
Privacy tools vendor Windscribe said it failed to encrypt company VPN servers recently seized by authorities in Ukraine, a mistake that allowed authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them.
The Ontario, Canada-based company said earlier this month that two servers hosted in Ukraine had been seized as part of an investigation into activity that had taken place a year earlier. The servers running the OpenVPN Virtual Private Network software were also configured to use a setting that was deprecated in 2018 after security research revealed vulnerabilities that could allow malicious parties to decrypt data.
“On the disk of those two servers was an OpenVPN server certificate and its private key,” a Windscribe representative wrote in the July 8 post. “While we have encrypted servers in highly sensitive regions, the servers in question were running a legacy stack and were not encrypted. We are currently executing our plan to address this.”
Guarantees denied
Windscribe’s admission underscores the risks of an explosion of VPN services in recent years, many from companies few people have heard of. People use VPNs to route all their internet traffic through an encrypted tunnel, which prevents people connected to the same network from reading or manipulating data or detecting the IP addresses of the two communicating parties. The VPN service then decrypts the traffic and sends it to its final destination.
By not following standard industry practices, Windscribe has largely negated these security assurances. While the company tried to play down the impact by laying out the requirements an attacker would need to meet to be successful, those conditions are exactly the conditions VPNs must protect against. Specifically, Windscribe said, the conditions and possible consequences are:
- The attacker has control over your network and can intercept all communications (privileged position for MITM attack)
- You are using a legacy DNS resolver (legacy DNS traffic is unencrypted and subject to MITM)
- The attacker has the ability to manipulate your unencrypted DNS queries (the DNS entries used to pick an IP address from one of our servers)
- You are NOT using our Windscribe applications (our apps connect via IP and not DNS entries)
The potential impact to the user if all the above conditions are true:
- An attacker could see unencrypted traffic in your VPN tunnel
- Encrypted conversations such as HTTPS web traffic or encrypted messaging services are not affected
- An attacker could see the source and destinations of the traffic
It is important to remember that:
- Most internet traffic is encrypted (HTTPS) within your VPN tunnel
- No historical traffic is at risk thanks to PFS (perfect forward secrecy) that prevents decryption of historical traffic, even if one owns a server’s private key
- No other protocols supported by our servers are affected, only OpenVPN
Three years late
In addition to the lack of encryption, the company also uses data compression to improve network performance. Research presented at the 2018 Black Hat security conference in Las Vegas revealed an attack known as Voracle, which uses clues left in compression to decrypt data protected by OpenVPN-based VPNs. A few months later, OpenVPN discontinued the feature.
The privacy tools maker said it is reviewing its VPN offerings to offer better security. Changes include:
- Ending the use of the current OpenVPN Certificate Authority in favor of a new one that “follows industry best practices, including using an intermediate Certificate Authority (CA)”
- Transitioning all servers to run as in-memory servers with no hard drive backing. This means that all data that the machines contain or generate resides exclusively in RAM and cannot be accessed after a machine is shut down or rebooted.
- Implementation of a forked version of WireGuard as the primary VPN protocol
- Implementation of a “resilient authentication backend” to keep VPN servers functioning even if core infrastructure fails completely
- Enabling new application features such as the ability to change IP addresses without disconnecting, requesting a specific and static IP address, and “client-side multi-hop ROBERT rules that are not stored in any database”
In an email, Windscribe CEO Yegor Sak explained the steps his company is taking. They include:
1. All keys required for the server function are no longer permanently stored on any of our servers and exist solely in memory after being deployed
2. All servers have unique ephemeral certificates and keys generated by our new CA and rotated
3. Each server certificate has uniquely identifying Common Name + SANs
4. New OpenVPN client configurations enforce server certificate X509 name verification using common name which is unique.
He was unusually candid about the lapse, writing:
In the meantime, we have no apologies for this omission. Security measures that should have been put in place were not. After conducting a threat assessment, we believe the way this was handled and described in our article was the best step forward. It affected as few users as possible while transparently addressing the improbable hypothetical scenario resulting from the seizure. No user data was or is at risk (the attack vector to exploit the keys requires the attacker to have full control over the victim’s network with several requirements described in the article above). The hypothetical situations outlined can no longer be exploited as the final CA suspend process was already completed last week on July 20.
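The client-side half of the fixes listed above can be checked mechanically. The following added example (not Windscribe's code) audits an OpenVPN client profile for enabled compression and for missing server-name verification; the profiles, host names and finding codes are constructed, and the directives checked are standard OpenVPN options.

```python
# Added example (constructed profiles, names, finding codes): OpenVPN client audit.
COMPRESSING = {"lzo", "lz4", "lz4-v2"}  # "stub" variants only add framing

def directives(text):
    """Yield token lists per directive, skipping comments and inline <ca>-style blocks."""
    inline = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("</"):
            inline = False
        elif line.startswith("<"):
            inline = True
        elif line and not inline and line[0] not in "#;":
            yield line.split()

def audit(text):
    """Return sorted finding codes for one client profile."""
    findings, pinned, eku = set(), False, False
    for name, *args in directives(text):
        if name == "comp-lzo" and args[:1] != ["no"]:
            findings.add("compression-enabled")  # bare comp-lzo means adaptive
        elif name == "compress" and args and args[0] in COMPRESSING:
            findings.add("compression-enabled")
        elif name == "verify-x509-name" and args:
            pinned = True
            if args[1:2] == ["name-prefix"]:  # accepts any CN with that prefix
                findings.add("name-prefix-match")
        elif name == "remote-cert-tls" and args[:1] == ["server"]:
            eku = True
    if not pinned:  # any server certificate from the same CA would pass
        findings.add("no-server-name-pinning")
    if not eku:     # peer certificate is not required to be a server certificate
        findings.add("no-server-eku-check")
    return sorted(findings)

LEGACY = """client
remote vpn.example.net 1194 udp
comp-lzo
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
HARDENED = """client
remote 192.0.2.10 1194 udp
remote-cert-tls server
verify-x509-name node-001.vpn.example.net name
allow-compression no
"""
if __name__ == "__main__":
    print("legacy:", audit(LEGACY), "| hardened:", audit(HARDENED))
```

A profile that pins each server's unique Common Name fails closed when presented with another server's certificate, even one issued by the same CA.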
It is not clear how many active users the service has. However, the company’s Android app lists over 5 million installs, an indication that the user base is likely large.
The seizure of the Windscribe servers underscores the importance of the kind of basic VPN security hygiene that the company has failed to follow. That, in turn, highlights the risks that arise when people rely on little-known or untested services to protect their internet usage from prying eyes.