Lynnehawk

Could an attacker use forwarded ports to correlate users with their anonymous traffic?


Could a malicious party ever possibly gain access to a list of AirVPN's users' forwarded ports? If so, could the malicious party then correlate those users with traffic to and from the exit IP addresses of AirVPN's servers, using the port numbers as common values in both sets of data? To help explain what I mean, imagine the following scenario:

John Doe is the only AirVPN user to ever use BitTorrent on port 12345. Even if he connects to a malicious peer, which we'll call the Ministry of Truth, his anonymity remains intact, because the most information that the Ministry can correlate are the files being shared, the IP address of an AirVPN server, and port number 12345. However, what if the Ministry got a court order demanding that AirVPN provide a list of its users' forwarded ports? Correct me if I'm wrong, but wouldn't the Ministry then be able to see that John Doe was the only AirVPN user to forward port 12345, thus linking him to the aforementioned BitTorrent traffic?

Perhaps I'm simply misunderstanding how AirVPN's port forwarding works, so correct me if I'm wrong. But if I'm right, then what measures must users take to protect themselves from such a scenario?


Now that I think of it, there is some truth in it.

Short story: I once needed the standard SIP port (5060) to test VoIP with a Fritz!Box router but it had been forwarded by some other user. As soon as Staff saw my post informing about that they made this port available for me, saying that the user who forwarded the port in question no longer is actively using AirVPN.

So actually, there IS some database containing this information; it really might be a vulnerability.

However, I don't know if anyone is really allowed to ask for that kind of info. At least it would be unusual.

(Sent via Tapatalk 4)


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


So actually, there IS some database containing this information; it really might be a vulnerability.

How? Does anyone insert real name and surname and/or e-mail address that can be used to disclose their real identity in their account data? If so, it is more a fault on the client side, rather than on the service side. Anyway port forwarding is optional and you can delete forwarded ports immediately after you needed them.

Kind regards


That's interesting, I hope the staff can put a remark in section: You provide Remote port forwarding, What is it?

Something like:

Anyone insert real name and surname and/or e-mail address that can be used to disclose their real identity in their account data? If so .....

Information is what we share though.


Does anyone insert real name and surname and/or e-mail address that can be used to disclose their real identity in their account data?

Names are easy to fake, but major email providers are starting to demand quite a bit of personal information before you can get an address. For example, Gmail requires SMS confirmation, if I remember correctly. Should users get temporary addresses for signing-up? If so, should users connect to the email service using TOR, so that the service can't log their real IP address?

Also, does AirVPN discard ALL of a user's billing information after he/she purchases a plan, or is using BitCoin the only way to ensure that users' accounts can never be correlated with their real identities?


Does anyone insert real name and surname and/or e-mail address that can be used to disclose their real identity in their account data?

Names are easy to fake, but major email providers are starting to demand quite a bit of personal information before you can get an address. For example, Gmail requires SMS confirmation, if I remember correctly. Should users get temporary addresses for signing-up?

Hello,

no real e-mail address is required, we don't check it. However, if you insert a fantasy e-mail address, make sure not to lose your password, because you will not be able to reset it via e-mail. There are still very many mail service providers which accept connections from TOR and do not require SMS verification or other privacy hostile methods.

Also, does AirVPN discard ALL of a user's billing information after he/she purchases a plan, or is using BitCoin the only way to ensure that users' accounts can never be correlated with their real identities?

Only using Bitcoin. You can't and we can't delete transactions recorded through a bank, a credit card issuer company etc. They remain (and it must be so) stored in your account, our account, bank records etc. "for ever". This may be relevant or not according to your needs.

Kind regards


So actually, there IS some database containing this information; it really might be a vulnerability.

How? Does anyone insert real name and surname and/or e-mail address that can be used to disclose their real identity in their account data? If so, it is more a fault on the client side, rather than on the service side. Anyway port forwarding is optional and you can delete forwarded ports immediately after you needed them.

Kind regards

Yes, I see, I didn't finish my thought.

(Sent via Tapatalk 4)

