hugomueller 13 Posted ... https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/ We have tested this with nine prominent VPN providers that offer port forwarding. Was AirVPN one of the tested services? Is AirVPN affected to this issue? Quote Share this post Link to post
Staff 9973 Posted ... https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/ We have tested this with nine prominent VPN providers that offer port forwarding. Was AirVPN one of the tested services? Is AirVPN affected to this issue? Hello! It's a correlation attack through some social engineering support. A solution is having separate entry and exit-IP addresses on each VPN server, just like in AirVPN. The astounding information in the article, if true, is that nine [five, fixed by pj] providers have not taken care of that. The attack in itself is very trivial and is quite common knowledge in consumers' VPN industry. Perhaps the five providers cited in the article are not "VPN industry", but amateurish services? Kind regards 13 go558a83nk, wunderbar, Lee47 and 10 others reacted to this Quote Share this post Link to post
randomairuser 1 Posted ... Where did you get the idea of "nine providers have not taken care of that" when the article says that "We have tested this with nine prominent VPN providers"..." Five of those were vulnerable to the attack and have been notified". PIA, as mentioned in the TorrentFreak article (and would be your biggest competitor) took care of it and offered a $5000 bounty, would you guys also do the same? Quote Share this post Link to post
pj 72 Posted ... Hi, I am an original founder of AirVPN and I am aware of this "problem" since about 2002 when I started using OpenVPN. I don't understand "so much ado about nothing". It's not even a vulnerability, it's simply how the Internet works. Articles like this one http://0x27.me/2015/11/26/Practical-Exploitation-of-Portfail.html could have been nice like thirteen or fourteen years ago, but now...? Maybe it's just a a sad picture of how unprofessional nowadays VPN services have become, or maybe it's only that IT culture and knowledge have still a long way to go. To a techie eye, these articles are very detrimental for consumers' VPN services. They could cast a shadow of lack of professionalism on the whole industry. AirVPN personnel competence standards have always been and will always be at a (much) higher level than these articles might make you think. Ciao! 18 mr.Rhee, OmniNegro, Ford Prefect and 15 others reacted to this Quote Share this post Link to post
pj 72 Posted ... Where did you get the idea of "nine providers have not taken care of that" when the article says that "We have tested this with nine prominent VPN providers"..." Five of those were vulnerable to the attack and have been notified". PIA, as mentioned in the TorrentFreak article (and would be your biggest competitor) took care of it and offered a $5000 bounty, would you guys also do the same? A 5000 USD reward to be notified how the Internet works? Don't be joking. For serious vulnerabilities unknown to us then yes, we could invest that amount of money. The "perfect, invulnerable system" does not exist, that's it. About PIA... well it's a giant in size if compared to AirVPN, and this makes this whole affair very odd, to say the least. 7 amair, OmniNegro, Lee47 and 4 others reacted to this Quote Share this post Link to post
randomairuser 1 Posted ... and this makes this whole affair very odd, to say the least. That is something I can agree with. It was well published at the time of Snowden leaks that the NSA would take advantages of exploits and use them to their advantage. This attack however seems too specific to really be done on a "mass scale" of sorts but could be used to target an individual if there was a need. I still say people should be more concerned at the WebRTC leaks and other such technology which is always wanting to bypass any security you have in place. It's a dangerous game of cat and mouse and only your own knowledge and expertise can save you from any such attack. Quote Share this post Link to post
voltron 0 Posted ... kudos to PerfectP, they said the Emperor is nude. PIA seems more and more a bell and whistles service for gullible ppl. Remember HMA too! if this incident does not open your eyes then nothing can. Air is spartan and Spartans are tough and know what they do Quote Share this post Link to post
zhang888 1066 Posted ... The crucial part here is knowing which VPN server your victim is connected to, and the page where the victim hasto visit in order to "leak" his IP. So in case of AirVPN, which is a mid-small sized provider, the attacker will have to buy 40 accounts. 40x3 connectionsto be able to "cover" all AirVPN's ~100 exit servers. PIA boasts to have 3k servers so in that case making the attack feasible will require even more effort. There are much simpler attack vectors to unmask VPN users with fail-open OpenVPN connections.An old classic one is to initiate a DDoS attack on your victim VPN address, let's say even when you are on IRC,where poorly configured VPN users will timeout their VPN connection and will re-connect to the IRC server with theirown address. pj said something about 2002 this is exactly the kind of things I remember from that era. Stay safe and configure your browsers to NOT connect to any port higher than 1024. For many reasons. Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
nestegg101 3 Posted ... Seems like there was a post on Reddit about PIA's patch not working which also mentioned AirVPN having failed in the test for this vulnerability. Reddit post has been removed but poster has re-posted the claim in PIA's forums. Link below: https://www.privateinternetaccess.com/forum/discussion/19289/pia-still-vulnerable-to-port-fail-leak#latest Tested about 80 servers and they are all still leaking!Sounds like PIA didn’t actually test there patch! IPVANISH failed too.AirVPN FailedTorGuard passed.. Quote Share this post Link to post
Guest Posted ... Seems like there was a post on Reddit about PIA's patch not working which also mentioned AirVPN having failed in the test for this vulnerability. Reddit post has been removed but poster has re-posted the claim in PIA's forums. Link below: https://www.privateinternetaccess.com/forum/discussion/19289/pia-still-vulnerable-to-port-fail-leak#latest Tested about 80 servers and they are all still leaking!Sounds like PIA didn’t actually test there patch! IPVANISH failed too.AirVPN FailedTorGuard passed.. Now what doesn't add up for AirVPN to actually FAIL is this, on the https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/ page there is this: MitigationAffected VPN providers should implement one of the following:Have multiple IP addresses, allow incoming connections to ip1, exit connections through ip2-ipx, have portforwardings on ip2-ipxOn Client connect set server side firewall rule to block access from Client real ip to portforwardings that are not his own.and AirVPN has BOTH, the entry address used is different from the exit address. In any way even if that method was to fail, the network lock blocks any sort of connection on every port to your real IP except those of AirVPN which the hacker cannot get their hands on which means their attempt would fail 3 nestegg101, rei.andrea and OmniNegro reacted to this Quote Share this post Link to post
Staff 9973 Posted ... So in case of AirVPN, which is a mid-small sized provider, the attacker will have to buy 40 accounts. 40x3 connections to be able to "cover" all AirVPN's ~100 exit servers. Hello, as you very well know, anyway the "attack" would fail on AirVPN, because clients connect to an IP address, and are reachable on a different IP address only. Kind regards 5 OmniNegro, Lee47, expired and 2 others reacted to this Quote Share this post Link to post
tranquivox69 27 Posted ... Good, I came here just to check if and how this affected us and I see that the staff had already covered it. Just renewed my subscription for a year. 1 Kennif reacted to this Quote Share this post Link to post
BlaatAap66 1 Posted ... AirVPN is not vulnerable, because the VPN server you're connecting to (with your real ip, obviously) is for example 1.2.3.4. For this, route has been set, but the ip that can be used for incoming connections is never 1.2.3.4, but will be something like 1.2.3.5. And since connections to 1.2.3.5 will just be routed via your VPN tunnel (like any other public ip), you are not vulnerable to this attack vector. Quote Share this post Link to post
johnnymac 0 Posted ... https://torrentfreak.com/huge-security-flaw-can-expose-vpn-users-real-ip-adresses-151126/ Quote Share this post Link to post
iamoverthere 0 Posted ... It was nice to find this discussion. Thanks for explaining it. Quote Share this post Link to post
rickjames 106 Posted ... Hi, I am an original founder of AirVPN and I am aware of this "problem" since about 2002 when I started using OpenVPN. I don't understand "so much ado about nothing". It's not even a vulnerability, it's simply how the Internet works. Articles like this one http://0x27.me/2015/11/26/Practical-Exploitation-of-Portfail.html could have been nice like thirteen or fourteen years ago, but now...? Maybe it's just a a sad picture of how unprofessional nowadays VPN services have become, or maybe it's only that IT culture and knowledge have still a long way to go. To a techie eye, these articles are very detrimental for consumers' VPN services. They could cast a shadow of lack of professionalism on the whole industry. AirVPN personnel competence standards have always been and will always be at a (much) higher level than these articles might make you think. Ciao! With enough time old becomes new and new becomes old. Quote Share this post Link to post
win8 7 Posted ... The crucial .....d of things I remember from that era. Stay safe and configure your browsers to NOT connect to any port higher than 1024. For many reasons.How can this be done? Quote Share this post Link to post
PWolverine 8 Posted ... It looks to me like simple marketing. It basically is a "don't use any other VPN they are not secure, sign up with us" article. Nothing to back it up, no place for comments. Same with Torrentfreak, whilst its a great site for info, they are bent towards all their sponsors like PIA and are simply reporting unverified info from another site. Quote Share this post Link to post
zhang888 1066 Posted ... The crucial .....d of things I remember from that era. Stay safe and configure your browsers to NOT connect to any port higher than 1024. For many reasons.How can this be done? http://www-archive.mozilla.org/projects/netlib/PortBanning.html Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
jameskatt 3 Posted ... I'm glad AirVPN is run by professionals. 3 rei.andrea, IceEzio and drpaneas reacted to this Quote Share this post Link to post
nestegg101 3 Posted ... The crucial .....d of things I remember from that era. Stay safe and configure your browsers to NOT connect to any port higher than 1024. For many reasons.How can this be done? http://www-archive.mozilla.org/projects/netlib/PortBanning.html Article shows how to ban specific ports by entering each port in .js files. Given what we want to ban is a whole range of ports, how would we do that? Quote Share this post Link to post
zhang888 1066 Posted ... The article is for educational purposes. It shows you how Firefox treats high ports as a potential security issue since at least 2001.To block ports, you just have to open about:config, type network.security.ports.banned and enter 1024-65535. For 99% of users, the web expeirience will remain the same. 4 rickjames, OmniNegro, win8 and 1 other reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
Riddick 13 Posted ... The article is for educational purposes. It shows you how Firefox treats high ports as a potential security issue since at least 2001.To block ports, you just have to open about:config, type network.security.ports.banned and enter 1024-65535. For 99% of users, the web expeirience will remain the same. network.security.ports.banned << does not exist in Firefox v42.0 1 wcfeader reacted to this Quote Hide Riddick's signature Hide all signatures You're not afraid of the dark web, are you ? Share this post Link to post
rickjames 106 Posted ... The article is for educational purposes. It shows you how Firefox treats high ports as a potential security issue since at least 2001.To block ports, you just have to open about:config, type network.security.ports.banned and enter 1024-65535. For 99% of users, the web expeirience will remain the same. network.security.ports.banned << does not exist in Firefox v42.0I think its a string.-Right click and create a new string.-Name it network.security.ports.banned-Next step toss in 1024-65535. If you need multiple ranges you can seperate them with commas.eg. 1-52, 54-79, 81-442, 444-65535 3 zhang888, win8 and OmniNegro reacted to this Quote Share this post Link to post
win8 7 Posted ... The article is for educational purposes. It shows you how Firefox treats high ports as a potential security issue since at least 2001.To block ports, you just have to open about:config, type network.security.ports.banned and enter 1024-65535. For 99% of users, the web expeirience will remain the same.Does it work w Chrome, Opera etc also? Quote Share this post Link to post