JpvEXonHrB

(security) findings and suggestions to AirVPN


Hello everybody,

After creating a ticket for AirVPN support, to my surprise they closed it without an update or any feedback to me. I have to say that my original ticket only had my first two bullet points, and I kept adding new ones by replying to the ticket; maybe support got annoyed and wished I had created separate tickets for each, but they could have said so instead of closing the support request without any feedback at all.

I'm now posting my findings and suggestions on the forums in the hope that other people, researchers, privacy advocates, journalists, white hats, black hats, etc., anybody who's remotely interested in VPN and security, can participate and start a healthy topic and discussion, hopefully discouraging anybody practising safety through obscurity.

Without further ado, here's what I found so far and sent to AirVPN:

Good evening,

Not sure if I'm the first one bringing this to your attention, but anyway, couldn't find anything on the forum.

Something caught my attention in the Eddie VPN client, running on Arch Linux. In the stats sheet there's a VPN total downloaded and uploaded.

- Could you please make it possible to erase those values, or not log them at all, because I couldn't find any way to do it from within Eddie. I haven't checked the source code yet for that value and where it's stored locally, but in my eyes it can represent a potential hazard. As in, a third party can view that value once access has been gained to the system, and based on that determine that the VPN has been used for x amount of data.

- Another thing I'm pondering now is whether that value is also sent back by the Eddie client. Can you guys please clear that up too? Does this by any chance have to do with the log message that says "collect information about AirVPN completed"? Sorry, I haven't gone through the source code of Eddie to find this particular string to see what it does, or what gets collected.

If you could please link me to the commits in Eddie containing both points I'd be more than happy to check it myself.

This kinda surprised me, so please excuse me if I sound a bit distrusting. I've been a happy customer for years and completely support your mission statement. Understand this is coming from a fellow privacy advocate and an ICT security advocate, so most of all I believe it is a matter that should be addressed for everybody's benefit.

- Sorry, forgot to add one more thing: if using UDP over VPN with an MTU value of 1500 can potentially generate log messages like the AEAD decrypt errors, as seen in various forum posts and my own logs, wouldn't it be recommended to switch Eddie to an MTU value of 1431 as default instead, as found here for example:

https://askubuntu.com/questions/1136003/aead-decrypt-error-bad-packet-id-on-openvpn-using-udp

If the errors still happen afterwards, wouldn't that increase the chances that it might be a MITM replay attack?

Since I'm no expert on this specific error please correct me if I'm wrong.

- My brain just won't stop, so another quick question: do you guys ever pentest your environment and software? It would be nice to see you guys take part in those activities, in my eyes. Share the results with the community, further increase trust and your brand.

- Last thing, please also make it possible to securely delete any potentially personally identifiable info, like for example support tickets, from AirVPN. I can understand it might be useful for reporting, but at least have the option available, even if the data can only just be anonymized.

Last two, promised.

- I noticed that there is a difference between the Android and Linux client regarding location and security. Android recommends using a different country to log in to for increased security and anonymization. However, the Linux client does not, and sorts by speed and latency; usually servers in the country of origin win instead of servers in other countries. Is this by choice? Why would such a safety recommendation not be adhered to in the desktop client?

- Multi hop only showed a difference in IP address by two decimals between entry and exit. If this is always the case, wouldn't it be possible, and perhaps even easier, for a hacker or third party to make correlations and positively ID persons?


First of all, thank you for writing this, erm, novel. :D No offense, I like it. Bestseller. :D
 

1 hour ago, JpvEXonHrB said:

After creating a ticket for AirVPN support, to my surprise they closed it without an update or any feedback to me. I have to say that my original ticket only had my first two bullet points, and I kept adding new ones by replying to the ticket; maybe support got annoyed and wished I had created separate tickets for each, but they could have said so instead of closing the support request without any feedback at all.


In their defense, the ticket system has got this habit of automatically closing tickets after a certain period of time without an answer from support.
 
1 hour ago, JpvEXonHrB said:

- Could you please make it possible to erase those values, or not log them at all, because I couldn't find any way to do it from within Eddie. I haven't checked the source code yet for that value and where it's stored locally, but in my eyes it can represent a potential hazard. As in, a third party can view that value once access has been gained to the system, and based on that determine that the VPN has been used for x amount of data.


As far as I know this info is RAM-only. If you terminate the application, all this info is gone as well without a way to restore it. Furthermore, I don't see how this is a hazard for privacy or data confidentiality. Any script kiddie can quickly analyze a network and find that data was transferred through the line to and from your host, but even such a kiddie cannot do more than that. If it's not paranoia, who is the adversary in your model?
 
1 hour ago, JpvEXonHrB said:

- Another thing I'm pondering now is whether that value is also sent back by the Eddie client. Can you guys please clear that up too? Does this by any chance have to do with the log message that says "collect information about AirVPN completed"? Sorry, I haven't gone through the source code of Eddie to find this particular string to see what it does, or what gets collected.


As I wrote, it's RAM-only. A local thing. Kill the app, you kill the info.
"Collect info about AirVPN completed" could be rephrased as "Eddie successfully connected to a bootstrap server and got back some current info about servers".
 
1 hour ago, JpvEXonHrB said:

- Sorry, forgot to add one more thing: if using UDP over VPN with an MTU value of 1500 can potentially generate log messages like the AEAD decrypt errors, as seen in various forum posts and my own logs, wouldn't it be recommended to switch Eddie to an MTU value of 1431 as default instead, as found here for example:


Ideally, all MTU values are tailored to a client's setup. One client connects via UDP on a DSL line, another via TCP on a GSM network, a third uses fiber and wants to use VPN over SSH, etc. In all these cases the MTU must be adjusted accordingly to optimize the connection. OpenVPN offers a way to autodiscover the path MTU to set the MTU values automatically, and the way I heard it, it does so well by itself. The problem lies with all the network providers out there with nonexistent or broken autodiscovery. The way I understood it, in these cases OpenVPN uses a default MTU which works on the vast majority of setups but is not optimized for individual setups, sometimes creating these kinds of messages in the logs. Though I must write, Bad Packet ID errors can also be caused by other means, not necessarily a wrong MTU setting.
 
1 hour ago, JpvEXonHrB said:

- Last thing, please also make it possible to securely delete any potentially personally identifiable info, like for example support tickets, from AirVPN. I can understand it might be useful for reporting, but at least have the option available, even if the data can only just be anonymized.


You must explain how a ticket is potentially identifiable in your eyes. I don't grasp it, to be honest.
 
1 hour ago, JpvEXonHrB said:

- I noticed that there is a difference between the Android and Linux client regarding location and security. Android recommends using a different country to log in to for increased security and anonymization. However, the Linux client does not, and sorts by speed and latency; usually servers in the country of origin win instead of servers in other countries. Is this by choice? Why would such a safety recommendation not be adhered to in the desktop client?


The Android client was coded well after Eddie for desktop, and by another developer (individual, not company :)). The same recommendation is valid for desktop, even if the client does not actively warn the user of this. But you are right, it is a difference.
 
1 hour ago, JpvEXonHrB said:

- Multi hop only showed a difference in IP address by two decimals between entry and exit. If this is always the case, wouldn't it be possible, and perhaps even easier, for a hacker or third party to make correlations and positively ID persons?


The concept was implemented to make this correlation more difficult, not to make it impossible. If someone sits on the ISP line and on the datacenter line, the correlation is not possible using the IP address alone.

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique among the mass again.

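The "bad packet ID" message discussed in the reply above (OpenVPN logs it as "AEAD Decrypt error: bad packet ID (may be a replay)") comes from OpenVPN's anti-replay check, which by default (`--replay-window 64 15`) keeps a 64-packet sliding window plus a 15-second time window. What follows is an added example written for this thread, not code from Eddie or OpenVPN: it models the packet-id half of that check (the time component is left out) and feeds it a few constructed packet-id traces. The class and function names are my own. The point it makes is that a packet which is merely very late, for instance after loss and retransmission on a badly sized path, is rejected by exactly the same branch as a replayed one, which is why the log line hedges with "may be a replay" and why the message alone does not prove an attack.

```python
"""Sequence-number anti-replay window, IPsec/OpenVPN style.

Added example; not code from Eddie or OpenVPN. OpenVPN's default is
--replay-window 64 15 (64-packet window, 15 s time window); only the
packet-id window is modelled here, the time component is left out.
"""
from dataclasses import dataclass

ACCEPT = "accepted"
REJECT_OLD = "bad packet ID: outside window"
REJECT_DUP = "bad packet ID: duplicate"


@dataclass
class ReplayWindow:
    size: int = 64      # window width in packets (OpenVPN default)
    highest: int = 0    # highest packet id accepted so far; ids start at 1
    bitmap: int = 0     # bit k set => id (highest - k) already seen

    def check(self, pid: int) -> str:
        """Return the verdict for packet id `pid` and update the window."""
        mask = (1 << self.size) - 1
        if pid <= 0:
            return REJECT_OLD
        if pid > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = pid - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = pid
            return ACCEPT
        offset = self.highest - pid
        if offset >= self.size:
            # Too far behind: a badly delayed packet and a replayed one
            # are indistinguishable here, hence "(may be a replay)".
            return REJECT_OLD
        if self.bitmap & (1 << offset):
            return REJECT_DUP
        self.bitmap |= 1 << offset
        return ACCEPT


def run_trace(ids, size=64):
    """Feed a list of packet ids through one window; return the verdicts."""
    win = ReplayWindow(size=size)
    return [win.check(pid) for pid in ids]


def count_verdicts(ids, size=64):
    """Tally verdicts for a trace, e.g. {'accepted': 9, ...}."""
    counts = {ACCEPT: 0, REJECT_OLD: 0, REJECT_DUP: 0}
    for verdict in run_trace(ids, size):
        counts[verdict] += 1
    return counts


# Constructed traces (not captured from a real tunnel).
TRACES = {
    "in order": list(range(1, 11)),
    "reordered": [1, 2, 4, 3, 5],      # mild reordering, inside the window
    "replayed": [1, 2, 3, 2],          # id 2 delivered twice
    "very late": [1, 2, 100, 3],       # id 3 arrives 97 behind id 100
}

if __name__ == "__main__":
    for name, ids in TRACES.items():
        print(f"{name:10s} {ids} -> {count_verdicts(ids)}")
```

A trace with the tunnel reordering packets by a few positions is accepted in full; only a duplicate, or a packet more than 63 ids behind the newest one, produces the rejection that ends up in the log.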

First of all, thank you for writing this, erm, novel. :D No offense, I like it. Bestseller. :D

Lol, no offense taken. SWIM maybe smoked too much of that Dr Greenthumb and had gotten this idea: what if there's this malicious third party at work trying to collect any info at all on an AirVPN user or users by any means necessary.

In their defense, the ticket system has got this habit of automatically closing tickets after a certain period of time without an answer from support.

Thanks for clearing that up.
 
As far as I know this info is RAM-only. If you terminate the application, all this info is gone as well without a way to restore it. Furthermore, I don't see how this is a hazard for privacy or data confidentiality. Any script kiddie can quickly analyze a network and find that data was transferred through the line to and from your host, but even such a kiddie cannot do more than that. If it's not paranoia, who is the adversary in your model?

Thanks for clearing that up as well. That reduces SWIM's concerns by a factor. But there's still a little concern left.

It would depend on whether that person has access to the physical network, either via another system already on the network or by physically plugging into the network. If the first two are sufficiently secured, it might be possible, and easier then, for a person, one way or the other, by some form of social engineering or infiltration, to access a physical system running the VPN instead. By already displaying this information in Eddie, that third party would learn a lot more in a very short time period, as opposed to being required to start monitoring traffic from there. SWIM thinks it's very important to show nothing at all, as opposed to too much, to minimize any information gathering at all, no matter how small or insignificant the data might seem.
 
As I wrote, it's RAM-only. A local thing. Kill the app, you kill the info.
"Collect info about AirVPN completed" could be rephrased as "Eddie successfully connected to a bootstrap server and got back some current info about servers".

Thanks, if it's local it should be much easier to have an option to not display it at all.
Thanks for that insight, one less concern.
 
Ideally, all MTU values are tailored to a client's setup. One client connects via UDP on a DSL line, another via TCP on a GSM network, a third uses fiber and wants to use VPN over SSH, etc. In all these cases the MTU must be adjusted accordingly to optimize the connection. OpenVPN offers a way to autodiscover the path MTU to set the MTU values automatically, and the way I heard it, it does so well by itself. The problem lies with all the network providers out there with nonexistent or broken autodiscovery. The way I understood it, in these cases OpenVPN uses a default MTU which works on the vast majority of setups but is not optimized for individual setups, sometimes creating these kinds of messages in the logs. Though I must write, Bad Packet ID errors can also be caused by other means, not necessarily a wrong MTU setting.

Do you know if it is possible to easily edit these values within Eddie?
 
You must explain how a ticket is potentially identifiable in your eyes. I don't grasp it, to be honest.

For example, a person that uses AirVPN is logged into the AirVPN website on his phone. A third party gains access to that phone. They read the ticket history. Depending on the information in the ticket, maybe location, payment year, month, ISP data, network info, etc. It doesn't really matter; any info can be useful in certain cases. So, in order to be totally anonymous, delete or anonymize that data after the ticket has been closed. It serves no other purpose anyway, so why take the risk in the first place?
 
The Android client was coded well after Eddie for desktop, and by another developer (individual, not company :)). The same recommendation is valid for desktop, even if the client does not actively warn the user of this. But you are right, it is a difference.

Thanks, SWIM wishes they would add that feature in the desktop clients as well then.
 
The concept was implemented to make this correlation more difficult, not to make it impossible. If someone sits on the ISP line and on the datacenter line, the correlation is not possible using the IP address alone.

SWIM thinks that if somebody wants to gain access and insights into AirVPN, this party would purchase a subscription first to gather insights into the design and topology of AirVPN. By gathering this data it would then be easier to make predictions, since the entry and exit IP only differ by two digits, as opposed to a completely random different subnet/zone for the exit. Make it more difficult, and not easy, for malicious third parties, and for the sake of increased anonymity.

SWIM also still thinks that it is very important to perform pentesting from within and outside the AirVPN and Eddie environment and software, and that sharing this with the community would further increase the integrity and value of AirVPN and Eddie.


Who or what is SWIM? It keeps popping up in your post, as if you are referring to yourself in the third person or so. :D
 

40 minutes ago, JpvEXonHrB said:

It would depend on whether that person has access to the physical network, either via another system already on the network or by physically plugging into the network. If the first two are sufficiently secured, it might be possible, and easier then, for a person, one way or the other, by some form of social engineering or infiltration, to access a physical system running the VPN instead. By already displaying this information in Eddie, that third party would learn a lot more in a very short time period, as opposed to being required to start monitoring traffic from there. SWIM thinks it's very important to show nothing at all, as opposed to too much, to minimize any information gathering at all, no matter how small or insignificant the data might seem.


This information includes neither metadata nor content data of your communications. I don't know what you are concerned about here, that is, again, if you are not paranoid. As I wrote, every script kiddie can monitor your connection but the only info would be how much data was transferred, if at all. This is absolutely irrelevant from a data protection point of view. Transferred data could really be anything.
 
46 minutes ago, JpvEXonHrB said:

Thanks, if it's local it should be much easier to have an option to not display it at all.


This option would amount to nothing. Monitoring a specific interface is easier and even a built-in feature of at least Windows (e.g., the performance metrics you can read with WMI) and Linux (e.g., iftop). And since OpenVPN works with a virtual network interface (TAP adapter on Windows, tunX devices on Linux), it gets real easy.
 
52 minutes ago, JpvEXonHrB said:

Do you know if it is possible to easily edit these values within Eddie?


Only through custom directives which are passed to OpenVPN. They are essentially tun-mtu and link-mtu, plus mssfix for TCP and fragment for UDP connections.
 
53 minutes ago, JpvEXonHrB said:

For example, a person that uses AirVPN is logged into the AirVPN website on his phone. A third party gains access to that phone. They read the ticket history. Depending on the information in the ticket, maybe location, payment year, month, ISP data, network info, etc. It doesn't really matter; any info can be useful in certain cases. So, in order to be totally anonymous, delete or anonymize that data after the ticket has been closed. It serves no other purpose anyway, so why take the risk in the first place?


Sorry, but this problem lies with you and you only. If you don't trust your phone, don't login permanently and enable cookie and cache deletion. All browsers can do it, even the less known. I mean, would you ask your bank to regularly delete all transaction data from your account as well, just because you are concerned about me finding your phone?
 
58 minutes ago, JpvEXonHrB said:

Thanks, SWIM wishes they would add that feature in the desktop clients as well then.


Legitimate request. Would support an implementation.
 
59 minutes ago, JpvEXonHrB said:

SWIM thinks that if somebody wants to gain access and insights into AirVPN, this party would purchase a subscription first to gather insights into the design and topology of AirVPN. By gathering this data it would then be easier to make predictions, since the entry and exit IP only differ by two digits, as opposed to a completely random different subnet/zone for the exit. Make it more difficult, and not easy, for malicious third parties, and for the sake of increased anonymity.


I agree with you, though I must write that nothing in the world could ever protect you well if you are subject to a targeted attack. This feature is there for all the much more common "less enthusiastic" cases, such as "I'll just launch this correlation tool here, see what comes up".
 
1 hour ago, JpvEXonHrB said:

SWIM also still thinks that it is very important to perform pentesting from within and outside the AirVPN and Eddie environment and software, and that sharing this with the community would further increase the integrity and value of AirVPN and Eddie.


It is a sensible topic, one to which I personally didn't form a conclusive opinion yet.


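On the point made in the reply above that hiding Eddie's byte counters would be a placebo: those numbers are the kernel's own counters for the tunnel interface, and any local process can read them whether or not the client shows them. The following is an added example written for this thread, not Eddie code. It parses the Linux `/proc/net/dev` table, singles out tun/tap devices (the virtual adapter OpenVPN uses) and prints download/upload totals. The `SAMPLE` snapshot embedded in it is constructed, so the script runs offline; `read_live()` reads the real file where one exists. The function names are my own.

```python
"""Read the tunnel's byte counters from the kernel, as any local process can.

Added example; not Eddie code. Parses the Linux /proc/net/dev table and
singles out tun/tap interfaces (OpenVPN's virtual adapter). SAMPLE is a
constructed snapshot so the code runs offline; read_live() uses the real
file where one exists.
"""
import os
import re

# Constructed /proc/net/dev snapshot; column layout as on a stock kernel.
SAMPLE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   1234567     8901    0    0    0     0          0         0   1234567     8901    0    0    0     0       0          0
  eth0: 987654321   654321    0    0    0     0          0      1234 123456789   234567    0    0    0     0       0          0
  tun0: 734003200   512000    0    0    0     0          0         0 104857600   204800    0    0    0     0       0          0
"""

_ROW = re.compile(r"^\s*([^\s:]+):\s*(.*)$")


def parse_proc_net_dev(text):
    """Map interface name -> (rx_bytes, tx_bytes)."""
    counters = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        m = _ROW.match(line)
        if not m:
            continue
        name, fields = m.group(1), m.group(2).split()
        if len(fields) < 16:
            continue
        # Receive block is fields[0:8], transmit block is fields[8:16];
        # bytes is the first column of each block.
        counters[name] = (int(fields[0]), int(fields[8]))
    return counters


def tunnel_interfaces(counters):
    """Keep only tun*/tap* devices, i.e. the OpenVPN side of the traffic."""
    return {n: c for n, c in counters.items() if n.startswith(("tun", "tap"))}


def human(n):
    """Bytes -> 'x.y MiB' style string."""
    for unit in ("B", "KiB", "MiB", "GiB", "TiB"):
        if n < 1024 or unit == "TiB":
            return f"{n:.1f} {unit}"
        n /= 1024


def read_live(path="/proc/net/dev"):
    """Parse the real table if this is Linux, else return None."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="ascii") as fh:
        return parse_proc_net_dev(fh.read())


if __name__ == "__main__":
    table = read_live() or parse_proc_net_dev(SAMPLE)
    for name, (rx, tx) in tunnel_interfaces(table).items():
        print(f"{name}: downloaded {human(rx)}, uploaded {human(tx)}")
```

The same per-interface counters are exposed under `/sys/class/net/<iface>/statistics/` on Linux and by `Get-NetAdapterStatistics` in PowerShell on Windows, so removing the stats tab from the client changes nothing about what someone with local access can learn.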

SWIM: Someone Who Isn't Me.

Thanks for the extensive reply and clearing a lot up. The possibility to check the properties of the adapters on the various OS completely crossed SWIM's mind, most definitely a direct result of the Dr Greenthumb; he asked to be excused.

SWIM feels very strongly about tickets and any data that might contain private and personal information. From a privacy and security point of view, less is more. This isn't a bank. It's a VPN which offers anonymity and privacy.

Also, saying that the responsibility lies with the end user with regard to properly securing devices and surroundings is true, partially.

Any info that can be easily seen or accessed one way or another: people can all make mistakes, trust the wrong person, or drop their guard. If that information weren't so easily accessible in the first place, it would further hinder any malicious third party.

So SWIM asks why not, if the possibilities are there to make it more secure by taking away that responsibility from the end user; it only serves to further increase privacy and security. If a privacy and security service is offered, in this case a VPN, then why only partially? Pull it through the entire business chain. Try to take as much responsibility away from the end user as possible. Less is more.

Thanks again for taking the time to reply.

3 hours ago, JpvEXonHrB said:

SWIM: Someone Who Isn't Me.

Thanks for the extensive reply and clearing a lot up. The possibility to check the properties of the adapters on the various OS completely crossed SWIM's mind, most definitely a direct result of the Dr Greenthumb; he asked to be excused.


Ah, I see. "Asking for a friend". ;)
 
3 hours ago, JpvEXonHrB said:

SWIM feels very strongly about tickets and any data that might contain private and personal information. From a privacy and security point of view, less is more. This isn't a bank. It's a VPN which offers anonymity and privacy.


If you feel very strongly about it, you can ask Staff via ticket yourself if they could detach your tickets from your account.
But I've got a better idea: Use throwaways you keep for a max amount of time, then reregister. Optionally ask for account removal.
 
3 hours ago, JpvEXonHrB said:

Any info that can be easily seen or accessed one way or another: people can all make mistakes, trust the wrong person, or drop their guard. If that information weren't so easily accessible in the first place, it would further hinder any malicious third party.


Explain how a throughput graph can be used against you. I really want to know your thought process here, because I still don't get the concern. Wouldn't want to think it's baseless paranoia, right? :)
 
4 hours ago, JpvEXonHrB said:

So SWIM asks why not, if the possibilities are there to make it more secure by taking away that responsibility from the end user; it only serves to further increase privacy and security. If a privacy and security service is offered, in this case a VPN, then why only partially? Pull it through the entire business chain. Try to take as much responsibility away from the end user as possible. Less is more.


The removal of this tab does not enhance privacy or especially security, no matter how hard I try thinking about it. As I wrote earlier, if it's not in the app, it's definitely in the interface metrics of operating systems, so you'd apply a placebo, a feel-good measure without any effect.



Thanks again for the reply.

SWIM is no longer speaking about the throughput graph here. You cleared that up in the previous reply. But more about the possibility of private and personal data found in the account page, like tickets.

SWIM doesn't want to turn this into a debate about semantics: if this, or but that, use this workaround, etc. Not all end users are tech savvy or would follow best practices. Rather, make and keep it as convenient for the end user as possible.

Regarding any laws or legal matters in removing ticket data for example, SWIM isn't knowledgeable in that area. The staff might be able to clear that up whether or not deleting ticket data automatically is actually possible and/or allowed by law.

Maybe an option in the accounts page to delete that data would be ideal? Why bother the staff and their precious time with something that could possibly be done automatically with a script on the back end?

SWIM still hopes for input from other users as well. More and different views, from different usage requirements, maybe different and/or additional ideas/findings and wishes.
