
What the Hell is CyberGhost Up To? Updated

Douglas Crawford


September 16, 2016

CyberGhost is a Romanian VPN company that is generally well-regarded in the security world. The service is particularly notable for its rather good free option. There have been recent reports, however, that are somewhat troubling…

CyberGhost installs a root certificate

A recent update to CyberGhost’s desktop and Android software offers a number of new features. These include:

  • Block malicious websites
  • Block ads
  • Block online tracking

CyberGhost Internet Protection

In order to do this, it seems CyberGhost installs a root certificate onto your system. This is not good.

UPDATE: Before publishing this article, BestVPN.com reached out to CyberGhost, which responded:

“The Fiddler Root Certificate was used in CG5 in order to block advertising and other stuff client side also for HTTPS. This is no longer supported and CG6 does not install a root certificate. All filters are now server side and do not touch HTTPS.”

It is good to hear that the new version of CyberGhost’s software does not install a root certificate. The decision to do this in the first place, however, remains questionable.

What is a root certificate?

When you visit an HTTPS-secured website, your connection is encrypted using SSL/TLS. As part of the handshake, the website presents your browser with an SSL/TLS certificate. This shows that it (or more accurately, ownership of the website’s public key for that domain name) has been vouched for by a Certificate Authority (CA), and the browser checks that the certificate chains up to a CA root certificate held in its own or the operating system’s trust store.

Windows root certificates

In Windows you can check which root certificates are installed using the Microsoft Management Console: run certmgr.msc for the current user’s store or certlm.msc for the local machine store, and look under Trusted Root Certification Authorities.

If a browser is presented with a certificate that chains to a root in its trust store and whose name matches the site, it assumes the website is genuine. It will then complete the secure connection and display a locked padlock in its URL bar to tell users that it considers the website genuine and secure. Note what “valid” means here: the browser has no independent way to tell a certificate issued by a public CA from one issued by any root that has been added to its trust store.

So what’s the problem?

If CyberGhost has installed a root certificate, then it can easily perform a man-in-the-middle (MitM) attack on all your TLS-encrypted web traffic:

  • It can intercept your traffic and present itself as the website you think you are visiting, offering a certificate for that site that it has signed with its own root.
  • Because that root is installed on your system, your browser accepts the certificate without a warning.
  • CyberGhost can then read all data sent over the HTTPS connection (including, for example, your bank account details).
  • It can then re-encrypt your data and pass it transparently on to the website you are visiting.
  • And vice versa.

Not only can CyberGhost do this; its new features seem to rely on it in order to work, since ads and trackers inside an HTTPS page cannot be filtered on the client without first decrypting the page. CyberGhost promises to keep no logs at all, but we just have to trust its word on this (see below).

To some extent this is true of every no-logs VPN service. But the fact that CyberGhost installs a root certificate on your system means that it has access to much more sensitive information than is usually the case: the plaintext of all your HTTPS traffic, not merely the addresses of the sites you visit.

This is a lot more information than your ISP can ever see.

UPDATE: “Additionally the root certificate was randomly and uniquely generated client side and is not a risk of security. See Fiddler for more details.”

Fiddler is a legitimate web-debugging tool, but its whole purpose is to intercept HTTPS traffic:

Fiddler captures HTTP and HTTPS traffic and logs it for the user to review (the latter by implementing man-in-the-middle interception using self-signed certificates).

A randomly generated, per-client root is better than a shared one: there is no single private key which, once extracted from one installation, would let an outsider intercept every CyberGhost user. It does not change the basic point, though. Whoever holds that client’s private key, i.e. the CyberGhost software running on that machine, can sign a certificate for any website, and your browser will accept it.
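The mechanism can be shown in a few dozen lines. The following is an added example written for this article, not code from CyberGhost or from Fiddler. It generates a fresh interception root the way a Fiddler-style proxy does on first run, mints a certificate for a hostname it has no right to, and then asks Go’s standard certificate verifier, standing in for a browser, whether it would accept that certificate with and without the root in the trust store. The hostname www.example-bank.test and the root name DO_NOT_TRUST_DemoRoot are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a key pair and signs tmpl with the parent's key. When
// parentKey is nil the certificate is self-signed with its own new key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewInterceptRoot generates a fresh, locally unique CA, which is what a
// Fiddler-style proxy does on first run (names are hypothetical). The
// "DO_NOT_TRUST" label is a hint to humans, not a restriction: once the root
// is in the trust store, a browser honours it like any public CA.
func NewInterceptRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "DO_NOT_TRUST_DemoRoot", Organization: []string{"DO_NOT_TRUST"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return newCert(tmpl, tmpl, nil)
}

// ForgeLeaf mints a server certificate for whatever hostname the proxy is
// asked for. The site's real certificate is never involved.
func ForgeLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := newCert(tmpl, root, rootKey)
	return leaf, err
}

// BrowserAccepts applies the two checks a browser makes before showing the
// padlock: the chain ends at a root in the trust store, and the name matches.
func BrowserAccepts(leaf *x509.Certificate, trustStore *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trustStore,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Demo forges a certificate for host and reports whether it is accepted when
// the interception root is in the trust store and when it is not.
func Demo(host string) (acceptedWithRoot, acceptedWithoutRoot bool, err error) {
	root, rootKey, err := NewInterceptRoot()
	if err != nil {
		return false, false, err
	}
	leaf, err := ForgeLeaf(root, rootKey, host)
	if err != nil {
		return false, false, err
	}
	// A browser whose trust store contains the root: padlock, no warning.
	withRoot := x509.NewCertPool()
	withRoot.AddCert(root)
	// A browser without it. The pool must be empty rather than nil, because a
	// nil Roots tells Go to fall back to the system trust store.
	withoutRoot := x509.NewCertPool()
	return BrowserAccepts(leaf, withRoot, host), BrowserAccepts(leaf, withoutRoot, host), nil
}

func main() {
	withRoot, withoutRoot, err := Demo("www.example-bank.test")
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged cert accepted with root installed:    %v\n", withRoot)
	fmt.Printf("forged cert accepted without root installed: %v\n", withoutRoot)
}
```

Nothing about the forged certificate is wrong in a way the browser can detect; the only thing that decides the outcome is whether the root sits in the trust store. That is why removing an unwanted root is the fix, and why checking for one is worth the minute it takes.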

What can I do about it?

If you do not opt to use CyberGhost’s new Internet Protection features, then it will not install a self-signed Fiddler root certificate on your system. I am not sure whether turning off these features once enabled also deletes the root certificate, so it is worth checking the Trusted Root Certification Authorities store (certmgr.msc for the current user, certlm.msc for the local machine) and manually removing it if it is still there.

(Screenshot: Windows root certificates)

The Fiddler certificate is even named DO_NOT_TRUST_FiddlerRoot, which makes it easy to spot!

Is CyberGhost logging hardware ID?

A member of Wilders Security Forums posted evidence last month that CyberGhost logs the hardware ID of computers on which its software is installed. The fields collected include:

  • BiosId
  • BiosDate
  • VideoId
  • CpuId
  • BaseId
  • ComputerUsername

(Screenshots: CyberGhost hardware ID logging, as posted on Wilders Security Forums)

A concerned reddit user contacted CyberGhost about this issue,

Just asked their support and they said this is how they monitor and keep your subscription computers in place for example; if your current subscription is limited to 1 computer, they use this information to pair it to their end so it knows you’re using your ‘1 machine and knowing how many connections to cyber ghost you have’. So you can’t go over your computer limit and so forth..

This is not standard practice for a VPN provider, and enforcing a device limit does not require a hardware fingerprint: the authentication server can simply count the concurrent sessions per account, and a provider offering a true no-logs service discards those records as soon as each session ends.

By keeping such logs CyberGhost is clearly violating its oft-stated claim that it keeps no logs…

UPDATE: “The hardware id is a secure hash of some system components to track the number of unique users to optimize our server infrastructure. As it is a hash it’s not possible to reverse identify a users computer. it’s also not associated with any date, time, account or usage behavior etc.”

The fact remains that CyberGhost does indeed collect data about system components. It claims this data is hashed, but we have only its word for this, and hashing does not make it harmless. A hash of a fixed set of hardware values is itself a stable, unique fingerprint of each user’s machine, so it links every session from that machine whether or not an account or timestamp is stored beside it. And if the inputs are guessable (BIOS dates, CPU IDs and usernames all come from small sets), the hash can be reversed simply by trying candidate values.
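The following is an added example written for this article, not CyberGhost’s code; its actual hashing scheme is not on the page, and joining the six fields with “|” and hashing with SHA-256 is an assumption that any other fixed encoding would behave like. It shows both points: the hash is a stable identifier that links sessions from the same machine, and when each field is drawn from a small set of plausible values the hash is recovered by enumeration. The two machines and the candidate lists are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// HardwareInfo carries the six fields the forum screenshots show being sent.
type HardwareInfo struct {
	BiosId, BiosDate, VideoId, CpuId, BaseId, ComputerUsername string
}

// fields returns the values in a fixed order so the hash is deterministic.
func (h HardwareInfo) fields() []string {
	return []string{h.BiosId, h.BiosDate, h.VideoId, h.CpuId, h.BaseId, h.ComputerUsername}
}

// Fingerprint models a "secure hash of some system components". The encoding
// (pipe-joined fields, SHA-256) is an assumption for this example.
func Fingerprint(h HardwareInfo) string {
	sum := sha256.Sum256([]byte(strings.Join(h.fields(), "|")))
	return hex.EncodeToString(sum[:])
}

// Linkable is the linkage problem: the hash is deterministic, so every session
// from one machine carries the same identifier and hashing does nothing to
// stop whoever holds the records from tying those sessions together.
func Linkable(a, b HardwareInfo) bool {
	return Fingerprint(a) == Fingerprint(b)
}

// Reverse is the guessability problem. A hash of values drawn from small sets
// (BIOS release dates, CPUID strings, common usernames) is recovered by
// hashing every combination of candidates. space holds the candidate values in
// HardwareInfo field order; each list must be non-empty.
func Reverse(target string, space [6][]string) (HardwareInfo, bool) {
	var idx [6]int
	for {
		guess := HardwareInfo{
			BiosId: space[0][idx[0]], BiosDate: space[1][idx[1]], VideoId: space[2][idx[2]],
			CpuId: space[3][idx[3]], BaseId: space[4][idx[4]], ComputerUsername: space[5][idx[5]],
		}
		if Fingerprint(guess) == target {
			return guess, true
		}
		// Advance the indices like an odometer; a full wrap means the space is exhausted.
		i := 0
		for ; i < 6; i++ {
			idx[i]++
			if idx[i] < len(space[i]) {
				break
			}
			idx[i] = 0
		}
		if i == 6 {
			return HardwareInfo{}, false
		}
	}
}

// Constructed sample machines (not real data): identical hardware, different user.
var (
	Alice = HardwareInfo{"ALASKA - 1072009", "20150212", "PCI\\VEN_10DE&DEV_13C2", "BFEBFBFF000306C3", "Z97-A", "alice"}
	Bob   = HardwareInfo{"ALASKA - 1072009", "20150212", "PCI\\VEN_10DE&DEV_13C2", "BFEBFBFF000306C3", "Z97-A", "bob"}
)

// CandidateSpace is a small, constructed search space of the kind an attacker
// assembles from a vendor's BIOS list, a few CPU models and a username wordlist.
var CandidateSpace = [6][]string{
	{"ALASKA - 1072009", "ALASKA - 1072010"},
	{"20141105", "20150212", "20160301"},
	{"PCI\\VEN_10DE&DEV_13C2", "PCI\\VEN_1002&DEV_6810"},
	{"BFEBFBFF000306C3", "BFEBFBFF000506E3"},
	{"Z97-A", "Z170-A"},
	{"admin", "alice", "bob", "user"},
}

func main() {
	fmt.Println("alice, first session: ", Fingerprint(Alice))
	fmt.Println("alice, later session: ", Fingerprint(Alice))
	fmt.Println("same identifier as bob?", Linkable(Alice, Bob))
	if hit, ok := Reverse(Fingerprint(Alice), CandidateSpace); ok {
		fmt.Printf("reversed the hash from %d candidates: %+v\n", 2*3*2*2*2*4, hit)
	}
}
```

The candidate space here is tiny, but real hardware fields are not much better: a BIOS vendor publishes its release dates, CPUID values enumerate a few hundred models, and usernames come from wordlists. A hash only protects inputs that an attacker cannot enumerate.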

Conclusion

CyberGhost may not be doing anything major wrong (other than lying about keeping logs). Its behavior, however, appears to be shady in the extreme.

Of particular concern is the root certificate. The reason for its installation appears innocuous enough – to enable advanced Internet Protection features. And that may, indeed, be all CyberGhost is using it for.

Being a root certificate, however, means that you must place a huge amount of trust in CyberGhost to not abuse its power to spy on everything you do on the internet.

For me… no thanks!

UPDATE: As has already been noted, a root certificate is not installed by CyberGhost 6, the latest version of CyberGhost’s software.

Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

17 responses to “What the Hell is CyberGhost Up To? Updated”

  1. Hi Douglas,

    (I try to continue here, because I could not reply to you directly beneath our previous discussion.)

    Thank you again for your reply. I fully agree with you that taking advantage of free trials would be both ethically questionable and excessively laborious. Personally, I need few proprietary software programs (except my OS), but when I find something convincing – like my security suite – I am ready to pay for it.

    However, I remember an instance a few months ago when I was testing a program (not Cyberghost) on its free trial. After a short time (i.e. a few minutes), the software did not work at all anymore. So I had to uninstall it, but as the deadline had definitively not yet expired, I tried to reinstall it again (after reboot). But then I was told that the free trial was already over (obviously, uninstalling and reinstalling during the free trial was not permitted or not scheduled).
    Therefore, the software was obviously able to “recognize” my OS somehow. (It was my “mobile” computer where I always and automatically get a new IP for every new internet session.)

    1. Hi EST,

      – Hmm. Not sure why you couldn’t reply to our previous discussion. If you want to explain the problem in a bit more detail, I can pass it on to our tech team.

      – That does seem to be the case. In all likelihood it is just a Registry entry, but this is still bad show from software that is supposed to improve your privacy. FWIW, I use Revo Uninstaller, which is great for hunting down and removing left-over files and registry entries from deleted programs.

  2. This article is interesting and somewhat worrying, but perhaps things are less disquieting than it seems. (My background: I’ve been using CG5, 5.5 and 6.)

    It seems that CG was installing a root certificate only in version 5 (and older versions?), and not in 5.5 or 6. And it seems that even then it was done only if you explicitly agreed. In the settings, you could choose whether the traffic would be filtered or not. There was another – additional – option to include also SSL (or https?) traffic in the filtering process; but it was clearly stated that, in this last case, you will have to accept the installation of a root certificate. (That’s the story as far as I can remember, at least.)

    Later then, such a procedure was not used at all – or so they say. On 12 April 2016, PA (from staff), being asked about cryptotraffic in the CG board, stated (in German) that CG would not filter any https-traffic. (His argument was that CG was now doing the work on the server side, and not on the client side any more.)
    https://community.cyberghostvpn.com/index.php/Thread/8466-Vorl%C3%A4ufiges-BETA-Feedback/

    Now, this procedure can certainly be criticized. Users should at least be informed that such a method presumes a high level of trust in the service and is viewed with skepticism by some people.

    Yet, it seems that CG did not, at the least, “clandestinely” add a root certificate. And while this practice was certainly questionable, I personally do not find it too shocking, then again. At the least, it was apparently transparent and optional (even though many users may not have understood its significance).
    Furthermore, the same thing is done by many AV programs, too. And I guess that, as you install some advanced and complex (closed-source) software, you will always have to trust it to some degree, hoping that it will not spy on you by some means or other or do some other evil things.

    Personally, I find the “hardware tracking” thing more disquieting. While it may not be a “huge” threat to privacy, it is neither transparent nor optional.

    1. Hi EST,

      As noted in the article, a root certificate is not installed by CG6. I do not believe, however, that sufficient transparency was shown when a root certificate was installed, as users were not adequately warned about the privacy dangers it represented (i.e. that it would allow CG to monitor their HTTPS traffic).

      1. Hi Douglas,

        you are certainly right that installing a root certificate is a severe step, and that it can only be justified (if it can be justified at all) when its relevance and implications are thoroughly explained to the user.

        name wrote:

        “interesting observation: when using cyberghost and accessing cyberghostvpn.com, it bypasses the vpn connection…”

        When asked about that in their forum (German speaking part), they said that they were using Cloudflare, and that their web servers and their API were sharing the same Cloudflare server, respectively the same IP range. Therefore, their website would be on the same list of exceptions. (Exceptions would be necessary because otherwise, when the connection drops, one would not be able to connect to another CG server.)

        I have to admit that I know too little to say if this makes any sense or not.

        By the way, might I ask you something? There is much software out there – including some VPN software – that, for a limited period of time, can be tested for free. It is obvious that the producers must prevent people from reinstalling the software again after the testing phase is over.

        But how can the software “know” that it had been installed on a given device before? If they cannot store any “hidden” information on your computer, in the light of your article it seems to me that the only chance would be to collect some (technical) data about your device, to store them, and to create a specific user profile.
        Is this actually the way things are done, or have I missed another option? This would be perturbing, in my mind.

        1. Hi EST,

          – Hmm. So if I understand correctly, CG exempts Cloudflare IPs from its VPN? This would surely mean that visitors to any website protected by Cloudflare are not using a VPN when visiting that site! I really hope this is not the case!

          – Most providers will simply log the IP address of trial subscribers. So nothing needs to be stored/hidden on users’ computers. This can be problematic for VPNs genuinely committed to keeping no logs, and AirVPN has gone on record to say it has no real way to prevent its free trial from being abused (as it keeps no logs at all).

          1. Hello Douglas,

            thank you for your reply.

            “So if I understand correctly, CG exempts Cloudflare IPs from its VPN?”

            If I get them right, it’s only about the IPs of their own webservers. I can just try to translate what they were saying. My translation (German to English) may not be very good, but I hope it will capture the essence of what they were saying. A member of their forum had reported that, while using Cyberghost VPN, (s)he had been blocked by Cloudflare when (s)he had tried to access the Cyberghost website. In their reply, Cyberghost stated:

            “For the protection of our service + website we are using Cloudflare. Because [our] web servers and our API share the same Cloudflare-Server respectively the same IP range, our website is also on the automatic list of exceptions (otherwise the client would not be able to obtain a new server when the current connection is interrupted).

            Therefore, our website is routed outside of the tunnel, and, whatever you have done to our website/service, your current IP is banned.”

            (This is the (German speaking) original site: https://community.cyberghostvpn.com/index.php/Thread/8632-Echte-IP-wird-angezeigt-obwohl-mit-CG-verbunden/ )

            As I said before, I don’t know how much sense that makes. What I do know is just that their website was unavailable for some hours several times; and that they declared that this was the result of some DDoS attacks and that they were going to do something to protect themselves.

            “Most providers will simply log the IP address of trial subscribers.”

            That’s very ineffective in fact, it seems to me. For example, my current ISP will change my IP after some days. I also own one device where I get a dynamic IP automatically. I have not asked for that. My ISPs are doing it on their own, and I think I could not even stop them.

            Might I ask you another question, concerning the root certificate matter? Some browser add-ons are blocking tracking attempts (e.g. tracking pixels) or advertisement. It seems that even with https-traffic, they still work, don’t they? But how do they do that? I hope they will not install a root certificate, too?
            Yet, if they can do it without adopting such problematic measures, why do even some security/AV programs use root certificates in order to examine the https-traffic?

          2. Hi EST,

            Thanks for your detailed reply. So basically, CG’s website is excluded from its VPN. This is, in fact, quite easy to do.

            – And I think you will find that if you sign-up using different disposable email addresses etc., it is possible to abuse most providers’ free trials. I discourage readers from doing this (and in most cases it is almost certainly more hassle than its worth!).

            – To my knowledge, no. Ad-blocker browser add-ons do not install root certs. They primarily work using blocklists of known ad domains and trackers.

  3. interesting observation: when using cyberghost and accessing cyberghostvpn.com, it bypasses the vpn connection; looking at router logs, all other connections use vpn

  4. Thanks for the research Douglas. I wonder if uninstalling this version would also remove the root certificate. We have to wonder though how this would get approval from the senior manager to be installed in the first place. It’s not like this is a Google-type outfit with thousands of designers/engineers.
    I find that the best way to use questionable software VPN providers is to use their servers with manual connections. It’s time-consuming but after a few “trial and errors” you can find 5-6 servers that work consistently. Frankly, I’ve been using VPN services for over 5 years and I find that the “number of servers” feature is just a marketing ploy. Most VPN providers are in a race of who has the most servers, not the quality of the servers. So when I see a service that advertises 200+ or 300+ servers, I take that with a huge grain of salt and I calculate that 10% of those should be ok.

    1. Hi sunsetlover,

      1. Yes. That is a good question.
      2. Uninstalling the software would not necessarily guarantee that the root cert has been uninstalled, which is why I linked to instructions on how to remove the Fiddler root cert manually.
      3. In general I agree, although some large companies such as ExpressVPN are able to maintain a large number of very fast servers.

    2. Why is the main reason for you to get VPN?

      I am planing to get a VPN so my information is more secure when browsing on the internet and on free wi-fi.

      In your opinion is it worth having a VPN?

    1. Hi max,

      Well, the review was written by another BestVPN.com staff member. The main issue highlighted in this article has now been resolved (the root cert), so it would not be fair to include it in a full review. Harsh? I think I have simply presented the evidence, and left it to readers to make up their own minds.

  5. Wow, thank you for this detailed article. I do believe in the genuineness of CG and briefly did subscribe to their paid service and was happy with the results. The no logging is important to me, and the CG privacy policy is pretty clear in that regard.
    It’s interesting about the discovery of the hardware ID by folks at Wilders; that is certainly something that needs more attention from security and privacy experts.
    I’m wondering though, if CG is doing this when their application is installed, perhaps other VPN providers may be doing it too, albeit for “optimization purposes”.
    I’m specifically thinking of PIA, because next month I’m going to be taking a year’s subscription.
    Douglas, I’m curious at the omission of PIA in your “best VPN” categories on the site, and so could you give me your frank opinion as to why?
    Is there something about PIA that makes you not trust them, perhaps that they are a US based company or that you believe they keep detailed logs or something else?
    I value your other informative articles on this site, so your opinion is important to me. Please do respond when you have the time; I will keep checking the article’s comments section daily. Anyways, have a good one, and thanks for your hard work.

    Warm Regards,
    A weary traveller.

    1. Hi Call me Mike,

      Points against PIA:

      – It is based in the USA, so the NSA must (IMO) be spying on users in some way. The fact that PIA stridently denies this only reduces my trust in the company.
      – I used to use PIA, but the frequency of disconnections became an issue.
      – Apple users (OSX and iOS) repeatedly report dissatisfaction with the service.

      I actually think that PIA is a good service, but the first two issues listed above led me to move away from it.
