The Hidden Privacy Risk in Commercial VPN Services: Root Certificate Installation
Introduction
As a cybersecurity professional who routinely investigates Business Email Compromise (BEC) attacks, I've encountered numerous obstacles that hinder effective incident response. One particularly concerning discovery came during a recent investigation of a potentially infected machine: many commercial VPN providers silently install their own Trusted Root Certification Authority certificates on users' devices. This practice, while not widely discussed, has significant privacy implications that contradict the very privacy promises these services advertise.
The Promise vs. Reality of VPN Privacy
Commercial VPN services market themselves as privacy enhancers that shield your internet activity from prying eyes. The typical pitch highlights encrypted connections, IP address masking, and protection from surveillance. Users naturally assume their data is protected from all third parties—including the VPN provider itself.
However, what many users don't realise is that by installing their own root certificates, these VPN providers potentially position themselves as trusted intermediaries who can inspect all encrypted traffic—including HTTPS connections that should be secure.
What I Found During My Investigation
While investigating an account I believed to be compromised in a BEC attack, I was attempting to trace the attacker's activities. The investigation was complicated by the victim's use of a commercial VPN service (which I won't name specifically). As I examined the machine's certificate store, I discovered something concerning: the VPN provider had installed its own Trusted Root Certification Authority certificate.
This discovery is significant because:
- Root certificates grant the issuer extraordinary trust within your system
- With this certificate in place, the VPN provider can potentially intercept and decrypt your supposedly secure HTTPS traffic
- This capability creates a technical possibility for the provider to inspect the content of your encrypted communications: any traffic at all, including online banking, email and other sensitive sessions that the remote service itself encrypts end to end
- Most users are never informed about this installation or its implications
How Root Certificate Installation Works
When you install many commercial VPN applications, the software typically requests administrator privileges. During installation, it quietly adds its certificate to your system's Trusted Root Certification Authorities store. Once installed, your system now implicitly trusts any certificate issued by this authority.
This enables a technique known as SSL/TLS interception (sometimes called "adversary-in-the-middle" in security contexts). Here's the process:
- You connect to a website using HTTPS
- The VPN intercepts this connection
- The VPN creates a new, on-the-fly certificate for that website using its trusted root authority
- Your browser accepts this certificate because it chains up to a root certificate your system now trusts
- The VPN can now see the unencrypted content of your communication
- The VPN establishes its own connection to the actual website
This technique is identical to what corporate networks use for content filtering and what malicious actors use for traffic interception. The difference lies solely in the intent and disclosure.
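The chain-swap described in the steps above is visible from the endpoint: when a connection is being re-signed, the certificate chain Windows builds for a site ends in the locally installed root rather than the public root the site actually uses. The following PowerShell script is an added example written for this post, not code from the original article or from any VPN product. It performs one TLS handshake from the machine under review, lets Windows build the chain the way a browser using the OS store would, reports which local store holds the chain's root, and optionally compares that root against a thumbprint you recorded for the same site on a clean machine. `$TargetHost` and `$ExpectedRootThumbprint` are assumed inputs you supply; save the script as a `.ps1` file and run it from an ordinary PowerShell session.

```powershell
# Added example (not from the original post): observe which root a TLS chain
# from this machine ends in, to tell a re-signed connection from a direct one.
# Assumptions: $TargetHost is any HTTPS site you choose; $ExpectedRootThumbprint
# is the SHA-1 thumbprint of the root recorded for that site on a clean machine
# (leave it empty to simply print the chain).
param(
    [string]$TargetHost = "example.com",
    [string]$ExpectedRootThumbprint = ""
)

# Accept whatever certificate is presented; the goal is to observe, not to trust.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($TargetHost)
    # Copy the leaf certificate out before the stream is closed.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# Let Windows build the chain exactly as an OS-store-backed browser would.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($leaf)
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$root = $elements[-1]

"Chain for $TargetHost (built by Windows, valid=$chainOk):"
for ($i = 0; $i -lt $elements.Count; $i++) {
    "  [{0}] {1}`n       issuer:     {2}`n       thumbprint: {3}" -f $i, $elements[$i].Subject, $elements[$i].Issuer, $elements[$i].Thumbprint
}

# Where does that root live? OS-shipped and Microsoft-distributed roots sit in
# LocalMachine\Root or LocalMachine\AuthRoot; a root present only in
# CurrentUser\Root was added for this user, typically by installed software.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'
$foundIn = foreach ($s in $stores) {
    if (Get-ChildItem $s | Where-Object Thumbprint -eq $root.Thumbprint) { $s }
}
"Root '$($root.Subject)' found in: $($foundIn -join ', ')"

if ($ExpectedRootThumbprint) {
    if ($root.Thumbprint -ieq $ExpectedRootThumbprint) {
        "OK: chain ends in the expected root."
    } else {
        "WARNING: chain ends in a different root than expected; the connection is being re-signed locally or upstream."
    }
}
```

Run it once on a machine you trust to capture the root thumbprint for a site, then again on the machine under investigation with `-ExpectedRootThumbprint` set. A mismatch, particularly when the root reported is one that exists only in `CurrentUser\Root` or was placed in `LocalMachine\Root` by an installer, is exactly the condition the steps above describe.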
The Privacy Contradiction
The irony shouldn't be lost on privacy-conscious users: many people subscribe to VPN services specifically to prevent third parties from spying on their internet activity, yet they're potentially giving the VPN provider itself this very capability.
To be fair, not all VPN providers engage in active traffic inspection, and many have privacy policies that explicitly forbid it. However, the technical capability exists, and users must trust the provider's policies and security practices—trust that may not always be warranted. If a provider is offering to "scan for malware" or "prevent malicious downloads" then the end user should be asking how they are able to perform this action without inspecting ALL traffic between you and the sites you're communicating with.
Implications for Security Investigations
From an investigator's perspective, this practice creates additional complexity when investigating security incidents:
- VPN connections obscure the original source of malicious traffic
- The certificate installation creates additional variables when analyzing TLS/SSL connectivity issues
- It becomes more difficult to detect genuine certificate-based attacks when legitimate certificate manipulation is already occurring
- In multinational investigations, determining applicable jurisdiction becomes more complicated
Best Practices for Privacy-Conscious Users
If you're concerned about this issue but still want to use a VPN, consider these recommendations:
- Consider whether you truly need this service: With most services such as banking or email now using secure connections by default, consider whether you actually need to mask your location, and weigh that against the risk of trusting a third-party entity.
- Research thoroughly: Investigate whether your VPN provider installs root certificates and for what purpose
- Check your certificate store: On Windows, you can review installed certificates through the Certificate Manager (certmgr.msc)
- Use VPN services that don't require root certificates for standard functionality
- Read the privacy policy carefully: Look specifically for mentions of traffic inspection or monitoring
- Consider using browser-based security tools in addition to VPNs: Tools like HTTPS Everywhere and other security-focused extensions can add layers of protection
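Reviewing certmgr.msc by eye is slow, so here is the check from the list above in script form. It is an added example for this post, not code from the original article or from any VPN provider. It walks the machine and per-user trusted root stores, filters out Microsoft's own roots and the roots Microsoft distributes through the AuthRoot store, and lists what remains, newest first, together with whether the root's private key is also present on the machine. That last column is the one to watch: a proxy that mints per-site certificates on the fly, as described earlier, needs the root's private key on the box. The filtering rule is a heuristic of this example rather than a Microsoft-defined test; roots pushed by Group Policy in a managed environment, and a few OS-shipped roots, will also appear, so treat the output as a review list.

```powershell
# Added example (not from the original post): list trusted roots on this Windows
# machine that were not shipped or distributed by Microsoft, and flag any whose
# private key is present locally. Heuristic filter; output is for review.

# Roots Microsoft distributes and updates through Windows Update.
$authRootThumbprints = Get-ChildItem Cert:\LocalMachine\AuthRoot |
    Select-Object -ExpandProperty Thumbprint

# The CurrentUser\Root view also shows machine-wide roots, so keep only the
# certificates that are not already present in LocalMachine\Root.
$machineRoots = @(Get-ChildItem Cert:\LocalMachine\Root)
$userOnlyRoots = @(Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $machineRoots.Thumbprint -notcontains $_.Thumbprint })

function Select-UnexpectedRoots {
    param([string]$StoreLabel, [object[]]$Certs)
    foreach ($cert in $Certs) {
        # A true root is self-signed; skip Microsoft's own roots and AuthRoot ones.
        $isSelfSigned = $cert.Subject -eq $cert.Issuer
        $isMicrosoft  = $cert.Issuer -like '*O=Microsoft*'
        $isAuthRoot   = $authRootThumbprints -contains $cert.Thumbprint
        if ($isSelfSigned -and -not $isMicrosoft -and -not $isAuthRoot) {
            [PSCustomObject]@{
                Store         = $StoreLabel
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotBefore     = $cert.NotBefore
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    }
}

$findings = @(
    Select-UnexpectedRoots -StoreLabel 'LocalMachine\Root' -Certs $machineRoots
    Select-UnexpectedRoots -StoreLabel 'CurrentUser\Root'  -Certs $userOnlyRoots
)

$findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize

# A trusted root with its private key on this machine means software here can
# sign certificates for any site; that is the capability discussed in this post.
$findings | Where-Object HasPrivateKey | ForEach-Object {
    Write-Warning "Root '$($_.Subject)' in $($_.Store) has its private key on this machine: local TLS interception is technically possible."
}
```

For each root that appears, the questions are who installed it, when (the `NotBefore` date often lines up with a software install), and why a private key would be needed. A root added by a VPN client for "malware scanning" or "malicious download prevention" will typically show up here with its key present, which is the concrete evidence behind the question raised earlier about how such features can work without inspecting traffic.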
Conclusion
Commercial VPN services can provide valuable privacy benefits if you're living in a country with strict freedom of speech controls, or need to access content in another country when travelling (such as streaming UK television services), but users should approach them with a clear understanding of their limitations and potential privacy trade-offs. The installation of root certificates represents a significant trust extension that many users grant without full awareness.
As with many security tools, the decision involves balancing convenience, functionality, and privacy. By understanding these technical details, users can make more informed decisions about which services best meet their specific needs and privacy expectations.
Remember: Perfect privacy solutions rarely exist. The goal should be to select tools whose limitations and trust models align with your personal threat model and privacy requirements.
This blog post reflects the author's personal research and professional experience. Specific VPN providers have not been named to focus on the technical practice rather than targeting individual companies.