Surfshark VPN is one of six popular virtual private network services to fail security tests, with many others failing so-called “deceptor” tests …

TechRadar reports.

Several well-known VPN providers – including Surfshark, TurboVPN and VyprVPN – are among six brands called out for a risky practice that potentially undermines user security.

As part of its Deceptor programme, security research firm AppEsteem found that providers’ apps install a trusted root certificate authority (CA) cert on users’ devices and some providers even fail to obtain users’ consent for doing so […]

TechRadar Pro’s security expert, Mike Williams, stated “Installing trusted root certificates isn’t good practice. ‘If it’s compromised, it could allow an attacker to forge more certificates, impersonate other domains and intercept your communications.”

It’s a pretty egregious flaw in a product specifically designed to ensure that you don’t have to trust third-party companies like internet service providers to protect your privacy.

When an additional root CA cert is installed by a VPN provider, you are relying only on the provider’s encryption and authenticity checks, as the trusted root certificate can overwrite the encryption and authenticity checks of the actual service you’re using (e.g. Mozilla Firefox, WhatsApp). 

This makes it possible for the VPN provider to intercept and monitor essentially all your traffic, in a worst case scenario.

SharkVPN says that is it working on eliminating the need for the certificate.

AppEsteem works to identify apps that engage in “deceptive and risky behaviors which could harm customers.” The number of VPN services that fail these tests is extensive.

9to5Mac’s Take

The whole point of a VPN is that your privacy and security are protected even when third-party companies – like ISPs or Wi-Fi hotspot providers – can’t be trusted not to engage in sketchy practices.

The problem is that you instead place your trust in the VPN service itself. Free VPN services are particularly questionable, as they are likely after the data for their own purposes. But it’s important to exercise care even when choosing a paid service. Key things to look for are zero logs, and independent audits of the company’s security claims. Personally, I use NordVPN, one of only a handful of VPN services that meets these criteria.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear