Skip to main content
banner image
venafi logo

Who Do You Trust with Your Encryption Keys? [What Happened to NordVPN?]

Who Do You Trust with Your Encryption Keys? [What Happened to NordVPN?]

image of a red string connecting two thumbtacks, symbolizing VPN
October 29, 2019 | Guest Blogger: Kim Crawley


For years, consumer VPN providers have boasted about how their services can make users more secure online. It makes perfect sense for any sort of cybersecurity product or service vendor to market themselves that way. The companies I work for communicate to prospective customers that their products and services can improve the security of individuals and businesses. But the effectiveness of any product is dependent on how it’s used and implemented. Antivirus software must be frequently updated. A SIEM won’t work well without good correlation rules. And so on, and so forth.
 

Enterprises often can deploy their own VPNs, and they do. If a VPN is entirely within your organization’s control, that’s the best possible option. I have to take a VPN provider’s word that they don’t log my traffic, but if I have my own VPN, I can keep my logs on my organization’s computers. But it’s not pragmatic for a consumer to deploy their own VPN, especially if they lack network security experience. Ideally all consumer internet traffic should be as well encrypted as an enterprise’s.
 

 


That’s where providers like NordVPN come to the rescue! NordVPN has client software that makes it easy to implement a VPN on your phones, tablets, and PCs, no computer geek knowledge necessary. But using NordVPN requires your trust. Your internet traffic will be routed through their infrastructure, and they have the keys to your encryption. You need to rely on them to protect those encryption keys. More on that later.
 

On October 19th, NordVPN’s marketing team sent a controversial tweet that has since been deleted. “Ain't no hacker can steal your online life. (If you use VPN). Stay safe!” Understandably, those of us in the information security community didn’t like the tweet very much. Even if we assume that NordVPN implements encryption well and they avoid logging as they claim, a VPN only encrypts your data in transit. It should protect against man-in-the-middle attacks. But if the website or other online service doesn’t secure your data in storage on their end effectively, your “online life” can be “stolen” from point B. Some of my colleagues describe VPN usage as simply transferring the risk to the provider. And if the provider is cyber attacked, your “online life” could be “stolen” from there.
 

Personally, I didn’t like how NordVPN reacted to the controversy. On October 20th, they tweeted:
 

“1/3 Yesterday, our marketing department got ahead of themselves and published an ad on Twitter that triggered the infosec community. The message stated the following: ‘Ain't no hacker can steal your online life. (If you use VPN). Stay safe.’
 

2/3 This isolated case of one third-party datacenter did not impact our other servers in any way – it is virtually impossible to do that. So a lot of assumptions in the TechCrunch article are inaccurate.
 

3/3 We’d be happy to explain the technical details for a more accurate picture of the issue.
 

Privacy and security have always been our priority, and we will take all necessary measures to prove it.”
 

Oh… Were you “triggered?!” Do the people who work in NordVPN marketing frequent 4chan? People with PTSD and eating disorders have triggers that they should avoid for the sake of their mental health. Considerate people will post trigger warnings on their content that people may need to beware of, such as descriptions of war zones, abuse, or weight loss dieting. Less considerate people think the word “triggered” is hilarious and synonymous with “you’re offended, ha!”
 

I doubt that NordVPN’s “ain't no hacker can steal your online life” tweet triggered anyone’s mental illness. Those of us in cybersecurity have genuine concerns about misinformation. A hacker can definitely “steal your online life,” even with a VPN. It’s very irresponsible to make consumers think that NordVPN is any sort of complete security solution. And even my well security hardened endpoints can be subject to cyber attack, feeling invincible is dangerous indeed.
 

The marketing controversy came with very bad timing. On October 21st, it was reported that NordVPN was breached in March 2018. One of three private keys leaked, which were used to acquire NordVPN’s TLS certificate. There’s another command log that suggests that cyber attackers used another leaked key to access a private certificate authority that NordVPN used to issue digital certificates. It’s possible that cyber attackers have intercepted NordVPN for well over a year. The breached TLS certificate was set to expire in October 2018, months after it was maliciously acquired.
 

The implications of the NordVPN breach are relevant to all VPN providers, and also to TLS certificate use in general, including when it comes to securing websites and web apps. A security consultant looked into the matter and said, "intercepting TLS traffic isn't as hard as they make it seem. There are tools to do it, and I was able to set up a web server using their TLS key with two lines of configuration. The attacker would need to be able to intercept the victim's traffic (such as through public wifi)."
 

It’s not only irresponsible to convince consumers that a commercial VPN provider can make it impossible for a cyber attacker to “steal your online life.” It’s also dangerous to assume that TLS implementations are automatically securing your internet traffic effectively. It doesn’t matter how strong a cipher is, if the public key infrastructure or machine identities are vulnerable, cryptography is rendered pointless. We must never rest on our laurels when it comes to securing our network traffic. To assume makes an “ass” out of “u” and “me?”
 

Venafi’s Kevin Bocek understands the importance of securing TLS certificates and all other types of machine identities:
 

“VPN providers have grown rapidly because of the growing need for privacy. VPN cloud providers require TLS certificates that act as machine identities to authorize connection, encryption and establish trust between machines.  
 

Machine identities are extremely valuable targets for cyber criminals and large enterprises often have tens of thousands of machine identities they need to protect.  
 

These breaches will become more common in the future. It is imperative organizations have the agility to automatically replace every key and certificate that may have been exposed in breaches. Quickly replacing machine identities is the reliable way to ensure privacy and security in a world where businesses run and depend on the cloud.
 

This capability is especially critical in large enterprises that have tens of thousands of machine identities that must be protected against attackers.”
 

As someone who works for cybersecurity vendor marketing departments, I still understand that it’s important to spend more money and effort on securing security services than you spend on advertising. And it’s irresponsible to tell consumers that they’re invincible to cyber attack. Airbags and seatbelts can improve your odds of surviving a car accident, but you could still die in a collision.
 

Humility and conscientiousness are virtues… Are you triggered?!


 


 

 

Related posts

 

Like this blog? We think you will love this.
image of hands typing on a keyboard in the dark
Featured Blog

The Abuse of Root Certificates, Certificate Mis-issuance and Certificate Transparency

First, a bit about root certificates.

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Guest Blogger: Kim Crawley
Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat