Surfshark VPN releases independent audit results
Surfshark VPN is fast becoming one of our favorite privacy tools on the market. When it came out earlier this year, we immediately had a good feeling about this service – it was clear that the people behind it knew exactly what they were doing.
Right off the bat, Surfshark VPN came out with no simultaneous connection limit and a full-fledged zero-logs policy. Not “no activity logs” or some other phrase marketing departments spew out, only to walk it back deep in the Privacy Policy document – zero logs, period.
Over time, Surfshark VPN grew in network size, number of supported platforms, and increased its feature list. Now, the company is taking the next step in Surfshark’s evolution and publishing the results of an independent audit.
The Surfshark VPN browser extension audit: who, what, and why?
For Surfshark’s first independent audit, the company chose a German cybersecurity firm, Cure53. This is a respected actor in the security sphere, known for the integrity of its analyses, as well as for the one or two scandals it has unearthed. Notably, its team was responsible for the shutdown of a parental control app distributed by the South Korean government – Smart Sheriff.
Although the VPN industry is teeming with bold and boastful statements about security, privacy, anonymity and the like, independent audits are extremely rare. As a matter of fact, when TunnelBear completed its first annual independent audit in 2017, it was the first such case in the history of the VPN industry. It’s worth pointing out that this audit, too, was performed by Cure53.
It’s understandable why independent audits and public reports of these audits are so rare. Their subjects have a lot to lose, but, arguably, quite a bit less to gain. In an industry built on promises of complete privacy, reports of security holes are best avoided. But that’s where the hypocrisy again rears its ugly head – after all, avoiding bugs, leaks, and exploits is a lot easier if you submit your service to these audits.
The audit
Surfshark VPN gave its Chrome and Firefox browser extensions (along with the source code) to Cure53 for review. According to the report, “The aim of the project was to gain an external view as to how well the Surfshark VPN browser extensions in scope handle security and privacy. In particular, it was verified whether promises made to the users about the protections against IP leaks and DNS leaks are kept.” The tests included a penetration test as well as a code audit.
The Cure53 team worked for five days and was able to “catch” only two vulnerabilities – one they marked “Low impact” and another that was more of a general flaw. For those who have not spent a lot of time digging through software audits, we can tell you that this is indeed a very good result. Regardless, let’s look at the specifics.
The findings
The first Surfshark VPN vulnerability identified by Cure53 is that the service’s invitation emails use an unencrypted HTTP link. While not a serious issue, it means that an “attacker who has the ability to eavesdrop (i.e. a Man-in-the-Middle adversary) on the connection of a user can take advantage of techniques like sslstrip to proxy clear-text traffic to the victim-user.”
The second issue is that the code has a line configuring the proxy to use an unencrypted HTTP connection. Sounds worrying, right? However, it is literally impossible for the necessary conditions to occur.
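Both findings come down to the same thing: a cleartext `http://` somewhere it should have been `https://`. The following is an added example written for this article, not code from Surfshark or from the Cure53 report, showing the kind of check a team can run before shipping: one pass over an outbound email body that flags and upgrades cleartext links, and one over a browser-extension proxy configuration in the shape of Chrome’s `chrome.proxy` `fixed_servers` value that flags any proxy server using the `http` scheme. The email body, host names, port numbers and invite code below are constructed for the example; the proxy config structure and the fact that `ProxyServer.scheme` defaults to `http` when omitted come from the Chrome extension API.

```javascript
// Added example (not Surfshark's or Cure53's code). Sample inputs are constructed.

// Pull every URL out of an email body (href attributes and bare URLs alike)
// and return the distinct ones that would be fetched over cleartext HTTP.
function findCleartextLinks(body) {
  const urlRe = /\bhttps?:\/\/[^\s"'<>]+/gi;
  const seen = new Set();
  const cleartext = [];
  for (const match of body.matchAll(urlRe)) {
    // Drop trailing sentence punctuation that the regex swallowed.
    const url = match[0].replace(/[.,;:!?)]+$/, "");
    if (seen.has(url)) continue;
    seen.add(url);
    if (/^http:\/\//i.test(url)) cleartext.push(url);
  }
  return cleartext;
}

// Mitigation for the first finding: rewrite the scheme only, leaving the rest
// of each link untouched. "https://" is not matched because of the ":" check.
function upgradeLinks(body) {
  return body.replace(/\bhttp:\/\//gi, "https://");
}

// Audit a chrome.proxy "fixed_servers" config value and return a list of
// problems. Each ProxyRules slot may hold a ProxyServer {scheme, host, port}.
function auditProxyConfig(value) {
  const problems = [];
  if (!value || value.mode !== "fixed_servers" || !value.rules) return problems;
  const slots = ["singleProxy", "proxyForHttp", "proxyForHttps", "proxyForFtp", "fallbackProxy"];
  for (const slot of slots) {
    const server = value.rules[slot];
    if (!server) continue;
    // chrome.proxy's ProxyServer.scheme defaults to "http" when omitted, so a
    // missing scheme is just as much a finding as an explicit "http".
    const scheme = (server.scheme || "http").toLowerCase();
    if (scheme === "http") {
      problems.push(`${slot}: ${server.host}:${server.port} uses cleartext scheme "${scheme}"`);
    }
  }
  return problems;
}

// Constructed sample email body, in the spirit of the invitation-email finding.
const SAMPLE_EMAIL = `<p>You've been invited! <a href="http://invite.example.com/join?code=ABC123">Accept</a>
or visit https://www.example.com/help. Plain copy: http://invite.example.com/join?code=ABC123</p>`;

// Constructed proxy configs: the weak setting beside the corrected one.
const WEAK_PROXY = {
  mode: "fixed_servers",
  rules: { singleProxy: { scheme: "http", host: "proxy.example.com", port: 8080 } },
};
const FIXED_PROXY = {
  mode: "fixed_servers",
  rules: { singleProxy: { scheme: "https", host: "proxy.example.com", port: 443 } },
};

console.log("cleartext links:", findCleartextLinks(SAMPLE_EMAIL));
console.log("after upgrade:", findCleartextLinks(upgradeLinks(SAMPLE_EMAIL)));
console.log("weak proxy:", auditProxyConfig(WEAK_PROXY));
console.log("fixed proxy:", auditProxyConfig(FIXED_PROXY));
```

Upgrading the link to `https://` is the whole fix for the first finding: sslstrip-style downgrades work by intercepting a cleartext request, so a request that starts out encrypted gives the eavesdropper nothing to rewrite. HSTS on the destination helps too, but only for browsers that have already seen the header, which is exactly why the link in the email itself matters. For the proxy finding, the check treats an omitted `scheme` as `http` because that is the API default; an extension author who never wrote the word `http` can still end up with a cleartext proxy connection.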
Conclusion
Surfshark VPN is walking the walk when it comes to user security and privacy. We like Surfshark VPN more and more with each piece of news that comes out about it. Hopefully, they will soon submit their VPN apps to an independent audit as well.