CyberGhost VPN’s website says it’s the most ‘trusted and secure VPN in the world’. I decided to question this and see where that claim falls down. One thing I did not like the sound of was the advertising feature shown to users when they connect to the service; it seemed a viable vector for users to be tracked, so I looked further.
Straight after installation there is a mixture of requests, one of them being the download of ‘Additional Components’. These are fetched over HTTP instead of HTTPS, which is strange; I’m unsure why, because a certificate is installed and HTTPS is used later on.
On start-up we are then given a choice of HTTPS or HTTP, so an sslstrip-style downgrade could serve as a vector here. The code later redirects to a logging image. This code is used to track the user and log their times, mostly for advertising, but it also carries a user ID value at some points.
The SSL certificate isn’t even CyberGhost VPN’s own but Cloudflare’s. Cloudflare hasn’t got the greatest track record for SSL security, and I thought that for the biggest VPN this would be a priority.
Visiting https://advertiser.cyberghostvpn.com redirects you to the admin login, which gives attackers a clear, easy way to find the admin folder, and the page source there reveals a piece of information vital for fingerprinting the server. I couldn’t see any rate limiting on the login or the forgot-my-password feature, which could allow brute forcing as well: all round, a bad start for security at advertiser.cyberghostvpn.com.
One thing to learn from a quick glance at CyberGhost VPN: they’re not all that.
EDIT: CyberGhost VPN provided me with a response within 24 hours. I like to keep things open in these instances, although there are still some things I disagree on.
Just stumbled upon your blog post “CyberGhost VPN – I got 99 Problems and I’m sure SSL is one” and found it quite interesting. Thanks a lot for critically looking at our declarations about privacy. That’s what we always encourage our users to do and that’s one of the basics that helps us to improve over time.
For your information you might like to know the following:
– Yes, it’s true, we are using advertiser to deliver ads, but you should know that we solely use our own advertiser to deliver our own offers.
– It’s also true that we look for updates via non-SSL connections – but all our updates are digitally signed. So the non-HTTP requests you saw are made by our update system that uses HTTP to bypass problems. For security the update itself is signed with a private key; the corresponding public key is integrated into CyberGhost (an RSA key only used for this intent, not a public certificate, which can be faked). Every update will be checked before applying.
– The additional components you saw are due to the installation of the Gecko engine. (Per default CyberGhost operates with the Internet Explorer engine. If the Gecko engine is being demanded, it means that you either use Windows XP or at least an outdated version of IE.)
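The signed-update scheme described in the reply above (update signed with a private key, RSA public key built into the client, every update checked before it is applied), as an added Go example that is not CyberGhost’s code: the client verifies the detached signature of a blob fetched over plain HTTP before applying it and, as an extra check the reply does not mention, refuses an update whose signed version is not newer than the installed one. The key pair, payload and version numbers are constructed for the example, and RSA-PSS over SHA-256 is an assumption, since the reply says only that an RSA key is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Update is what the client fetches over plain HTTP: nothing in it is secret, integrity rests on Sig.
type Update struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// signedDigest hashes version and payload together so one signature covers both.
func signedDigest(version uint32, payload []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "v%d:", version) // the ':' delimits version from payload unambiguously
	h.Write(payload)
	return h.Sum(nil)
}

// Sign is the vendor side (private key stays on the build system); RSA-PSS/SHA-256 is assumed.
func Sign(priv *rsa.PrivateKey, version uint32, payload []byte) (Update, error) {
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, signedDigest(version, payload), nil)
	if err != nil {
		return Update{}, err
	}
	return Update{Version: version, Payload: payload, Sig: sig}, nil
}

// Verify is the client side: pub is compiled in, so no CA or TLS certificate is consulted.
func Verify(pub *rsa.PublicKey, installed uint32, u Update) error {
	if err := rsa.VerifyPSS(pub, crypto.SHA256, signedDigest(u.Version, u.Payload), u.Sig, nil); err != nil {
		return fmt.Errorf("update rejected: %w", err)
	}
	if u.Version <= installed {
		return fmt.Errorf("update rejected: version %d is not newer than installed %d", u.Version, installed)
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed vendor key pair
	upd, _ := Sign(priv, 2, []byte("constructed update blob"))
	fmt.Println("genuine:", Verify(&priv.PublicKey, 1, upd), "rollback:", Verify(&priv.PublicKey, 2, upd))
}
```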
Thanks for responding to the article so quickly, many just ignore the articles and update silently. That’s why I didn’t send an email out to CyberGhost, it’s good to hear that you are happy about the article.
1. Although you have slightly rectified that right now by 403’ing the redirects, I didn’t like how open your service was for attackers. Although I didn’t extensively try, it seemed rather too easy to find the admin panel and brute force some logins for my liking.
2. I still don’t understand why HTTPS was not used as well as your signing, as most of your other requests are HTTPS.
I don’t think you should provide the option of either HTTP or HTTPS in advertiser either: http://itsjack.cc/blog/wp-content/uploads/2015/07/b.png. As I’ve outlined in the article, have you thought about changing your Cloudflare SSL?
Again, thanks for being aware of things. Some mentions you might be interested in:
In our opinion there is no need to change the Cloudflare SSL certificate – except if one wants us to pay $ 1.000 per year just for using our own certificate. After all, we are still a start-up and have to be sure at whom and at what time we throw our money.
There had been no attacks on the advertiser yet, for sure no successful ones, and since we don’t use dummy credentials one can bruteforce us until the sun dies and still won’t find a combination that works 😉
Also, the update process had been spared for a reason. Why risk running into troubles by using SSL when there is no real need to? And since there are no private data or any secret bits involved or even transferred the self signed updater is really enough. You convinced us that it might be cool, but at the end of a long day coolness has to stay behind effectiveness for some more time 😉
Seriously, be assured that we value your work and input – and even though we won’t react for the time being, because we have a different opinion, it doesn’t mean we won’t come back to this topic. Your thoughts have entered our mind and might do their work in time, laying the base for a change in your direction …