aspartame

Ephemeral / Self Destructing Port


The heat on torrenting is getting worse - https://torrentfreak.com/u-s-court-orders-up-to-97500-in-damages-for-sharing-adult-films-via-bittorrent-250322/

The weak link in privacy is port forwarding, so adding an easy-to-use expiration date to a port would help users with their privacy.

 It could have practical time windows of usage: 12 hours, 1 day, 2 days, 7 days

I think it would be a nice opt-in feature.


I seem to miss the link between the contents of the article and port forwarding, and by extension a link between port forwarding and any individual BitTorrent activity involving copyrighted works. Therefore, this feature makes no sense.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

7 hours ago, OpenSourcerer said:

I seem to miss the link between the contents of the article and port forwarding, and by extension a link between port forwarding and any individual BitTorrent activity involving copyrighted works. Therefore, this feature makes no sense.


To illustrate a potential privacy risk with port forwarding, consider this hypothetical scenario. Strike 3 Holdings automatically monitors copyright infringement, logging an IP address, timestamp, port, and the port's open status. The IP belongs to an AirVPN server, which would normally halt legal action. However, in this case, Strike 3 Holdings obtains a court order.

The order compels AirVPN to identify the user connected to the server at the time of infringement and using the forwarded port in question. In response, AirVPN staff would identify the IP's port pool and query their database for the user account currently forwarding that port. Because AirVPN offers static port forwarding, this query would likely identify the infringer's account.

This alone is insufficient for disclosure. The port could have been relinquished after the infringement, and AirVPN keeps no historical port forwarding logs. Users can also change port configurations during a session.

A more detailed examination, however, reveals a problem. Port forwarding can only be managed via the AirVPN website, which logs login dates and basic browser information for security purposes. The hypothetical user, Joe Smith, has not logged in since initially configuring his forwarded ports long ago.

The timestamp of the infringement is more recent than the last recorded login for the account holding the forwarded port. This creates compelling evidence that the account owner continuously held that port forwarding rule since their last login. AirVPN would then be compelled to provide Joe's username, login history, current ports, origin IPs, and payment transaction IDs. With this information, Strike 3 Holdings can subpoena payment processors and ISPs to uncover Joe Smith's identity.

@Donwo1995

Hello!

There are a couple of wrong assumptions in your scenario:
 
Quote

AirVPN would then be compelled to provide Joe's username, login history, current ports, origin IPs


We do not log origin IP addresses according to the ToS and the current legal framework, therefore we can not provide information we do not have.
 
8 hours ago, Donwo1995 said:

creates compelling evidence that the account owner continuously held that port forwarding rule since their last login


Not really, as ports can be deleted/changed for account inactivity, pool shifts and other actions not involving the user.
 
8 hours ago, Donwo1995 said:

payment transaction IDs


This problem can be resolved with specific payment methods without intermediaries.

On a different, higher priority layer we must make clear that you can't come here, declare publicly an intent of illegal usage of the service by writing from an account that does not even have a valid subscription and then expect that AirVPN aids and abets this illegal usage through additional ad hoc options. If one really claims a criminal intent and comes here to declare it publicly, he/she should not expect help from AirVPN, in fact quite the contrary.

Kind regards
 


@Staff

Thank you for your response. To be absolutely clear: I am strongly against any illegal activities, including copyright infringement, and fully support AirVPN's ToS, which prohibit such use. I used a throwaway account here as a basic OPSEC practice, which aligns with privacy best practices and doesn't imply wrongdoing.

On the technical points:

Users' origin IPs are visible in real-time so long as they are actively connected. Indeed, users are explicitly warned of this in the Client Area. In a compelled disclosure scenario, this could reveal origin IPs corresponding to active connections without relying on logs.

Your comment that "ports can be deleted/changed for account inactivity, pool shifts and other actions not involving the user" seems at odds with the following statement in the [UPDATE] Remote port forwarding system expansion announcement: "Each user can rely indefinitely, as long as the account has a valid plan, on the same ports and the same exit-IP address."

Paying with non-KYC Monero mitigates transaction ID exposure, and more generally, following the "partition of trust" model you described here would obviate any of the aforementioned privacy issues. However, most users probably don't have such rigorous OPSEC.

For the record, I do not support aspartame's proposal to add ephemeral ports. Instead, I hope that the implementation of the port forwarding management API you discussed here can be completed.

My apologies if my scenario was misconstrued. I brought this up in what I hoped was the constructive spirit of the "General & Suggestions" forum.

Kind regards.
 

23 hours ago, OpenSourcerer said:

I seem to miss the link between the contents of the article and port forwarding, and by extension a link between port forwarding and any individual BitTorrent activity involving copyrighted works. Therefore, this feature makes no sense.

It shows that there is a real adversary for port forwarding - one that could make users think twice before trusting the "no logging" claims, if a privacy mishap happens and article headlines scream danger.


AirVPN team, you have not implemented multi-hop and traffic-analysis foiling - you are behind, slacking. You can take offense or actually pick up the pace - it's only a matter of time before AI exposes any VPN users' identity via traffic analysis, so I suggest AirVPN be ahead. I do like the transparent network, it's very helpful.

Edited ... by aspartame

1 hour ago, aspartame said:
AirVPN team, you have not implemented multi-hop

It has been implemented since 2012 and currently defeats any AI or non-AI attempt to disclose users' identity via traffic analysis. Only the global adversary is potentially able to do it, if it exists, but by definition the global adversary can not be defeated in any case; you can only make the content of your communications inaccessible to it, not your real origin and destinations of communications.
 
Quote

you are behind, slacking. You can take offense


Difficult to take offense from one who does not even know (or pretends he/she doesn't know) features implemented 13 years ago. Now locking the thread for a few days to avoid trolling anyway.

Kind regards
 

5 hours ago, Donwo1995 said:

However, most users probably don't have such rigorous OPSEC.


Good to know, but it's outside our scope to force users to be rigorous. We offer the option and the proper tools to act rigorously and we try to educate through articles. We can't do much more.
 
Quote

I hope that the implementation of the port forwarding management API you discussed here can be completed.


That was a very good suggestion but it still remains in limbo; we will prioritize it when possible.

Kind regards
 

This topic is now closed to further replies.
