Surfshark No-Log Audit Report

For some time VPNs had to deliver their services on a promise-like basis. It is sometimes hard to back up the zero-logs privacy claims because there is a pressure from not only government agencies but also surveillance centres for a tighter netizens control. There are several adverse incidents which take place in the past which advertise the VPN service in a wrong manner.

But, over the past few years, a new practice of independent auditing have emerged. It has proved to be an effective way for various VPN service providers to test their security features and provide an exceptional service to their users of what they had just promised. 

Different VPN providers like ExpressVPN, NordVPN, PureVPN, and VyprVPN, were able to defend their statements with reliable facts and verification proofs by top auditing companies around the globe.

Let’s drive in to see how SurfShark VPN moved in the line of such practice? Who did the service audit? And what was concluded from the inspection? So, just read on.

SurfShark Audit:

SurfShark VPN has become one of the most popular privacy tools in the market. When it comes out earlier during the year 2018, the majority of the users had a good feeling about this service. It was evident that the people behind it knew what they were doing.

The VPN service provider came out with no simultaneous connection limit as well as a full-fledged no-log policy. It doesn’t mean ‘’no activity logs’’ or some other marketing phrase, but just zero-logs. With time, SurfShark VPN expands in network size, number of supported platforms, and increased feature list.

During late 2018, the company took another step in SurfShark evolution as it publishes the result of an independent audit. The audit report successful claim it a no-log VPN provider and crowned as the best VPN newcomer of 2019.

In the entire audit process, the VPN gave its both Chrome and Firefox browser extension with the source code to Cure53 for in-depth analysis. The report states that the foremost aim of the project was to attain an external view of how well the VPN browser extension handles the security and privacy of the users. 

After the audit was done so, it concluded that whatever promises were made to users regarding protecting against DNS and IP leaks are kept. Both code audit and a penetration test were done to verify the no-log claim.

Why choose Cure53?

SurfShark, for their first independent audit, chooses a German cybersecurity company, Cure53. It is a respected and reliable firm in the security sphere, which is known for the integrity of its analysis along with one or two scandals it uncovers in the past. Its team was behind the shutdown of a parental control app distributed by the South Korean government.

Although the VPN industry is full of bold and boastful statements regarding anonymity, security, and privacy, however, independent audits are infrequent. When TunnelBear VPN completed their review in 2017, so, it was also performed by Cure53. For its significant experience and value in the market, SurfShark decided to choose Cure53 as their auditors.

What did the report say?

It is quite understandable and clear why independent audits and the public reports of such inspections are rare. Their subjects have a bit less to gain but a lot to lose. In an industry which is built on promises of utmost privacy and security, reports of security holes are best avoided. But that’s where the hypocrisy rises- after all, preventing bugs, exploits, and leaks is a lot easier if you submit your service to such audit companies. 

To fortify and reinforce the reliability of the results, Cure53 testers hired the so-called white-box methods while they were assessing the VPN. They do so to reach a right level of coverage which clear all doubts and questions of the targeted audience. 

The members of the Cure53 team conclude that the tested applications have an extremely robust impression and are not exposed to any issue. It implies to both privacy and general security jurisdictions.

The report also included the findings of Chrome and Firefox extensions. According to the results, both the extensions stand out with the relation of being rare for the VPN browser extension products who suffer from different issues.

The Cure53 audit team worked for five days and found just two vulnerabilities. One they marked as ‘Low impact’ which was not related to the browser extension and another was of a more general flaw. The team addressed the issue to ensure a bullet-proof service by all means.

The auditors were extremely satisfied to see a robust security posture on the SurfShark VPN extensions, especially given the shared vulnerability of similar products to privacy issues.

Findings:

The findings of the audit report reveal two vulnerabilities identified by Cure53. One is the service invitation emails which uses an unencrypted HTTP link. Well! It is not a severe issue as it may allow an attacker who can spy on the connection of the user. 

However, the second issue is that the code has a line which configures the proxy to use an unencrypted HTTP connection. Although it sounds worrying, it is impossible for the necessary condition to occur.

Conclusion:

To sum up all, the ambitious and primary VPN provider’s one after the other are checking their services for potential vulnerabilities. These audits look an effective way to back-up and defend the security and privacy claims these companies make on their website. 

Many VPN providers who promise top-notch privacy in their policies fail to keep their promise and results in keeping user’s logs. However, the audit strategy is now becoming the new customer standard for picking up the best VPN service provider.