Researchers Again Show How Major VPNs Quietly Undermine User Security
from the first-do-no-harm dept
Given the seemingly endless privacy scandals that now engulf the tech, telecom, and adtech sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to try and protect themselves in the wake of scandals, breaches, and hacks.
Unfortunately, many consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bulletproof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.
A Consumer Reports study late last year took a look at 16 top VPN providers, and found that the majority of them misrepresented their products or their data retention practices, and many of the companies actually put consumer privacy at greater risk. Only a quarter of the VPNs looked at clearly indicated how long they retain user browsing and other data.
Other VPNs simply don’t provide particular stellar security, despite marketing claiming that’s the entire reason they exist. For example, Surfshark, TurboVPN, Sumrando VPN, and several other VPN providers were recently accused of installing a trusted root certificate authority (CA) cert on user devices, often without user knowledge or approval.
This risky root certificate opens the users of these VPNs to increased risk of man in the middle or other attacks:
The installation of an additional root CA cert potentially undermines the security of all your software and communications. When you include a new trusted root certificate on your device, you enable the third-party to gather almost any piece of data transmitted to or from your device.
Plus, an attacker who gets hold of the private key that belongs to a trusted root certificate authority can generate certificates for his own purposes and sign them with the private key.
For consumers, determining what VPN provides useful security and what VPN is a privacy and security dumpster fire isn’t easy, especially given how so many VPN reviews are little more than affiliate kickback blogspam. So while quality VPNs are still definitely useful, experts increasingly point out that unless you know what you’re buying and really need the protection, they’re often just not worth it.
Filed Under: consumers, privacy, privacy scandals, root cert, vpn
Comments on “Researchers Again Show How Major VPNs Quietly Undermine User Security”
This is why I’m rarely an early adopter of anything new. Most people who know me would put it down to me ‘disliking change’ because of my autism, but it’s really because so many issues don’t come to light until something is a few years old. Hell, even TOR has its issues, and those weren’t known about until around 2016.
Huh?
It seem quite weird to link a site basically saying “pretty much all your ISP gets to see is that you’re online now, and going through a VPN” as supporting a “have a universe of ways to track you anyway” claim.
Going over the report, it does look like the one VPN that’s an exception in almost every category in Mullvad. So, if you need a VPN, that one might be worth looking in to. Don’t have any personal experience with it, though.
Headline is bogus
There’s a lot of misinformation and exaggerations about VPN. VPN’s do nothing to stop websites and companies tracking you as you browse the web. They don’t make you completely anonymous. If you suspect that the CIA or some other corrupt agency with government backing is coming after you, VPN’s can be a small part of a comprehensive security in depth strategy but by themselves they aren’t going to do a whole lot to protect you.
But that doesn’t mean they’re useless. I’m seeing a lot of articles like this that pooh-pooh VPNs by pointing out what they don’t do, without really addressing what they DO do.
This is like an article that points out that a dead bolt doesn’t prevent anyone from picking up a rock, knocking out your window and crawling in your house with a title of “Researchers again show how dead bolts quietly undermine house security.”
Re: deadbolt don't
A deadbolt actually improves the security of the house. It doesn’t undermine it, and no article is saying it does.
The article is saying a lot of VPNs leave a housekey under a rock near your house guarded by the VPN’s private key – and if the private key leaks … you’re buggered.
Re: Re:
Even if you assume that’s an accurate comparison, then if the private key leaks, you’re in exactly the same position as you would have been in if you’d not used a VPN in the first place. Neither your comment nor the article suggests any way that your security is weakened by using a VPN. As I noted before, a lot of people overestimate the protection provided by a VPN, and pointing out what it doesn’t do is perfectly valid. Claiming that it undermines – IE weakens – your security in comparison to not using one at all is simply false.
Re: Re: Re:
No, you’re in a much worse position. The protections of HTTPS go out the window, more or less.