Mozilla shared the findings of an independent security audit, which found three vulnerabilities in its VPN. Two have been corrected. As for the last, it implies a functionality that is too interesting for Internet users.
Except perhaps in science fiction, invulnerable and faultless computer systems do not exist. Virtual private networks (VPNs) operated by all kinds of companies, despite sometimes bombastic communication, can therefore also occasionally encounter dysfunctions and weaknesses. The challenge is to spot them as early as possible and correct them.
Mozilla, which has also entered this market with its own solution (more exactly, the service is based on a partnership with the service provider Mullvad), has submitted to an independent security audit, to both to illustrate the seriousness with which he conceived it and to demonstrate transparency. Because more than promises, what many Internet users expect are concrete elements.
Three flaws found, two fixed. And the last ?
For this, Mozilla called on a German company specializing in cybersecurity, Cure53, to check its VPN. It was more precisely to ask him to give an update on the Mozilla VPN Qt5 application, in its variations for Windows, macOS, Linux, Android and iOS. In summary, the audit revealed three security flaws, two of which have been corrected.
Only two? In fact, Mozilla explains in a dedicated publication why one of these three vulnerabilities has been left as is. The company first emphasizes that its degree of severity was judged to be moderate (the other two, which were resolved, were classified for one as a serious fault and the other as a medium breach). Also, it was felt that the risk-benefit balance was worth keeping.
The breach in question, which is described as a VPN leak via the detection of the captive portal, is triggered under special circumstances. It is explained that ” the Mozilla VPN client allows unencrypted HTTP requests to be sent out of the tunnel to specific IP addresses, if the captive portal detection mechanism has been enabled through settings. ”
We talk about a tunnel, because the general idea with a VPN is to pass the connection to the Internet through an encrypted tunnel, so as to prevent prying eyes from seeing what you are doing on the net. In addition, the tunnel in question generally tries to pass the connection through servers dispatched around the world, so as not to tell the site visited what your real location is.
The company notes, however, that “ the captive portal detection algorithm requires a clear-text trusted HTTP endpoint to function. Firefox, Chrome, MacOS Network Manager, and many applications have a similar solution enabled by default. Mozilla VPN uses the Firefox endpoint. The risk therefore appears acceptable in view of the advantages for the Internet user.
Regarding the other two issues, the first and most serious was a cross-site WebSocket hijacking. The good news is that the WebSocket interface was only used in the test versions of the app. It was not in the final version. No customers have been affected. As for the other concern, it was a risk that could disclose the authentication code could by injection of a port.
Ultimately, the user benefits outweigh the safety risk
Mozilla’s VPN has been commercially available since the end of April 2021 in France and in a few other countries since summer 2020. The platform has entered a market which is extremely competitive (we have a comparator, as the solutions are legion: NordVPN, Surfshark , Cyberghost, ProtonVPN, ExpressVPN, VyprVPN – to name just the ones we looked at).
There are many uses for a VPN and can be used for legal or illegal activities. It can be used for example to increase the confidentiality of its online activities, for reasons of privacy. This allows you to see foreign catalogs on SVOD sites or to access press sites blocked in Europe due to the GDPR. But VPNs are also handy for stealth hacking.
In the case of Mozilla’s VPN, the offer is chargeable (from 4.99 to 9.99 euros per month depending on the subscription chosen). This billing ensures that the VPN is funded by money and not otherwise, such as monetization of personal data. It provides access to more than 750 servers in 30 countries, with no history retention and activity encryption.
Wondering which is the best VPN?