- Joined
- Jun 28, 2020
- Messages
- 6,488
- Reaction score
- 712
- Points
- 212
- Awards
- 2
VPN services install root certificates that can be used by attackers to spy on users.
![[IMG]](https://www.securitylab.ru/upload/iblock/cd3/cd3a7d881e75673899d3bac222090ab8.jpg)
Six major VPN companies install root certificates that can be used by attackers to spy on users.
VPNs are designed to protect users by routing all data through a trusted service that encrypts personal information. However, according to an investigation by AppEsteem, it became known that six of the most famous VPN services (Surfshark, Atlas VPN, VyprVPN, VPN Proxy Master, Sumrando VPN and Turbo VPN) do this in an extremely dangerous way. Each service installs a trusted root CA on users' devices, putting their privacy at risk.
Installing trusted root certificates is not a good practice. If the certificate is compromised, the attacker will be able to forge more certificates, impersonate other domains, and intercept user communications.
This means that even if the user is using a service that is itself encrypted, the VPN provider and cybercriminals can overwrite that encryption and intercept all data.
A Surfshark spokesperson said the issue has been resolved, although it only affects systems running Windows.
Six major VPN companies install root certificates that can be used by attackers to spy on users.
VPNs are designed to protect users by routing all data through a trusted service that encrypts personal information. However, according to an investigation by AppEsteem, it became known that six of the most famous VPN services (Surfshark, Atlas VPN, VyprVPN, VPN Proxy Master, Sumrando VPN and Turbo VPN) do this in an extremely dangerous way. Each service installs a trusted root CA on users' devices, putting their privacy at risk.
Installing trusted root certificates is not a good practice. If the certificate is compromised, the attacker will be able to forge more certificates, impersonate other domains, and intercept user communications.
This means that even if the user is using a service that is itself encrypted, the VPN provider and cybercriminals can overwrite that encryption and intercept all data.
A Surfshark spokesperson said the issue has been resolved, although it only affects systems running Windows.