VPN root certificates leaves you more vulnerable to snooping

Commercial Virtual Private Network (VPN) service providers promise security and anonymity in their marketing; but they ask you to trust them more than any other company on the web. Have they earned their customers’ trust when they position themselves to intercept all of their encrypted network traffic?

Your operating system, web browser, and applications all absolutely trust a group of Certificate Authorities (CA) to verify that the right web server answered our connection attempts and that the software we install haven’t been modified after the software vendor put it together.

I’m not going to go too far into all the details of the technology, intrigues, drama, and politics that govern the web of trust and the absolute trust our operating systems, browsers, and applications place in their Root Certificate Stores. I’ll keep it brief and say that the preinstalled list of certificates on your computer is governed by a strict set of policies and is monitored closely by the security community. The list is maintained by your operating system vendor (Apple, Google, Microsoft, or often by the Mozilla Foundation in the case of Linux and *BSD.)

You should never need to install any additional Certificate Authorities into your operating system’s root certificate store/keychain. That is to say, you shouldn’t download and double-click on a root certificate file and install it into the Windows Certificate Manager, MacOS Keychain, or similar.

Your employer may have you install their own CA on their computers and devices to be able monitor their network, and intercept any email or message — even those sent over encrypted connections. Which is why you generally shouldn’t login to any website with a company issued device as they may intercept passwords and monitor what you do on these websites. If your employer owns the device, they can do what they damned please with it (within the limits of privacy laws — which are sadly lacking outside of Europe.)

Your VPN service providers often ask their users to install their Certificate Authority root certificate (or they just do it for them as part of their installation process.) Any CA installed on the operating system level is implicitly trusted to vouch for any website, email server, app, etc. that has been signed by it.

A VPN service tunnels all your traffic from your network and into a network controlled by your VPN provider. In other words, they’re perfectly positioned to perform attacker-in-the-middle attacks and strip off the encryption from your network traffic and seal it back up again after they’ve had a peek at its contents. There’s no technical restriction limiting them from doing this once they’re installed into your operating system’s root certificate store.

Security experts would scoff at this article believing it would be obvious to anyone that a VPN service can perform this type of attack against their own customers. However, VPN service providers generally don’t explain the inherent security risks with using their service as part of their marketing campaigns. I haven’t been able to find any serious writing on this subject, so it would be difficult for VPN customers to find resources to educate themselves about the risks.

To violate customer trust to intercept banking information or stay true to our marketing promises?

The top VPN service providers earn roughly 1,80–3,50 USD per month per customer. (Notably, VPN services will often have high marketing costs from reoccurring revenue shares as high as 20–40 % with their partners and affiliates.) A VPN provider would quite possibly lose all their paying customers if they got caught stealing credit card information, login credentials, or sold information about their customers browsing habits to third-parties. However, who says not all VPN providers do this?

The perfect surveillance operation from any national security agency would involve little more than establishing a low-cost high-performance VPN service provider, and some targeted marketing campaigns to attract desired targets.

It’s also easy for your VPN to run a more targeted attack against a specific user. They already have your credit card information, email address, and other account information. When you logon to their service, you could be triggered as a high-value target and could forgo their regular services in favor of a service that interfered with your network traffic.

A VPN can even do automatic targeted tests to determine whether your operating system trusts their certificate with a high level of certainty. One such test could involve waiting for Windows Update requests, intercepting and resigning those, and seeing whether the client drops the connection or carries on with the update check. Windows would normally silently log a security warning that something were off with Windows Update, and retry later without informing the user. I’m sure a determined soul could find another such background service that doesn’t even trigger a silent log message anywhere on the system.

Why do VPNs use these potentially dangerous certificates?

Some VPN protocols require the use of certificates. The VPN service provider needs to be able to issue per-device or per-user certificates signed by a Certificate Authority to operate the service. Other protocols optionally uses certificates, and most commercial VPN services opt to use them when that’s an option. When applied correctly, certificate based encryption is several orders of magnitude more secure than a username and weak password.

The root certificate files aren’t dangerous until you install them into your operating system and your operating system and programs begin to trust them.

The certificates can be used with no risks as long as their use is limited to specialized software and never installed into the operating system. Unfortunately, the VPN software that VPN services push on their users often rely on the host operating system’s VPN handling or else rely on its cryptographic functions and key store.

That being said, you shouldn’t install software from your VPN provider as they’ll often install the root certificate into your operating system. You can, however, find VPN client software — such as the OpenVPN client — that are happy to read the VPN’s root certificate from a file and doesn’t rely on it being installed. These programs are often difficult to configure will also be unsupported by the VPN provider’s support team.

So, what is the alternative?

You can look for a VPN service provider that support IKEv2 EAP/PEAP username/password authentication without requiring you to install a root certificate. Look in their knowledge base/customer support portal for manual IKEv2 setup instructions for your operating system and scan for mentions of installing any certificates.

Please also note that some VPN provides arbitrarily limits IKEv2 usage to iOS only. (Which suggests they prefer you install their certificates … .)

IKEv2/IPsec with EAP user/password authorization is supported in recent versions of Android (third-party app required), iOS, Linux, MacOS, and Windows 10 (some extra work needed to work around an EAP authentication bug.)