Jump to content
Not connected, Your IP: 3.81.221.121
Oksana Luda

VPNs are so insecure you might as well wear a KICK ME sign

Recommended Posts

Has anyone read the article below, AirVPN is included...

Article : http://www.theregister.co.uk/2015/06/30/worlds_best_vpns_fall_flat_in_security_tests/

 

Brit boffins' test of 14 prominent privacy tunnels finds leaks galore thanks to IPv6 mess drop_345345564545.jpg?x=648&y=429&crop=1
30 Jun 2015 at 06:32

A team of five researchers from universities in London and Rome have identified that 14 of the top commercial virtual private servers in the world leak IP data.

Vasile C. Perta, Marco V. Barbera, and Alessandro Mei of Sapienza University of Rome, together with Gareth Tyson, and Hamed Haddadi of the Queen Mary University of London say vendor promises of user privacy and security are often lies that put users at risk.

"Despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage," the authors wrote in the paper A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients [PDF].

"Our findings confirm the criticality of the current situation: many of these [14] providers leak all, or a critical part of the user traffic in mildly adversarial environments.

"The reasons for these failings are diverse, not least the poorly defined, poorly explored nature of VPN usage, requirements and threat models."

The team probed the top client software versions of providers including Hide My Ass, PrivateInternetAccess, and IPVanish. They established a campus dual stack OpenWrt IPv6 through IPv4 tunnel wifi network with updated Ubuntu, Windows, OSX, iOS 7, and Android clients. This simulated the environment where users would trust VPNs to protect them from a hostile network, they said.

 

645645.jpg

 

All but provider Astrill were open to IPv6 DNS hijacking attacks and only four did not leak IPv6 data.

None were resistant to both threats. Here's how the authors summarise the situation:

They found the most common VPN tunnelling technologies relied on outdated technologies like PPTP with MS-CHAPv2 which could be trivially broken with brute-force attacks."Whereas our work initially started as a general exploration, we soon discovered that a serious vulnerability, IPv6 traffic leakage, is pervasive across nearly all VPN services. In many cases, we measured the entirety of a client’s IPv6 traffic being leaked over the native interface. A further security screening revealed two DNS hijacking attacks that allow us to gain access to all of a victim’s traffic."

The "vast majority" of commercial VPNs suffer from data leakage in dual stack IPv4 and IPv6 networks in a way the exposes "significant amounts" of traffic to public detection in contradiction to vendor claims.

"Most importantly we find that the small amount of IPv6 traffic leaking outside of the VPN tunnel has the potential to actually expose the whole user browsing history even on IPv4 only websites," they wrote in the paper. Here's the paper's explanation of the IPv6 mess:

All of the DNS configurations used by the providers could be overcome by DNS hijacking attackers."... whereas all VPN clients manipulate the IPv4 routing table, they tend to ignore the IPv6 routing table. No rules are added to redirect IPv6 traffic into the tunnel. This can result in all IPv6 traffic bypassing the VPN’s virtual interface. Although not a serious issue some years ago, increasing amounts of traffic is now IPv6, bringing the problem to criticality."

Recommended countermeasures included altering IPv6 routing tables to capture all traffic, and ensuring the DNS server can only be accessed through the tunnel.

Share this post


Link to post

So, is this still part of the WebRTC leaks? And didn't AirVPN announce somewhere that IPv6 leaks are not to worry about? At least not more than IPv4 leaks.

Share this post


Link to post

I've read the article before.  Air's client now has IPv6 leak protection.  Regarding the DNS hijacking, it seems that it requires the attacker to have control of your machine anyway.  So, what's the point of DNS hijack at that time?  Much worse has already happened.  Do I misunderstand?

Share this post


Link to post

I've read the article before.  Air's client now has IPv6 leak protection.  Regarding the DNS hijacking, it seems that it requires the attacker to have control of your machine anyway.  So, what's the point of DNS hijack at that time?  Much worse has already happened.  Do I misunderstand?

 

Hello,

 

it's not necessary to control your machine. Anyway this is just talking about gender of angels since AirVPN setup has the same IP address for VPN DNS server and VPN gateway and the attack can't even start.

 

Kind regards

Share this post


Link to post

It wasn't long ago when the only thing you got after signing up with any vpn provider was config files.

Client side security was the responsibility of the user.

 

-grr @ the push button generation.

Share this post


Link to post

I also agree that AirVPN is not vulnerable.

Even for those who don't use Eddie and network locks.

 

For the second attack (IPv6 leak) to happen, the user must have a routable IPv6 address to begin with.

According to surveys only 10% of users do have it, and this % is probably much lower on "Shared" systems

like public hot-spots where this attack vector can take place.

 

If you just have a link-local IPv6 in your system, it doesn't mean that you can start sending AAAA DNS queries.

I am not sure why it is not mentioned in the paper.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Let me tell anyone a few things:

 

1. I have NO ip leak. Tested on dnsleak.org advanced search, only AirVPN is shown.

2. I have UNLIMITED bandwith while on VPN

3. I have UNLIMITED country changes

4. I have FULL SPEED on VPN (3mb/s down and 1mb/s upload)

5. I have an OPEN-SOURCE(!!!!!!) client software, hell NO ONE offers that except AirVPN

6. I have PORT-FORWARDING

7. I have a Speed-test of Airvpn testing in and outside tunnel

8. I have an account that last 762 days and for the CHEAP price of 54€/year I extend every year for sure

9. I have a CONFIG GENERATOR for ALL platforms

 

You complain about AirVPN? Show me ANY other provider that can offer the same quality for  the same price. There is none. AirVPN is the best, POINT.

I trust AirVPN more than any other provider because its EU based and they TALK to us. They inform us about every step behind the scene. They not sit down and count the money, they look forward and take of things before they happened. I've been a member for more than a year. I've never regret this membership, it was one of the best decisions in my life. If you want freedom and security for a FAIR price, go for AirVPN. You don't trust my words? Fine, compare with other providers and decide on your own like I did. AirVPN is worth the money, you will find out on your own.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...