Major VPN brands come under fire for forcing users to download root CA certificates to their devices / Digital Information World

By Lance T. Lee

Apr 21, 2022

A long list of well-known VPN brands has been called out very recently for automatically installing root CA certificates on their customers’ devices, according to Appreciates.

VPNs have gained massive appeal over the past few years, with much of that success accelerating due to increased awareness of online data selling practices. It seems that no online platform, consumer or otherwise, is above taking private user data and selling it to advertisers or other companies. Social media platforms such as Facebook, Instagram, and TikTok may still be the worst offenders, but there’s plenty of blame to go around. No website allows users to completely disable cookies; there is always something the website deems “necessary”.

In light of these rampant data thefts, many of which occur entirely without user consent, secure alternatives are a rare lifeline. Apple’s iOS 14 tracking/transparency features were hailed at launch and were also strongly opposed by social media conglomerate Meta. VPNs have grown in popularity because they not only make user data anonymous online, but also allow access to websites and content found abroad. Netflix and HBO Go have certainly become much more useful after the switch to VPNs.

With all of that in mind, for VPNs to conduct any kind of activity on a user’s device without their permission seems like a betrayal of the same core audience that these services court. However, let’s dive deeper: what is a root CA certificate? Well, root CA certificates are basically a form of digital authentication. Once one is installed, the software at hand uses it to confirm whether or not the user is who they claim to be. Think of root CA certificates as digital IDs attached to new software.

However, unlike your average ID, they run the risk of exposing more than just an account. If a third party were to take control of a device’s root CA certificate, the end result would be nothing short of catastrophic. That party would then have access to virtually everything on that device: contacts, passwords, IDs, etc. This is why states such as Russia are actively trying to have all citizens download state-issued versions of root CA certificates. It’s a new era of digital surveillance.
