Earlier this month, Ukrainian authorities confiscated two Virtual Private Network (VPN) servers in the region as part of an investigation into a 2020 incident. The servers turned out to be unencrypted.
The Company Behind It
Privacy tools firm Windscribe admitted in a blog post that it had failed to properly encrypt these servers. As a result, the authorities were able to impersonate the servers and extract and decrypt the traffic passing through the system.
The post also noted that the disks of the two servers contained an OpenVPN server certificate along with its private key.
A Windscribe representative further explained that the company had earlier found that the servers were not encrypted.
“Although we have encrypted servers in high-sensitivity regions, the servers in question were running a legacy stack and were not encrypted,” he added.
According to a report by Ars Technica, the incident has raised questions about the safety of VPNs. This is a pressing concern, considering the rise in the number of VPN providers in recent years, and it increases the possibility that other privacy companies are carrying the same risk.
The outlet further explained that failing to encrypt servers defeats the purpose of the strong VPN protocols meant to protect users. When these standard industry practices are not followed, the security guarantee for users is ultimately taken away.
Windscribe, however, went on to assure the public that it is “currently enacting their plan to address this”.
In response to the incident, Windscribe announced that it is now in the process of overhauling its systems for overall security improvement.
In an email, Windscribe Director Yegor Sak shared some of the steps that the company is taking:
- All servers will run in-memory, which means the required keys are no longer stored permanently on disk.
- Digital certificates and keys generated from Windscribe’s new CA will be short-lived.
- Each certificate will have a unique identifying Common Name and SANs.
- New OpenVPN client configurations will enforce server certificate X.509 name verification via the unique Common Name.
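To make the last step concrete, here is an added illustration of what an OpenVPN client profile with server name verification looks like. It is not Windscribe’s actual configuration; the Common Name `ca-tor-001.vpn.example.net` and the CA file name are constructed placeholders. The directives themselves (`ca`, `remote-cert-tls`, `verify-x509-name`) are standard OpenVPN options.

```conf
# Added illustration, not Windscribe's configuration. Server name and
# file names below are constructed placeholders.

client
dev tun
proto udp
remote ca-tor-001.vpn.example.net 443

# Trust only the provider's own CA. A profile that stops here (this line and
# nothing below) accepts ANY certificate issued by that CA, so a single
# server key taken from one machine can be reused to impersonate every
# server in the fleet.
ca provider-ca.crt

# Require the server certificate to carry the TLS Server extended key usage,
# so a client certificate issued by the same CA cannot be presented as a server.
remote-cert-tls server

# Pin the exact Common Name the client expects. With this line, a leaked
# server certificate and key only ever validate for the one name they were
# issued for; the "name" type means an exact match on the CN.
verify-x509-name ca-tor-001.vpn.example.net name
```

The name pin only helps if each server really has a unique Common Name, which is why the certificate and client-profile changes go together. Short certificate lifetimes then bound how long any key that does leak remains usable, and because the client pins the name rather than the certificate itself, routine rotation of the server certificate does not require new client profiles.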
Windscribe has amassed over five million downloads on the Play Store. Even with such a large client base, missteps like this still occur among VPN providers. That is why users must always scrutinize even the best VPN services to ensure their security.