Viscosity App Attempts Silent TCP Connection over Port 443

I've recently begun trying out the Viscosity App, version 1.7.5, on macOS using OpenVPN connections to my VPN provider. I use network traffic monitoring software to allow different inbound/outbound connections. After installing and configuring the app, I made an attempt to connect to one of the VPN servers and allowed the OpenVPN connection. However, I received a notice that the Viscosity App was attempting a TCP connection to their servers over port 443. This isn't a normal request for software updates or anything within the user preferences that would justify this attempted network connection. In fact, the user would not know about this connection attempt since you are not given any information that the app would perform this request when installing it, nor are you notified when you make a VPN request to connect with your provider. This seems quite distrustful by the developer to include a new feature that could damage the user's privacy when creating a tunnel to their VPN for all of their network traffic to pass through. This attempt by the Viscosity app does not occur when the app is open, idle, and not being used for a VPN connection but only when the user initiates a request for the VPN connection. I had attempted to post an inquiry and informative on their forum but have not had any of the three posts approved. I've also contacted their support to inquire as to why this app is making this connection attempt and what its purpose is but have been ignored, as well. I'm making this post to hopefully allow others to chime in with their feedback that they have witnessed this on their platforms and to give feedback to the developers about this being unacceptable.

Comments

  • Posts: 572
    rlblairjr said:
    I use network traffic monitoring software to allow different inbound/outbound connections.
    Which app? Little Snitch?

    Please provide a screenshot of what you're seeing.
  • No problem, and I am currently working on setting up a VM to provide a screen recording of this claim. The app I was using for blocking inbound/outbound connections is Vallum/Murus. Give me some time and I'll post back with further proof. If you've got any suggestions, advice, or guides to provide any relevant information to validate or for others to refute this claim, then please feel free to post what I can provide to the community for them to review. I've had some suggestions on Reddit but am in the process of learning these tools, to include file monitoring software such as opensnoop to observe the activity by the app on files for my platform.
  • edited November 4 Posts: 1
    Hi Folks,

    Viscosity dev here - rlblairjr sent us an email over the weekend asking about this. Please find our reply below:

    Viscosity may phone-home to check your serial number is valid. It sends a SHA256 hash of your license details (i.e. something that can’t be easily reversed in the rare instance the HTTPS connection is somehow compromised) over HTTPS to check on the status. The server will return a valid or invalid status.

    This functionality has been in Viscosity for many, many years, and it is not new. If you’re concerned you can even inspect the request Viscosity is making using a tool like mitmproxy to confirm the above description is accurate.

    Furthermore, Viscosity is very privacy conscious about the way it performs such a check. It does not regularly perform any such checks, and it will only perform such a check if the license status is unknown and it has been an extended period of time (which is probably why you’ve never encountered a check until now). Viscosity attempts to perform any such check through an active VPN connection, rather than over the local network. This prevents a malicious network administrator (or country) from being able to monitor for connections to our server to identify you as a Viscosity user.

    The license check support was added many years ago after we encountered several dodgy VPN Service Providers buying a single-user Viscosity license, and then providing that license to thousands, and sometimes tens-of-thousands, of their customers. This created a massive support load for us, as ultimately many of those users reached out to us when having problems thinking they had a legitimate Viscosity license.

    The license check process allows us to prevent these dodgy VPN Service Providers from attempting this by allowing us to blacklist those licenses.

    Post edited by jbekkema on