Douglas Crawford

Douglas Crawford

June 21, 2018

CyberGhost is a Romanian VPN service that has recently been acquired by Kape Technologies PLC, formerly Crossrider. We know that Kape Technologies has been investing heavily in CyberGhost, so thought it time to have another detailed look at this popular service.

PROS:
  • Private: Great logs policy
  • Based in Romania so no government spying!
  • Good looking and easy-to-use software: Five simultaneous connections
  • Friendly Live Chat support
  • Peer-to-peer (P2P) torrenting allowed
CONS:
  • Not much

Visit CyberGhost »

Pricing and Plans

CyberGhost offer a variety of packages, depending on your budget. But, generally the longer the package, the better the value:

CyberGhost offers a full 7 days free trial of its Premium service, plus a 30-day “no questions asked” money back guarantee. Both of which are great! It also offers free browser proxy add-ons for Chrome and Firefox.

Payment is via credit/debit card, PayPal, or direct debit. Additional payment options may be available depending on your country of residence.  CyberGhost also accepts payment in Bitcoin. This does allow for potentially anonymous payment, but please remember that no matter how anonymously you pay, CyberGhost will always know your real IP address.

Features

A CyberGhost subscription offers the following features:

  • 5 simultaneous devices
  • 1319+ Servers in 61 countries worldwide
  • 24/7 Live Chat (native French and German)
  • WiFi protection
  • Support for OpenVPN, L2TP/IPsec, and IKEv2 (new) VPN protocols
  • Split-tunneling and website exemption
  • “Extra features” – the desktop app claims to block malicious websites, ads, and online tracking, and force HTTPS connections when they are available
  • P2P is permitted on selected servers
  • Works with US Netflix and BBC iPlayer

Allowing you to connect up to five devices to the VPN at once is great. Most of CyberGhost’s servers are located in Europe or North America, but there are also some in South East Asia and Australia.

 “Extra features”

The desktop client offers a number of “extra features.”

It is very difficult, however, to assess their effectiveness – especially as no feedback or information is available on what they are doing.

They may well be great tools, but I personally would much rather trust respected open source browser add-ons such uBlock Origin, Privacy Badger and HTTPS Everywhere for this kind functionality.

It is worth noting that CyberGhost tells me “the https feature is 100% based on HTTPS Everywhere.” This sounds great, although the fact that the code is closed means there is no way to verify this claim.

Data compression uses standard LZO compression (which is performed by most VPN services), and re-encodes JPEG images into lower quality images – “thus optimizing them for size”.

“Extra speed” connects you to faster premium servers, and is always-on for paying customers.

Privacy

CyberGhost itself is based in Romania, which is widely regarded as very privacy-friendly. Romanian courts struck down the EU Data Retention Directive on constitutional grounds long before it was declared illegal by the European Court of Justice. Romania is also not a 14-Eyes spying alliance nation, and has no known ties to the NSA. All of which is great.

CyberGhost has, however, recently  been acquired by Kape Technologies PLC – a company based in the Isle of Man and headquartered in Tel Aviv.  The Isle of Man is a self-governing Crown dependency.  The UK government has very little direct influence on such independently administered jurisdictions, but could conceivably exert considerable diplomatic pressure.

That said, any such pressure would be very indirect, as CyberGhost itslef is based in Romania. This allows it to offer a very robust no-logs policy:

“Log data: CyberGhost keeps no logs which enable interference with your IP address, the moment or content of your data traffic. We make express reference to the fact that we do not record in logs communication contents or data regarding the accessed websites or the IP addresses.

CyberGhost VPN records exclusively for statistical purposes non-personal data (such as for example, data regarding the utilization degree of the servers), which do not represent in any moment a danger for your anonymity. Such serve exclusively for the improvement of the service quality.

This means that CyberGhost logs no information that be used to identify users. Is it 100% no logs? I think it is close enough not be worth quibbling over.

CyberGhost publishes a transparency report. This still relies on trusting CyberGhost to report all incidents,  but is a nevertheless a reassuring show of dedication to openness. It also provides a great insight into the kind of issues a large VPN company such as CyberGhost must routinely deal with.

No-spy servers

CyberGhost is very proud of its no-spy servers, which are the result of a crowdfunding campaign. These are servers located in Romania on premises owned and entirely managed by CyberGhost. This means that CyberGhost has complete control over these servers, rather than having to rely on a third party server provider.

CyberGhost’s bold claim that these servers are “out of NSA reach” should be taken with a pinch of salt. If the NSA wants your data badly enough, it can almost certainly get it one way or another. However… running its own server center does make the data stored in it much more secure. And as noted above, the USA has no legal purchase in Romania. Unfortunately, these No-spy servers only currently seem available to original backers of the crowdfunding campaign.

Visit CyberGhost »

Security

Encryption

CyberGhost primarily uses the OpenVPN protocol to secure connections with the following settings:

Data channel: an AES-256-CBC cipher with SHA256 hash authentication. Control channel: an AES-256 cipher, RSA-4096 key encryption and SHA384 hash authentication. Perfect forward secrecy is provided by an ECDH-4096 key exchange.

OpenVPN Encryption
Cipher
AES-256 CBC
Data Auth
HMAC SHA256
Handshake
RSA-4096
Control Auth
HMAC SHA384
Forward Secrecy
ECDH-4096
Logs & Legal
Connection
None
Traffic
None
Country
Good

This is a fantastic OpenVPN setup!  And unlike many providers, CyberGhost does not use publicly available pre-shared keys (PSKs) for its L2TP connections. This is also good.

For information on what all this means, please see VPN Encryption: The Complete Guide.

Payment processors

Please note that CyberGhost itself does not process any orders or payments. We work exclusively with resellers, namely Cleverbridge (cleverbridge AG, 2-4 Brabanter Str., 50674 Cologne, Germany) and/or Stripe and/or Paypal. Once you chose your selected way of payment and click “continue to payment”, you will be directed to our third-party payment gateways domain.

Please be aware that these services have their own privacy policies. So if you are concerned about this information being logged, you should carefully examine them. Note that PayPal and Stripe are both US companies. Bitcoin payments are processed by BitPay. This is also a US company, but if you have properly anonymized your Bitcoin and pay using a VPN or Tor, this should not matter.

Other security considerations

CyberGhost last year caused concern by issuing a root certificate (now removed from the software) and logging users’ hardware ID. CyberGhost may well have acted in good faith in both these cases, as it claims, but these incidents are nevertheless rather worrying from a privacy perspective.

Of even greater concern is a paper published this year which named CyberGhost’s Android VPN app among those found to be “malicious and intrusive,” and for testing positive for malware. CyberGhost has always strenuously denied any wrongdoing, and it is indeed common for anti-virus scanners to generate “false positives.” For what it’s worth, I downloaded an .apk of the latest Android app, and VirusTotal gave it a clean bill of health.

The Website

The CyberGhost website has a friendly feel to it, helped by the company’s distinctive ghost logo. It is also available in eight languages, which is great for accessibility. There is plenty of information available on the website about the company, its features, and suchlike.

This server list looks pretty

The Help section opens onto CyberGhost’s older website, which can be a little confusing when it comes to navigating around. It is very comprehensive, but most articles relate to CyberGhost’s free and legacy services. It is often far from clear whether all information presented in the Help section still applies.

Support

In addition to how-to guides and an extensive help section, direct support is available via 27/4 Live Chat with native support for French and German. The Live Chat staff member I talked to was quick to answer and friendly. He also answered most questions just fine.

I don’t expect front-line support staff to be technological whizz-kids, so did not mind when he referred more deeply technical questions to be answered later by via email… Which took more a day before I received a response and which utterly failed to address my detailed questions about the OpenVPN encryption CyberGhost uses. Fail.

CyberGhost has since told me that it has hired 10 new support agents. This should improve matters, although recent customer service tests we performed for our VPN Awards still produced somewhat mixed results.

The Process

In order to sign-up for a CyberGhost account you need to provide a valid email address and payment details. As already noted, CyberGhost accepts potentially anonymous payment in Bitcoin. Once payment is done, you will be sent a confirmation email with links to download software etc.

The CyberGhost 6 Windows Client

CyberGhost is very keen to highlight that its software is German-made. Please see a recent interview I did with CyberGhost CEO Robert Knapp for an explanation why CyberGhost considers this important.

CyberGhost organizes its Windows client around typical tasks you might want to perform using the VPN. This is a clear and intuitive layout.

The Ghost Downloads tab, for example, brings up various features and options you might want while torrenting.

A pretty screen gives you connection details when connected.

The Ghost Streaming tab lists various streaming services that CyberGhost claims to work with. I was not able to test the subscription services, but all the free ones I tested did indeed work as advertised.

CyberGhost now fully supports Netflix and BBC iPlayer streaming.

A fairly neat feature is the ability to define your own Ghost Streaming service.

The Ghost Pro tab is simply a more traditional list of severs with User Load and Ping rates. This information can be handy for choosing a fast VPN server.

The client allows you exempt specified websites and domains from the VPN.

You can chose between OpenVPN UDP and OpenVPN TCP. There is no port selection feature, however, so you cannot use TCP port 443 to evade censorship.

WiFi protection is a feature that I am seeing more and more in custom VPN clients. It will alert you whenever you connect to an unsecured WiFi network, and will automatically enable the VPN if it is not active.

I have not had an opportunity to test this feature, but I can see its value.

CyberGhost offers an interesting feature called App Protection. A VPN usually protects your entire internet connection, but App Protection allows you to specify that only certain apps are protected by the VPN. This is also known as split-tunneling.

A kill switch is not mentioned in the client, but I was informed by staff that an automatic one is baked-in.  If this is the case then it must be the kind that detects if a VPN connection has dropped before disconnecting the VPN, or which uses its own firewall rules rather than Window’s. The second option is better, but does mean that when I force-closed the CyberGhost VPN client in Task manager to simulate a software crash, my internet still worked.

Overall, the windows client looks good, sports lots of useful features, is easy to use, and works well.

The CyberGhost 6 MacOS Client

The Mac client looks different to the Windows client, and is not organized around “typical tasks.” It instead uses the much more traditional format of just pick a country and/or server, then hit the “Start” button. This means there is considerably less hand-holding than with the Windows client. Whether this is a good or bad thing will be entirely subjective.

There is no dedicated streaming tab, but CyberGhost does now support Netflix streaming in macOS.

WiFi protection and split tunneling options are missing from the Mac client. You can exempt websites, however.

It is a bit of a shame that the macOS client is not as fully-featured as the Windows client, but it is still more fully-featured than many custom client from other providers.

Performance  (Speed, DNS, WebRTC, and IPv6 Tests)

Speed tests are performed using our groovy new speed test system. This provides a scientific and objective way to measure and compare VPN speed performance. Please see here for more details.

Both CyberGhost’s average and burst download results are very middle-of-the-road, and fall far below those of our top performers. That said, 73.5 Mbits/s burst speed should be plenty fast enough for most users when connected to a nearby server.

DNS lookup time is a good measure of how fast users’ perceive their connection to be as it affects web page loading times. Faster lookup time= faster web page loading (i.e. lower is better).  CyberGhost scores well on this metric.

VPN connection time measures how long it takes between hitting the “connect” button in your VPN client, and the VPN connection to be established. It is probably the least important of these speed measurements, but no-one enjoys hanging around. CyberGhost results are a little disappointing here.

We run basic test IP leak tests by visiting ipleak.net. These include IPv4 and IPv6 DNS leak tests and Ipv4 and IPv6 WebRTC leak tests.

Please see A Complete Guide to IP Leaks for a full discussion of what all this means. Basically, though, if we can see our real IP address or an IP address belonging to our real ISP when using the VPN, then that’s not good.

Please note that Private Use RFC IPs are local IPs only. They cannot be used to identify an individual, and so do not constitute an IP leak.

CyberGhost says that its software has DNS leak and IP leak protection built-in, and in my tests it certainly passed with flying colors (this includes IPv6). WebRTC is not disabled as it can be useful, but WebRTC leaks are blocked by the client.

Other Platforms

CyberGhost Pro offers a custom VPN app for Windows, MacOS, iPhone, and Android. I have not had the opportunity to test this VPN on iPhone. It also provides guides for manually setting up OpenVPN and L2TP/IPsec connections on these platforms plus Linux, various routers, and Chrome OS. In addition to this, CyberGhost now offers free proxy browser add-ons for Chrome and Firefox.

The CyberGhost Android app

When you first install the Android app you are offered a 7-day free trial, after which it reverts to the Free plan unless you upgrade. The app does not ask for any special permissions during install, which is very welcome. As with the Windows client, the Android app is  organized around “typical tasks.” These are: Secured Streaming, Surf Anonymously (a term I hate – VPNs provide privacy not anonymity), and Choose My Server. WiFi Auto-Protect is also supported.

The app looks very professional and offers many of the features found in the desktop client.

The Android app fully supports steaming profiles – including US Netflix and BBC iPlayer. I tested Netflix, and it worked both on its mobile web page and the Netflix app.

I detected no IP leaks while using the Android app.

The browser add-ons

The free browser proxy add-ons appear identical for Chrome and Firefox. They allow you to connect to servers in Germany, Netherlands, Romania, and the United States.

Proxy connections are encrypted using HTTPS (that is, they are HTTPS proxies). This means they act very much a regular VPN except that they affect the browser only. Cyberghost states that these add-ons do not provide protection against WebRTC leaks, but I did not detect any such leaks, anyway. I am impressed to note that add-ons unblock US Netflix!

Conclusion

I liked

  • 5 simultaneous devices
  • Great logs policy
  • Based in Romania, which has no government surveillance
  • Low cost
  • 24/7 Live Chat (native French and German)
  • 7-day free premium trial plus 30-day no-quibble money back guarantee
  • Servers in 61 countries worldwide
  • WiFi protection against hackers
  • Free browser add-ons (which unblock US Netflix!)
  • App protection and website exemption
  • Good looking and easy-to-use software
  • P2P torrenting is permitted on selected servers
  • Accepts Bitcoin
  • DNS and WebRTC  leak protection
  • Kill switch (but will not survive a software crash)
  • Works with a lot of streaming services, including Netflix and iPlayer

I wasn’t so sure about

  • It is impossible to tell how well the various “extra features” work or how they compare to similar FOSS browser extensions
  • Speed test results are a bit meh

I hated

  • Support could not answer detailed encryption questions

CyberGhost is a very good VPN service. Its software is easy-to-use while also being fully featured. It uses very strong encryption, and 5 simultaneous connections is generous. Being based in Romania and keeping (almost) no logs is also a big draw.

All-in-all,  I think CyberGhost’s great logging policy, decent local (burst) speeds, and fully featured software a winning combination. And with a 7-day free premium trial plus 30-day no-quibble money back guarantee, there is zero reason not to give it a whirl.

If you are interested in Cyberghost, you may also want to check out our CyberGhost Interview with CEO Robert Knapp.

Visit CyberGhost»