CyberGhost VPN starts logging Hardware ID

Discussion in 'privacy technology' started by liba, Aug 21, 2016.

  1. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    76
    Last edited: Aug 21, 2016
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    I've also read on /r/VPN that they install a root CA, which allows them to decrypt HTTPS.

    Maybe I ought to look at a bunch of VPNs for that behavior.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    @liba - Was this stock OpenVPN, or their custom client?

    Also, how do we block that stuff?
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Are those images that could be uploaded here? What is ddlw.org? Smells like a Russian image sharing site on a host in France.
     
  5. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    76
    I tested the Windows client only.

    I am trying to block
     
  6. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    76
    German image sharing site on a host in France :)
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591

    OP,

    Are you in a position to set up a bridge from a Linux host? You could then connect CyberGhost via bridge from a VM? Masking hardware specs via a false report of virtual hardware, which changes daily, might be a great countermeasure. This is what I do for a host of security reasons. My physical hardware never sees workspace, or does it? LOL!
     
  8. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    76
    Which Linux distribution? Any advice?
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    It's difficult to recommend because I don't know where you are on Linux. I have not read about whether or not CyberGhost has a Linux client. Most VPN providers are not too good with offering a ready-made Linux client to connect with. Are you comfortable with configuring the certificates and stuff if you have to do it manually (no client offered)?

    Before we even go there, are you somewhat familiar with using Virtual Machines as an OS? The concept I am presenting is that while you are operating in a virtual machine it is the VM OS presenting the workspace (browser activity) to the internet. Therefore any hardware details (hacked/observed) are those of the virtual machine if configured correctly, and not your true physical machine/motherboard.

    As a general answer I prefer Debian because it's stable and rarely needs updates. Note: for use as a connection bridge you are not going to be using workspace on that VM, or at least I wouldn't. I would chain to a subsequent VM and all workspace happens there, leaving the bridge VM clean and safe. My .02.

    You could reference mirimir's guides as a starting point.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    If you want to stay with CyberGhost, for whatever reason, you could just use the stock OpenVPN client. I doubt that this behavior would be possible without a custom client. Or better, use your VPN in a Linux VM. Or use pfSense VMs as VPN gateways. See https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-1

    Perhaps related, I did notice that CyberGhost's Windows and OSX clients both hit CloudFlare sites, whether the VPN was connected or not. I saw these two IPs: 162.159.240.233, 198.41.249.232.

    And you don't need to bold so much ;)
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    That would be Greek too ;) Anyway, I did safely grab the images. A Fiddler even, nice. When are requests like that sent? Is the VPN usable if you block the HTTPS requests to rest.cyberghostvpn.net or assign it 127.0.0.1 (or 0.0.0.0) via hosts file?

    In addition to the IDs themselves, the distinct_id name jumps out. That is a property that MixPanel uses and I notice the CyberGhost privacy policy mentions using MixPanel. Based on limited reading I thought that when you use MixPanel you expose data to their API and server. IOW, I wonder if those IDs are also sent to MixPanel via subsequent requests and/or behind the scenes CyberGhost server traffic.
     
    Last edited: Aug 22, 2016
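
Added example, not part of any post in this thread: one way to check a capture of your own client's traffic for the identifier fields discussed above. It assumes the intercepting proxy session was exported as HAR and loaded as a dict; the host and `distinct_id` come from the thread, while the other key names, the path and the sample values are constructed placeholders.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Host and "distinct_id" are named in the thread; the other key names are
# assumptions about what an identifier field might be called.
WATCHED_HOSTS = {"rest.cyberghostvpn.net"}
ID_KEYS = {"distinct_id", "hardware_id", "device_id", "machine_id"}

def flatten(obj, key=""):
    """Return (key, value) pairs for every scalar in nested JSON."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items() for p in flatten(v, k)]
    if isinstance(obj, list):
        return [p for v in obj for p in flatten(v, key)]
    return [(key, str(obj))]

def find_identifiers(har):
    """List (host, path, key, value) for identifier fields sent to watched hosts."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        if url.hostname not in WATCHED_HOSTS:
            continue
        pairs = parse_qsl(url.query)
        post = req.get("postData") or {}
        mime, text = post.get("mimeType", ""), post.get("text", "")
        if "json" in mime:
            try:
                pairs += flatten(json.loads(text))
            except ValueError:
                pass  # body was not valid JSON; keep query-string pairs only
        elif "x-www-form-urlencoded" in mime:
            pairs += parse_qsl(text)
        findings += [(url.hostname, url.path, k, v)
                     for k, v in pairs if k.lower() in ID_KEYS]
    return findings

# Constructed sample capture: paths and values are placeholders, not real traffic.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST",
                 "url": "https://rest.cyberghostvpn.net/placeholder/path",
                 "postData": {"mimeType": "application/json",
                              "text": '{"event": "start", "properties": '
                                      '{"distinct_id": "CONSTRUCTED-0001"}}'}}},
    {"request": {"method": "GET",
                 "url": "https://example.org/?distinct_id=ignored-other-host"}},
]}}

if __name__ == "__main__":
    for hit in find_identifiers(SAMPLE_HAR):
        print(hit)
```

Adding further hostnames to `WATCHED_HOSTS` extends the same check to any third-party analytics endpoint seen in the capture.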
  12. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    https://www.robtex.net/?dns=account.cyberghostvpn.com.cdn.cloudflare.net
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    That would be my guess. It appears there is a number-of-simultaneous-devices limit which depends on the plan. Which may also factor into the phone home you mentioned and/or the phone home OP mentioned.

    However, it might be best to MITM/study rather than guess ;)
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    But damn, doing stuff like that to check on device limits seems rather over the top, no? And bad PR!
    True :)
     
  16. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    Agreed, but that's only when you stick with their client software. Like most VPNs you could just use the original OpenVPN with their service plan...

    Props to the person who originally investigated this and found the entries though
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    @liba - Was this free or paid CyberGhost?
     
  19. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    76
    I don't use CyberGhost VPN, only testing for fun (free version).

    My VPN provider is Cryptostorm VPN.
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    OK, cool :)

    I'm thinking about surveying custom VPN clients for this behavior. But my Windows skills are limited and rusty. Maybe you could post a how-to for the testing that you did. That would be great :)
     
  21. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    That would eliminate some concerns. However, I bet there are VPN users who do not think about other aspects such as:
    1. Exploring the VPN provider's website
    2. Creating/accessing their account at that website
    3. Interacting with the VPN provider's payment processor
    4. Downloading/using the OpenVPN config file provided by the VPN provider
    Which, regardless of VPN provider, *might* expose the user to advertising/analytics/other tracking that reduces the privacy the user may be hoping to achieve through a VPN. I'm reminded of https://medium.com/@yegor/hypocrisy-plaguing-major-vpn-providers-b4613b82f795 dated Oct 29, 2015. I don't think we want a VPN provider and its software and/or websites to be a source of cookie/other identifiers that could be used to track us while we browse websites via its VPN.

    So I think VPN users, regardless of provider, should still research and closely monitor all other applicable aspects that might create an exposure. Not only as a defense step against specific issues, but also because it would shed light on how serious the VPN provider is about privacy in general.
     
    Last edited: Aug 23, 2016
  22. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I don't twit, twet, twat, whatever it is called. However, I'm curious if anyone took advantage of their "If questions please tell us" response and twooted back(?).

    Since "anonymous", "personal", "not personally identifiable", and various "we don't X (but there is no way for you to verify that)" qualifiers leave too much wiggle room, it might be good if a twutter started with what is sent and to which parties.

    FWIW, someone mentioned there were a few comments on Facebook (which I didn't even try to look at).
     
    Last edited: Aug 24, 2016
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
  24. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I think ad blocking, tracker blocking, malicious website blocking, anti-browser-fingerprinting, and image/data compression type features might be a problem. Depending on how/where they are implemented. Some things can be done without MITMing, other things would require it.

    In general, I think a local MITM which keeps protected information local would be acceptable to many users. If they are properly informed/asked (often not the case) and if the MITMing is done in a secure fashion (often not the case). On the other hand, I think an implementation that sends or otherwise exposes protected information to a remote server and third-party (including VPN provider) would or at least should be unacceptable to many users.

    I don't know how CyberGhost has implemented things. I would certainly want to know before exposing my traffic to such features.
     
  25. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    @TheWindBringeth - agree that the statements made in the negative, how "we don't do xyz" are pretty useless, and remind me of Clapper. You just choose your xyz and nominally, you're in the clear.

    The responsible thing to do if you care about the users is to state what you do do, and then say that's ALL we do. Chance would be a fine thing. It would also be nice to have punitive measures on paid-for accounts which recompensed you if they failed to meet what they stated. I can dream.
     