A new security study by Trend Micro shows that most of the major VPN providers do not encrypt traffic from the internetworks and therefore their customers’ data is vulnerable to hacking.
The researchers said that the number of known vulnerabilities in NTP was at its highest level since 2008, when the NSA breached a major provider of the network and leaked a trove of NTP logs.
The new report, which focuses on VPNs that offer encrypted connections, said that a third of all VPNs offer a feature that allows the user to encrypt the traffic, and the vast majority of them are using the Tor browser to do so.
“Most of these providers have been slow to implement HTTPS encryption or even have disabled it, while at the same time providing no protections to users,” said the report.
The NTP security study also found that nearly half of all the major providers in India do not have a dedicated SSL certificate authority (CA), meaning that they have to provide their users with an SSL certificate in order to access their VPNs.
“SSL certificates are an important step in ensuring that NTP traffic cannot be intercepted by hackers,” said Trend Micro’s co-founder and principal analyst, Sandeep Kumar.
“However, the majority of VPNs do not offer an easy way to generate a certificate, and many providers do nothing to help customers encrypt their traffic.”
The report also revealed that a large number of the VPN providers had weak SSL certificates that allowed hackers to hijack traffic.
“Even if a VPN provider has a strong certificate, the hacker can still access traffic even when the VPN is disabled,” said Kumar.
“Some VPN providers have introduced features that allow them to connect to NTP using Tor, but these features have not been widely used and are not used by many users.”
Kumar said that while NTP is widely used, its use by VPNs is not universal and some providers have not implemented HTTPS encryption.
“If you are using a VPN and your traffic is not encrypted, then it is possible that a hacker could intercept your traffic even if you have a strong SSL certificate,” he said.
Kumar added that even VPN providers who have disabled HTTPS encryption do not guarantee that their customers will not be hacked.
“In some cases, VPN providers may also use the SSL certificates provided by the VPN service provider to protect users from their own users, or even provide them with additional privileges,” he added.
Rajan Rao, CEO of the Indian Internet Access Association (IIAA), a non-profit organisation that works on developing standards for internet access, said the findings of the study were significant.
“This is a clear indication that we should be looking for VPN providers that are not only compliant with our standards but also that they are doing it properly,” Rao said.
“The NIPT security study shows that a majority of these VPN providers are not taking any measures to protect their customers and users from internet-hacking threats.” “VPN providers have to take the threat of cyberattacks seriously, but there are some companies that are also doing everything they can to make sure that the users have a good experience,” he continued.
The report’s findings come as the government has proposed that India introduce a new security standard for internet connectivity.
The government has said that NIPTS (Network Independent Protocol Transport Security) should be standardised, which would allow the government to standardise encryption for internet traffic.
It has also proposed that NPTs be standardised in other countries.