Windscribe, a Canada-based VPN provider, says it realized that two of its servers seized in June by Ukrainian authorities had unencrypted disks, leaving open the possibility that whoever holds those disks could, under narrow conditions, impersonate a Windscribe server and intercept some customers' VPN traffic.
Since discovering the incident earlier this month, the company has been overhauling its infrastructure to improve security.
Asked by IT World Canada if the incident will impact its business, company co-founder Yegor Sak said that “it remains to be seen. However, so far our users were very receptive to our complete self-elected transparency in this matter, and we have not seen any spike in cancellations.”
In emailed responses to questions, Sak said the absence of disk encryption on the servers, a safeguard meant to protect the service and its customers, “was a result of human error. We’ve altered our processes to prevent this from happening in the future.”
“We messed up, we researched a proper solution and implemented it. We could have avoided saying anything and be totally in-line with the ‘industry norm’ and you would never even hear about it. But that would go against the spirit of how we operate.”
Based in Richmond Hill, Ont., Windscribe has 63 servers around the world running the open-source OpenVPN virtual private network platform. The company promises to encrypt browsing activity, block ads, and unblock geographically restricted online entertainment content through those worldwide servers.
Asked if he is certain the servers in Ukraine are the only ones that aren’t encrypted, Sak replied, “This no longer matters, as we’ve deployed a stopgap solution last week which eliminates the need to store any keys or secrets on the VPN servers themselves.
“Regardless of its encryption state, no user data ever resided there, and as of last Friday no sensitive secrets exist on disk either. This gives us breathing room to implement the RAM-only servers … which is a superior solution to disk encryption, as it does not require for a hard disk to even exist.”
The incident began on June 24th, when Windscribe’s two hosted servers in Ukraine were seized by authorities as part of an investigation into alleged criminal activity in April 2020, the company said in a blog post describing the events. The hosting provider had failed to tell Windscribe that there had been an order to seize the servers.
“We have no reason to believe that the servers were compromised or that there was any unauthorized access before the seizure,” the company said in the blog. “As we do not log VPN traffic, no customer data from those servers while in operation are at any risk.”
However, the company then realized that an OpenVPN server certificate and its private key were stored unencrypted on the disks of those two servers. “Although we have encrypted servers in high sensitivity regions, the servers in question were running a legacy stack and were not encrypted,” the company explained.
A custom certificate authority is used to verify that a customer’s computer is talking to the VPN server it thinks it is talking to, Sak explained. With OpenVPN, the certificate authority is distributed inside the OpenVPN configuration: the CA certificate is embedded in the client config, and the client trusts any server presenting a certificate signed by that CA. A server certificate and key taken from a seized disk therefore remain trusted by every client until the CA itself is replaced, which is why the fix goes beyond rotating a single server’s key.
“In extremely limited cases,” Windscribe admitted, someone with that private key, and “with a very high level of resources” and access to a customer’s network could impersonate a Windscribe VPN server and capture VPN tunnel traffic running through it. “The Ukrainian authorities have the hypothetical ability” to do that, it added.
It stressed that this could only happen if all four of the following conditions were met:
- the attacker controls the customer’s network and can intercept all of its communications (a man-in-the-middle, or MITM, position);
- the customer is using a plain, unencrypted DNS resolver (classic DNS over UDP or TCP is sent in the clear and can be tampered with by a MITM);
- the attacker uses that position to rewrite the customer’s DNS answers, so that the lookup of a Windscribe server hostname returns an attacker-controlled IP address;
- and the customer is not using Windscribe’s own applications, which connect to servers by IP address rather than by hostname and so never perform the DNS lookup; a generic OpenVPN client configured with a server hostname is the exposed case.
If all four conditions were met, someone holding the seized server certificate and key could stand up a look-alike server, accept the customer’s connection, and see the unencrypted traffic inside that customer’s VPN tunnel. However, Sak said, traffic captured before the seizure cannot be decrypted, even by someone who possesses the key.
“Considering it took over a year to seize the servers,” Sak said in reply to our questions, “we’re fairly confident that the impact was extremely minimal or non-existent considering the requirements to execute any type of attack and the general competence of local law enforcement, who we spoke to.”
Once it realized the problem, Windscribe decided it had to drop the OpenVPN certificate authority “in favor of a brand new one that follows industry best practices,” the company blog says. The new design uses an intermediate certificate authority, and no certificate it issues is valid for longer than 90 days. This change has been in place for a few weeks. The final step in shedding the old systems will take place August 3rd.
In addition, Windscribe plans to shift from disk-based to in-memory-only servers early in the fall for added protection. Because nothing is written to disk, whatever a server holds or generates is lost when the machine is powered off or rebooted, so a seized machine yields no keys or data.
Those using Windscribe’s client applications for Windows, macOS, iOS or Android don’t have to do anything if they’re running the latest versions of the mobile apps or any version of the Windows and Mac apps. Users of the Linux CLI client have to log out and log back in to receive new configurations.
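The CA rotation described above, and the client-side details from the earlier paragraphs (the CA embedded in the OpenVPN configuration, the server pinned by IP address rather than hostname), as an added example that is not Windscribe's own tooling or blog material. It builds a two-tier PKI with openssl (offline root, issuing intermediate, 90-day server certificate), shows that a server certificate from the legacy single-tier CA still verifies against the old CA but no longer chains to the new root, checks the leaf lifetime, and writes a client config that embeds only the new root. Every name, lifetime and the 192.0.2.10 server address are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Windscribe's code): rebuild an OpenVPN PKI as root -> intermediate
# -> 90-day server cert, and confirm a legacy server cert is rejected by the new root.
# CNs, lifetimes and the server IP 192.0.2.10 are illustrative assumptions.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF
# Extensions for an issuing CA and for a VPN server leaf certificate.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:192.0.2.10
EOF

newkey() { # newkey <name>: P-256 private key in <name>.key
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null
}

selfsign() { # selfsign <name> <CN> <days>: self-signed CA certificate in <name>.crt
  newkey "$1"
  openssl req -x509 -new -config req.cnf -key "$1.key" -out "$1.crt" \
    -days "$3" -subj "/CN=$2" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
}

issue() { # issue <name> <CN> <days> <extfile> <issuer>: cert for <name> signed by <issuer>
  newkey "$1"
  openssl req -new -config req.cnf -key "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$5.crt" -CAkey "$5.key" -CAcreateserial \
    -days "$3" -extfile "$4" -out "$1.crt" 2>/dev/null
}

chains_to() { # chains_to <leaf> <intermediate> <root>: 0 if <leaf> verifies against <root>
  openssl verify -CAfile "$3.crt" -untrusted "$2.crt" "$1.crt" >/dev/null 2>&1
}

lifetime_at_most() { # lifetime_at_most <name> <days>: 0 if the cert expires within <days>
  if openssl x509 -in "$1.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1   # still valid beyond the window: lifetime too long
  fi
  return 0
}

client_config() { # client_config <root>: .ovpn pinned to the server IP, embedding only <root>
  printf 'client\nremote 192.0.2.10 1194 udp\nremote-cert-tls server\n<ca>\n'
  cat "$1.crt"
  printf '</ca>\n'
}

# Legacy PKI: one long-lived CA directly signing long-lived server certificates.
selfsign old_ca  "Legacy VPN CA" 3650
issue    old_srv "vpn-legacy" 3650 server.ext old_ca

# New PKI: offline root, online issuing intermediate, short-lived server certificates.
selfsign root  "VPN Root CA" 3650
issue    inter "VPN Issuing CA" 1825 ca.ext root
issue    srv   "vpn-new" 90 server.ext inter

client_config root > client.ovpn
```

Run it in a scratch directory with OpenSSL 1.1.1 or later; `chains_to old_srv inter root` fails while `chains_to srv inter root` succeeds, which is exactly the property the rotation buys: a key lifted from an old disk is worthless to clients that now embed only the new root. The `remote` line in the generated config uses an IP address, so no DNS answer is involved in choosing the server, and `remote-cert-tls server` refuses any certificate not marked for server use.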
“Although a mistake was made, which we fully acknowledge,” Sak told us, “the fact that you even know about it should speak volumes. We’re being judged by a different standard, because of voluntary disclosure that is pretty much unheard of in the industry. Consumer VPN industry is highly toxic, and is shrouded in secrecy in terms of how companies operate, who owns them, and what is disclosed (and what isn’t).”