Editor’s note: This post is written by Brian S., a pen test manager on ExpressVPN’s cybersecurity team.
Recent media articles have reported on the risky practice by other VPN providers of installing Trusted Root Certification Authority (CA) certificates on users’ devices. We wanted to share our position on this practice.
Digital certificates are the foundation of trust on the internet. They’re what your device uses to confirm that a given site, connection, or file is what it claims to be.
At the very heart of the system are Trusted Root CA certificates. For the uninitiated, a Trusted Root CA is a certificate installed on your computer that tells it which certificates to trust. A company that installs its own Trusted Root CA has enormous power over your device or communications, because it can create a certificate that can pretend to be just about any other entity you might interact with.
That’s why we will never install our own Trusted Root CA on your device, with or without your permission. Though it could be convenient for us, making things easier and cheaper, it’s a power we don’t need, don’t want, and don’t believe any VPN has a right to ask for.
In this article, we’ll explain what a Trusted Root CA is and what could go wrong if a VPN (or other) company installs its own.
A cautionary tale
The installation of a Trusted Root CA poses significant privacy and security risks. Despite that, it’s a practice that we’ve unfortunately seen from other companies, including VPN providers.
Most notably, when Facebook operated a VPN “research app,” it used a covertly installed Trusted Root CA to further its ability to monitor user activity. In 2019, Wired noted:
[W]ith its root certificate installed, Facebook could decrypt the browsing history or other network traffic of the people who downloaded Research, possibly even their encrypted messages.
To use a nondigital analogy, Facebook not only intercepted every letter participants sent and received, it also had the ability to open and read them.
Other companies installing Trusted Root CAs may have different intentions, for better or for worse, but regardless, it’s a dangerous amount of control and access to hand over to a third party.
We believe that Trusted Root CAs should only come from organizations that are regularly audited and included on recognized lists of well-known certificate authorities—not third parties. Ensuring our company, employees, and customers maintain the best security posture they can is a core tenet of our business.
What is a Trusted Root CA?
Trusted Root CAs are crucial to everyone’s privacy and security because they ensure that the service or software you are using has been created by a legitimate, well-known party that you trust. We need to establish this type of trust to:
- Ensure that encrypted network communications for sensitive services, like online banking and email, are performed with the correct trusted party
- Ensure the software we install comes from a trusted author as opposed to a malicious copy with components that could be used to spy on you or steal your information
At the center of this trust model lies public key cryptography, TLS certificates, and certificate authorities (CAs for short). For a quick refresher on how these work, give our recent blog post on these topics a read.
A CA is the origin of trust within the Public Key Infrastructure (PKI) model. It is the authority of a trust hierarchy used to validate all the other certificates in the certificate chain. Within the context of your computer, a Trusted Root CA is a Root CA certificate installed on and trusted by your computer to verify the authenticity of other certificates. Examples of certificates that need verification are those used for TLS on the websites you visit or the signatures on the software you install.
All modern computers and browsers come with a limited set of pre-installed Trusted Root CAs. As of April 2022, the Firefox web browser includes Trusted Root CAs from 54 organizations, including Amazon, DigiCert, GlobalSign, GoDaddy, Google, Microsoft, and Sectigo (Comodo). All Trusted Root CA organizations whose certificates are pre-installed must undergo regular external auditing to ensure that they hold an elevated security posture commensurate with the criticality of this responsibility.
However, you can also add other certificates to be used as Trusted Root CAs by your computer for various purposes, like authentication to an internal company website. These CAs are not subject to the same level of security scrutiny as the limited set pre-installed on your computer.
Can someone create their own CA?
Yes, anyone is able to create a certificate that can subsequently be used to verify the authenticity of the certificates they create with this CA. But your browser or computer won’t trust them unless they have been explicitly added as Trusted Root CAs to your computer or mobile device.
Any website or software signature that uses a certificate not issued by the list of Trusted Root CAs on your computer won’t be trusted, and you’ll receive a warning that someone may be trying to intercept your communications or install untrusted software.
What are the risks of installing a Root CA as Trusted?
Given that a Trusted Root CA is entrusted to verify other certificates, affirm the authenticity of software and websites, and keep your communications safe from prying eyes, the installation of additional Root CAs potentially undermines the security of all your software and communications. When you install a Trusted Root CA, you are trusting the separate, potentially malicious, authority that created the Root CA to:
- Verify the authenticity of the websites you visit
- Provide a secure, encrypted communication channel that the Root CA entity won’t intercept or monitor
- Verify the authenticity of the software you install
Assuming the entity that created the CA is not malicious and you trust it to safely perform the above functions, you’re also trusting it to keep that Root CA’s private key safe, which is not an easy task.
If the private key is compromised, anyone who has access to it can:
- Man-in-the-middle attack almost any website or web service, like WhatsApp, email providers, or online banking, compromising the privacy and security of any user who trusted that CA
- Sign any software to make it appear as if it had been signed by a trusted, well-known party
Over the years, a number of supposedly well-protected CA private keys have been compromised, most notably in the case of DigiNotar. It’s also unlikely you would ever know that the CA’s private key was compromised, potentially allowing the compromise to last indefinitely.
Finally, we consider the installation of third-party Trusted Root CAs so toxic, we don’t even use them in our own corporate IT operations. We take privacy seriously, including the privacy of our own employees. This is a departure from many corporate IT products and systems that require the installation of Root CAs to validate their own servers or inspect traffic. We consistently screen vendors for such egregious requirements and eliminate them if they require Root CAs. That means we sometimes limit our capabilities in managing or securing our endpoints, and we think that’s an acceptable approach in the name of privacy. We have developed other ways to ensure our corporate assets remain secure and managed.
In short, installing a third-party Trusted Root CA can have catastrophic effects on user privacy and security. Whatever conveniences it might entail, we simply don’t think it’s worth the risk.
Privacy should be a choice. Choose ExpressVPN.
30-day money-back guarantee