlas VPN, both recently joined NordVPN’s parent company, Nord Security. However, NordVPN was not among the providers named.
Why would a VPN company want to install a trusted root certificate?
We don’t think this is necessary, even for IKEv2 compatibility, and most top-rated VPNs don’t.
When an additional root CA certificate is installed by a VPN provider, you rely only on the provider's encryption and authenticity checks, because the trusted root certificate can override the encryption and authenticity checks of the actual service you are using (e.g. Mozilla Firefox, WhatsApp).
In the worst case, this allows the VPN provider to intercept and monitor all of your traffic. We have contacted Surfshark, Atlas VPN and VyprVPN and will update the article when we hear back.
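The following Go program is an added example illustrating the two points made above (the risk section and the explanation of why an extra root overrides a service's own checks); it is not code from the article, from AppEsteem or from any VPN vendor. All certificates in it are generated on the fly and labelled as constructed, the hostname mail.example.com stands in for any third-party service, and the "approved baseline" is a set of SHA-256 fingerprints the defender is assumed to have recorded from a known-good trust store. It shows that a certificate for a domain the extra root does not own is rejected by a TLS client until that root is installed, and then verifies like any other, and it shows the audit a defender can run: compare the fingerprints of installed roots against the baseline and flag anything new.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key pair and signs tmpl with parent; a nil parent
// means self-signed, i.e. a root. Every certificate here is constructed for the example.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// rootTemplate describes a CA certificate that may sign other certificates.
func rootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
}

// serverTemplate describes a TLS server certificate for host. Nothing in X.509
// ties a root to "its own" domains: any trusted root can sign any hostname.
func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// trustedFor is the check a TLS client performs: does leaf chain to a root in pool and name host?
func trustedFor(leaf *x509.Certificate, host string, pool *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// fingerprint is the SHA-256 of the DER encoding, the value trust-store audits compare.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// unexpectedRoots lists installed roots whose fingerprint is not in the approved baseline.
func unexpectedRoots(installed []*x509.Certificate, approved map[string]bool) []string {
	var out []string
	for _, c := range installed {
		if !approved[fingerprint(c)] {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

// runScenario: a certificate for a third-party host, signed by an extra root, is
// rejected until that root is installed; an audit against a baseline flags the root.
func runScenario() (beforeOK, afterOK bool, flagged []string) {
	publicRoot, _ := makeCert(rootTemplate("Example Public Root (constructed)"), nil, nil)
	extraRoot, extraKey := makeCert(rootTemplate("Example VPN Root (constructed)"), nil, nil)
	const host = "mail.example.com" // a hostname the VPN vendor does not operate
	leaf, _ := makeCert(serverTemplate(host), extraRoot, extraKey)

	pool := x509.NewCertPool()
	pool.AddCert(publicRoot)
	beforeOK = trustedFor(leaf, host, pool)

	pool.AddCert(extraRoot) // what installing the vendor's root does to the device's store
	afterOK = trustedFor(leaf, host, pool)

	approved := map[string]bool{fingerprint(publicRoot): true}
	flagged = unexpectedRoots([]*x509.Certificate{publicRoot, extraRoot}, approved)
	return
}

func main() {
	beforeOK, afterOK, flagged := runScenario()
	fmt.Printf("mail.example.com trusted with the baseline root only: %v\n", beforeOK)
	fmt.Printf("trusted once the extra root is installed: %v\n", afterOK)
	fmt.Printf("roots not in the approved baseline: %v\n", flagged)
}
```

The fingerprint comparison is the practical takeaway: on a managed fleet, record the SHA-256 fingerprints of the roots you expect, export the device's root store periodically, and alert on any root that is not in the baseline, since a root that arrived with an application rather than with the operating system is exactly what the article describes.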