Security of Updates & Outbound Connections
Viscosity will make a number of outbound network connections in normal operation. Besides encrypted VPN connections themselves, software update checks are the most common form of connection and one that we occasionally receive queries about. This support article lists all possible connections Viscosity may attempt to make, and explains the security surrounding update checks that ensures an attacker can't compromise the update process.
Viscosity will create an outbound connection when establishing a VPN connection. The destination address/es, IP protocol type and port, encryption level, and other security characteristics are entirely dependent on the configuration of the VPN connection itself. In most instances we recommend getting in touch with your VPN Provider if you require technical details.
If using a client-side process firewall, such as Little Snitch, these connections will be reported to come from an "openvpn" process. When using obfuscation, you'll likely see an "obfsclient" or "obfs4proxy" process connecting to the obfuscation server.
Update Checks and Downloads
Viscosity will check for an available update at most once every 24 hours. Viscosity performs these checks by accessing an XML file on the SparkLabs software update server (swupdate.sparklabs.com) over HTTPS. This file contains the latest version information and is known as an "appcast". If an update is found, the corresponding release notes will also be downloaded from the same server over HTTPS.
When installing an update, Viscosity will automatically download the update from the software update server and then verify that it is a legitimate update that has not been tampered with before installing it. Viscosity uses several verification techniques: a) the download takes place over HTTPS using only valid certificate credentials; b) Viscosity checks the DSA signature of the update using an embedded public key; and c) the code-signature and certificate on the Viscosity app bundle (macOS) or installer (Windows) are verified.
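The checks described above can also be applied to an appcast from the outside, for example when auditing what an update feed offers to clients. The following Python example is an addition to this article and is not SparkLabs' code: it flags enclosures that are not served over HTTPS from the update server or that carry no signature. It assumes a Sparkle-style appcast layout (the `sparkle` XML namespace and `dsaSignature`/`edSignature` attributes), which this article does not document; the sample feed and the `audit_appcast` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: Sparkle-style appcast schema; the article does not document it.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
UPDATE_HOST = "swupdate.sparklabs.com"  # update server named in the article
SIG_ATTRS = ("dsaSignature", "edSignature")  # Sparkle signature attributes

# Constructed sample, not real Viscosity data. Item 1.0.3 points at a plain-HTTP
# URL on another host; item 1.0.4 carries no signature.
SAMPLE_APPCAST = """<rss version="2.0"
 xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle"><channel>
<item><title>1.0.2</title><enclosure length="10" sparkle:version="102"
 url="https://swupdate.sparklabs.com/constructed/app-1.0.2.dmg"
 sparkle:dsaSignature="Q09OU1RSVUNURUQ="/></item>
<item><title>1.0.3</title><enclosure length="10" sparkle:version="103"
 url="http://downloads.example.net/app-1.0.3.dmg"
 sparkle:dsaSignature="Q09OU1RSVUNURUQ="/></item>
<item><title>1.0.4</title><enclosure length="10" sparkle:version="104"
 url="https://swupdate.sparklabs.com/constructed/app-1.0.4.dmg"/></item>
</channel></rss>"""


def audit_appcast(xml_text, expected_host=UPDATE_HOST):
    """Return (title, problem) pairs for enclosures a strict client would reject."""
    findings = []
    # Parse only trusted or size-limited input: ElementTree expands internal entities.
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", default="(untitled)")
        enclosures = item.findall("enclosure")
        if not enclosures:
            findings.append((title, "no enclosure"))
        for enc in enclosures:
            url = urlsplit(enc.get("url", ""))
            if url.scheme != "https":
                findings.append((title, "enclosure not served over HTTPS"))
            if url.hostname != expected_host:
                findings.append((title, "unexpected download host"))
            # Presence check only; verifying the signature needs the public key.
            if not any(enc.get("{%s}%s" % (SPARKLE_NS, a)) for a in SIG_ATTRS):
                findings.append((title, "missing update signature"))
    return findings


if __name__ == "__main__":
    for title, problem in audit_appcast(SAMPLE_APPCAST):
        print(f"{title}: {problem}")
```

An empty result means every item passed all three checks; it does not replace the signature and code-signing verification the client performs on the downloaded file.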
Viscosity does not collect or send any "system profiling" (information about your computer's system) data as part of these checks. Update checks can be disabled using the "Automatically check for updates" setting under the Preferences window; however, it's strongly recommended that update checks are left enabled.
When configuring an enterprise firewall to allow these connections, please be aware that the software update server is located behind Cloudflare's CDN. This means that the IP address/es of the software update server will vary, so rules based on the destination IP address alone are not recommended.
The Windows version of Viscosity runs its own DNS engine to support features such as Split DNS. Viscosity will make outbound UDP connections on port 53 to the relevant VPN DNS server/s to perform DNS lookups when Split DNS is active for one or more connections. Please note that this does not apply to the Mac version, where Split DNS queries will instead come from the OS.
Depending on the serial type and age, Viscosity may phone home to check that the license details used to register it are valid. It sends a secure irreversible hash (SHA256) of your license details over HTTPS to our server (sparklabs.com or secure.sparklabs.com) to check on the status. The server will return a valid or invalid status. As with update checks, Viscosity does not collect or send any "system profiling" data.
To remove the ability for an adversary to monitor for these checks, Viscosity attempts to perform them through an active VPN connection, rather than over the local network. This prevents a malicious network administrator or country-level actor from being able to monitor for connections to our server to identify someone as a Viscosity user. A check will only take place outside of a VPN connection if prior attempts through a VPN connection have been blocked for an extended period of time.
Certificate Revocation Checks
Viscosity is code-signed for added security and as part of macOS and Windows developer requirements. When launching Viscosity, the operating system (OS) will check and verify the signature to ensure that Viscosity has not been altered or corrupted. As part of this process it may need to contact one or more servers (typically apple.com or microsoft.com domains) to ensure that the certificate/s are valid.
In some instances client-side process firewalls may report these connections as coming from Viscosity itself. However, these checks are handled entirely by the OS and are outside the control of Viscosity.