Windscribe VPN servers seized by authorities were not encrypted

Windscribe admits its VPN stack was in a compromisable position


Following last month’s seizure of a couple of its VPN servers in Ukraine, security tools provider Windscribe shockingly revealed that the seized servers weren’t encrypted.

While Windscribe contends that no user data is at risk since it doesn’t log any activities, the unencrypted server had an OpenVPN server certificate along with its private key.

In a blog post, Windscribe’s founder Yegor Sak admits that anyone with the private keys could have impersonated the Windscribe servers to capture and decrypt traffic passing through them.


“Although we have encrypted servers in high sensitivity regions, the servers in question were running a legacy stack and were not encrypted. We are currently enacting our plan to address this,” wrote Sak.

Misconfigured servers

According to Sak, the seized servers were part of an old investigation into an activity that occurred over a year ago.

While sharing the plans to address the incident and improve Windscribe’s OpenVPN infrastructure, Sak revealed that their OpenVPN server and client configuration used the compress parameter.

By Sak’s own admission, the compress parameter was deprecated in 2018 after security researchers revealed that it could be exploited to allow adversaries to decrypt data.
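
One way to check a configuration for the compress setting described above, added here as an example (it is not Windscribe's code or configuration): the script scans OpenVPN config text for compress, the older comp-lzo, and allow-compression yes, including options a server pushes to clients. The function name and the sample config are constructed for illustration.

```python
import re

# Arguments that keep compression framing but compress no data.
FRAMING_ONLY = {"compress": {"", "stub", "stub-v2", "migrate"},
                "comp-lzo": {"no"}}
PUSH_RE = re.compile(r'^push\s+"([^"]*)"')

# Constructed sample server config, not Windscribe's actual configuration.
SAMPLE_CONF = """\
# constructed sample
port 1194
proto udp
compress lz4-v2
push "compress lz4-v2"
;comp-lzo
comp-lzo no
cipher AES-256-GCM
"""

def audit_openvpn_config(text):
    """Return one finding per compression-related directive in the config."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        # Simplified inline-comment strip (does not honour quoting).
        line = re.split(r"\s+[#;]", line, maxsplit=1)[0]
        pushed = False
        m = PUSH_RE.match(line)
        if m:                                # server pushes this option to clients
            pushed, line = True, m.group(1)
        parts = line.split()
        if not parts:
            continue
        directive, arg = parts[0], parts[1] if len(parts) > 1 else ""
        if directive in FRAMING_ONLY:
            compresses = arg not in FRAMING_ONLY[directive]
        elif directive == "allow-compression" and arg == "yes":
            compresses = True
        else:
            continue
        findings.append({"line": lineno, "directive": directive, "arg": arg,
                         "pushed": pushed, "compresses": compresses})
    return findings

if __name__ == "__main__":
    for finding in audit_openvpn_config(SAMPLE_CONF):
        print(finding)
```

A finding with compresses set to False means only the compression framing is enabled; a pushed finding means the server is handing the setting to every connecting client.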


For its part though, Windscribe has assured that it has “no reason to believe” that the servers were compromised or that any unauthorized access took place before the seizure.

Furthermore, Sak has promised to get their replacement server stack audited by a third-party to ensure it is completely sound.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
