I admit, the polemical title is just to get attention: VPNs are still useful!



During the last weekend, security researcher hexdefined tweeted that NordVPN was compromised as the private keys for their web site certificate were publicly leaked on the Internet:

https://twitter.com/hexdefined/status/1185864801261477891

If this certificate was used prior to expiration it could have allowed an attacker to perform man in the middle attack (MiTM) to listen in on encrypted communications.

In this blog post, NordVPN said it has known about the breach for “a few months” but did not immediately disclose the problem because the company wanted to audit the rest of its systems:

Once we found out about the incident, we immediately launched a thorough internal audit to check our entire infrastructure. We double-checked that no other server could possibly be exploited this way and started creating a process to move all of our servers to RAM, which is to be completed next year. We have also raised the bar for all datacenters we work with. Now, before signing up with them, we make sure that they meet even higher standards.

NordVPN

The server was vulnerable between January 31st, 2018 and March 20th, 2018, but according with NordVPN's timeline analysis, it was only breached once, during March.


Not only NordVPN

Furthermore, CryptoStorm.is's twitter account posted a link to an 8chan post where a person hacker claimed to have full root access to servers belonging to NordVPN, TorGuard, and VikingVPN:

https://twitter.com/cryptostorm_is/status/1186097950327476224

This allowed the attacker to steal OpenVPN keys and configuration files and, accordind to CryptoStorm.is, stealing these keys could have allowed an attacker to decrypt traffic at the time of the hack:

https://twitter.com/cryptostorm_is/status/1185976222364438528


The replies of affected providers

Toghether the NordVPN statement, other providers published updates about this critical topic.
In this post, TorGuard states that none of their VPN users were affected by this breach and their CA key was not stolen as it was not present on the compromised server, because they utilize a "secure PKI management":

Due to the ongoing lawsuit we cannot provide exact details about this specific hosting re-seller or how the attacker gained unauthorized access. However, we would like the public to know this server was not compromised externally and there was never a threat to other TorGuard servers or users.
The TLS certificate for *.torguardvpnaccess.com on the affected server is a squid proxy cert which has not been valid on the TorGuard network since 2017. TorGuard’s squid proxy TLS cert was upgraded to SHA256 at that time and the affected SHA1 TLS cert removed from browser apps and retired immediately. Even though the affected SHA1 TLS cert did not expire until October 2018, this has not been in use since 2017 and is not valid on the TorGuard proxy network.
TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol.

TorGuard

Currently, VikingVPN has yet to release a statement on the breach.


Are VPNs really helpful for privacy and security?

Definitely yes!
A VPN can help to protect you from identity theft; hides your IP address, making it harder for third parties to track you; accesses all content privately without censorship; and bypasses many firewalls.
Further, internet service providers may invade your privacy by selling data about your online habits to advertisers., and a VPN reduces those risks.
VPN providers are made by persons, who can make mistakes, and by systems, that may be vulnerable.
Cases like this may occurs, and providers must to be resilient, ready to fix and restore.
And this is the answer we got from NordVPN and TorGuard … a little less from VickingVPN.


References