What the Hell is CyberGhost Up To? Updated

CyberGhost is a Romanian VPN company that is generally well-regarded in the security world. The service is particularly notable for its rather good free option. There have been recent reports, however, that are somewhat troubling…

CyberGhost installs a root certificate

A recent update to CyberGhost’s desktop and Android software offers a number of new features. These include:

  • Block malicious websites
  • Block ads
  • Block online tracking

CyberGhost Internet Protection

In order to do this, it seems CyberGhost installs a root certificate onto your system. This is not good.

UPDATE: Before publishing this article, reached out to CyberGhost,

“The Fiddler Root Certificate was used in CG5 in order to block advertising and other stuff client side also for HTTPS. This is no longer supported and CG6 does not install a root certificate. All filters are now server side and do not touch HTTPS.”

It is good to hear that the new version of CyberGhost’s software does not install a root certificate. The decision to do this in the first place, however, remains questionable.

What is a root certificate?

When you visit an HTTPS secured website your connection is secured using SSL/TLS encryption. In addition to this, the website will present your browser with an SSL certificate. This shows that it (or more accurately ownership of the website’s public key) has been authenticated by a recognized Certificate Authority (CA).

Windows root certificates

In Windows you can check which root certificates are installed using the Microsoft Management Console.

If a browser is presented with a valid certificate then it will assume a website is genuine. It will then initiate a secure connection and display a locked padlock in its URL bar to alert users that it considers the website genuine and secure.

So what’s the problem?

If CyberGhost has installed a root certificate then it can easily perform a Man-in-the-Middle (MitM) attack on all your SSL-encrypted web traffic:

  • It can intercept your traffic and present itself as the website you think you are visiting.
  • Because of the installed root certificate, your system will accept this.
  • CyberGhost can then decipher all data sent over the HTTPS connection (including, for example, your bank account details).
  • It can then re-encrypt your data and pass it transparently on to the website you are visiting.
  • And vice-versa.

Not only can CyberGhost do this, in fact, but its new features seem to rely on this in order to work! CyberGhost promises to keep no logs at all, but we just have to trust its word about this (see later).

To some extent this is true of every no-logs VPN service. But the fact that CyberGhost installs a root certificate on your system means that it has access to much more sensitive information than is usually the case, i.e. all your HTTPS-encrypted traffic.

This is a lot more information than your ISP can ever see.

UPDATE: “Additionally the root certificate was randomly and uniquely generated client side and is not a risk of security. See Fiddler for more details.”

Fiddler is a legitimate network development tool, but its purpose is to intercept HTTPS traffic,

Fiddler captures HTTP and HTTPS traffic and logs it for the user to review (the latter by implementing man-in-the-middle interception using self-signed certificates).

What can I do about it?

If you do not opt to use CyberGhost’s new Internet Protection features, then it will not install a self-signed Fiddler root certificate on your system. I’m not sure whether turning off these features if already enabled then deletes the root certificate. But it is worth checking, and manually removing it if necessary.


The Fiddler certificates are even labeled “DO_NOT_TRUST”!
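One way to do that check from PowerShell, as an added example (not from CyberGhost or Fiddler). The name patterns are assumptions based on the label and tool named above, and `Find-InterceptionRoot` is a hypothetical helper name:

```powershell
# Added example: audit the Windows root stores for local-interception roots.
# The default name patterns are assumptions taken from the article's wording.
function Find-InterceptionRoot {
    param(
        [string[]]$StorePath   = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'),
        [string[]]$NamePattern = @('DO_NOT_TRUST', 'Fiddler')
    )
    # Escape each pattern so it is matched literally (-match is case-insensitive).
    $regex = ($NamePattern | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $regex -or $_.Issuer -match $regex } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

$found = @(Find-InterceptionRoot)
if ($found.Count -eq 0) {
    'No root certificate matching the patterns is installed.'
} else {
    $found | Format-List
    foreach ($cert in $found) {
        # -WhatIf only previews the deletion; drop it after reviewing the list.
        # Entries under LocalMachine need an elevated PowerShell session.
        Remove-Item -Path "$($cert.Store)\$($cert.Thumbprint)" -WhatIf
    }
}
```

A match on name alone is only a lead: compare the thumbprint with what the Microsoft Management Console shows before removing anything.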

Is CyberGhost logging hardware ID?

A member of Wilders Security Forums last month posted evidence that CyberGhost is logging the hardware ID of computers that have its software installed. These details include:

  • BiosId
  • BiosDate
  • VideoId
  • CpuId
  • BaseId
  • ComputerUsername




A concerned reddit user contacted CyberGhost about this issue,

Just asked their support and they said this is how they monitor and keep your subscription computers in place for example; if your current subscription is limited to 1 computer, they use this information to pair it to their end so it knows you using your ‘1 machine and knowing how many connections to cyber ghost you have’. So you can’t go over your computer limit and so forth.

This is not standard practice for a VPN provider, as this information can be checked using its user authentication server, the logs for which can then be immediately discarded by a provider offering a true no-logs service.

By keeping such logs CyberGhost is clearly violating its oft-stated claim that it keeps no logs…

UPDATE: “The hardware id is a secure hash of some system components to track the number of unique users to optimize our server infrastructure. As it is a hash it’s not possible to reverse identify a user’s computer. It’s also not associated with any date, time, account or usage behavior etc.”

The fact remains that CyberGhost does indeed log system components. It claims these logs are hashed, but we have only its word for this. Furthermore, even when hashed, this data constitutes a unique fingerprint of each user’s hardware.
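Why a hash is still a fingerprint, shown as an added illustration (not CyberGhost's code). The field names come from the list above; the choice of SHA-256, the way fields are joined, and every value are assumptions constructed for the example:

```powershell
# Added illustration: a hash of hardware attributes is a stable pseudonym.
# Field names are from the article; algorithm, format and values are constructed.
$Fields = 'BiosId', 'BiosDate', 'VideoId', 'CpuId', 'BaseId', 'ComputerUsername'

function Get-HardwareIdHash {
    param([Parameter(Mandatory)][hashtable]$Components)
    # Join the fields in a fixed order so identical hardware gives identical input.
    $joined = ($Fields | ForEach-Object { "$_=$($Components[$_])" }) -join '|'
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($joined))
        return -join ($digest | ForEach-Object { $_.ToString('x2') })
    } finally {
        $sha.Dispose()
    }
}

$machineA = @{
    BiosId = 'CONSTRUCTED-BIOS-A';  BiosDate = '20150101'; VideoId = 'CONSTRUCTED-GPU-A'
    CpuId  = 'CONSTRUCTED-CPU-A';   BaseId   = 'CONSTRUCTED-BOARD-A'
    ComputerUsername = 'alice'
}
$machineB = $machineA.Clone()
$machineB.ComputerUsername = 'bob'

# 1. The same machine always produces the same value, so it identifies the device.
$hashA = Get-HardwareIdHash -Components $machineA
"Stable across runs : $($hashA -eq (Get-HardwareIdHash -Components $machineA))"

# 2. Changing a single field gives a different value, so identifiers are distinct.
$hashB = Get-HardwareIdHash -Components $machineB
"Differs for B      : $($hashA -ne $hashB)"

# 3. A party holding a stored hash and a device's component values can confirm
#    a match by recomputing; nothing has to be "reversed".
$stored = @($hashA)   # constructed stand-in for a provider-side record
"A matches stored   : $($stored -contains (Get-HardwareIdHash -Components $machineA))"
"B matches stored   : $($stored -contains $hashB)"
```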


CyberGhost may not be doing anything major wrong (other than lying about keeping logs). Its behavior, however, appears to be shady in the extreme.

Of particular concern is the root certificate. The reason for its installation appears innocuous enough – to enable advanced Internet Protection features. And that may, indeed, be all CyberGhost is using it for.

Being a root certificate, however, means that you must place a huge amount of trust in CyberGhost to not abuse its power to spy on everything you do on the internet.

For me… no thanks!

UPDATE: As has already been noted, a root certificate is not installed by CyberGhost 6, the latest version of CyberGhost’s software.

Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+


2 responses to “What the Hell is CyberGhost Up To? Updated”

  1. Wow, thank you for this detailed article, I do believe in the genuineness of CG and briefly did subscribe to their paid service and was happy with the results. The no logging is important to me, and the CG privacy policy is pretty clear on that regard.
    It’s interesting about the discovery of the hardware ID by folks at Wilders, that is certainly something that needs more attention from security and privacy experts.
    I’m wondering though, if CG is doing this when their application is installed, perhaps other VPN providers may be doing it too, albeit for “optimization purposes”.
    I’m specifically thinking of PIA, because next month I’m going to be taking a year’s subscription.
    Douglas, I’m curious at the omission of PIA in your “best VPN” categories on the site, and so could you give me your frank opinion as to why?
    Is there something about PIA that makes you not trust them, perhaps that they are a US based company or that you believe they keep detailed logs or something else?
    I value your other informative articles on this site, so your opinion is important to me. Please do respond when you have the time, I will keep checking the article’s comments section daily. Anyways, have a good one, and thanks for your hard work.

    Warm Regards,
    A weary traveller.

    1. Hi Call me Mike,

      Points against PIA:

      – It is based in the USA, so the NSA must (IMO) be spying on users in some way. The fact that PIA stridently denies this only reduces my trust in the company.
      – I used to use PIA, but the frequency of disconnections became an issue.
      – Apple users (OSX and iOS) repeatedly report dissatisfaction with the service.

      I actually think that PIA is a good service, but the first two issues listed above led me to move away from it.
