VPN Servers Seized by Ukrainian Authorities Weren’t Encrypted
upstart writes:
VPN servers seized by Ukrainian authorities weren't encrypted:
Privacy-tools-seller Windscribe said it failed to encrypt company VPN servers that were recently confiscated by authorities in Ukraine, a lapse that made it possible for the authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them.
The Ontario, Canada-based company said earlier this month that two servers hosted in Ukraine were seized as part of an investigation into activity that had occurred a year earlier. The servers, which ran the OpenVPN virtual private network software, were also configured to use a setting that was deprecated in 2018 after security research revealed vulnerabilities that could allow adversaries to decrypt data.
On the disk of those two servers was an OpenVPN server certificate and its private key," a Windscribe representative wrote in the July 8 post. Although we have encrypted servers in high-sensitivity regions, the servers in question were running a legacy stack and were not encrypted. We are currently enacting our plan to address this."
[...] By failing to follow standard industry practices, Windscribe largely negated [...] security guarantees. While the company attempted to play down the impact by laying out the requirements an attacker would have to satisfy to be successful, those conditions are precisely the ones VPNs are designed to protect against.
[...] It's not clear how many active users the service has. The company's Android app, however, lists more than 5 million installs, an indication that the user base is likely large.
Read more of this story at SoylentNews.