What the Hell is CyberGhost Up To? Updated - BestVPN.com

Douglas Crawford

September 16, 2016

CyberGhost is a Romanian VPN company that is generally well-regarded in the security world. The service is particularly notable for its rather good free option. There have been recent reports, however, that are somewhat troubling…

CyberGhost installs a root certificate

A recent update to CyberGhost’s desktop and Android software offers a number of new features. These include:

  • Block malicious websites
  • Block ads
  • Block online tracking

CyberGhost Internet Protection

In order to do this, it seems CyberGhost installs a root certificate onto your system. This is not good.

UPDATE: Before publishing this article, BestVPN.com reached out to CyberGhost,

“The Fiddler Root Certificate was used in CG5 in order to block advertising and other stuff client side also for HTTPS. This is no longer supported and CG6 does not install a root certificate. All filters are now server side and do not touch HTTPS.”

It is good to hear that the new version of CyberGhost’s software does not install a root certificate. The decision to do this in the first place, however, remains questionable.

What is a root certificate?

When you visit an HTTPS secured website your connection is secured using SSL/TLS encryption. In addition to this, the website will present your browser with an SSL certificate. This shows that it (or more accurately ownership of the website’s public key) has been authenticated by a recognized Certificate Authority (CA).

Windows root certificates

In Windows you can check which root certificates are installed using the Microsoft Management Console.

If a browser is presented with a valid certificate then it will assume a website is genuine. It will then initiate a secure connection and display a locked padlock in its URL bar to alert users that it considers the website genuine and secure.

So what’s the problem?

If CyberGhost has installed a root certificate then it can easily perform a Man-in-the-Middle (MitM) attack on all your SSL-encrypted web traffic:

  • It can intercept your traffic and present itself as the website you think you are visiting.
  • Because of the installed root certificate, your system will accept this.
  • CyberGhost can then decipher all data sent over the HTTPS connection (including, for example, your bank account details).
  • It can then re-encrypt your data and pass it transparently onto the website you are visiting.
  • And vice-versa.

Not only can CyberGhost do this, in fact, but its new features seem to rely on this in order to work! CyberGhost promises to keep no logs at all, but we just have to trust its word about this (see later).

To some extent this is true of every no-logs VPN service. But the fact that CyberGhost installs a root certificate on your system means that it has access to much more sensitive information than is usually the case, i.e. all your HTTPS-encrypted traffic.

This is a lot more information than your ISP can ever see.

UPDATE: “Additionally the root certificate was randomly and uniquely generated client side and is not a risk of security. See Fiddler for more details.”

Fiddler is a legitimate network development tool, but its purpose is to intercept HTTPS traffic,

Fiddler captures HTTP and HTTPS traffic and logs it for the user to review (the latter by implementing man-in-the-middle interception using self-signed certificates).

What can I do about it?

If you do not opt to use CyberGhost’s new Internet Protection features, then it will not install a self-signed Fiddler root certificate on your system. I’m not sure whether turning off these features if already enabled then deletes the root certificate. But it is worth checking, and manually removing it if necessary.


The Fiddler certificates are even labeled “DO_NOT_TRUST”!
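
One way to run the check suggested above from PowerShell rather than the Microsoft Management Console (an added example, not part of the original article and not CyberGhost's or Fiddler's own tooling). The name pattern, the `-Remove` switch and the file name `Find-InterceptionRoot.ps1` are assumptions of this example; the private-key heuristic goes beyond the Fiddler case to any trusted root whose key is held on the same machine, which is what a "generated client side" root looks like.

```powershell
# Find-InterceptionRoot.ps1 (hypothetical file name; added example)
# Audits the Windows trusted-root stores for locally generated interception
# roots such as the Fiddler root discussed in the article.
# Assumption: the certificate carries the "DO_NOT_TRUST" label (also matched
# when written with a zero) or the string "Fiddler" in its subject or issuer.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$NamePattern = 'D[O0]_NOT_TRUST|Fiddler',
    [switch]$Remove   # delete name-matched roots; supports -WhatIf / -Confirm
)

$rootStores     = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$personalStores = 'Cert:\CurrentUser\My',   'Cert:\LocalMachine\My'

# Thumbprints of certificates whose private key is stored on this machine.
$localKeys = @{}
foreach ($store in $personalStores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object { $localKeys[$_.Thumbprint] = $true }
}

$findings = @(
    foreach ($store in $rootStores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $nameHit = ($cert.Subject -match $NamePattern) -or
                       ($cert.Issuer  -match $NamePattern)
            # Heuristic: a public CA never leaves its signing key on a client.
            # A trusted root with a local private key can mint a certificate
            # for any site, which is exactly what HTTPS interception needs.
            $keyHit = $cert.HasPrivateKey -or
                      $localKeys.ContainsKey($cert.Thumbprint)
            if ($nameHit -or $keyHit) {
                [pscustomobject]@{
                    Store           = $store
                    Subject         = $cert.Subject
                    Thumbprint      = $cert.Thumbprint
                    NotAfter        = $cert.NotAfter
                    NameMatch       = [bool]$nameHit
                    LocalPrivateKey = [bool]$keyHit
                    PSPath          = $cert.PSPath
                }
            }
        }
    }
)

if ($findings.Count -eq 0) {
    Write-Output 'No matching root certificates found.'
} else {
    $findings |
        Format-Table Store, Subject, Thumbprint, NameMatch, LocalPrivateKey -AutoSize
}

# Removal is limited to name matches; key-only hits (for example a corporate
# or antivirus inspection root) are reported for manual review instead.
# Entries under LocalMachine require an elevated session to delete.
if ($Remove) {
    foreach ($f in $findings | Where-Object { $_.NameMatch }) {
        if ($PSCmdlet.ShouldProcess($f.Subject, 'Remove trusted root certificate')) {
            Remove-Item -LiteralPath $f.PSPath
        }
    }
}
```

Run it without arguments to list findings, and with `-Remove -WhatIf` to preview what would be deleted before removing anything.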

Is CyberGhost logging hardware ID?

A member of Wilders Security Forums last month posted evidence that CyberGhost is logging the hardware ID of computers that have its software installed. These details include:

  • BiosId
  • BiosDate
  • VideoId
  • CpuId
  • BaseId
  • ComputerUsername




A concerned reddit user contacted CyberGhost about this issue,

Just asked their support and they said this is how they monitor and keep your subscription computers in place for example; if your current subscription is limited to 1 computer, they use this information to pair it to their end so it knows you using your ‘1 machine and knowing how many connections to cyber ghost you have’. So you can’t go over your computer limit and so forth..

This is not standard practice for a VPN provider, as this information can be checked using its user authentication server, the logs for which can then be immediately discarded by a provider offering a true no-logs service.

By keeping such logs CyberGhost is clearly violating its oft-stated claim that it keeps no logs…

UPDATE: “The hardware id is a secure hash of some system components to track the number of unique users to optimize our server infrastructure. As it is a hash it’s not possible to reverse identify a user’s computer. It’s also not associated with any date, time, account or usage behavior etc.”

The fact remains that CyberGhost does indeed log system components. It claims these logs are hashed, but we have only its word for this. Furthermore, even when hashed, this data constitutes a unique fingerprint of each user’s hardware.


CyberGhost may not be doing anything major wrong (other than lying about keeping logs). Its behavior, however, appears to be shady in the extreme.

Of particular concern is the root certificate. The reason for its installation appears innocuous enough – to enable advanced Internet Protection features. And that may, indeed, be all CyberGhost is using it for.

Being a root certificate, however, means that you must place a huge amount of trust in CyberGhost to not abuse its power to spy on everything you do on the internet.

For me… no thanks!

UPDATE: As has already been noted, a root certificate is not installed by CyberGhost 6, the latest version of CyberGhost’s software.

Douglas Crawford
February 14th, 2017

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

23 responses to “What the Hell is CyberGhost Up To? Updated”

  1. Shark Laser says:

    Dear Douglas,

    now after did read all of your so called best VPN which gives in fact CG a very high rating likes AirVPN,NordVPN and the elite likes which seems to be very honest is totally wrong after all what did happened so far with CG incl. root ca, hash plus most shocking pass over to law enforcement copyright infringement data in conjunction with torrents and P2P networks likes Hide my Ass which is in my opinion and most other serious and sincere reviews allover the net a very, very negative and a very,very friendly said not transparent VPN service operation !
    I primary use NordVpn, AirVpn & Zorro Vpn and they all by far the most decent and transparent companies around with a very good performance and high security combined in such instances with TOR the very best anyone could do to stay secure and private online.
    Surely, there are more around, but unfortunately so far I had no chance to test them currently.
    All in all it looks more for me that your site generates some profits somehow with CG .
    The only good thing there is that they operate from a country which was rejecting the EU Directive and even been warned from the European Commission to fined 30,000 EUR each day if not somehow implemented ! This was than done in english passed 2012 but than 2014 from EU Court declared as totally injustice for allover privacy concerns !
    Seems like now where the European Commission seems like again on the wrong side of the our history with considered BTC future regulations .
    May be Romania is for that also on the right side of the history, but as I said that is the very only good reason spend any money with CG.

    1. Douglas Crawford says:

      Hi Shark,

      Please first note that we have never recommended HMA. Then please see my new CyberGhost Review. CG has improved dramatically over the last year (following massive investment from Crossrider) and there is now very little we can fault it for (although it could be faster). I am not happy about the stuff mentioned in this article (which I wrote, after all!), but our policy at BestVPN.com is to work with VPNs, using our influence in the VPN industry in order to improve their standards across the industry. Thanks to a series of criticisms from us (including this article) CyberGhost has worked hard to meet the high standards we require before we can recommend a service. Given this, we think it unfair to kick them for past “mistakes.”

  2. A CG user says:

    As for November/December 2017 – does the CG-client still create a unique hash of my hardware?
    I have just purchased a plan for another year. I find their server performance quite well.
    If not CG – which VPN-provider would be “safe” or “safer” then? Are there fully transparent VPN-providers out there e.g. relying on 100% GPL-kind-of open-source-vpn-clients and so on?

    1. Douglas Crawford says:

      Hi A CG user,

      As far as I know, a hash is still created from users’ hardware. AirVPN and Mullvad offer open source clients.

  3. Private says:

    Subject – CyberGhost VPN’s own Adware / Tracking Cookie
    Status: Paid Subscription
    CyberGhost Support Not answering our email requests for help.
    In Sept. 2017 – Shortly after your CyberGhost (By a message in the software) persuaded us to download and install their newest VPN software – The Trouble Began.
    Therefore, am Very Concerned that CyberGhost has chosen to Install CyberGhost VPN’s own Adware / Tracking Cookie onto our Computer.

    1. Douglas Crawford says:

      Hi Private,

      Are you talking about a tracking cookie from visiting the CG website, or something else?

  4. EST says:

    Hi Douglas,

    (I try to continue here, because I could not reply to you directly beneath our previous discussion.)

    Thank you again for your reply. I fully agree with you that taking advantage of free trials would be both ethically questionable and excessively laborious. Personally, I need few proprietary software programs (except my OS), but when I find something convincing – like my security suite -, I am ready to pay it.

    However, I remember an instance a few months ago when I was testing a program (not Cyberghost) on its free trial. After a short time (i.e. a few minutes), the software did not work at all anymore. So I had to uninstall it, but as the deadline had definitively not yet expired, I tried to reinstall it again (after reboot). But then I was told that the free trial was already over (obviously, uninstalling and reinstalling during the free trial was not permitted or not scheduled).
    Therefore, the software was obviously able to “recognize” my OS somehow. (It was my “mobile” computer where I always and automatically get a new IP for every new internet session.)

    1. Douglas Crawford says:

      Hi EST,

      – Hmm. Not sure why you couldn’t reply to our previous discussion. If you want to explain the problem in a bit more detail, I can pass it on to our tech team.

      – That does seem to be the case. In all likelihood it is just a Registry entry, but this is still bad show from software that is supposed to improve your privacy. FWIW, I use Revo Uninstaller, which is great for hunting down and removing left-over files and registry entries from deleted programs.

  5. EST says:

    This article is interesting and somewhat worrying, but perhaps things are less disquieting than it seems. (My background: I’ve been using CG5, 5.5 and 6.)

    It seems that CG was installing a root certificate only in version 5 (and older versions?), and not in 5.5. or 6. And it seems that even then it was done only if you explicitly agreed. In the settings, you could choose whether the traffic would be filtered or not. There was another – additional – option to include also SSL (or https?) traffic in the filtering process; but it was clearly stated that, in this last case, you will have accept the installation of a root certificate. (That’s the story as far as I can remember, at least.)

    Later then, such a procedure was not used at all – or so they say. On 12. April 2016, PA (from staff), being asked about cryptotraffic in the CG board, stated (in German) that CG would not filter any https-traffic. (His argument was that CG was now doing the work on the server side, and not on the client side any more.)

    Now, this procedure can certainly be criticized. Users should at least be informed that such a method presumes a high level of trust into the service and is viewed with skepticism by some people.

    Yet, it seems that CG did not, at the least, “clandestinely” add a root certificate. And while this practice was certainly questionable, I personally do not find it too shocking, then again. At the least, it was apparently transparent and optional (even though many users may not have understood its significance).
    Furthermore, the same thing is done by many AV programs, too. And I guess that, as you install some advanced and complex (closed-source)software, you will always have to trust it to some degree, hoping that it will not spy on you by some means or other or do some other evil things.

    Personally, I find the “hardware tracking” thing more disquieting. While it may not be a “huge” threat to privacy, it is neither transparent nor optional.

    1. Douglas Crawford says:

      Hi EST,

      As noted in the article, a root certificate is not installed by CG6. I do not believe, however, that sufficient transparency was shown when a root certificate was installed, as users were not adequately warned about the privacy dangers it represented (i.e. that it would allow CG to monitor their HTTPS traffic).

      1. EST says:

        Hi Douglas,

        you are certainly right that installing a root certificate is a severe step, and that it can only be justified (if it can be justified at all) when its relevance and implications are thoroughly explained to the user.

        name wrote:

        “interesting observation: when using cyberghost and accessing cyberghostvpn.com, it bypasses the vpn connection…”

        When asked about that in their forum (German speaking part), they said that they were using Cloudflare, and that their web servers and their API were sharing the same Cloudflare-Server respectively the same IP range. Therefore, their website would be on the same list of exceptions. (Exceptions would be necessary because otherwise, when the connection drops, one would not be able to connect to another CG-Server.)

        I have to admit that I know too little to say if this makes any sense or not.

        By the way, might I ask you something? There is much software out there – including some VPN software – that, for a limited period of time, can be tested for free. It is obvious that the producers must prevent people from reinstalling the software again after the testing phase is over.

        But how can the software “know” that it had been installed on a given device before? If they can not store any “hidden” information on your computer, in the light of your article it seems to me that the only chance would be to collect some (technical) data about your device, to store them, and to create a specific user profile.
        Is this actually the way things are done, or have I missed another option? This would be perturbing, in my mind.

        1. Douglas Crawford says:

          Hi EST,

          – Hmm. So if I understand correctly, CG exempts Cloudflare IPs from its VPN? This would surely mean that visitors to any website protected by Cloudflare are not using a VPN when visiting that site! I really hope this is not the case!

          – Most providers will simply log the IP address of trial subscribers. So nothing needs to be stored/hidden on users’ computers. This can be problematic for VPNs genuinely committed to keeping no logs, and AirVPN has gone on record to say it has no real way to prevent its free trial from being abused (as it keeps no logs at all).

          1. EST says:

            Hello Douglas,

            thank you for your reply.

            “So if I understand correctly, CG exempts Cloudflare IPs from its VPN?”

            If I get them right, it’s only about the IPs of their own webservers. I can just try to translate what they were saying. My translation (German to English) may not be very good, but I hope it will capture the essence of what they were saying. A member of their forum had reported that, while using Cyberghost VPN, (s)he had been blocked by Cloudflare when (s)he had tried to access the Cyberghost website. In their reply, Cyberghost stated:

            “For the protection of our service + website we are using Cloudflare. Because [our] web servers and our API share the same Cloudflare-Server respectively the same IP range, our website is also on the automatic list of exceptions (otherwise the client would not be able to obtain a new server when the current connection is interrupted).

            Therefore, our website is routed outside of the tunnel, and, whatever you have done to our website/service, your current IP is banned.”

            (This is the (German speaking) original site: https://community.cyberghostvpn.com/index.php/Thread/8632-Echte-IP-wird-angezeigt-obwohl-mit-CG-verbunden/ )

            As I said before, I don’t know how much sense that makes. What I do know is just that their website was unavailable for some hours several times; and that they declared that this was the result of some DDoS attacks and that they were going to do something to protect themselves.

            “Most providers will simply log the IP address of trial subscribers.”

            That’s very ineffective in fact, it seems to me. For example, my current ISP will change my IP after some days. I also own one device where I get a dynamic IP automatically. I have not asked for that. My ISPs are doing it by their own, and I think I could not even stop them.

            Might I ask you another question, concerning the root certificate matter? Some browser add-ons are blocking tracking attempts (e.g. tracking pixels) or advertisement. It seems that even with https-traffic, they still work, don’t they? But how do they do that? I hope they will not install a root certificate, too?
            Yet, if they can do it without adopting such problematic measures, why do even some security/AV programs use root certificates in order to examine the https-traffic?

          2. Douglas Crawford says:

            Hi EST,

            Thanks for your detailed reply. So basically, CG’s website is excluded from its VPN. This is, in fact, quite easy to do.

            – And I think you will find that if you sign-up using different disposable email addresses etc., it is possible to abuse most providers’ free trials. I discourage readers from doing this (and in most cases it is almost certainly more hassle than it’s worth!).

            – To my knowledge, no. Ad-blocker browser add-ons do not install root certs. They primarily work using blocklists of known ad domains and trackers.

  6. name says:

    interesting observation: when using cyberghost and accessing cyberghostvpn.com, it bypasses the vpn connection; looking at router logs, all other connections use vpn

    1. Douglas Crawford says:

      Hi name,

      Now that is an interesting observation. Thanks. Hmm.

  7. sunsetlover says:

    Thanks for the research Douglas. I wonder if uninstalling this version would also remove the root certificate. We have to wonder though how this would get approval from the senior manager to be installed in the first place. It’s not like this is a Google-type outfit with thousands of designers/engineers.
    I find that the best way to use questionable software VPN providers is to use their servers with manual connections. It’s time-consuming but after a few “trial and errors” you can find 5-6 servers that work consistently. Frankly, I’ve been using VPN services for over 5 years and I find that the “number of servers” feature is just a marketing ploy. Most VPN providers are in a race of who has the most servers, not the quality of the servers. So when I see a service that advertises 200+ or 300+ servers, I take that with a huge grain of salt and I calculate that 10% of those should be ok.

    1. Douglas Crawford says:

      Hi sunsetlover,

      1. Yes. That is a good question.
      2. Uninstalling the software would not necessarily guarantee that the root cert has been uninstalled, which is why I linked to instructions on how to remove the Fiddler root cert manually.
      3. In general I agree, although some large companies such as ExpressVPN are able to maintain a large number of very fast servers.

    2. Enrique Hernandez says:

      What is the main reason for you to get VPN?

      I am planning to get a VPN so my information is more secure when browsing on the internet and on free wi-fi.

      In your opinion is it worth having a VPN?

  8. max says:

    Very weird review considering that it’s completely opposite to this one /cyberghost-vpn-review/
    That small update at the end doesn’t seem to honestly want to clear things up.
    A bit too harsh in my opinion.

    1. Douglas Crawford says:

      Hi max,

      Well, the review was written by another BestVPN.com staff member. The main issue highlighted in this article has now been resolved (the root cert), so it would not be fair to include it in a full review. Harsh? I think I have simply presented the evidence, and left it to readers to make up their own minds.

  9. Call me Mike says:

    Wow, thank you for this detailed article, I do believe in the genuineness of CG and briefly did subscribe to their paid service and was happy with the results. The no logging is important to me, and the CG privacy policy is pretty clear on that regard.
    It’s interesting about the discovery of the hardware ID by folks at Wilders, that is certainly something that needs more attention from security and privacy experts.
    I’m wondering though, if CG is doing this when their application is installed, perhaps other VPN providers may be doing it too, albeit for “optimization purposes”.
    I’m specifically thinking of PIA, because next month I’m going to be taking a year’s subscription.
    Douglas, I’m curious at the omission of PIA in your “best VPN” categories on the site, and so could you give me your frank opinion as to why?
    Is there something about PIA that makes you not trust them, perhaps that they are a US based company or that you believe they keep detailed logs or something else?
    I value your other informative articles on this site, so your opinion is important to me. Please do respond when you have the time, i will keep checking the article’s comments section daily. Anyways, have a good one,and thanks for your hard work.

    Warm Regards,
    A weary traveller.

    1. Douglas Crawford says:

      Hi Call me Mike,

      Points against PIA:

      – It is based in the USA, so the NSA must (IMO) be spying on users in some way. The fact that PIA stridently denies this only reduces my trust in the company.
      – I used to use PIA, but the frequency of disconnections became an issue.
      – Apple users (OSX and iOS) repeatedly report dissatisfaction with the service.

      I actually think that PIA is a good service, but the first two issues listed above led me to move away from it.
