
Article on VPN traffic tracing


Hello!

If all tier 1 transit providers co-operated with each other to exchange all of their data, and could do that with impunity in every country, you would have a global adversary-like entity, against which you can't prevent correlations between the source and destination of a packet of yours. You can protect your data content against the global adversary trivially (end-to-end encryption), but you can't hide the real destination and source of your own communications (provided that you don't perform illegal war-driving and similar actions, of course). What you can do is make the correlation as expensive as possible, in order to render data harvesting through correlations no longer financially attractive, as long as you are not a high-profile target.

Please read the following old article of ours:
https://airvpn.org/forums/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745

Kind regards

@airvpnforumuser

1) Irrelevant, if not wasteful, given PFS. Client certificate and keys do not allow decryption of traffic, so anyone who steals them has indeed nothing to decrypt.

2) That's up to the user. We think it's a bad idea to force renewal of a key of a simple API, for some good reasons tied to customers' behavior and needs.

3) Fluff and nonsense if referred to the client certificate and static key. About PFS, what you propose is insecure, because by "rotating" keys you would use the same keys over and over, periodically, so you violate the basic paradigm of Forward Secrecy. OpenVPN implements PFS: it uses a one-time key and renews it every 60 minutes by default. You can decide an arbitrary renewal time (<=60 minutes) and you will never use the same key again.

4) It's already possible (since 2012) but we ask you to contact us to do so. Our requirement is caused by attempted frauds in the past.

5) So what?

6) That was done recently, in 2019 if we recall correctly. Due to some technical limitations with IPB you must anyway enter at least one character in your e-mail field, but that's all. In order not to overlap with other existing e-mail field contents, just enter a random string.

7) Incredibly awful and dangerous idea about server rotations, and we can easily see why no provider offers it. Key "rotation" is also a terrible idea, we (and OpenVPN) have something much better, check 3).

We are very sorry to see how even our own customers are misinformed about AirVPN features or ignore essential features which were implemented years ago. We must be making mistakes in our communications; we will perform an internal examination (but we will not pay parasite reviewers to avoid that they hide such features, of course :) ).

Kind regards

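To make point 3) concrete, here is an added example (not AirVPN's or OpenVPN's code) that inspects an OpenVPN client profile for its data-channel key renewal settings. The sample profile, host name and PEM placeholder are constructed; the server-side `reneg-sec` value is an assumption (AirVPN's actual setting is not stated in the thread). The model relies on two documented OpenVPN behaviours: `reneg-sec` defaults to 3600 seconds, and either peer's timer triggers a renegotiation for both, which is why a client can shorten the renewal interval but cannot lengthen it beyond what the server enforces.

```python
"""Check an OpenVPN client profile for data-channel key renewal settings.

Constructed example: not AirVPN's or OpenVPN's own code.  It models what the
reply above describes: OpenVPN renegotiates its one-time data-channel key every
3600 s by default (`reneg-sec`), and because either peer's timer triggers a
renegotiation for both, a client can shorten that interval but cannot lengthen
it against a server that keeps the default.
"""

DEFAULT_RENEG_SEC = 3600  # OpenVPN's default for --reneg-sec

# Constructed sample profile; the host name and the PEM block are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 443
cipher AES-256-GCM
# renew the data-channel key every 30 minutes instead of the default 60
reneg-sec 1800
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text):
    """Return {directive: [args, ...]} using the last occurrence of each directive.

    Comments ('#' or ';') are dropped and inline blocks such as <ca>...</ca> are
    skipped, so nothing inside a PEM body can be mistaken for a directive.
    """
    directives = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = True
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def reneg_sec(directives):
    """One side's --reneg-sec: the explicit value, or the 3600 s default.

    OpenVPN 2.6 also accepts 'reneg-sec max [min]'; the first argument is the
    upper bound, which is what matters here.  A value of 0 disables the timer.
    """
    args = directives.get("reneg-sec")
    return int(args[0]) if args else DEFAULT_RENEG_SEC


def effective_renewal(client_sec, server_sec=DEFAULT_RENEG_SEC):
    """Seconds between key renewals for the session.

    The shorter non-zero timer wins because either peer can start a
    renegotiation; the key is reused for the whole session only if both
    sides set 0.
    """
    active = [s for s in (client_sec, server_sec) if s > 0]
    return min(active) if active else 0


def assess(profile_text, server_sec=DEFAULT_RENEG_SEC):
    """Return (effective_seconds, findings) for a client profile.

    server_sec is the assumed server-side reneg-sec (default 3600 s).
    """
    client_sec = reneg_sec(parse_profile(profile_text))
    eff = effective_renewal(client_sec, server_sec)
    findings = []
    if client_sec == 0:
        findings.append("reneg-sec 0: the client never initiates renewal; it now "
                        "depends entirely on the server's timer")
    elif server_sec > 0 and client_sec > server_sec:
        findings.append(f"reneg-sec {client_sec} is longer than the server's "
                        f"{server_sec} s timer, which fires first")
    if eff == 0:
        findings.append("no periodic key renewal at all: one leaked data-channel "
                        "key exposes the whole session")
    return eff, findings


if __name__ == "__main__":
    seconds, notes = assess(SAMPLE_PROFILE)
    print(f"effective data-channel key renewal: every {seconds} s")
    for note in notes:
        print(" -", note)
```

Run it against your own `.ovpn` profile by passing the file contents to `assess()`; the interesting cases are `reneg-sec 0` (renewal left entirely to the other side) and a value above the server's timer, which silently has no effect.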
@airvpnforumuser

Hello!

We're glad anyway that you posed your questions, so you know now that the most important features you required are already available in AirVPN.

The famous "golden rule" makes sense nowadays too, when your threat model includes an adversary with typical organized-crime power: connect to a server located in a different country from the country you are in, just to make life harder for those who could perform dangerous correlations by wiretapping lines in the same country, an action which we have seen to be possible for criminal organizations in the past, in Western countries too. By connecting to a server in another country you often make their correlation attempts much more difficult.

We will try to be even more transparent about our decisions (and their reasons) on the infrastructure and its design when possible in the future. How do you like the Bluetit developer's manual? With it and with the source code you should be able to see many things exactly, for example how the bootstrap servers work in detail, and how the "manifest" file is built. On the other hand, Bluetit provides you with the option to integrate your software with AirVPN even if you don't care about the inner mechanisms, thus greatly simplifying your development work.

Kind regards

@airvpnforumuser

Hello!

Unfortunately it is impossible to port Bluetit to Android. It could be designed, with heavy modifications, to run only on rooted devices. As such it would remain niche software, unused by most of our customers.

It is possible to make Eddie GUI a Bluetit client, but it is not a trivial task because Eddie GUI is written in C#, and for other important reasons. Thus, Firescrest is the currently planned software which will be a Bluetit GUI.

Before that, anyway, a TUI mode must be implemented in Goldcrest. Goldcrest TUI mode can in many cases be even more useful than a Qt-based client because it will require only the lightweight ncurses library, available on all systems (therefore no need for Qt or GTK or desktop environments).

Quote

having getters/setters for all VPN tasks (for example, managing clients, keys).


Yes, Bluetit can do it for your client already.

Kind regards

On 8/25/2021 at 2:51 AM, Staff said:

If all tier1 transit providers co-operated

I would love to get back on topic, it's interesting.
But it doesn't need complete cooperation. Remember the example with WhatsApp: you can hide all you want, but all it takes is one of your contacts to end up in Facebook's database. The more contacts you have, the more probable it is.
With networks this is harder, but generally you still only need ONE node surveilling. The more hops your traffic makes, the more likely you will hit an "attacker". Even if your incoming / outgoing traffic flows differently (e.g. one way is tracked and another is not) this is still enough to know there was communication between you.
Symmetric example: you <---> hop1 <---> hop2 <---> evil hop3 <---> hop4 <---> hop5 <---> host
Wiretapping on any of the 5 hops and they have your full metadata.
Asymmetric example:
you ---> hop1 ---> hop2 ---> evil hop3 ---> hop4 ---> hop5 ---> host
you <--- hop1 <--- hop2 <--- hopA <--- hopB <--- host

It is known that the NSA does extensive wiretapping in the US; European traffic in most cases flows through France/UK (also known to be wiretapped) and then over the Atlantic. Lately there was a story about wiretapping in Denmark by the same parties, and before that directly at DE-CIX in Germany (a major internet exchange for European traffic too).
Heck, even West AND East Europe to Japan is often routed through the UK-US. One Russian hosting provider (Moscow, Saint-Petersburg) too! Get someone's good looking glass to see that one.

Damn I now see the scale of operations here.

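A small model of the argument in the post above (one tapped hop on either direction of a route is enough to record that you and the host communicated), extended with the split that a VPN server introduces, which is what the staff's earlier points about the global adversary and about connecting to a server in another country rely on. This is an added example, not part of the thread; the hop names, the routes and the tapped set are constructed to mirror the post's diagrams. The model assumes hops are tapped independently with the same probability, that the adversary cannot read inside the VPN tunnel, and that linking the two flows a VPN creates therefore needs a tap on both segments (timing correlation by an adversary sitting on both is still possible, which is exactly the global-adversary case).

```python
"""Metadata exposure of a flow across tapped hops, with and without a VPN hop.

Added example, not part of the thread.  Hop names and the tapped set are
constructed.  Assumptions: each hop is tapped independently with the same
probability, an adversary on any hop of either direction learns that you and
the host talked, and the VPN tunnel itself cannot be read, so linking the two
flows a VPN creates needs a tap on both of them.
"""


def route_hops(forward, reverse):
    """Distinct hops touched by a round trip (forward plus reverse direction)."""
    return set(forward) | set(reverse)


def exposed(forward, reverse, tapped):
    """True if any hop in either direction is tapped: one direction is enough."""
    return bool(route_hops(forward, reverse) & set(tapped))


def tapped_hops(forward, reverse, tapped):
    """Which hops of the round trip the adversary actually sits on."""
    return sorted(route_hops(forward, reverse) & set(tapped))


def exposure_probability(forward, reverse, p):
    """P(at least one distinct hop on the round trip is tapped) = 1 - (1-p)^n."""
    return 1 - (1 - p) ** len(route_hops(forward, reverse))


def vpn_correlation_possible(to_vpn, from_vpn, tapped):
    """With a VPN server in the middle the adversary sees two separate flows,
    you<->VPN and VPN<->host.  Tying them together needs a tap on both
    segments; a tap on one segment alone reveals only that segment's endpoints."""
    fwd1, rev1 = to_vpn
    fwd2, rev2 = from_vpn
    return exposed(fwd1, rev1, tapped) and exposed(fwd2, rev2, tapped)


def vpn_correlation_probability(to_vpn, from_vpn, p):
    """Both segments must be hit, so under independence the probabilities multiply."""
    return exposure_probability(*to_vpn, p) * exposure_probability(*from_vpn, p)


# Constructed routes mirroring the post's diagrams.
SYM_FWD = ["hop1", "hop2", "hop3", "hop4", "hop5"]
SYM_REV = list(reversed(SYM_FWD))                 # same path back
ASYM_FWD = ["hop1", "hop2", "hop3", "hop4", "hop5"]
ASYM_REV = ["hopB", "hopA", "hop2", "hop1"]       # host -> you takes another path

# Same end-to-end path with a VPN server placed after hop3 (in another country);
# hop4/hop5 then carry the VPN server's flow to the host, not a flow from you.
TO_VPN = (["hop1", "hop2", "hop3"], ["hop3", "hop2", "hop1"])
FROM_VPN = (["hop4", "hop5"], ["hop5", "hop4"])


if __name__ == "__main__":
    routes = {"symmetric": (SYM_FWD, SYM_REV), "asymmetric": (ASYM_FWD, ASYM_REV)}
    for name, (f, r) in routes.items():
        print(f"{name}: tap on hop3 -> {exposed(f, r, {'hop3'})}, "
              f"tap on hopA -> {exposed(f, r, {'hopA'})}, "
              f"P(exposed) at p=0.1: {exposure_probability(f, r, 0.1):.3f}")
    domestic_tap = {"hop3"}  # a single tap on your side of the border
    print("direct, domestic tap only:", exposed(SYM_FWD, SYM_REV, domestic_tap))
    print("via VPN, domestic tap only:", vpn_correlation_possible(TO_VPN, FROM_VPN, domestic_tap))
    print("via VPN, taps on both sides:", vpn_correlation_possible(TO_VPN, FROM_VPN, {"hop3", "hop5"}))
    print(f"P(correlated) via VPN at p=0.1: {vpn_correlation_probability(TO_VPN, FROM_VPN, 0.1):.3f}")
    print(f"P(correlated) via VPN at p=1.0: {vpn_correlation_probability(TO_VPN, FROM_VPN, 1.0):.3f}")
```

With the asymmetric route the round trip touches seven distinct hops instead of five, so at the same per-hop tap probability the flow is more likely to be seen. With a VPN server in between, the single domestic tap on hop3 no longer suffices, and at p=1.0 (every hop tapped, the global adversary) correlation becomes certain again, which is the limit the staff describe.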