)RU�LWV�SDUW��7RU*XDUG�GHVFULEHG�WKH�DWWDFN�DJDLQVW�LWV�LQIUDVWUXFWXUH�WKLV�
ZD\�
³7RU*XDUG�GLG�QRW�VWRUH�RXU�PDLQ�>FHUWL¿FDWH�DXWKRULW\@�NH\�RQ�DQ\�
endpoint. But, even if the CA key was obtained and it was valid,
attacks like these would be virtually impossible to pull off because
OpenVPN has multiple layers of security. An attacker would have
to locate and synchronize multiple attack vectors [...] People
sometimes complain that OpenVPN is complicated, but that is one
reason it is highly regarded as a secure VPN protocol.”
:KDW¶V�SHUKDSV�PRUH�WURXEOLQJ�LV�WKDW�WKH�DWWDFNHU�PD\�KDYH�EHHQ�DEOH�
WR�REVHUYH�VRPH�XVHU�DFWLYLW\�ZKLOH�WKH\�KDG�DFFHVV�WR�1RUG931¶V�VHUYHU��
�,�KDYH�UHDFKHG�RXW�WR�7RU*XDUG�WR�FODULI\�ZKHWKHU�WKLV�LV�DOVR�WKH�FDVH���
,Q�LWV�UHSRUWLQJ��%ORRPEHUJ�TXRWHG�1RUG931�DGYLVRU\�ERDUG�PHPEHU�
7RP�2NPDQ�ZKR�VSRNH�DERXW�WKLV�VSHFL¿F�LVVXH�
“Okman said it was hard to determine if hackers obtained
information on the internet usage of Nord users because the
company doesn’t collect logs of activity on its servers, a selling-
point to privacy-conscious customers. ‘I think that the worst case
VFHQDULR�LV�WKDW�WKH\�FRXOG�LQVSHFW�WKH�WUDI¿F�DQG�VHH�ZKDW�NLQG�RI�
websites you could visit,’ Okman said. He said this would only
apply to Nord users who used its Finnish server and were accessing
websites that didn’t use the secure protocol HTTPS.”
%ORRPEHUJ�VDLG�1RUG931�HVWLPDWHV�WKDW����WR�����FXVWRPHUV�XVHG�WKH�
D̆HFWHG�VHUYHU�
,�UHDFKHG�RXW�WR�1RUG931�WR�FRPPHQW�RQ�WKLV�VSHFL¿F�LVVXH��$�FRPSDQ\�
UHSUHVHQWDWLYH�VWUHVVHG�WKDW�ZKLOH�LW�ZDV�SRVVLEOH��WKHUH�LV�QR�HYLGHQFH�
WKH�DWWDFNHU�REVHUYHG�WUḊF��7KH�FRPSDQ\¶V�UHVSRQVH�
³(YHQ�LI�>WKH@�KDFNHU�FRXOG�KDYH�YLHZHG�WKH�WUDI¿F�ZKLOH�EHLQJ�
connected to the server, he could only see what an ordinary ISP
would see, but in no way it could be personalized or linked to
SDUWLFXODU�XVHUQDPH�RU�HPDLO��+LVWRULFDO�931�WUDI¿F�FRXOG�QRW�EH�
monitored.”
M
a
x
E
d
d
y
