Valerian

Article on VPN traffic tracing


Hello!

If all tier 1 transit providers co-operated with each other to exchange all of their data and could do so with impunity in every country, you would have a global adversary-like entity, against which you can't prevent correlations between the source and destination of a packet of yours. You can protect your data content against the global adversary trivially (end-to-end encryption), but you can't hide the real destination and source of your own communications (provided that you don't perform illegal war-driving and similar actions, of course). What you can do is make the correlation as expensive as possible, in order to render data harvesting through correlations no longer financially attractive, as long as you are not a high profile target.

Please read the following, old article of ours:
https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745

Kind regards
 


Personally, some of AirVPN's policies/procedures are a little concerning; some examples:

1) Keys are not renewed automatically; this needs to be done manually (at the moment). All keys should expire every 90 days (or on a custom timer set by the customer).
2) API keys should also rotate frequently.
3) I'd like a feature to generate 10 random keys with random names and automatically rotate them.
4) I'd like to be able to destroy a user account entirely (as if it never existed) and create a new one with my subscription balance every so often (similar to Mullvad in this regard).
5) Using "all activity", the username of each new account that registers is uniquely published and can be scraped.
6) Using the login/register flow you can check emails that may or may not be registered to an account. This was disclosed to staff but not considered; staff should remove the email field altogether due to possible abuse.
7) Eddie (all platforms) should be able to frequently rotate connections (countries) and keys (randomly). This is a feature I've wanted for years but it doesn't seem to be coming (so I'll probably need to make it myself, although an API for this would be appreciated). No VPN provider seems to allow their software to automatically connect to a new server every so often (not sure why really; in theory it would help?).
8) Other providers have "double hop", where you enter/exit via different countries, which... feels more secure/safer but is probably arguable.

The thing with VPNs is that you need to clearly define your threat model and tolerance; truthfully, at some point you will become uniquely identifiable. Staff mention you should use BTC, but in the EU they are going to tighten it up so you have to provide PII to purchase the coins.

Mainly, for me, a VPN is used to hide traffic from ISPs and public networks. Of course, if you use a VPN to log in to your online bank then they will tie your access to the VPN's IP; they will know you use a VPN (or other anonymity technique) purely based on the IP alone, which again falls into your threat model.

 

@airvpnforumuser

1) Irrelevant, if not wasteful, given PFS. The client certificate and keys do not allow decryption of traffic, so someone who steals them has indeed nothing to decrypt.

2) That's up to the user. We think it's a bad idea to force renewal of the key of a simple API, for some good reasons tied to customers' behavior and needs.

3) Fluff and nonsense if referred to the client certificate and static key. As for PFS, what you propose is insecure, because by "rotating" keys you would use the same keys over and over, periodically, so you violate the basic paradigm of Forward Secrecy. OpenVPN implements PFS: it uses a one-time key and renews it every 60 minutes by default. You can decide an arbitrary renewal time (<= 60 minutes) and you will never use the same key again.

4) It's already possible (since 2012) but we ask you to contact us to do so. Our requirement is caused by attempted frauds in the past.

5) So what?

6) That was done recently, in 2019 if we recall correctly. Due to some technical limitations with IPB you must anyway enter at least one character in your e-mail field, but that's all. In order not to overlap with other existing e-mail field contents, just enter a random string.

7) Incredibly awful and dangerous idea about server rotations, and we can easily see why no provider offers it. Key "rotation" is also a terrible idea; we (and OpenVPN) have something much better, check 3).

We are very sorry to see how even our own customers are misinformed about AirVPN features or ignore essential features which have been implemented years ago. We must be making mistakes in our communications; we will perform an internal exam (but we will not pay parasite reviewers to avoid that they hide such features, of course :) ).

Kind regards

 

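As an added illustration of the renewal interval Staff describe in point 3) above (this is not AirVPN or OpenVPN code; it assumes only the standard OpenVPN `reneg-sec <seconds>` directive, whose default is 3600 and where 0 disables periodic renegotiation, and the sample profiles are constructed), the following checker reads a client profile, reports the effective data-channel rekey interval, and flags a profile that has switched periodic renewal off:

```python
"""Check the data-channel key renewal interval in an OpenVPN client profile.

Added example; not AirVPN or OpenVPN code. It relies on the standard OpenVPN
directive `reneg-sec <seconds>` (TLS renegotiation interval, default 3600,
0 disables periodic renegotiation). Sample profiles below are constructed.
"""

DEFAULT_RENEG_SEC = 3600  # OpenVPN's default when the directive is absent
MAX_RECOMMENDED = 3600    # the post suggests any interval <= 60 minutes

# Constructed sample profiles (the hostname is a placeholder, not a real server)
PROFILE_DEFAULT = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
"""

PROFILE_SHORT = """\
client
dev tun
reneg-sec 3600   # first value ...
reneg-sec 600    # ... is overridden by the later occurrence
"""

PROFILE_DISABLED = """\
client
reneg-sec 0
"""


def parse_reneg_sec(profile: str) -> int:
    """Return the effective reneg-sec value, treating later occurrences as overriding earlier ones."""
    value = DEFAULT_RENEG_SEC
    for raw in profile.splitlines():
        # strip '#' and ';' comments, then surrounding whitespace
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "reneg-sec" and len(parts) >= 2 and parts[1].isdigit():
            value = int(parts[1])
    return value


def assess(profile: str) -> dict:
    """Classify a profile's rekey setting for review."""
    secs = parse_reneg_sec(profile)
    if secs == 0:
        status = "disabled"   # one data-channel key for the whole session
    elif secs > MAX_RECOMMENDED:
        status = "too-long"
    else:
        status = "ok"
    return {"reneg_sec": secs, "status": status}


def effective_interval(client_secs: int, server_secs: int) -> int:
    """Either peer may start a renegotiation, so the shortest enabled timer wins.
    Returns 0 only when both sides have disabled it."""
    enabled = [t for t in (client_secs, server_secs) if t > 0]
    return min(enabled) if enabled else 0


if __name__ == "__main__":
    for name, prof in (("default", PROFILE_DEFAULT), ("short", PROFILE_SHORT),
                       ("disabled", PROFILE_DISABLED)):
        print(name, assess(prof))
    print("client 600 / server 3600 ->", effective_interval(600, 3600))
```

The point of `effective_interval` is that the client-side value only shortens the interval: a server that renegotiates every 3600 seconds still does so even if the client sets 0, and a client that sets 600 gets a fresh key every 10 minutes regardless of the server's timer.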

@Staff

I should've been clearer and not used the word "rotating" (instead: renewing), but certainly renewing the key every so often might be worthwhile, otherwise why offer the feature at all?

I also would welcome (similar to your Bluetit developer manual) more information regarding your infrastructure and design decisions. I'm not a VPN/server guru and clearly you are experts in the field (hence the long-term business and why I have a multi-year account), so it would be nice to explain how to best use AirVPN. For example, why is switching countries frowned upon? Is it safer to use a single server, or do you indeed need to consider carefully the server you are using? Eddie is a great application and offers many countries, but gives no idea on best practice, which most VPN providers also do not seem to offer.

I do not subscribe to the belief that simply buying a VPN and using their software is automagically going to make you "secure", as there may be other behaviors that might be worth considering (indeed, how you purchase a VPN, as you rightfully mention, is important, as well as possibly using AirVPN over Tor).

 

@airvpnforumuser

Hello!

We're glad anyway that you posed your questions, so you know now that the most important features you required are already available in AirVPN.

The famous "golden rule" still makes sense nowadays when your threat model includes an adversary with typical organized crime power: connect to a server located in a different country from the country you are in, just to make life harder for those who could perform dangerous correlations by wiretapping lines in the same country, an action which we have seen to be possible for criminal organizations in the past, in Western countries too. By connecting to a server in another country you often make their correlation attempts much more difficult.

We will try to be even more transparent about our decisions (and their reasons) on the infrastructure and its design when possible in the future. How do you like the Bluetit developer's manual? With it and with the source code you should be able to see exactly how many things work, for example how the bootstrap servers work in detail, and how the "manifest" file is built. On the other hand, Bluetit gives you the option to integrate your software with AirVPN even if you don't care about the inner mechanisms, thus greatly simplifying your development work.

Kind regards
 

On 8/26/2021 at 4:29 PM, Staff said:
@airvpnforumuser

We're glad anyway that you posed your questions, so you know now that the most important features you required are already available in AirVPN. [...]

The manual is quite sufficient and explains a lot about how the bootstrap servers work, and essentially acts as an 'API' for AirVPN integration into any software, as is mentioned in the documentation. I do wish it was integrated into Eddie for desktop/Android so all software used the Bluetit library and provided a 'central' base to work from, and of course had getters/setters for all VPN tasks (for example, managing clients, keys). Some things can only be done using the website, yet the manual makes it clear there are methods for most things.

 

@airvpnforumuser

Hello!

Unfortunately it is impossible to port Bluetit to Android. It could be designed, with heavy modifications, to run only on rooted devices. As such it would remain niche software, unused by most of our customers.

It is possible to make the Eddie GUI a Bluetit client, but it is not a trivial task because the Eddie GUI is written in C#, and for other important reasons. Thus, Firescrest is the currently planned software which will be a Bluetit GUI.

Before that, anyway, a TUI mode must be implemented in Goldcrest. Goldcrest's TUI mode can in many cases be even more useful than a Qt based client because it will require only the lightweight ncurses library, available on all systems (therefore no need for Qt or GTK or desktop environments).
 
Quote

having getters/setters for all VPN tasks (for example, managing clients, keys).


Yes, Bluetit can do it for your client already.

Kind regards
 

On 8/25/2021 at 2:51 AM, Staff said:

If all tier1 transit providers co-operated

I would love to get back on topic, it's interesting.
But it doesn't need complete cooperation. Remember the example with WhatsApp: you can hide all you want, but all it takes is one of your contacts ending up in Facebook's database. The more contacts you have, the more probable it is.
With networks this is harder, but generally you still only need ONE node surveilling. The more hops your traffic makes, the more likely you will hit an "attacker". Even if your incoming / outgoing traffic flows differently (e.g. one way is tracked and the other is not), this is still enough to know there was communication between you.
Symmetric example: you <---> hop1 <---> hop2 <---> evil hop3 <---> hop4 <---> hop5 <---> host
Wiretapping on any of the 5 hops and they have your full metadata.
Asymmetric example:
you ---> hop1 ---> hop2 ---> evil hop3 ---> hop4 ---> hop5 ---> host
you <--- hop1 <--- hop2 <--- hopA <--- hopB <--- host

It is known that the NSA does extensive wiretapping in the US; European traffic in most cases flows through France/UK (also known to be wiretapped) and then over the Atlantic. Lately there was a story about wiretapping in Denmark by the same parties, and before that directly at DE-CIX in Germany (a major internet exchange for European traffic too).
Heck, even West AND East Europe to Japan is often routed through the UK-US. One Russian hosting provider (Moscow, Saint-Petersburg) too! Use someone's good looking glass to see that one.

Damn, I now see the scale of operations here.

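The two hop diagrams in the post above, modelled as an added example (not code from the thread or from AirVPN; hop names, paths and the position of the VPN server are constructed). It goes one step beyond the post: besides reproducing the "any single hop links you to the host" result for the symmetric and asymmetric paths, it inserts a VPN server into the same topology to show which hops an observer must then control to link the two ends by addresses alone. Timing and volume correlation, which is what the global-adversary discussion at the top of the thread is about, is deliberately outside this model.

```python
"""Which hops can link `you` to `host`, with and without a VPN in the path?

Added example, not code from the thread or from AirVPN. Hop names, paths
and the VPN position are constructed from the two diagrams in the post.
The model is address-based only: it ignores timing/volume correlation.
"""

YOU, HOST, VPN = "you", "host", "vpn"

# Paths are listed in travel direction: forward from you to host,
# return from host back to you (the asymmetric case from the post).
FWD = ["hop1", "hop2", "hop3", "hop4", "hop5"]
RET = ["hopB", "hopA", "hop2", "hop1"]

# Same topology with a VPN server inserted after hop2 on both legs (constructed).
FWD_VPN = ["hop1", "hop2", VPN, "hop3", "hop4", "hop5"]
RET_VPN = ["hopB", "hopA", VPN, "hop2", "hop1"]


def segment_view(path, start, end, vpn=None):
    """Map each hop on `path` (ordered from `start` to `end`) to the set of
    address pairs it can read from packet headers. A VPN re-addresses the
    traffic: hops before it see start<->vpn, hops after it see vpn<->end,
    and the VPN itself sees both."""
    if vpn is None or vpn not in path:
        return {hop: {frozenset((start, end))} for hop in path}
    idx = path.index(vpn)
    view = {}
    for i, hop in enumerate(path):
        if i < idx:
            view[hop] = {frozenset((start, vpn))}
        elif i > idx:
            view[hop] = {frozenset((vpn, end))}
        else:
            view[hop] = {frozenset((start, vpn)), frozenset((vpn, end))}
    return view


def merge_views(*views):
    """Union the per-hop observations of several paths."""
    out = {}
    for v in views:
        for hop, pairs in v.items():
            out.setdefault(hop, set()).update(pairs)
    return out


def can_link(pairs, you, host, vpn=None):
    """Address-based linking: a direct you<->host pair, or both VPN legs."""
    if frozenset((you, host)) in pairs:
        return True
    if vpn is None:
        return False
    return frozenset((you, vpn)) in pairs and frozenset((vpn, host)) in pairs


def linkable(controlled, use_vpn=False):
    """True if an observer watching the hops in `controlled` can tie you to host."""
    vpn = VPN if use_vpn else None
    fwd, ret = (FWD_VPN, RET_VPN) if use_vpn else (FWD, RET)
    views = merge_views(segment_view(fwd, YOU, HOST, vpn),
                        segment_view(ret, HOST, YOU, vpn))
    seen = set()
    for hop in controlled:
        seen |= views.get(hop, set())
    return can_link(seen, YOU, HOST, vpn)


if __name__ == "__main__":
    cases = [({"hop3"}, False), ({"hopA"}, False), ({"hop3"}, True),
             ({"hop1"}, True), ({"hop1", "hop5"}, True), ({VPN}, True)]
    for hops, with_vpn in cases:
        label = "VPN" if with_vpn else "no VPN"
        verdict = "linkable" if linkable(hops, with_vpn) else "not linkable"
        print(f"{label:7} {sorted(hops)}: {verdict}")
```

Without the VPN, a single hop on either direction (hop3 forward, or hopA on the asymmetric return path) is enough, which is the post's claim. With the VPN, a hop on one side sees only its own leg; the observer needs a hop on each side of the VPN (for example hop1 and hop5, or hop1 and hopB) or the VPN server itself. That is the reasoning behind Staff's "golden rule" of exiting in another country: it forces the wiretap to span two jurisdictions, or to fall back on the timing correlation this model leaves out.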
