Researchers Again Show How Major VPNs Quietly Undermine User Security

Given the seemingly endless privacy scandals that now engulf the tech, telecom, and adtech sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPNs) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to try to protect themselves in the wake of scandals, breaches, and hacks.
Unfortunately, many consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bulletproof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.
A Consumer Reports study late last year took a look at 16 top VPN providers, and found that the majority of them misrepresented their products or their data retention practices, and many of the companies actually put consumer privacy at greater risk. Only a quarter of the VPNs looked at clearly indicated how long they retain user browsing and other data.
Other VPNs simply don't provide particularly stellar security, despite marketing claiming that's the entire reason they exist. For example, Surfshark, TurboVPN, Sumrando VPN, and several other VPN providers were recently accused of installing a trusted root certificate authority (CA) cert on user devices, often without user knowledge or approval.
This risky root certificate exposes the users of these VPNs to increased risk of man-in-the-middle or other attacks:
The installation of an additional root CA cert potentially undermines the security of all your software and communications. When you include a new trusted root certificate on your device, you enable the third party to gather almost any piece of data transmitted to or from your device.
Plus, an attacker who gets hold of the private key that belongs to a trusted root certificate authority can generate certificates for his own purposes and sign them with the private key.
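As an added example (not from the article or the research it cites), here is one way to notice a root CA that an installer adds: fingerprint the trusted roots before installing software, then compare afterwards. The function names and the baseline file are assumptions made for illustration, and the sample certificates are constructed stand-ins.

```python
import hashlib
import json
import ssl


def system_roots() -> list:
    """DER bytes of the CA certificates Python's default TLS context has loaded.

    Certificates found via a capath directory are loaded lazily, so on some
    systems this list is incomplete.
    """
    return ssl.create_default_context().get_ca_certs(binary_form=True)


def fingerprints(der_certs) -> set:
    """SHA-256 fingerprint (hex) of each DER-encoded certificate."""
    return {hashlib.sha256(der).hexdigest() for der in der_certs}


def save_baseline(path, der_certs) -> None:
    """Record the trust store as it is before installing new software."""
    with open(path, "w") as fh:
        json.dump(sorted(fingerprints(der_certs)), fh)


def added_since_baseline(path, der_certs) -> list:
    """Fingerprints trusted now that were absent from the saved baseline."""
    with open(path) as fh:
        baseline = set(json.load(fh))
    return sorted(fingerprints(der_certs) - baseline)


if __name__ == "__main__":
    import os
    import tempfile
    # Constructed stand-ins for DER certificates, not real CA data.
    before = [b"constructed-root-A", b"constructed-root-B"]
    after = before + [b"constructed-root-added-by-installer"]
    path = os.path.join(tempfile.mkdtemp(), "roots-baseline.json")
    save_baseline(path, before)
    for fp in added_since_baseline(path, after):
        print("new trusted root:", fp)
    # On a real machine: save_baseline(path, system_roots()) before the
    # install, then added_since_baseline(path, system_roots()) after it.
```

Python's `ssl` module reads the store OpenSSL is configured to use, which may differ from the store a given installer writes to, so an empty result here does not rule out a root added elsewhere (for example, in a browser's own store).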
For consumers, determining what VPN provides useful security and what VPN is a privacy and security dumpster fire isn't easy, especially given how so many VPN reviews are little more than affiliate kickback blogspam. So while quality VPNs are still definitely useful, experts increasingly point out that unless you know what you're buying and really need the protection, they're often just not worth it.