Windscribe, a seller of privacy tools, failed to encrypt company VPN servers that were recently seized by Ukrainian authorities. This lapse made it possible for the authorities to impersonate Windscribe servers and to capture and decrypt traffic travelling through them.
Earlier this month, the company announced that two servers located in Ukraine were confiscated as part of an investigation into activity that occurred a year ago. The servers, which ran the OpenVPN software, were also configured to use a setting that was deprecated in 2018 after security research identified flaws that could allow adversaries to decrypt traffic.
“On the disk of the two servers was an OpenVPN server certificate and accompanying private key,” a Windscribe official said in a post on July 8. “Although we have encrypted servers in high-risk areas, the servers in question were running a legacy stack and were not encrypted. We are now setting our plan in place to address this.”
By failing to follow established industry standards, Windscribe severely undermined its own security claims. While the firm attempted to minimise the damage by outlining the conditions an attacker would need to meet to succeed, those are precisely the situations in which a VPN is supposed to protect users. Windscribe described the conditions and potential impact as follows:
- The attacker has control over your network and can intercept all communications (privileged position for MITM attack)
- You are using a legacy DNS resolver (legacy DNS traffic is unencrypted and subject to MITM)
- The attacker can manipulate your unencrypted DNS queries (the DNS entries used to pick an IP address of one of our servers)
- You are NOT using our Windscribe applications (our apps connect via IP and not DNS entries)
The potential impact for the user if all of the above conditions are true:
- An attacker would be able to see unencrypted traffic inside of your VPN tunnel.
- Encrypted conversations like HTTPS web traffic or encrypted messaging services would not be affected.
- An attacker would be able to see the source and destinations of traffic.
It’s important to remember that:
- Most internet traffic is encrypted (HTTPS) inside of your VPN tunnel
- No historical traffic is at risk thanks to PFS (perfect forward secrecy), which prevents decryption of historical traffic, even if one possesses the private key for a server
- No other protocols supported by our servers are affected, only OpenVPN.
Three Years Late
In addition to leaving the servers unencrypted, the company uses data compression to increase network efficiency. Research presented at the 2018 Black Hat security conference in Las Vegas described an attack called Voracle, which uses hints left behind by compression to decrypt data secured by OpenVPN-based VPNs. OpenVPN deprecated the feature a few months later.
The provider of privacy solutions has stated that it is upgrading its VPN product to provide improved security. Among the changes are:
- Abandoning its current OpenVPN certificate authority in favour of a new one that “follows industry best practices, including the usage of an intermediate certificate authority (CA).”
- Converting all servers to function as in-memory servers with no hard disk backup. This means that any data stored or generated by the machines lives exclusively in RAM and cannot be retrieved after they are turned off or restarted.
- Using a forked version of WireGuard as the primary VPN protocol.
- Deploying a “resilient authentication backend” to allow VPN servers to function even if the core infrastructure is entirely down.
- Adding new application features such as the ability to change IP addresses without disconnecting, request a particular and static IP address, and “multi-hop, client-side ROBERT rules that are not recorded in any database.”
Windscribe Director Yegor Sak elaborated on the actions his company is taking in an email. They are:
- All keys required for server function are no longer stored permanently on any of our servers and exist solely in memory after they are put into operation
- All servers have unique short-lived certificates and keys generated from our new CA, which are rotated
- Each server certificate has uniquely identifying Common Name + SANs
- New OpenVPN client configurations enforce server certificate X509 name verification using the common name, which is unique.
He was remarkably open about the lapse, writing:
“In the meantime, we make no excuses for this omission. Security measures that should have been in place were not. After conducting a threat assessment we feel that the way this was handled and described in our article was the best move forward. It affected the fewest users possible while transparently addressing the unlikely hypothetical scenario that results from the seizure. No user data was or is at risk (the attack vector to make use of the keys requires the attacker to have full control over the victim’s network with several prerequisites outlined in the above article). The hypothetical situations outlined are no longer exploitable because the final CA sunset process was already completed last week on July 20th.”
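The client-side weaknesses this article describes (compression, a server picked through a DNS answer, and no check of the server certificate's name) can be audited in an OpenVPN client config. The following is an added example, not Windscribe's code; the sample configs, hostname, IP address and common name are constructed placeholders, and the parser is simplified.

```python
import ipaddress

# Constructed sample client configs; hostname, IP and CN are placeholders.
LEGACY = """\
client
remote vpn.example.net 1194   # server address comes from a DNS lookup
comp-lzo
"""

HARDENED = """\
client
remote 198.51.100.10 1194
verify-x509-name node-01.vpn.example.net name
"""

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _compresses(directive, args):
    if directive == "comp-lzo":
        return args[:1] != ["no"]      # bare comp-lzo selects adaptive compression
    return directive == "compress" and args[:1] in (["lzo"], ["lz4"], ["lz4-v2"])

def audit_ovpn(text):
    """Return sorted finding codes for an OpenVPN client config (simplified parser)."""
    findings, name_check = set(), None
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split(";", 1)[0].split()   # drop comments
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if _compresses(directive, args):
            findings.add("compression-enabled")        # precondition for Voracle
        elif directive == "remote" and args and not _is_ip(args[0]):
            findings.add("remote-resolved-via-dns")    # a DNS answer picks the server
        elif directive == "verify-x509-name" and args:
            name_check = args[1] if len(args) > 1 else "subject"  # default type
    if name_check is None:
        findings.add("no-server-name-verification")
    elif name_check == "name-prefix":
        findings.add("name-prefix-match-only")         # any server sharing the prefix passes
    return sorted(findings)

if __name__ == "__main__":
    print("legacy:", audit_ovpn(LEGACY), "hardened:", audit_ovpn(HARDENED))
```

An empty result for a config means none of the three conditions was found; it does not validate the certificate chain or the server side.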
It is unknown how many active users the service has. The company’s Android app, however, has over 5 million installations, indicating that the user base is likely large.
The Windscribe servers’ seizure emphasises the need for basic VPN security hygiene, which the company refuses to deliver. That, in turn, highlights the hazards presented when people rely on little-known or untested services to protect their Internet usage from prying eyes.