Researchers Again Show How Major VPNs Quietly Undermine User Security

from the first-do-no-harm dept

Given the seemingly endless privacy scandals that now engulf the tech, telecom, and adtech sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to try and protect themselves in the wake of scandals, breaches, and hacks.

Unfortunately, many consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bulletproof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.

Consumer Reports study late last year took a look at 16 top VPN providers, and found that the majority of them misrepresented their products or their data retention practices, and many of the companies actually put consumer privacy at greater risk. Only a quarter of the VPNs looked at clearly indicated how long they retain user browsing and other data.

Other VPNs simply don’t provide particular stellar security, despite marketing claiming that’s the entire reason they exist. For example, Surfshark, TurboVPN, Sumrando VPN, and several other VPN providers were recently accused of installing a trusted root certificate authority (CA) cert on user devices, often without user knowledge or approval.

This risky root certificate opens the users of these VPNs to increased risk of man in the middle or other attacks:

The installation of an additional root CA cert potentially undermines the security of all your software and communications. When you include a new trusted root certificate on your device, you enable the third-party to gather almost any piece of data transmitted to or from your device. 

Plus, an attacker who gets hold of the private key that belongs to a trusted root certificate authority can generate certificates for his own purposes and sign them with the private key.

For consumers, determining what VPN provides useful security and what VPN is a privacy and security dumpster fire isn’t easy, especially given how so many VPN reviews are little more than affiliate kickback blogspam. So while quality VPNs are still definitely useful, experts increasingly point out that unless you know what you’re buying and really need the protection, they’re often just not worth it.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Researchers Again Show How Major VPNs Quietly Undermine User Security”

Subscribe: RSS Leave a comment
Naughty Autie says:

This is why I’m rarely an early adopter of anything new. Most people who know me would put it down to me ‘disliking change’ because of my autism, but it’s really because so many issues don’t come to light until something is a few years old. Hell, even TOR has its issues, and those weren’t known about until around 2016.

DanJ (profile) says:

Headline is bogus

There’s a lot of misinformation and exaggerations about VPN. VPN’s do nothing to stop websites and companies tracking you as you browse the web. They don’t make you completely anonymous. If you suspect that the CIA or some other corrupt agency with government backing is coming after you, VPN’s can be a small part of a comprehensive security in depth strategy but by themselves they aren’t going to do a whole lot to protect you.

But that doesn’t mean they’re useless. I’m seeing a lot of articles like this that pooh-pooh VPNs by pointing out what they don’t do, without really addressing what they DO do.

This is like an article that points out that a dead bolt doesn’t prevent anyone from picking up a rock, knocking out your window and crawling in your house with a title of “Researchers again show how dead bolts quietly undermine house security.”

DanJ (profile) says:

Re: Re:

Even if you assume that’s an accurate comparison, then if the private key leaks, you’re in exactly the same position as you would have been in if you’d not used a VPN in the first place. Neither your comment nor the article suggests any way that your security is weakened by using a VPN. As I noted before, a lot of people overestimate the protection provided by a VPN, and pointing out what it doesn’t do is perfectly valid. Claiming that it undermines – IE weakens – your security in comparison to not using one at all is simply false.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...