Further evidence that maintaining online privacy requires choosing a VPN service carefully

Jul 27, 2021 14:48 GMT

Windscribe, an IT company that sells privacy protection tools, said the VPN servers recently seized by Ukrainian authorities were not encrypted, allowing the government to impersonate its servers as well as capture and decrypt communications that went through them, according to Ars Technica.

The company announced earlier this month that two servers hosted in Ukraine had been seized as part of an investigation into suspicious activity a year ago. Windscribe's admission highlights the risks associated with the proliferation of VPN services in recent years. Those risks are significant, and many business owners have yet to learn about them.

Besides the lack of encryption, the company uses data compression to improve network performance. Research presented at the 2018 Black Hat Las Vegas security conference uncovered an attack called Voracle that exploited compression features to decrypt data encrypted by VPNs based on OpenVPN. A few months later, that OpenVPN feature became obsolete.
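An added example, not from the article or from Windscribe: a small Python audit that flags OpenVPN configurations which still enable payload compression, the feature the Voracle research targeted. The sample config is constructed; the directive names (`comp-lzo`, `compress`, `allow-compression`) are OpenVPN's, and the `allow-compression no` check assumes OpenVPN 2.5 or later.

```python
import shlex

# Constructed sample (not Windscribe's real configuration).
SAMPLE_CONFIG = """\
# constructed OpenVPN server config
port 1194
proto udp
cipher AES-256-GCM
comp-lzo adaptive
push "compress lz4-v2"
"""

# Arguments that keep compression framing but do not compress payloads.
# A bare "compress" is framing only; a bare "comp-lzo" means adaptive compression.
SAFE_ARGS = {"comp-lzo": {"no"}, "compress": {"", "stub", "stub-v2", "migrate"}}


def directives(text):
    """Yield (line_no, pushed, tokens), unwrapping push "..." options."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        tokens = shlex.split(raw, comments=True)  # '#' starts a comment
        if not tokens or tokens[0].startswith(";"):
            continue
        if tokens[0] == "push" and len(tokens) > 1:
            inner = shlex.split(tokens[1])
            if inner:
                yield line_no, True, inner
        else:
            yield line_no, False, tokens


def audit(text):
    """Return findings as (line_no, description); line 0 means file-level."""
    findings, allow = [], None
    for line_no, pushed, tok in directives(text):
        name, arg = tok[0], (tok[1] if len(tok) > 1 else "")
        if name == "allow-compression":
            allow = arg
        elif name in SAFE_ARGS and arg not in SAFE_ARGS[name]:
            where = "pushed to clients" if pushed else "local"
            findings.append((line_no, f"{where}: {name} {arg}".rstrip()))
    if allow != "no":  # assumes OpenVPN 2.5+, where this option exists
        findings.append((0, "allow-compression no is not set"))
    return findings


if __name__ == "__main__":
    for line_no, message in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {message}")
```

Pushed directives are reported separately because a server can turn compression on for every client that connects to it, even when the client's own file does not mention it.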

Windscribe went without these safeguards, primarily by not adhering to standard industry norms, and it was accused of using configurations that have been obsolete since 2018. The company did try to play down the impact by outlining the conditions an attacker would have to meet in order to succeed.

The privacy tools provider said it is in the process of revamping its VPN product to provide more security. Below are some examples: 

  • Implementing the forked WireGuard version as the main VPN protocol.
  • Activating new application capabilities such as changing IP addresses without disconnecting the program, requesting a specific IP, and multi-hop, client-side R.O.B.E.R.T. rules that are not recorded in any database.
  • Deploying a resilient authentication backend that allows VPN servers to work even if the core infrastructure is completely out of operation.
  • Continued use of its existing OpenVPN certificate authority for a new certificate that follows industry best practices, including the use of a CA.
  • Transitioning all servers to run as in-memory servers with no hard disk backing. This means all data is held or generated live only in RAM and cannot be retrieved after a machine is shut down or restarted.

The seizure of the Windscribe servers is a strong reminder of how important core VPN security measures are, and that the company had not yet applied them. As a result, individuals who rely on unknown or untested solutions to mask their Internet activity from prying eyes run the risk of being exposed.