What the Hell is CyberGhost Up To? Updated

CyberGhost is a Romanian VPN company that is generally well-regarded in the security world. The service is particularly notable for its rather good free option. There have been recent reports, however, that are somewhat troubling. In this article we ask is CyberGhost safe?

CyberGhost installs a root certificate

A recent update to CyberGhost’s desktop and Android software offers a number of new features. These include:

  • Block malicious websites
  • Block ads
  • Block online tracking

CyberGhost Internet Protection

In order to do this it, it seems CyberGhost installs a root certificate onto your system. This is not good.

UPDATE: Before publishing this article, ProPrivacy.com reached out to CyberGhost,

"The Fiddler Root Certificate was used in CG5 in order to block advertising and other stuff client side also for HTTPS. This is no longer supported and CG6 does not install a root certificate. All filters are now server side and do not touch HTTPS."

It is good to hear that the new version of CyberGhost's software does not install a root certificate. The decision to do this in the first place, however, remains questionable.

What is a root certificate?

When you visit an HTTPS secured website your connection is secured using SSL/TLS encryption. In addition to this, the website will present your browser with an SSL certificate. This shows that it (or more accurately ownership of the website’s public key) has been authenticated by a recognized Certificate Authority (CA).

Windows root certificates

In Windows you can check which root certificates are installed using the Microsoft Management Console

If a browser is presented with a valid certificate then it will assume a website is genuine. It will then initiate a secure connection and display a locked padlock in its URL bar to alert users that it considers the website genuine and secure.

So what’s the problem?

If CyberGhost has installed a root certificate then it can easily perform a Man-in-the Middle (MitM) attack on your all SSL -encrypted web traffic:

  • It can intercept your traffic and present itself as the website you think you are visiting.
  • Because of the installed root certificate, your system will accept this.
  • CyberGhost can then decipher all data sent over the HTTPS connection (including, for example, your bank account details).
  • It can then re-encrypt your data and pass it transparently onto the website you are visiting
  • And vice-versa

Not only can CyberGhost do this, in fact, but its new features  seem to rely on this in order to work! CyberGhost promises to keep no logs at all, but we just have to trust its word about this (see later).

To some extent this is true of every no-logs VPN service. But the fact that CyberGhost installs a root certificate on your system means that it has access to much more sensitive information than is usually the case. I.e. All your HTTPS-encrypted traffic.

This is a lot more information than your ISP can ever see.

UPDATE: "Additionally the root certificate was randomly and uniquely generated client side and is not a risk of security. See Fiddler for more details."

Fiddler is a legitimate network development tool, but its purpose is to intercept HTTPS traffic,

"Fiddler captures HTTP and HTTPS traffic and logs it for the user to review (the latter by implementing man-in-the-middle interception using self-signed certificates)."

What can I do about it?

If you do not opt to use CyberGhost’s new Internet Protection features, then it will not install a self-signed Fiddler root certificate on your system. I’m not sure whether turning off these features if already enabled then deletes the root certificate. But it is worth checking, and manually removing it if necessary.


The Fiddler certificates are even labeled "D0_NOT_TRUST"!

Is CyberGhost logging hardware ID?

A member of Wilders Security Forums last moths posted evidence that CyberGhost is logging the hardware ID of computers that have its software installed. These details include:

  • BiosId
  • BiosDate
  • VideoId
  • CpuId
  • BaseId
  • ComputerUsername




A concerned reddit user contacted CyberGhost about this issue,

Just asked their support and they said this is how they monitor and keep your subscription computers in place for example; if your current subscription is limited to 1 computer, they use this information to pair it to their end so it knows you using your '1 machine and knowing how many connections to cyber ghost you have'. So you cant go over your computer limit and so forth..

This is not standard practice for a VPN provider, as this information can be checked using its user authentication server. Logs for which can then be immediately discarded by a provider offering a true no-logs service.

By keeping such logs CyberGhost is clearly violating its oft-stated claim that it keeps no logs…

UPDATE: "The hardware id is a secure hash of some system components to track the number of unique users to optimize our server infrastructure. As it is a hash it's not possible to reverse identify a users computer. it's also not associated with any date, time, account or usage behavior etc."

The fact remains that CyberGhost does indeed log system components. It claims these logs are hashed, but we have only its word for this. Furthermore, even when hashed, this data constitutes a unique fingerprint of each users' hardware.


CyberGhost may not be doing anything major wrong (other than lying about keeping logs). Its behavior, however, appears to be shady in the extreme.

Of particular concern is the root certificate. The reason for its installation appears innocuous enough – to enable advanced Internet Protection features. And that may, indeed, be all CyberGhost is using it for.

Being a root certificate, however, means that you must place a huge amount of trust in CyberGhost to not abuse its power to spy on everything you do on the internet.

For me… no thanks!

UPDATE: As has already been noted, a root certificate is not installed by CyberGhost 6, the latest version of CyberGhost's software.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.


on April 17, 2018
Hello. On my computer Cyberghost still installs that Root Certificate, on version 6? If you look carefully when you are installing you see how it flashes on screen and it can be found from mmc. I have also asked this from Cyberghost. Why they want permission to identity files on phone when installing, no answer? On new Android phone you can´t see what is happening. But when i installed it on older Android 4.4 version phone, there you can see that permission.
Douglas Crawford replied to ekku
on April 17, 2018
Hi ekku, Hmm. I can't speak for Android as I don't have an older device to test this on, but I did just install CG into a clean Windows VM. As you can see from this screenshot, it does not appear to have installed any root certs...
Shark Laser
on March 4, 2018
Dear Douglas, now after did read all of your so called best VPN which gives in fact CG a very high rating likes AirVPN,NordVPN and the elite likes which seems to be very honest is totally wrong after all what did happened so far with CG incl. root ca, hash plus most shocking pass over to law enforcement copyright infringement data in conjunction with torrents and P2P networks likes Hide my Ass which is in my opinion and most other serious and sincere reviews allover the net a very, very negative and a very,very friendly said not transparent VPN service operation ! I primary use NordVpn, AirVpn & Zorro Vpn and they all by far the most decent and transparent companies around with a very good performance and high security combined in such instances with TOR the very best anyone could do to stay secure and private online. Surely, there are more around, but unfortunately so far I had no chance to test them currently. All in all it looks more for me that your site generates some profits somehow with CG . The only good thing there is that they operate from a country which was rejecting the EU Directive and even been warned from the European Commission to fined 30,000 EUR each day if not somehow implemented ! This was than done in english passed 2012 but than 2014 from EU Court declared as totally injustice for allover privacy concerns ! Seems like now where the European Commission seems like again on the wrong side of the our history with considered BTC future regulations . May be Romania is for that also on the right side of the history, but as I said that is the very only good reason spend any money with CG.
Douglas Crawford replied to Shark Laser
on March 5, 2018
Hi Shark, Please first note that we have never recommended HMA. Then please see my new CyberGhost Review. CG has improved dramatically over the last year (following massive investment from Crossrider) and there is now very little we can fault it for (although it could be faster). I am not happy about the stuff mentioned in this article (which I wrote, after all!), but our policy at ProPrivacy.com is to work with VPNs, using our influence in the VPN industry in order to improve their standards across the industry. Thanks to a series of criticisms from us (including this article) CyberGhost has worked hard to meet the high standards we require before we can recommend a service. Given this, we think it unfair to kick them for past "mistakes."
A CG user
on November 22, 2017
As for November/December 2017 - does the CG-client still create a unique hash of my hardware? I have just purchased a plan for another year. I find their server performance quit well. If not CG - which VPN-provider would be "safe" or "safer" then? Are ther fully transparent VPN-providers out there e.g. relying on 100% GPL-kind-of open-source-vpn-clients and so on?
Douglas Crawford replied to A CG user
on November 23, 2017
Hi A CG user, As far as I know, a hash is still created from users' hardware. AirVPN and Mullvad offer open source clients.
on September 13, 2017
Subject - CyberGhost VPN's own Adware / Tracking Cookie Status: Paid Subscription CyberGhost Support Not answering our email requests for help. In Sept. 2017 - Shortly after your CyberGhost (By a message in the software) persuaded us to download and install their newest VPN software - The Trouble Began. Therefore, am Very Concerned that CyberGhost has chosen Install CyberGhost VPN's own Adware / Tracking Cookie onto our Computer.
Douglas Crawford replied to Private
on September 13, 2017
Hi Private, Are you talking about a tracking cookie from visiting the CG website, or something else?
Show More Got Something to Say?

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

Longtime top ranked VPN, with great price and speeds

One of the largest VPNs, voted best VPN by Reddit

Strong presence, no-logs policy