Brit boffins' test of 14 prominent privacy tunnels finds leaks galore thanks to IPv6 mess A team of five researchers from universities in London and Rome have identified that 14 of the top commercial virtual private servers in the world leak IP data. Vasile C. Perta, Marco V. Barbera, and Alessandro Mei of Sapienza University of Rome, together with Gareth Tyson, and Hamed Haddadi of the Queen Mary University of London say vendor promises of user privacy and security are often lies that put users at risk. "Despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage," the authors wrote in the paper A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients. http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf They found the most common VPN tunnelling technologies relied on outdated technologies like PPTP with MS-CHAPv2 which could be trivially broken with brute-force attacks. The "vast majority" of commercial VPNs suffer from data leakage in dual stack IPv4 and IPv6 networks in a way the exposes "significant amounts" of traffic to public detection in contradiction to vendor claims. "Most importantly we find that the small amount of IPv6 traffic leaking outside of the VPN tunnel has the potential to actually expose the whole user browsing history even on IPv4 only websites," they wrote in the paper. All of the DNS configurations used by the providers could be overcome by DNS hijacking attackers. Recommended countermeasures included altering IPv6 routing tables to capture all traffic, and ensuring the DNS server can only be accessed through the tunnel. http://www.theregister.co.uk/2015/06/30/worlds_best_vpns_fall_flat_in_security_tests/
This is, quite frankly, stupid. My ISP doesn't even support IPv6 together with 90% or so of the ISP's around the world, so it can't possibly leak. Even so, it's quite easy to block IPv6 in Linux. PPTP is far from ideal, but properly configured it isn't exactly trivial to brute force. The script kiddie setting next to you in Starbucks won't be anywhere near having that capability. And pretty much every decent provider offers OpenVPN as well.
Yes! But IPv6 will eventually become essential. And while it can probably be configured for privacy, that will be another gotcha