In the world of VPNs, reputation is everything. When someone trusts you to uphold their privacy, anonymity, and security, you better deliver. And don’t get me wrong. VPN providers try to do so by all means. They’re just not always super transparent about how well they’re succeeding.
This is why I was a little surprised (pleasantly so) when I read news about Surfshark’s recent security audit. How open they are about the results is very welcome and should be commended.
In my recent review of Surfshark, I noted that they’re quickly developing a reputation as one of the best up-and-coming VPNs. This security audit only reinforces that statement. Other VPN providers, take note.
The Security Audit
The audit concerns Surfshark’s Chrome and Firefox extensions.
If you’re not familiar with them, it’s pretty simple. They’re pretty much just browser plugins that offer VPN connectivity when the browser is in use. Extensions are a popular option for those of us that don’t require a system-wide VPN.
Generally, browser-based VPN solutions don’t have the best reputation. For many years, glaring security problems with a few specific and widely-used VPN plugins cast a dark shadow over all others.
Surfshark wanted to show they’re different. So, a few weeks ago, they commissioned a third-party audit of their own browser plugins. The goal was to determine how secure and reliable they really are.
Both versions passed with flying colors.
Respected code security and penetration testing firm Cure53 performed the audit. They did a full review of the extensions’ software code. They also looked thoroughly at the software in action.
The tests, which in total took five days, uncovered only two security issues. One was considered out-of-scope and the other an unexploitable vulnerability.
The first problem Cure53 found had to do with the invitation email Surfshark sent to new users. The email included an insecure HTTP download link to the software page (instead of HTTPS).
This issue could allow a malicious actor to eavesdrop on your connection during software download. However, it posed no operational threat to the VPN itself, once active.
The other discovered issue had to do with the actual VPN extension. But, as in the first case, it also posed no real threat.
Within the configuration files that control the operation of the extensions, the testers found an unusual line of code. It indicated the possibility of enabling an unencrypted HTTP connection to the Surfshark VPN servers, rather than an encrypted HTTPS tunnel.
The good news is that there is no way any third party could use this code to enable such a connection. It’s also not a configurable user-facing option, so no one could turn it on by accident.
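Both findings come down to the same class of defect: a plaintext `http://` scheme where only `https://` should ever appear, once in an outgoing email template and once in an extension configuration. The following is an added example, not code from Surfshark, Cure53 or the audit report, of the kind of pre-release check that would catch both. The email text, the configuration keys (`api_base`, `tunnel_endpoints`, `allow_http_fallback`) and the hostnames are all constructed for the example; the real extension’s configuration format is not known from the page.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an invitation-email template that links to the download page over plain HTTP.
INVITE_EMAIL = """Welcome! Download the extension here: http://downloads.example.invalid/surfshark-ext.zip
Manage your account at https://account.example.invalid/"""

# Constructed sample: an extension config with one plaintext endpoint and a flag that would
# permit an unencrypted fallback. The key names are hypothetical, not the real product's.
EXTENSION_CONFIG = {
    "api_base": "https://api.example.invalid/v1",
    "tunnel_endpoints": ["https://vpn1.example.invalid", "http://vpn2.example.invalid"],
    "allow_http_fallback": True,
}

# Hypothetical boolean settings that must never be enabled in a shipped build.
PLAINTEXT_FLAGS = {"allow_http_fallback"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def find_insecure_links(text):
    """Return every plain http:// URL in a message body (e.g. an outgoing email template).

    A link served over HTTP lets a network attacker observe or tamper with the download,
    which is the first finding described in the audit.
    """
    return [url for url in URL_RE.findall(text) if urlparse(url).scheme == "http"]


def audit_config(cfg):
    """Return a list of findings: any non-HTTPS endpoint, or any plaintext fallback flag set."""
    findings = []
    for key, value in cfg.items():
        for item in (value if isinstance(value, list) else [value]):
            if isinstance(item, str):
                scheme = urlparse(item).scheme
                if scheme and scheme != "https":
                    findings.append(f"{key}: non-HTTPS endpoint {item}")
    for flag in PLAINTEXT_FLAGS:
        if cfg.get(flag):
            findings.append(f"{flag}: plaintext fallback enabled")
    return findings


def _force_https(value):
    """Rewrite a single http:// URL to https://; leave everything else untouched."""
    if isinstance(value, str) and urlparse(value).scheme == "http":
        return "https://" + value[len("http://"):]
    return value


def harden_config(cfg):
    """Return a copy of cfg with all endpoints forced to HTTPS and plaintext flags disabled."""
    hardened = {}
    for key, value in cfg.items():
        if isinstance(value, list):
            hardened[key] = [_force_https(item) for item in value]
        else:
            hardened[key] = _force_https(value)
    for flag in PLAINTEXT_FLAGS:
        if flag in hardened:
            hardened[flag] = False
    return hardened


if __name__ == "__main__":
    print("insecure email links:", find_insecure_links(INVITE_EMAIL))
    print("config findings:", audit_config(EXTENSION_CONFIG))
    print("after hardening:", audit_config(harden_config(EXTENSION_CONFIG)))
```

Run in a release pipeline, `find_insecure_links` over every outbound template and `audit_config` over every shipped configuration would fail the build on exactly the two conditions Cure53 reported; `harden_config` shows the corrected form of the same configuration beside the weak one.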
The Audit Report
The results of the audit were so positive that it surprised even the testers. They made the following remark in the final report:
As the extremely low number of findings and their limited implications clearly indicate, the results of this Cure53 assessment of the Surfshark VPN extensions position the product in a very good light.
They also concluded the report with:
Cure53 is highly satisfied to see such a strong security posture on the Surfshark VPN extensions, especially given the common vulnerability of similar products to privacy issues.
Here’s the entire Surfshark audit report.
A Rare Event
It’s worth noting once again that security reviews of this kind are rare in the VPN industry. Most operators loathe allowing third-party access to their systems and software.
For that reason, it’s impossible to tell how many consumer VPN services may have security or privacy vulnerabilities that have gone unnoticed by most, or worse, are known to malicious actors who work to exploit them.
Security audits of VPN services allow providers to address vulnerabilities and issues before they become a threat to us all.
This is something that Surfshark understands well, according to Chief Technology Officer Magnus Steinberg, who said:
Currently, browser extensions are the most popular apps to stay private while surfing the web – that is why we started with them. We have carried out an external security audit to prove our commitment to transparency and deliver on a promise of diamond-strong protection.
The situation of the whole VPN market is worrying, since close to no VPN providers can truly substantiate claims of full privacy and security. Having an external audit is one of the very few ways to prove your claims.
Surfshark was quick to act on the audit report. Both issues identified have already been addressed.
The Bottom Line
By commissioning and releasing the results of the audit of their VPN browser extensions, Surfshark has set a useful industry precedent. They’ve shown that it is both possible and proper for VPN providers to back up their assertions regarding the security and safety of their products.
With any luck, other services will follow their lead. It would be great for everyone to start providing us with detailed audit information like this. It would make our decision-making when choosing a VPN service that much more informed.
If that eventually happens, all sides will be better off. And VPNs will reinforce their reputation as the go-to data security product they are.