VPN servers seized by Ukrainian authorities were not encrypted


A tunnel made of ones and zeros.

Privacy tool vendor Windscribe said it was unable to encrypt the company’s VPN servers that were recently seized by authorities in Ukraine, a lapse that made it possible for authorities to impersonate Windscribe servers and capture and decrypt passing traffic. through them.

The company based in Ontario, Canada saying Earlier this month, two servers hosted in Ukraine were seized as part of an investigation into the activity that had occurred a year earlier. The servers, which were running OpenVPN The virtual private network software was also configured to use a configuration that was deprecated in 2018 after security research revealed vulnerabilities that could allow adversaries to decrypt data.

“On the disk of those two servers was an OpenVPN server certificate and its private key,” wrote a Windscribe representative in the July 8 post. “Although we have encrypted servers in high-sensitivity regions, the servers in question were running a legacy stack and were not encrypted. We are currently implementing our plan to address this. “

Guarantees denied

Windscribe’s admission underscores the risks posed by an explosion of VPN services in recent years, many of them from companies few people have heard of before. People use VPNs to funnel all their Internet traffic into an encrypted tunnel, to prevent people connected to the same network from reading or manipulating data or detecting the IP addresses of the two communicating parties. The VPN service then decrypts the traffic and sends it to its final destination.

By not following standard industry practices, Windscribe largely voided those security guarantees. While the company tried to downplay the impact by setting the requirements that an attacker would have to meet to be successful, those conditions are precisely what VPNs are designed to protect. Specifically, Windscribe said, the conditions and possible consequences are:

  • The attacker has control over his network and can intercept all communications (privileged position to MITM attack)
  • You are using a legacy DNS resolver (legacy DNS traffic is not encrypted and is subject to MITM)
  • The attacker has the ability to manipulate your unencrypted DNS queries (the DNS entries used to choose an IP address from one of our servers)
  • Are DO NOT using our Windscribe applications (our applications connect via IP and not DNS entries)

The potential impact to the user if all the above conditions are true:

  • An attacker could see unencrypted traffic inside your VPN tunnel
  • Encrypted conversations such as HTTPS web traffic or encrypted messaging services would not be affected
  • An attacker could see the origin and destinations of the traffic.

It is important to remember that:

  • Most of the Internet traffic is encrypted (HTTPS) within your VPN tunnel
  • No historical traffic is at risk thanks to PFS (perfect forward secret) which prevents decryption of historical traffic, even if one owns a server’s private key
  • No other protocol supported by our servers is affected, only OpenVPN

Three years late

In addition to the lack of encryption, the company also uses data compression to improve network performance. Research presented at the Black Hat 2018 security conference in Las Vegas revealed an attack known as Voracle, which uses tracks left in compression to decrypt data protected by OpenVPN-based VPNs. A few months later, OpenVPN obsolete the characteristic.

The privacy tool maker said it is in the process of reviewing its VPN offering to provide better security. The changes include:

  • Suspend the use of your current OpenVPN certificate authority in favor of a new one that “follows industry best practices, including the use of an intermediate certificate authority (CA)”
  • Transition of all servers to function as in-memory servers without hard disk backup. This means that any data that machines contain or generate lives only in RAM and cannot be accessed once a machine has been shut down or rebooted.
  • Implementation of a forked version of Wireguard as the main VPN protocol.
  • Implement a “strong authentication backend” to allow VPN servers to function even if there is a total outage of the core infrastructure.
  • Enable new application features, such as the ability to change IP addresses without disconnecting, request a specific and static IP, and “multi-hop client-side ROBERT rules not stored in any database.”

In an email, Windscribe CEO Yegor Sak expanded on the steps his company is taking. They include:

1. All keys necessary for server function are no longer permanently stored on any of our servers and exist only in memory after they are put into operation.

2. All servers have unique short-lived certificates and keys generated from our new CA that are rotated

3. Each server certificate has a common name + unique identifier SAN

4. The new OpenVPN client configurations enforce verification of the X509 server certificate name using the common name which is unique.

He was unusually candid about the error and wrote:

In the meantime, we make no excuses for this omission. The security measures that should have been implemented were not. After conducting a threat assessment, we felt that the way this was handled and described in our article was the best advance. It affected as few users as possible while transparently addressing the unlikely hypothetical scenario resulting from the seizure. No user data was or is at risk (the attack vector to make use of keys requires the attacker to have full control over the victim’s network with several prerequisites described in the previous article). The described scenarios can no longer be exploited because the final CA expiration process was already completed last week on July 20.

It is unclear how many active users the service has. Of the company android appHowever, it lists more than 5 million installs, an indication that the user base is likely large.

The seizure of the Windscribe servers underscores the importance of the kind of basic VPN security hygiene the company failed to follow. That, in turn, underscores the risks that arise when people rely on little-known or unproven services to protect their Internet use from prying eyes.


arstechnica.com

Leave a Reply

Your email address will not be published. Required fields are marked *