Jump to content
Not connected, Your IP: 34.201.18.139
Drewdd

Can all VPNs be trivially deanonymized? Is AirVPN any better?

Recommended Posts

I assume that organizations like the NSA can monitor and save metadata of all VPN traffic in the world. I think, then, that all VPNs are useless because having access to metadata of incoming and outgoing traffic of a VPN server can reveal almost everything and cracking the encrypted traffic is not necessary as they can look on decrypted traffic that exited a VPN server.

 

Some correlation attacks scenarios I could think of:

​1) If a VPN user accesses a less popular site, say abc.net then it can be safely assumed that he/she is the only VPN user that accesses it. Then the user can be easily identified, because it may be looked up that whenever a request was sent to this site by the VPN, a user X was also connected (for example sent/received requests from the VPN within 5-10 seconds) to the VPN. This can hardly be a coincidence so the anonymity is compromised.

​2) Similarly, some pattern in the traffic can be seen. For example, a user usually spends some time on one site before moving on to some other site. So it is plain to see that if whenever some user X sent a request to the VPN and the VPN sent a request to some site abc.net 2 seconds later (or at any regular interval) and this continued for, say, several minutes, then those outgoing requests from the VPN are likely to correspond to the incoming requests from the user to the VPN.

​There are probably dozens of other variations of correlation attack that can be performed. ​I think that 60-100 people on a server is much too less to provide any anonymity.

​The point is that organizations like the NSA don't even have to decrypt the data but just seek for patterns. With all the computational power they have it should be easy. They wouldn't even need to perform the attack on specific targets only, but simply use computers to deanonymize almost every user.


My questions are:

​1. Does the NSA use correlation attacks? Why or why not? I have never read any news about it but saw a bunch of posts like this on forums that dangers of a correlation attack. I have only read about them cracking VPNs (but only those that were vulnerable because they were apparently run by lazy people and AirVPN is not one of them) here: http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/ and here: http://arstechnica.com/tech-policy/2014/12/nsa-has-vpns-in-vulcan-death-grip-no-really-thats-what-they-call-it/. But no information about correlation attacks.

​2. What measures does AirVPN take to prevent correlation attacks? Do you use multihop network i.e. different entry and exit IP? If so, are there any additional hops inbetween, similar to TOR relay nodes? Does it make correlation attacks any harder? What can we do to increase our security against these type of attacks? Would routing the traffic through AirVPN SSH tunnel (in the client) help or further compromise anonymity?

Share this post


Link to post

I assume that organizations like the NSA can monitor and save metadata of all VPN traffic in the world. I think, then, that all VPNs are useless because having access to metadata of incoming and outgoing traffic of a VPN server can reveal almost everything and cracking the encrypted traffic is not necessary as they can look on decrypted traffic that exited a VPN server.

My questions are:

​1. Does the NSA use correlation attacks? Why or why not? I have never read any news about it but saw a bunch of posts like this on forums that dangers of a correlation attack. I have only read about them cracking VPNs (but only those that were vulnerable because they were apparently run by lazy people and AirVPN is not one of them) here: http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/ and here: http://arstechnica.com/tech-policy/2014/12/nsa-has-vpns-in-vulcan-death-grip-no-really-thats-what-they-call-it/. But no information about correlation attacks.

 

​2. What measures does AirVPN take to prevent correlation attacks? Do you use multihop network i.e. different entry and exit IP? If so, are there any additional hops inbetween, similar to TOR relay nodes? Does it make correlation attacks any harder? What can we do to increase our security against these type of attacks? Would routing the traffic through AirVPN SSH tunnel (in the client) help or further compromise anonymity?

 

Here is great talk on this topic:

 

Answering You question:

 

1. Yes they do, no question. Not only NSA but about every surveillance agency out there. That's bad news. However, unless You are doing something really wrong You have nothing to worry about. That's good news. Because correlation attacks must have been carefully prepared and targeted. It's nothing that just pops out of of metadata logs just like this, randomly.

 

2. AirVPN is not a magic. They just make correlation attacks significantly harder. As You've seen in the video included, correlation attacks are available regardless what tools You use. You may use tails with Tor on random public hot spot. However if surveillance camera catches You, and you is single Tor user, at the time where someone sent bombing threats out of this Tor node, this is not very difficult to correlate those facts. Like this poor guy at his Univiersity. Correlation attacks are bitch. In most cases positive correlation attack has nothing to do with underlying security tools, rather with some behavioural mistakes. But as I said they must be carefully prepared and analysed.  

Share this post


Link to post

Hey, thanks for the answer. Could you please paste a direct link to the talk you're talking about, because I see "Error: Not an image." instead of what probably should be a video.

​Two more questions:

​1) Will routing my AirVPN traffic through AirVPN SSH help (you can enable this option in the client) ? Will it increase my anonymity by adding one more relay node, or decrease it because most AirVPN users probably don't use SSH so I will stand out more?

2) Does it help if I don't live in the USA or it doesn't matter?

Share this post


Link to post

AirVPN is one of the few providers that have separate entry and exit IPs for each server.

While this is not NSA-proof, this is 99% correlation proof from many ISPs, devices and

research papers that I read in the last decade.

 

And you should not be worried about adveraries like NSA, since if you are on their list,

and you are asking help on a public forum from people you don't know, you are doing

it wrong already.

 

When you access sites which you don't want anyone to correlate to your AirVPN

connection, you can use Tor over VPN - it's in the wiki.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

What is the benefit of having seperate entry and exit IP addresses ? How does that make one more anonymous ?

 

Regards

 

Fox

Share this post


Link to post

What is the benefit of having seperate entry and exit IP addresses ? How does that make one more anonymous ?

 

Regards

 

Fox

 

You -> router/access point -> ISP -> AirVPN: entry IP xxx.xxx.xxx.xxx

AirVPN -> the dark depths of the internet: exit IP xxx.xxx.xxx.yyy

 

Anyone on your local network (router) and your ISP may see a connection to xxx.xxx.xxx.xxx. Any website, service, whatever on the internet would see a connection coming from xxx.xxx.xxx.yyy. If an adversary is listening on your router and on some website you view simultaneously, a correlation is avoided.


» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

I assume that organizations like the NSA can monitor and save metadata of all VPN traffic in the world. I think, then, that all VPNs are useless because having access to metadata of incoming and outgoing traffic of a VPN server can reveal almost everything and cracking the encrypted traffic is not necessary as they can look on decrypted traffic that exited a VPN server.

 

Some correlation attacks scenarios I could think of:

​1) If a VPN user accesses a less popular site, say abc.net then it can be safely assumed that he/she is the only VPN user that accesses it. Then the user can be easily identified, because it may be looked up that whenever a request was sent to this site by the VPN, a user X was also connected (for example sent/received requests from the VPN within 5-10 seconds) to the VPN. This can hardly be a coincidence so the anonymity is compromised.

​2) Similarly, some pattern in the traffic can be seen. For example, a user usually spends some time on one site before moving on to some other site. So it is plain to see that if whenever some user X sent a request to the VPN and the VPN sent a request to some site abc.net 2 seconds later (or at any regular interval) and this continued for, say, several minutes, then those outgoing requests from the VPN are likely to correspond to the incoming requests from the user to the VPN.

​There are probably dozens of other variations of correlation attack that can be performed. ​I think that 60-100 people on a server is much too less to provide any anonymity.

​The point is that organizations like the NSA don't even have to decrypt the data but just seek for patterns. With all the computational power they have it should be easy. They wouldn't even need to perform the attack on specific targets only, but simply use computers to deanonymize almost every user.

My questions are:

​1. Does the NSA use correlation attacks? Why or why not? I have never read any news about it but saw a bunch of posts like this on forums that dangers of a correlation attack. I have only read about them cracking VPNs (but only those that were vulnerable because they were apparently run by lazy people and AirVPN is not one of them) here: http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/ and here: http://arstechnica.com/tech-policy/2014/12/nsa-has-vpns-in-vulcan-death-grip-no-really-thats-what-they-call-it/. But no information about correlation attacks.

​2. What measures does AirVPN take to prevent correlation attacks? Do you use multihop network i.e. different entry and exit IP? If so, are there any additional hops inbetween, similar to TOR relay nodes? Does it make correlation attacks any harder? What can we do to increase our security against these type of attacks? Would routing the traffic through AirVPN SSH tunnel (in the client) help or further compromise anonymity?

AirVPN uses different entry and exit IP addresses

The IP you connect to when using AirVPN is not the same IP that the internet will see.

Share this post


Link to post

You do *NOT* want to stand out. You want to look like any of thousands of others using AirVPN. This makes it all but impossible for surveillance to work, even if they had a magic key to get past the encryption. Think of it like this. You go to a site or service named Stupid. Many others use Stupid too. If you are the only one at any time that uses SSH to connect, then once you log into Stupid you are known. Your real IP, if ever you used it with Stupid is now linked to your VPN IP at any time when you login.

 

So what can you do to blend in with everyone else? Use UDP 443 first. If it fails, try TCP 443. Those are the two most common connection methods and it is brutally hard to determine if the traffic being sent and received over 443 is OpenVPN or a normal SSL connection to a secure site like your bank. And breaking it is pretty much never going to happen. Not in trillions of years. Here is a site that explains AES-128 and how strong it is. Remember that adding one bit to a cipher like AES doubles the number of possible keys, so going from AES-128 to AES-256 is a 'effing huge number of possible keys.

http://www.eetimes.com/document.asp?doc_id=1279619


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

Are you saying that OpenVPN over SSL is desirable so that the powers-that-be can't spot that you are using a VPN? I have often wondered if the website you land on "knows" that you are using Air. According to browserleaks.com/whois the host is left blank whereas if I use "some other" VPN providers it gives the name of the VPN provider which is a bit of a giveaway (but better than in the clear).

Share this post


Link to post

No, he meant that it is very hard to a host you connect to know that the origin of the connection is a client with a VPN.

This doesn't matter if you use SSL or not, this only matters for hiding the traffic from your ISP.

Providers that put their name in the reverse DNS (PTR) or in the whois data do it wrong, and cause themselves more

problems than they solve.

 

Your question has been answered many times on the forums, no matter from whom you try to hide the fact of using

OpenVPN from - a detail you didn't mention in your original question.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...