Click here to visit Original posting
Update: Below is the official statement we received from Surfshark.
When using the Surfshark root certificate, customers put their trust only in a VPN provider and not a third-party agency that can be compromised. Over the past years, we’ve seen numerous cases where third-party CAs were discredited. Surfshark is a trusted cybersecurity company and ensuring the security of our products and the privacy of our customers is our core goal. Building that trust is paramount to us. As for AppEsteem’s evaluation, we’ve closely cooperated with the company in quickly fixing the highlighted issues. All of them have already been fixed and all Windows users should soon receive an updated version of the app. Also, we’ve been working on turning off the no longer popular IKEv2 protocol and focusing all our efforts on supporting Wireguard and OpenVPN protocols. This will eliminate the need to install the certificate.
Several well-known VPN providers - including Surfshark, TurboVPN and VyprVPN - are among six brands called out for a risky practice that potentially undermines user security.
As part of its Deceptor programme, security research firm AppEsteem found that providers’ apps install a trusted root certificate authority (CA) cert on users’ devices and some providers even fail to obtain users’ consent for doing so.
AppEsteem recently expanded its programme to include VPN providers, researching VPN apps to look for deceptive and risky behavior that could harm consumers.
Not good practice
AppEsteem also pointed out that popular VPN provider Surfshark installs its root CA cert on the user’s device even when the user cancels the installation. Surfshark clearly mentions the use of its own trusted root certificate “solely to connect to VPN servers using the IKEv2 protocol”.
TechRadar Pro’s security expert, Mike Williams, stated “Installing trusted root certificates isn’t good practice. ‘If it’s compromised, it could allow an attacker to forge more certificates, impersonate other domains and intercept your communications.”
What are the risks of installing an additional trusted root certificate?
Root CA certs are the cornerstone of authentication and security in software and on the Internet. They’re issued by a certified authority (CA) and, essentially, verify that the software/website owner is who they say they are.
The installation of an additional root CA cert potentially undermines the security of all your software and communications. When you include a new trusted root certificate on your device, you enable the third-party to gather almost any piece of data transmitted to or from your device.
Plus, an attacker who gets hold of the private key that belongs to a trusted root certificate authority can generate certificates for his own purposes and sign them with the private key.
This applies to software applications, websites or even email. Anything from a man-in-the-middle attack to installing malware is possible, as illustrated by hacks in 2021 in Mongolia and in 2020 in Vietnam where CAs were compromised.
The power that Root CA certs have over a user’s device is why state actors like Russia have been pushing citizens to install their new root CA, a move that EFF describes as “paving the way for a decade of digital surveillance”.
The six VPN providers that were found to install root CA certs on user devices are Surfshark, Atlas VPN, VyprVPN, VPN Proxy Master, Sumrando VPN and Turbo VPN. Two of the better known providers on the list, Surfshark and Atlas VPN, both recently joined NordVPN’s parent company Nord Security. However, NordVPN was not among the named providers.
Why would a VPN company want to install a trusted root certificate?
We don’t believe that’s necessary even for IKEv2 compatibility, and most top-rated VPNs do not do this.
When an additional root CA cert is installed by a VPN provider, you are relying only on the provider’s encryption and authenticity checks, as the trusted root certificate can overwrite the encryption and authenticity checks of the actual service you’re using (e.g. Mozilla Firefox, WhatsApp).
This makes it possible for the VPN provider to intercept and monitor essentially all your traffic, in a worst case scenario. We’ve reached out to Surfshark, Atlas VPN and VyprVPN and will update the article when we hear back.