Article 5MM42 VPN servers seized by Ukrainian authorities weren’t encrypted

by
Dan Goodin
from Ars Technica - All content on (#5MM42)
Privacy-tools seller Windscribe said it failed to encrypt company VPN servers that were recently confiscated by authorities in Ukraine, a lapse that made it possible for the authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them.

The Ontario, Canada-based company said earlier this month that two servers hosted in Ukraine were seized as part of an investigation into activity that had occurred a year earlier. The servers, which ran the OpenVPN virtual private network software, were also configured to use a setting that was deprecated in 2018 after security research revealed vulnerabilities that could allow adversaries to decrypt data.

"On the disk of those two servers was an OpenVPN server certificate and its private key," a Windscribe representative wrote in the July 8 post. "Although we have encrypted servers in high-sensitivity regions, the servers in question were running a legacy stack and were not encrypted. We are currently enacting our plan to address this."

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/