Following last month’s seizure of a couple of its VPN servers in Ukraine, security tools provider WindScribe shockingly revealed that the seized servers weren’t encrypted.
While WindScribe contends that no user data is at risk since it doesn’t log any activities, the unencrypted server had an OpenVPN server certificate along with its private key.
In a blog post Windscribe’s founder Yegor Sak admits that anyone with the private keys could have impersonated the Windscribe servers to capture and decrypt traffic passing through them.
- Here’s our list of the best VPN services
- These are the best VPN services for Windows 10
- Also take a look at our roundup of the best VPN services for Mac devices
“Although we have encrypted servers in high sensitivity regions, the servers in question were running a legacy stack and were not encrypted. We are currently enacting our plan to address this,” wrote Sak.
Misconfigured servers
According to Sak, the seized servers were part of an old investigation into an activity that occurred over a year ago.
While sharing the plans to address the incident and improve Windscribe’s OpenVPN infrastructure, Sak revealed that their OpenVPN server and client configuration used the compress parameter.
By Sak's own admission, the compress parameter was deprecated in 2018 after security researchers revealed that it could be exploited to allow adversaries to decrypt data.
For its part though, Windscribe has assured that it has “no reason to believe” that the servers were compromised or that any unauthorized access took place before the seizure.
Furthermore, Sak has promised to get their replacement server stack audited by a third-party to ensure it is completely sound.
- We’ve also rounded up the best business VPN services
