TL;DR: A VPN service copied our extension's design, they use(d) our API servers and implemented their browser proxy service insecurely. We make this public to avoid the awkward moment when someone might accuse us of copying them and not the other way around.
Normally we wouldn't point the finger at someone else to highlight insecure/bad implementations, but this is an exception from our conduct.
Today we found out from a customer of ours that TorGuard's Proxy Extension looks very similar to ours (Webstore/official page). We investigated the findings and confirmed that it is, mostly, a copycat (see our tweet).
Our extension for Chrome was first released on December 17, 2014; for Firefox on April 19, 2015. Their extension for Chrome was first released in May 2015. Public announcements, number of users/ratings and SSL certificate dates stand as evidence to confirm which was created first.
This is a comparison between our app version 1.6.x (mirror) for Chrome / current version 1.0.1 for Firefox and Torguard's current version.
The design similarities are very obvious even to an untrained eye.
A note to those who aren't familiar with Chrome extension development: the code can be easily inspected, since it isn't closed source. An extension like CRX source viewer can be used to view the code directly in the Webstore. Or you can download the .crx file, unzip it and inspect it.
It's not only the design that's similar: they also use the same geo-location API server address (highlighted in the comparison image above). This is our own geo-IP API server that we're using internally (for software, extensions etc.). We're hosting this image on the API server to prove that it is ours, in case anyone has doubts.
FYI, using someone else's API servers, as a VPN service, is a very irresponsible mistake - just terrible from a security & privacy point of view. What they do by using someone else's servers such as our API service, essentially, is expose all their Chrome Proxy users' IPs to a competitor. We don't interfere with the queries in any way, but you should be aware that a malicious competing service could make use of such an opportunity to log users' IPs or, even worse, redirect them or forge the JSON replies to mess with the extension's functionality: e.g. a trolling scenario where the connected location would display "Fort Meade, Maryland" regardless of the real gateway IP location.
Now, moving to the security part. Not everything from our app was copied (they missed the good parts!), for example the storage of credentials and the update of active servers via JSON queries:
- Torguard stores the credentials in clear-text; we are XORing the pass to protect it against spyware that will search all over the place for clear-text credentials.
  To reproduce: add some credentials and save them > right click on extension > Inspect popup > Resources > Local Storage
- Torguard gets the up-to-date list of proxy gateways over HTTP (again in clear-text); we get them over HTTPS (A+ on Qualys/mirrored results): from Torguard's background.js, from our background.js.
  The obvious risk of providing server IPs over HTTP is that they can be easily hijacked in a MitM attack.
- Torguard's HTTPS proxy is highly insecure: it uses insecure ciphers like RC4, supports SSL 3, is vulnerable to the POODLE attack and doesn't provide Forward Secrecy. It gets a shameful Grade C on the Qualys test. Result mirror 1, mirror 2 (to see the original result). And this is our result/mirror (FS enabled, no weak ciphers, support only for TLS 1.1 and 1.2).
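As an added example (not code from either extension), this is how an extension's background script should treat the gateway list it fetches: refuse a non-HTTPS source, so an on-path attacker can't swap in their own servers, and validate every entry of the JSON reply, so a forged or malformed reply never reaches the proxy configuration. The reply shape {"servers":[{"host","port","location"}]} and the URLs are assumptions made for the example.

```javascript
// Added example, not from the original post or either extension.
// Assumed reply shape: {"servers":[{"host":"...","port":443,"location":"..."}]}
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const HOSTNAME = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;

// Over plain HTTP the list can be rewritten by anyone on the path (the MitM risk
// described above), so anything that is not HTTPS is rejected before fetching.
function assertHttpsSource(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') {
    throw new Error(`refusing to load gateway list over ${u.protocol}`);
  }
  return u;
}

// Validate one entry of the reply; returns a clean copy or null if it is unusable.
function validateGateway(entry) {
  if (typeof entry !== 'object' || entry === null) return null;
  const { host, port, location } = entry;
  if (typeof host !== 'string' || !(IPV4.test(host) || HOSTNAME.test(host))) return null;
  if (!Number.isInteger(port) || port < 1 || port > 65535) return null;
  if (typeof location !== 'string' || location.length === 0 || location.length > 64) return null;
  return { host, port, location };
}

// Parse a reply body into the gateways the extension may use, dropping bad entries.
function parseGatewayList(sourceUrl, body) {
  assertHttpsSource(sourceUrl);
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { throw new Error('gateway list is not valid JSON'); }
  if (!parsed || !Array.isArray(parsed.servers)) throw new Error('gateway list missing "servers" array');
  const gateways = parsed.servers.map(validateGateway).filter(Boolean);
  if (gateways.length === 0) throw new Error('gateway list contained no valid servers');
  return gateways;
}

// Constructed sample reply: one valid entry, one with an impossible port, one injected junk host.
const SAMPLE_BODY = JSON.stringify({
  servers: [
    { host: 'proxy1.example.net', port: 443, location: 'Amsterdam' },
    { host: 'proxy2.example.net', port: 70000, location: 'Zurich' },
    { host: 'not a host; rm -rf /', port: 443, location: 'x' },
  ],
});

// Only the first entry survives validation; an HTTP source URL throws before parsing.
const usable = parseGatewayList('https://api.example.com/servers.json', SAMPLE_BODY);
console.log(usable); // [ { host: 'proxy1.example.net', port: 443, location: 'Amsterdam' } ]
```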
A word of advice to Torguard: when copying someone else's work, please also consider your users. Don't promise them "anonymity" (a false promise as a VPN service, but that's a different topic) and "security" unless you do it correctly, at least to a reasonable degree.
We demand apologies on this matter and we also urge Torguard to make the necessary design & code changes to make it less obvious that their Chrome Extension is a blatant, unethical imitation.
Cheers!
Update 1: earlier today they acknowledged (mirror 1, mirror 2) the removal of our geo API servers from their app, though they don't see a problem with the copycat design.
Update 2: they updated the Chrome extension, adding encryption for credentials. They also "secured" the HTTPS proxies (now getting a grade B instead of C; mirror). The extension design is still the same.
Mirrors hosting their extension version 0.1.69: Mega, our CDN (you can also unzip it)
Mirror hosting of our previous version 1.6.4 that's been copied: our CDN