What Happened to Windscribe and Why Does It Matter?
Because Windscribe’s servers were located in Ukraine, they were susceptible to seizure by Ukrainian authorities. Normally this wouldn’t be a massive issue, as the data that users send through the servers would be encrypted and protected. However, Windscribe’s failure to appropriately protect these servers means that the Ukrainian authorities have access to everything.
This is bad for customers, as it essentially lays bare their entire activity online – something which a VPN is fundamentally supposed to protect against.
As for Windscribe’s response, it has owned up to the fault, with the company’s director Yegor Sak making a statement:
“We make no excuses for this omission. Security measures that should have been in place were not. After conducting a threat assessment we feel that the way this was handled and described in our article was the best move forward. It affected the fewest users possible while transparently addressing the unlikely hypothetical scenario that results from the seizure.”
It’s not just words though, as the company is making strides to improve after this mistake. These steps, according to Windscribe, are:
- All keys required for server function are no longer stored permanently on any of our servers and exist solely in memory after they are put into operation.
- All servers have unique short-lived certificates and keys generated from our new CA which are rotated.
- Each server certificate has uniquely identifying Common Name + SANs.
- New OpenVPN client configurations enforce server certificate X509 name verification using the common name which is unique.
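
The last two measures can be checked from the client side. The following is an added example, not Windscribe's code and not part of the original article: it audits OpenVPN client profiles for a `verify-x509-name` directive that uses an exact common-name match, and confirms that no two profiles pin the same name. The profile contents, hostnames and certificate names are constructed, and one profile per server is assumed.

```python
import shlex
from collections import Counter

# Constructed client profiles; hostnames and certificate names are placeholders.
SAMPLE_PROFILES = {
    "a.ovpn": "client\nremote a.vpn.example 443\nverify-x509-name node-a-7f3c.vpn.example name\n",
    "b.ovpn": "client\nremote b.vpn.example 443  # no name check at all\n",
    "c.ovpn": "client\nremote c.vpn.example 443\nverify-x509-name node- name-prefix\n",
    "d.ovpn": "client\nremote d.vpn.example 443\nverify-x509-name node-shared.vpn.example name\n",
    "e.ovpn": "client\nremote e.vpn.example 443\nverify-x509-name node-shared.vpn.example name\n",
}

def directives(text):
    """Yield (keyword, args) per option line, skipping blanks and # or ; comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            yield parts[0], parts[1:]

def pinned_name(text):
    """Return (name, match_type) from verify-x509-name, or None if absent."""
    for key, args in directives(text):
        if key == "verify-x509-name" and args:
            # OpenVPN treats a missing type argument as a full-subject match.
            return args[0], (args[1] if len(args) > 1 else "subject")
    return None

def audit_fleet(profiles):
    """Map profile filename -> list of findings; an empty list means it passes."""
    pins = {fn: pinned_name(text) for fn, text in profiles.items()}
    seen = Counter(pin[0] for pin in pins.values() if pin)
    report = {}
    for fn, pin in pins.items():
        findings = []
        if pin is None:
            findings.append("no verify-x509-name: the server's name is never checked")
        else:
            name, mtype = pin
            if mtype != "name":
                findings.append(f"match type '{mtype}' is not an exact common-name match")
            if seen[name] > 1:
                findings.append(f"name '{name}' is pinned by {seen[name]} profiles, not unique")
        report[fn] = findings
    return report

if __name__ == "__main__":
    for filename, findings in audit_fleet(SAMPLE_PROFILES).items():
        print(filename, "OK" if not findings else "; ".join(findings))
```
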