Security: VPN vs SSH vs Proxy

I've seen information that certain Java, Flash and Javascript applications can bypass a proxy in order to get your true IP. But it's not clear to me how effective those things are in different situations.

How secure are VPN and encrypted SSH Tunnels against these kinds of applications?

 

This is going to sound like a cop-out and one that I rarely use, but really, do a search of the archives or just browse this sub-forum and you will see countless threads discussing this very topic with lots of good answers/explanations. Good luck!

 

Flash / Java / JS / ActiveX / Plugins can bypass the connection/proxy settings of native SSH tunnels and proxies. VPN is the way to go, it automatically reroutes all your traffic. One problem with PPTP VPN protocol is leakage, avoid PPTP at all costs, unless you just need encryption (which PPTP does not have, requires MSCHAP for encryption I think) and not much anonymity. L2TP + IPSec or OpenVPN is the way to go for solid encryption and anonymity.

 

Thanks for your suggestions. I did search a bit but not too much, so I'll try some more.

I just use VPN for anonymity and changing my IP geolocation, although the solution I use provides 128bit encryption with PPTP VPN. When I want encryption I use SSH, because I know what I'm getting. But I'm always looking for better solutions

 

Beware of PPTP. If you are using PPTP, then it isn't very anonymous, no matter what your provider claims.

 

Bad browser plugins can also cause this problem. I've seen it at least 30 times, and it's not even due to an exploit. The plugin simply doesn't want to go through your proxy and will try to connect out directly.

A good outbound firewall will probably block all of it. Only allow your browser/application to access the internet through the proxy. And otherwise, use a default deny policy with the firewall. This makes any protocol you use much safer.

 

I have a quick question about VPNs. My understanding is that they route all traffic from your computer. With the ones I've tried, you simply start them up and all traffic is automatically routed. When you close them, traffic then goes through normally without the VPN.

This doesn't seem very secure to me because if the program were to close for some reason without your knowledge, all traffic would automatically go normally through your ISP. I remember JAP used to have this problem. Once you turned off the proxy service, there would be no indication that it was off. They've since corrected that problem.

I have very little experience with VPNs. I've always used application-level proxies, such as Tor. So, what do the good VPNs do differently?

 

Applications do not change your routing, they simply have an escape hatch port that traffic can travel out of to be transported to another network (such as Tor). VPNs change your routing tables, and push all your traffic through the new routes, essentially making your machine part of another network entirely.

JAP still has this "problem". We spoke with the JonDoNym folks about this and will likely be making our VM browser available for their network, allowing them to perform full VPN to the JAP network, just as we have done with the Tor network.

 

I understand this. But how can you be certain that if something shuts off the program that your traffic is not compromised?

Let me give you an example. Let's say the VPN I'm using is VPN-X. I turn on the program and all my traffic is now protected. I turn off the program and all my traffic goes through my ISP unencrypted/unproxied. Now let's say this program turns off due to some error, and I have no idea it's off. That's a problem, but that's how all of these cheap VPNs I've tried work. I need to know that if the program is shut off due to some error (and without my knowledge) that all my traffic won't go through my ISP unencrypted.

 

Depends on how the routing is being managed. It sounds like you want "dead to the world" routing, which is all-or-nothing. The most solid way to implement this is through external hardware such as the XeroBank CryptoRouter XJR, which is a hardware minirouter. All traffic leaving your machine is routed though our network using this hardware, so it makes you leakproof. Another method is making it where the VPN is the only route your system knows, and can be done in mac linux or windows.

Windows directions for leak-proofing your VPN

Linux direction for leak-proofing your VPN

 

The VPN I use, vpnuk.info, has an application that automatically configures the vpn for you and installs a connection assistant utility that you click on to launch the VPN, you can also configure it to startup when you turn on the computer. When you connect to the VPN using this utility, if the connection drops you will have no more internet connection. Of course this is ideal because having a VPN that isn't connected when you think it is can be worse than having no vpn at all. That utility is used to launch and choose between PPTP or L2TP VPN connections via a simple popup menu. I haven't done the Open VPN setup yet, so I'm not sure how it works with Open VPN.

When I use SSH, I set up firefox to use that only (you also need to set up remote dns lookups) then if the SSH Tunnel gets dropped, or you launch firefox and forget to open the tunnel first, you can't go on the net.

I used to use JAP when it did this dropped connection without notifying thing, so I switched to TOR. But I quit using TOR a long time ago because it's usually slow and I've heard too much about hackers, governments, etc setting up servers to watch what's going through their servers. Also JAP is supposed to have a backdoor.

I still use TOR when I need an IP from country X, then I setup the config file to just use servers from that country. That's very useful.

 

Is this a security feature?

 

Tor is a cesspool. That's why it's so great for anonymity. Even if someone had a malicious exit node, it does them no good unless:

1) You're sending personally identifying information.

OR

2) They also control the first node.

Assuming you don't do 1), who really cares about 2) ? Tor is more than good enough, even for the paranoid. It would be a huge undertaking to de-anonymize someone on it. And even then, it only gives them an IP, which isn't proof of who originated the traffic, just where.

Just don't check your e-mail on it, unless it's an anonymous account.

 

Yeah, Tor= Good for anonymity, bad for just about everything else.

 

Just as much as my power supply and USB ports are. If you take a look around here, you'll see a lot of people listing their computer specs in their signature line.

If others can list their 128 core hyper-extreme platinum 10GHz processors, then I should be able to list my Pentium 3 (extreme edition) and CRT monitor.

 

This needs to be corrected. Tor is a cesspool, it is not safe. Exit nodes can bypass your tor circuit through injecting malicious code and cause your machine to leak your real IP address or drop your tor connection or reroute all your traffic into a new network where they are the entry/middle/exit, effectively bypassing your anonymity and encryption. This is an unpopular truth. These symptoms are indicative of two problems: 1) tor applications use tunnel technology instead of vpn technology (xB Browser VM solved this problem) and 2) problem with the design of complete p2p anonymity: if anyone can participate, then they can *always* game the network (this is the fatal flaw of tor).

 

First of all, perhaps it could be done on some unsecured machines, but not if you take precautions. The same things you learn on this site about preventing browser exploits will also prevent this from happening.

Second, if an exit node can do this, couldn't the website being visited also do this? I used your de-anonymizer with Tor, and it wasn't even close to unmasking my real IP. I have layered security. Even when I stripped the layers one by one, de-anonymizer didn't do squat. By all means, inject as much code as you want. But if you can't do it on your site, you won't convince me that someone else can do it.

The exit node, by definition, does not know who is originating the traffic. The only way this could be done is by some fatal flaw in Tor or by the user running an unsecured machine, where malicious code could be used. Since the latter isn't going to affect me, you must be talking about the former.

If you mean a fatal flaw in Tor, then prove it.

If you're talking about malicious code, why don't you use some of that code on de-anonymizer? Or better yet, why don't you acquire an exit node and prove it in that way? Either way, if you can't prove it on my machine, I'm not taking your word for it.

 

It was proven at defcon, 2007. Tens of thousands of machines were compromised in a 24 hour period and put onto a private network with compromised directory nodes and all. This was done using a single malicious exit node via the control port exploit that was used to prove the concept. All it takes is one hole and an evil exit node and the network gets compromised.

 

Kudos to Kyle for that. But it was corrected, and we can't live in the past. We can't condemn Tor for a flaw from 2 years ago or for some people running it in a way that makes them vulnerable to malicious code. You won't help the latter no matter what you tell them. They need to learn the hard way. I do agree with you that Tor is a cesspool, but that's as far as I'll go.

If you can compromise Tor again, I'll definitely be on your side though.

I look forward to trying out your new browser.

 

That was just one flaw. It affected not just a few tor clients, it affect ALL of them ever produced up to that point. You want to see another magic trick and then you'll believe?

 

Two large systemic flaws would mean there might be some systemic problems with the development of Tor. One major flaw can happen to anyone.

Unlike you, I don't believe that every non-VPN system is necessarily flawed. A VPN is clearly easier for the average user, but Tor can be configured properly if the user bothers to learn how. So, I don't think you can compromise my system absent any systemic flaws in Tor itself. Prove me wrong.

Interestingly, you're also releasing browsers that will make Tor safer as well. You're making the job harder for yourself.

 

I think I know just the thing.

 

I just took a look at this. It looked good for a while because they stated unlimited bandwidth. But if you look at the FAQ, you only get 3Mbps (with unlimited usage) and no P2P allowed. I have to wonder if the P2P policy is due to illegal file sharing or because of the huge bandwidth requirements.

What kind of speeds do you get? Have you tried P2P? How about usenet?

Thanks

 

Heh.

I guess they have to write that so they can cut you off if your usage is excessive or if somebody subpoenas them to get private information. Then they can say you misused the service. I use P2P and I get up to 120kbs or more download speeds on utorrent on my 4Mbit DSL line. In other words, the download with or without the vPN is vitually identical. When I'm travelling and I use the VPN via my mobile connection the VPN actually INCREASES my bandwidth for web access. I went to a speed check website to verify it and it is almost double with the VPN vs without. Maybe because my mobile provider throttles back bandwidth on certain protocols? I don't know.

re: Usenet. I never use it

For $12 or so, you just try it, if it doesn't work you move on.