Windscribe VPN has announced that it is “sunsetting” its current OpenVPN certification authority in a bombshell post where it admits that it needs updating in order “to follow industry best practice.”
This is even more concerning for Windscribe users in Ukraine when you read down the article and discover this security issue has emerged as a result of two Windscribe servers in that country being seized.
Back on 24th June, two of Windscribe's Ukrainian servers went offline.
It was only when they reached out to the company which provides the servers for them that they were told they had been seized by law enforcement agencies after a judicial order as part of an investigation into activity that took place a year previously.
It is important to stress at this state that Windscribe do not believe that user data has been compromised. But they do admit that on these servers was an OpenVPN server certificate and its private key.
We then come to one of the standout sentences of the post. Windscribe tell us that “Although we have encrypted servers in high sensitivity regions, the servers in question were running a legacy stack and were not encrypted.”
Now, anyone who has followed the news in recent years will wonder how on earth Ukraine cannot be classified as a “high sensitivity” region. This is a country that has had an entire province seized by a hostile, authoritarian neighbour (Russia) and which has been teetering on the brink of civil war for years.
Most worrying is that fact that none of the Windscribe servers seized were encrypted.
What the loss of a key means
The big security concern for Ukrainian users of Windscribe or indeed anyone who used the Ukraine servers is that, because Ukrainian authorities were in possession of the complete private key, they had the capability to impersonate a Windscribe VPN server and capture VPN tunnel traffic running through it.
If they did this, that means they would have been able to see any unencrypted traffic being sent as well as the source and destination of that traffic.
Make no mistake, this is a huge security blunder and it is worth noting that while Windscribe stress that this is only a “potential impact” on its users, they do not go so far as to say that they are confident it did not happen.
The blog post then waffles on trying to explain away their decision not to inform users immediately when they found out about this breach – which is unforgiveable in our book – and then explaining their fix.
There is a mea culpa of sorts in the bottom half of the blog post. “The simple truth is that these safeguards were not in place when the server seizure occurred. This should not have happened and we understand that it hurts the trust you all have placed in us.”
But there is no apology, but rather some flimsy excuses about why they haven't upgraded their server stack sooner.
To add insult to injury the issue has been slipped out with an underwhelming blog post titled “OpenVPN Security Improvements and Changes” and a tweet which simply reads “If you are an OpenVPN user (especially if you use custom configs), please read this important announcement.”
So concerned was one VPNCompare visitor who claimed to be a Windscribe customer that they reached out to highlight this issue. An issue so quietly announced, in the four days since the Windscribe blog post hasn't been picked up by any major tech publication or VPN related website at the time of writing.
What is Windscribe doing?
It's a bit late now, but at least Windscribe are now taking action to ensure this security blunder cannot be repeated. Better late than never as they say.
They claim that they are now beginning to transition all of their servers to in-memory servers. This means they will have no hard disk backing so any data that might be stored is wiped when they power down.
This process has begun but will not be completed until the end of the Autumn at the earliest.
Once it is complete, Windscribe will be using WireGuard as its primary protocol and introducing new features such as double-hop servers, IP rotation, and static IP Addresses.
Users will be understandably worried and questioning whether they can take Windscribe at their word this time after being so badly let down before. To try and quell this discontent, Windscribe will be getting their changes independently audited once they are complete.
This is a welcome step although we are still worried about the length of time it is taking Windscribe to roll out this fix. Its attempts to downplay what is a major security issue with their service does not exactly inspire too much confidence either.
It will be down to individual users to decide whether they want to stick with Windscribe and take the risk of waiting until the fix has been fully implemented, several months from now.
If they don't, we would gently make the point that the changes that Windscribe are now implementing are already in place in some VPNs. Certain other providers already use diskless servers and, on top of that, can also offer users a faultless security track record to date.
If you are thinking of changing your VPN provider, others are well worth considering. But if you are planning to stick with Windscribe, we would recommend you keep a close eye on their progress and make sure they don't try and sneak out another serious security breach in this way in the future.
For a service that is often quick to call out the failings of others in the industry we would have expected much better, both in the security of their service and the subsequent reveal.
Windscribe now join a growing list tainted by security issues.