Surfshark VPN Review (2023)
Surfshark is ranked as one of the top VPN services in the world and offers an easy way to secure your internet privacy and regain freedom on the Web. With the ability to spoof locations, block activity trackers, and bypass VPN detection systems, the service features of good speeds and unlimited simultaneous connections makes this a great option for families and travelers.
What we like
- A long list of locations in the USA
- Dodges the Great Firewall of China
- Virtual servers to access India
- Add-on cybersecurity protection package
- Smart DNS option for fast streaming
- Unlimited devices can be connected simultaneously per account
What we don't like
- 7-day free trial only available on mobile apps
- Not as many VPN servers as NordVPN
- Runs static IP servers but doesn’t sell dedicated IP addresses
- Can’t get into BBC iPlayer or Hulu
|Price:||$2.49 – $12.95 per month|
|Refund period:||30 days|
|Based in which country:||The Netherlands|
|# devices per license:||Unlimited|
|Server locations:||133 locations in 95 countries, including the USA, UK, Canada, Australia, India (virtual), and Singapore|
|Streaming sites unblocked:||Netflix, Disney+, Amazon Prime|
|Does VPN keep logs:||No|
|24/7 customer support:||Yes|
Surfshark started up in 2018 and set its headquarters in the British Virgin Islands – a VPN-friendly jurisdiction that is also the base of ExpressVPN. The services started off with a mobile app for iOS devices – iPads and iPhones.
Surfshark worked on adding VPN apps for more operating systems. The first Surfshark app for Android was actually a smart DNS system, called Trust DNS. This is a way to manage internet connections, but it doesn’t offer any security. However, the smart DSNS strategy is lightweight and doesn’t slow down connections.
Right back in its first year, the company decided that proving its credentials for anonymity would be a priority in its marketing strategy, so, it contracted Cure53, a cybersecurity consultancy from Germany, to perform a system audit, pricing a validation of the VPN provider’s no-logs policy and explaining that there is no retention of activity records in the Surfshark service.
Today Surfshark provides apps for all of the major operating systems. It also offers browser extensions for Chrome, Firefox, and Edge. Surfshark VPN connections can also be set up on smart TVs, games consoles, such as Xbox, TV boxes and streaming systems, such as Fire TV and Apple TV, and routers.
Although the headquarters for Surfshark was in the British Virgin Islands, the founder of the company and his team were Lithuanian, and they actually ran the business from their home country. One of the leading VPNs in the world, NordVPN is part of Lithuanian-owned Nord Security. In 2021, the two companies came to an agreement to merge. This process was completed in 2022. However, the two brands will continue operations separately, while collaborating on technology development.
Surfshark is now based in The Netherlands, a country with no data retention obligations for VPNs and so the service can continue its no-logs guarantee from that base.
Privacy and security
Surfshark offers a secure service for internet connections, but it falls short of some of the top VPNs, such as ExpressVPN, NordVPN, and CyberGhost. We’ll look at how the VPN service of Surfshark works, what attributes make it secure and reliable, and which features could be improved.
Surfshark moved its headquarters from the British Virgin Islands (BVI) to The Netherlands in October 2021. While there might have been good business reasons for this move, it wasn’t a good decision from a security aspect.
The EU keeps trying to enforce controls on internet access by imposing legal requirements on internet service providers (ISPs) to log every connection made by each of their clients and retain those records. Connection retention periods vary from country to country. However, this creates a paper trail for copyright lawyers and law enforcement agencies to read the browsing history of anyone in the EU.
EU logging requirements apply to ISPs and not VPNs however, it is just a question of time before that requirement gets extended. So, sometime soon, Surfshark might need to move its headquarters again … perhaps back to the BVI.
How Surfshark VPN works
VPN stands for “virtual private network.” It is a concept that was created for use by businesses. The idea is that a remote worker can connect to the office network and that connection should be as private as a network cable within the office building.
Data privacy over the internet has been practiced for some time. You can block snoopers from reading your data in transit by encrypting it. However, data travels over networks and the internet in packets, and the headers on packets contain useful information. The purpose of headers is to tell routers where the packet is being sent to. As each router on the path across the internet needs to read the header, its contents have to be in plain text. Unfortunately, the information in the header can be useful to others.
To enforce privacy, encryption needs to be applied to packet headers and the data payload. However, encrypting the destination address makes it impossible for routers to move the packet forward. A solution to this problem lies with encapsulation. The entire packet is encrypted and then placed in the payload of an outer packet. That container packet is then addressed – in plain text – to the VPN server.
The encryption system for the protection has to be agreed upon at both ends, so the VPN needs a client, which is the Surfshark app on your device, and a server. Before turning the VPN on, Surfshark users select a destination server from a list in the app.
All traffic has to pass through an ISP to get across the internet, and we know that all ISPs record the destination of each packet that travels through their systems. If a customer has a VPN service active, all of the packets are addressed to a VPN server, and that is all that the ISP can log.
When packets arrive at the VPN server, the outer packet is stripped off, and the inner packet is decrypted. The reveals the header of the packet – the data payload might also be encrypted separately before the encryption of the VPN applies, and that security remains in place. A connection in which the packets are encapsulated is called a tunnel.
An IP packet header also includes the source IP address of the packet. The VPN server replaces the address of the customer with its own. This is where the second benefit of a VPN service kicks in.
IP addresses on the internet have to be globally unique. They are distributed by a central agency that allocates ranges of addresses to an institution in each country for sale. This process means that an IP address can be tracked to a specific country. Many websites use the IP address location to work out how to control access to their content.
Thus, you might find that when you go to a website, you are denied access because you are in the wrong country. Selecting a VPN server in the right country gets you in.
Surfshark VPN protocols
Technology on networks and the internet is governed by protocols. A protocol is a set of rules that the creators of networking software need to follow to make it compatible with corresponding systems produced by other providers. There are many protocols available for VPN services.
The VPN protocols that Surfshark offers are:
- WireGuard for Windows, macOS, iOS, Android, and Amazon Fire OS
- IKEv2 for macOS, iOS, and Android
- OpenVPN for Windows, Linux, macOS, Android, Amazon Fire OS, and routers
WireGuard is a new VPN protocol, and it is the preferred system used by Surfshark. The Wireshark system offers strong protection, and it is lightweight.
OpenVPN is the most widely used VPN protocol, but it is gradually being replaced by WireGuard. The advantage that OpenVPN has over WireGuard is that it has been in use for longer and time usually reveals security weaknesses. This system has been attacked by every hacker in the world without success, which proves its security credentials.
When using the OpenVPN option, users have one more choice to make. That is, whether to use TCP or UDP.
- The Transmission Control Protocol (TCP) adds session controls to a connection. These include the detection of loss packets and retransmission and checking and buffering for out-of-sequence arrival. These functions are great, but they slow connections down.
- Streaming and VoIP systems prefer to manage these functions themselves and, in these cases, it is better to opt for the User Datagram Protocol (UDP), which doesn’t provide any session performance support.
IKEv2 / IPSec is a long-running combination of protocols that are commonly used for mobile devices. IPSec’s advantage is its operation at the Internet Layer of the protocol stack, which makes it quick. However, low-level protocols don’t sustain records across packets, so IKEv2 provides higher-level session management, including encryption key negotiation. The low-processing requirement of this combo means it uses little power, so it puts less strain on the batteries of mobile devices.
Surfshark uses two phases of encryption: AES-256 and RSA-2048. AES is the Advanced Encryption Standard, which was commissioned by the US government to protect its own data. This is the encryption system used by the CIA and the US military.
AES is a symmetric cipher, which means that it uses the same key for encryption and decryption. Encryption systems transform text into something that is unintelligible but is reversible. A typical cipher is a mathematical formula that includes a variable. Changing that variable completely alters the character that results from the transformation. That variable is called the key.
Hackers can crack an encryption key through trial and error – this is called a brute force attack. The longer a key is, the longer it takes to crack. The biggest key available for AES is 256 bits long. This is the 256 in the AES-256 cipher that Surfshark uses.
Long-distance correspondents have to transmit the AES key over the internet. As the key needs to be sent before encryption is in place, it has to travel in plain text. Intercepting that transmission gives a hacker access to the encrypted text.
Surfshark uses RSA, a public key encryption system, to protect the transmission of the session AES key. A public key cipher uses different encryption and decryption keys that complement each other. However, despite the association between the two, you cannot guess the decryption key if you know the encryption key, and you cannot decrypt a text by using the encryption key.
Surfshark uses a 2048-bit key for RSA. Public key systems have lower effective security than symmetric key ciphers and so need much longer keys. 2048 bits is not so great for an RSA key. ExpressVPN, NordVPN, and CyberGhost use a key that is twice as long – 4096 bits. However, Surfshark is not the only VPN that uses a 2048-bit RSA key because Private Internet Access and IPVanish both use this key length.
RSA is also used for authentication. As only the true owner of the public key has the associated private key, only that device can decrypt any text encrypted with the published key. Thus, when the Surfshark VPN client first contacts the server, it acquires the server’s key off its SSL certificate, which is held by a certificate authority. It then encrypts a challenge with the public key and sends it to the server.
Any snooper intercepting the challenge will be unable to decrypt it without the associated private key. Thus, only the true owner of the SSL certificate can send back the correct response, enabling the server to prove its identity and cut out man-in-the-middle attacks.
Surfshark DNS leak protection
DNS is the domain name system. This is a cross-reference between internet addresses (IP addresses) and Web addresses (URLs). The addresses you type into the address bar of your browser mean nothing to internet routers – they only deal with IP addresses. So, before a browser can fetch a requested web page, it needs to get the OIP address for the relevant Web server from the DNS network.
DNS gives your ISP opportunities to intrude on your Web activity and restrict your internet freedom. The DNS system provided by your ISP is the default DNS server for your web browser. Firstly, without the right IP address, your browser will never get the Web page you want. If an ISP wants to ban a website, it returns a false IP address. This happens all the time.
Surfshark blocks ISP tricks by providing its own DNS system. As long as the customer keeps the VPN active, all DNS queries are sent to the Surfshark DNS resolver.
A DNS leak occurs when the VPN connection is not tight and doesn’t keep all of the traffic inside the tunnel. If a VPN service doesn’t include a DNS server, it will have to allow DNS queries to go elsewhere for IP addresses, and that traffic will have to travel unencrypted. When this happens, the ISP can log the customer’s activity because all of the IP addresses that the user accesses pass through the ISP’s system in plain text.
This is one of the main reasons you need to avoid cheap or free VPNs because they can’t afford to manage their own DNS resolvers.
Surfshark IP leak protection
An IP leak occurs when traffic that should be protected by a VPN isn’t. This is an unintentional disclosure. If you keep the VPN on all the time, you won’t get an IP leak. A brief gap in internet service causes the VPN session to end, while your network card will spend a short time reconnecting and often has success.
If you don’t notice that the VPN is turned off, you will continue your Web activity unprotected. The Surfshark app includes a kill switch. When this is turned on, it will jam the network card, and you won’t have access to the internet until you turn the VPN back on again. This prevents IP leaks.
You can intentionally leave some web traffic outside the VPN tunnel with a tool in the app called the Bypasser. This is a whitelister that implements split tunneling. This intentional IP address disclosure is not classed as an IP leak.
The Surfshark VPN app offers a list of server locations around the world. This is an important feature because one of the main reasons that people use a VPN is to avoid geographic access restrictions imposed by many Websites and internet systems. These access controls are particularly severe with streaming services, which go to great lengths to ensure that visitors are not tricking their location detection systems by using a VPN. Location controls on content access are also regularly implemented by employment vacancy sites, news sites, and gaming platforms.
With some streaming sites, such as Hulu, you can only get an account in one country and only access the service from within that country. In other streaming services, such as Netflix, Disney+, and Amazon Prime Video, the system can be accessed by a subscriber when traveling to a different country where the streamer has operations. However, they present different content libraries in different countries.
One example of where Surfshark is ahead of the competition is with YouTube TV. It is impossible to trick that network into giving you cross-border access because not only does it check the origin of the connection request and scan for identifiers of VPN protection, but it double-checks the visitor’s location by accessing the GPS function of the device. Surfshark coordinates the location readout of device location systems with the chosen VPN server location to confound this control.
There are many examples of how getting cross-border access to sites is so good that the owners of those Web systems don’t want you to do it. This is a particularly big issue with streaming services; those systems know about VPNs, so they try to identify VPN traffic and block it. In the VPN industry, getting cross-border access to Netflix is the touchstone, particularly access to US Netflix. Very few VPNs can do this, and Surfshark is one that can.
Here is a list of the streaming services that we tested with Surfshark
|Netflix||Tests confirmed for access to Hong Kong, the UK, the USA, and France|
|Disney+||Tests confirmed for access to the UK, the USA, and France|
|ITV Hub||Tests confirmed, accessing from the USA|
|Channel 4||Tests confirmed, accessing from the USA|
|ABC||Tests confirmed, accessing from the UK|
|NBC||Tests confirmed, accessing from the UK|
Other major streaming services that Surfshark gets cross-border access to include HBO Max, ESPN+, and Amazon Prime Video. Surfshark couldn’t fool the BBC iPlayer server, which spotted VPN activity and blocked access. It also can’t get into Hulu.
Surfshark offers one plan that is available in three subscription periods. The monthly price works out lower with longer subscription periods, however, you have to pay for the whole period upfront.
The prices shown on the Surfshark website are:
- 1-month plan: $12.95 per month
- 12-month plan: $59.76 ($3.99 per month)
- 24-month plan: $59.76 for the first two years ($2.49 per month)
There are probably a few points you have noticed about the pricing structure.
- The price for two years is the same as for one year.
- The monthly rate or the one-year plan is incorrect — $59.76 / 12 = $4.98.
- The 24-month price is labeled as being for the first two years.
These pricing anomalies are explained by the following discoveries:
- The 12-month plan costs $47.88 for the first year and then $59.76 for all subsequent years.
- The 24-month plan only covers two years for the first subscription, upon renewal, it switches to a yearly payment cycle at the same price of $59.76.
So, the price for the one-year and two-year plans both increase when the first subscription expires.
You can add on the extra security protection services of Surfshark One for $1.49 extra per month. This package gives you the Antivirus, Alert, and Search functionality.
All plans auto-renew at the end of each payment period unless you remove your payment card details in your Surfshark account settings.
The prices shown on the Surfshark website alter, according to the country you are in when you access the site – the site detects your location. Your country’s sales tax (VAT) is added to the prices quoted.
Surfshark offers a 30-day money-back guarantee on all of its plans – even the one-month plan. This only applies to your first subscription. You don’t get a refund option after your plan renews. If you have an account and then cancel it with the money-back guarantee and then take out a new subscription, you can’t get a refund that second time unless six months have passed since you claimed the first refund. If you claim the refund twice and then open an account again, you don’t get the money-back guarantee.
You can pay for a Surfshark subscription with a credit card (Mastercard, Visa, American Express, or Discover), PayPal, Google Pay, Amazon Pay, or cryptocurrency (Bitcoin, Ethereum, or Ripple).
You have to enter an email address on the order page. However, unlike most other VPN providers, Surfshark doesn’t require verification of this address to activate the account. Once your payment goes through, you will be asked to set up a password for your new account.
A nice feature of the password creation system is that the Surfshark system instantly checks through all known data leak records to check that the password you choose hasn’t been discovered by hackers in association with the email address you gave.
We tested the performance of Surfshark in the UK on a wireless mobile internet system run by the 3 networks. This service is owned by CK Hutchison Holdings, a global telecoms company. For all of these test runs, the VPN protocol settings in the app were set to use WireGuard. Tests were carried out using the Ookla system at speedtest.net.
First, we tested a connection to a nearby server without the VPN turned on:
The download speed shown was 10.34 Mbps, and the Upload speed was 3.22 Mbps. As shown below, turning on the VPN, set within the UK, in the same city as the Speedtest server, made a big difference to upload performance, halving it to 1.50 Mbps, but the download speed actually increased to 11.89 Mbps. These speed differences can be partially explained by the variability of wireless-delivered internet services.
Long distance didn’t show any speed deterioration on the unprotected line, which is rare. This test went to Sydney, Australia:
Usually, international internet connections take more time to complete a round trip, simply because the data packets have to travel further and be processed by more routers. However, at 10.46 Mbps, the download speed of this connection to the other side of the world was almost the same as that of the local connection. The upload speed of 3.96 Mbps was actually better than the upload speed on the local connection.
Channeling through the Surfshark Manchester server improved download speeds:
The download speed increased to 13.47 Mbps, the upload speed was 4.05 Mbps. The improvement of speeds was consistent through several test runs and fell outside of the normal range of variability caused by the instability of wireless signals. It should be noted that the speed benefits of using Surfshark increase with distance.
International connections also showed an improvement. Connecting to Sydney through a VPN server in New York, USA, gave a download speed of 13.53 Mbps and an upload speed of 3.15 Mbps. Connecting to Sydney while routing traffic through the Surfshark server in Hong Kong gave a download speed of 12.26 Mbps and an upload speed of 3.43 Mbps.
As you can see, the VPN improved speeds on long-distance connections, which is a significant benefit for those who want to use a VPN to get cross-border access to streaming services. Those who play online games internationally should also pay attention to the speed offered by Surfshark.
How to install
You can get the Surfshark VPN app for Android at the Google Play Store, and on Macs, iPads, and iPhones, you should go to the Apple App Store. There is a 7-day free trial option in these apps, but only if you choose the one-year subscription option.
- To get the app installed on Linux, you should open a Terminal session and enter the following commands:
sudo apt install ./path/to/downloaded/link
sudo apt update
sudo apt install surfshark
You can then access the GUI app on the Desktop of your computer.
- Go to the Windows app page at the Surfshark website.
- Click on the Download app button to get the installer.
- Click on the downloaded file to run it.
- Click on Yes in the User Account Control popup that Windows presents
- Click on the Install button in the Surfshark installer.
- Press the Finish button on the last page of the installer.
- The app will appear on your screen before you dismiss the installer. The first time you log into the app, you need to enter the email address you gave when paying for the service and the password you set up for your Surfshark account.
- The first time you get into the app, you will be given a brief tour of how to use the system.
Surfshark First Visit Tips
- If you are already logged into the Surfshark system on one device and then open the VPN app on another app, you can enter your email address and password in that second window or use a login code and control access through the first app. This means that you can let family members have access without telling them the account password.
- Under the login code scenario, the second user clicks a login code button on the login screen. This generates a code. The first user goes to the My Account page in the app’s settings and selects Enter login code. On entering the code on this screen, the primary user activates that second app.
- The app shows a list of VPN locations. If a country has servers in several cities, each city is shown on a separate line. A V symbol attached to the flag of a location indicates that this is a virtual location. This means that the servers are not actually in those countries but present IP addresses as though they were. At the end of each line is a hollow star. Click on this to mark your favorite locations and create a shortlist.
- The little speed dial symbol in the heading of the location list, directly above the favorite stars, is a button to launch a response time test on each location. With this, you can see the fastest servers to connect to.
- To get the VPN running and protect your internet access, click on the Quick Connect button, which will log you into the nearest server. If you want to spoof your location to another country to fool access controls at streaming services, click on the location you want to appear to be in.
- Click on the Disconnect button to end the VPN session.
- The mobile app has the same look and feel as the desktop version, except that the Quick Connect button and the location list don’t appear in the same view. The Quick Connect feature is on the home screen of the mobile app; you need to tap on the Locations button at the bottom of the screen to get the locations page.
- There is no option in the app to log out.
Is there a Surfshark VPN free trial?
Surfshark offers a 7-day free trial on its mobile apps. These are the VPN Surfshark apps you get from Google Play for Android and the Apple App Store for iPhones and iPads. To get the 7-day free trial, you must sign up for the 12-month subscription. However, they hold off applying the charge for 7 days, so if you cancel before the end of that period, you don’t pay anything. This offers isn’t available for desktops or laptops.
How much does Surfshark cost?
The price per month for a Surfshark subscription is $12.95. You can get the price per month considerably by taking out a longer subscription period. With the two-year plan, you can get the Surfshark service for $2.49 per month.
Can Surfshark unblock Netflix?
Surfshark claims that it can get you cross-border access into the library for any country where it runs VPN servers. We have tested and confirmed that the service unblocks Netflix for the USA, the UK, France, Australia, Canada, Hong Kong, and Germany.
How do I use a VPN?
The basics of using a VPN is that you need an app on your device called a client. In the VPN app, you select a service to connect to and then turn the VPN connection on. While that VPN is on, all of the traffic from your device goes through that VPN tunnel, and not even your internet service provider (ISP) can see what you are doing. You can access tutorials on specific usage instructions at the Surfshark website.
Does Surfshark keep logs?
Surfshark servers keep the mapping between the true IP address and the cover IP addresses of a customer in memory (RAM) while that person is connected. As soon as the VPN session ends, that link is deleted. No logs get written to files, so there are no logs for any copyright lawyer or law enforcement agency to seize. However, you can be identified as a customer of the Surfshark VPN service through your bank account.
The verdict on Surfshark
- Surfshark is very good. Few VPN services can get past the detection systems of Netflix, and many of those can have some very slow servers.
- The cast iron no-logs policy of this system and extra security protection, such as obfuscation and malware protection, make this VPN an excellent deal.
- The one-month price of Surfshark is at the high end of the market, but the long-term deal prices the service below the lowest prices offered by NordVPN and ExpressVPN. CyberGhost’s lowest price of $2,29 per month on a three-year plan is slightly cheaper than the two-year offer of Surfshark, which works out at $2.49 per month.
- Surfshark is a great choice for torrenting, online gaming, and streaming. Its low latency makes it a great choice for protecting interactive systems, such as VoIP (internet telephony).
- Speed test results show that the fastest servers offered by Surfshark are very good for accessing faraway streaming sites.
- The unlimited bandwidth, unlimited simultaneous connection allowance, excellent download speed, and innovative features, such as the CleanWeb malware, tracker, ad blocker, its multihop system, and camouflage mode, are all extra reasons to opt for this VPN provider.