Windscribe VPN's VPN servers seized by the SBU weren't encrypted

Canadian VPN provider Windscribe has not used encryption to protect its VPN servers, which were recently seized by the Ukrainian Security Service (SBU). It was thanks to the lack of encryption that the SBU managed to forge the Windscribe servers, intercept and decrypt the traffic passing through them.

Windscribe announced earlier this month that two of its servers located in Ukraine were seized as part of an investigation into an incident that took place a year ago. The servers running the OpenVPN software were configured to use outdated settings that were deemed vulnerable back in 2018 (the vulnerability allowed third parties to decrypt data).

“There was an OpenVPN server certificate and its private key on the disk of one of these two servers. Although we encrypt servers in sensitive regions, these two specifically ran a legacy stack and did not use encryption. We are currently implementing a plan to address this issue, ”Windscribe said in its July 8th notice.

Windscribe's recognition highlights the risks associated with the explosive growth of VPN services in recent years, many of which involve unknown companies.

In addition to the lack of encryption, Windscribe also uses data compression to improve network performance. In 2018, the Voracle attack was presented at the Black Hat conference in Las Vegas, which involves the use of hints left as a result of compression of data transmitted over OpenVPN. A few months later, the OpenVPN developers dropped this feature.

Previous Post Next Post