
Surfshark VPN Plans Updates After Being Dinged for Risky Security Design

The virtual private network is one of several facing criticism after researchers reveal its use of root certificate installs.

Rae Hodge, former senior editor, CNET

Surfshark VPN said Tuesday it will soon release updates to its popular virtual private network app, after it was among six popular VPNs dinged by AppEsteem researchers for unsound security design in an April report.

Researchers revealed that the Surfshark app gains sweeping influence over a user's device security by installing a Trusted Root Certificate Authority (CA) certificate: once a vendor's root CA is trusted by the operating system, the device will accept without warning any certificate that chains to it. Surfshark said it will keep installing the certificate for now but has fixed the other problems AppEsteem noted.

As reported by TechRadar, if a company's own Trusted Root CA certificate were compromised, the holder of its private key could issue certificates for any website or service and intercept the device's encrypted traffic without triggering a warning, undermining all of the device's data and communication security. AppEsteem found that Surfshark's app installs the root certificate even when a user cancels the app's overall installation. Surfshark previously said the certificate is necessary only for its IKEv2 protocol option, but the company told CNET Tuesday that it plans to remove that option.
"When using the Surfshark root certificate, customers put their trust only in a VPN provider and not a third-party agency that can be compromised," the company said in an email. "We've been working on turning off the no longer popular IKEv2 protocol and focusing all our efforts on supporting Wireguard and OpenVPN protocols. This will eliminate the need to install the certificate."
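The practical question for a Windows user is whether a VPN installer (or any other software) has quietly added a root CA the device now trusts. The following PowerShell script is an added example written for this page, not code from Surfshark, AppEsteem or CNET; it assumes an elevated PowerShell 5.1 or later session and relies on the fact that Windows keeps the Microsoft-managed roots in the AuthRoot store, so a root present in the Root store but absent from AuthRoot was added by software or an administrator.

```powershell
# Added example: enumerate root CAs on a Windows machine that did not come from
# Microsoft's root program, and flag the ones that carry the most risk.
# Assumptions: elevated session; Cert:\<scope>\AuthRoot holds Microsoft-managed
# roots, Cert:\<scope>\Root holds everything the OS trusts. Microsoft's own
# roots (e.g. "Microsoft Root Certificate Authority 2011") live in Root, not
# AuthRoot, so they are filtered by subject name as a convenience; a malicious
# root could of course spoof that name, so review the full list when in doubt.

function Get-ThirdPartyRootCA {
    foreach ($scope in 'LocalMachine', 'CurrentUser') {
        $managed = Get-ChildItem "Cert:\$scope\AuthRoot" |
            Select-Object -ExpandProperty Thumbprint

        Get-ChildItem "Cert:\$scope\Root" |
            Where-Object {
                $managed -notcontains $_.Thumbprint -and
                $_.Subject -notmatch 'Microsoft'
            } |
            ForEach-Object {
                $flags = @()
                # Worst case: the CA's private key sits on this device. Anyone
                # who reads it can mint certificates the device will trust.
                if ($_.HasPrivateKey) { $flags += 'PRIVATE KEY ON DEVICE' }
                # Very long-lived roots keep the exposure window open for years
                # after the software that installed them is gone.
                if ($_.NotAfter -gt (Get-Date).AddYears(10)) { $flags += 'expires >10 years out' }

                [pscustomobject]@{
                    Store      = $scope
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Flags      = ($flags -join '; ')
                }
            }
    }
}

# Run the audit and print the results as a table.
Get-ThirdPartyRootCA | Sort-Object Store, Subject | Format-Table -AutoSize
```

Anything the script lists that you cannot tie to software you deliberately installed deserves a look. A root you decide to distrust can be removed with Remove-Item on its path in the same store (for example Remove-Item "Cert:\LocalMachine\Root\<thumbprint>"), but check first that no software you still rely on, such as a VPN client using IKEv2, authenticates its server through that root.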
AppEsteem also found a number of other security and privacy concerns with the Surfshark app. Researchers found the app continued running processes in the background even after the VPN was disconnected and the app itself closed. Surfshark also left components installed on a user's device after the app was uninstalled. Researchers also dinged Surfshark for not providing customers enough information on how to cancel annual subscriptions or how customers would be notified about subscription renewal.
"As for AppEsteem's evaluation, we've closely cooperated with the company in quickly fixing the highlighted issues. All of them have already been fixed, and all Windows users should soon receive an updated version of the app," Surfshark said. 