CyberGhost is a Romanian VPN company that is generally well-regarded in the security world. The service is particularly notable for its rather good free option. There have been recent reports, however, that are somewhat troubling…
CyberGhost installs a root certificate
A recent update to CyberGhost’s desktop and Android software offers a number of new features. These include:
- Block malicious websites
- Block ads
- Block online tracking
UPDATE: Before publishing this article, ProPrivacy.com reached out to CyberGhost, which replied:
"The Fiddler Root Certificate was used in CG5 in order to block advertising and other stuff client side also for HTTPS. This is no longer supported and CG6 does not install a root certificate. All filters are now server side and do not touch HTTPS."
It is good to hear that the new version of CyberGhost's software does not install a root certificate. The decision to do this in the first place, however, remains questionable.
What is a root certificate?
When you visit an HTTPS secured website your connection is secured using SSL/TLS encryption. In addition to this, the website will present your browser with an SSL certificate. This shows that it (or more accurately ownership of the website’s public key) has been authenticated by a recognized Certificate Authority (CA).
In Windows you can check which root certificates are installed using the Microsoft Management Console.
If a browser is presented with a valid certificate then it will assume a website is genuine. It will then initiate a secure connection and display a locked padlock in its URL bar to alert users that it considers the website genuine and secure.
So what’s the problem?
If CyberGhost has installed a root certificate then it can easily perform a Man-in-the-Middle (MitM) attack on all your SSL-encrypted web traffic:
- It can intercept your traffic and present itself as the website you think you are visiting.
- Because of the installed root certificate, your system will accept this.
- CyberGhost can then decipher all data sent over the HTTPS connection (including, for example, your bank account details).
- It can then re-encrypt your data and pass it transparently on to the website you are visiting.
- And vice versa.
Not only can CyberGhost do this, in fact, but its new features seem to rely on this in order to work! CyberGhost promises to keep no logs at all, but we just have to trust its word about this (see later).
To some extent this is true of every no-logs VPN service. But the fact that CyberGhost installs a root certificate on your system means that it has access to much more sensitive information than is usually the case, i.e. all your HTTPS-encrypted traffic.
This is a lot more information than your ISP can ever see.
UPDATE: "Additionally the root certificate was randomly and uniquely generated client side and is not a risk of security. See Fiddler for more details."
What can I do about it?
If you do not opt to use CyberGhost’s new Internet Protection features, then it will not install a self-signed Fiddler root certificate on your system. I’m not sure whether turning these features off after they have been enabled also deletes the root certificate, but it is worth checking, and manually removing it if necessary.
The Fiddler certificates are even labeled "DO_NOT_TRUST"!
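To do that check on Windows, here is an added PowerShell example (not from the article, and not CyberGhost's or Fiddler's code) that lists trusted roots whose subject matches the Fiddler naming, or that are not among the roots Microsoft distributes through the AuthRoot store; the function name Find-LocalRootCerts is my own.

```powershell
# Added example: audit the Windows trusted root stores for locally added roots
# such as the Fiddler "DO_NOT_TRUST" certificate described above.
function Find-LocalRootCerts {
    param(
        # Subject patterns that are always reported, whichever store they sit in.
        [string[]]$SuspectPatterns = @('DO_NOT_TRUST', 'Fiddler')
    )
    # AuthRoot holds the roots Microsoft distributes via its root program.
    # A trusted root that is not in it was added locally: by an installer,
    # a proxy tool, or an administrator (enterprise/GPO roots and Microsoft's
    # own roots are expected hits, so review the list rather than bulk-delete).
    $msRoots = Get-ChildItem Cert:\LocalMachine\AuthRoot | ForEach-Object { $_.Thumbprint }

    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem $store | ForEach-Object {
            $cert = $_
            $matched = $SuspectPatterns | Where-Object { $cert.Subject -match $_ }
            $local = $msRoots -notcontains $cert.Thumbprint
            if ($matched -or $local) {
                if ($matched) {
                    $reason = "subject matches '$($matched -join ',')'"
                } else {
                    $reason = 'not a Microsoft-distributed root'
                }
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reason     = $reason
                }
            }
        }
    }
}

# Review first, then remove a confirmed entry by its thumbprint, for example:
# Find-LocalRootCerts | Format-Table -AutoSize
# Get-ChildItem Cert:\CurrentUser\Root\<THUMBPRINT> | Remove-Item
```

Removing from Cert:\LocalMachine\Root requires an elevated prompt; the CurrentUser store is where user-level installers usually drop such certificates.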
Is CyberGhost logging hardware ID?
A concerned Reddit user contacted CyberGhost about this issue and reported the response:
“Just asked their support and they said this is how they monitor and keep your subscription computers in place; for example, if your current subscription is limited to 1 computer, they use this information to pair it to their end so it knows you're using your '1 machine and knowing how many connections to cyber ghost you have'. So you can't go over your computer limit and so forth.”
This is not standard practice for a VPN provider, as this information can be checked by its user authentication server, whose logs can then be immediately discarded by a provider offering a true no-logs service.
By keeping such logs CyberGhost is clearly violating its oft-stated claim that it keeps no logs…
UPDATE: "The hardware id is a secure hash of some system components to track the number of unique users to optimize our server infrastructure. As it is a hash it's not possible to reverse identify a user's computer. It's also not associated with any date, time, account or usage behavior etc."
The fact remains that CyberGhost does indeed log system components. It claims these logs are hashed, but we have only its word for this. Furthermore, even when hashed, this data constitutes a unique fingerprint of each user's hardware.
CyberGhost may not be doing anything major wrong (other than lying about keeping logs). Its behavior, however, appears to be shady in the extreme.
Of particular concern is the root certificate. The reason for its installation appears innocuous enough – to enable advanced Internet Protection features. And that may, indeed, be all CyberGhost is using it for.
Being a root certificate, however, means that you must place a huge amount of trust in CyberGhost to not abuse its power to spy on everything you do on the internet.
For me… no thanks!
UPDATE: As has already been noted, a root certificate is not installed by CyberGhost 6, the latest version of CyberGhost's software.