Does Flash leak your IP with a VPN?

I am trying to mask my IP address from Google and the like. Not for nefarious purposes but just because I don't want Google or anyone else to track me for any reason.

I know a VPN will mask my IP but some research online has led me to believe that certain apps like Flash (youtube) can unmask your real IP. Can anyone confirm or deny this? Are there any other web technologies that can do this?

Does a good VPN mask DNS also, or can this be circumvented by some web scripts?

Thanks.

 

Any plugin always has the risk of unmasking you. It's why TOR tells people to use the default browser bundle, kill Javascript and not to add any additional plugins or addons that aren't already there. Flash can easily do this, which makes using such services for every day surfing rather pointless unless you have really low and specific web usage.

 

Thanks for your reply.

I do wish to view flash videos, and I have noticed that many websites do not function properly when you disable the scripts, making it difficult to browse the web.

Some people are concerned about the NSA's "spying" on citizens, but Google is doing far more and worse. In fact the NSA routinely asks Google for private info. They should change their motto from "Don't be Evil" to "All your information are belong to us"

Is there any way to mask your ip from websites without disabling these plugins?

Any alternatives or additions to a VPN to mask IP?

 

I wouldn't even come near to agreeing that Google data collection is worse than what the NSA has been doing, but let's not even get into that since there are more than enough threads covering that topic.

As to your question, not that I'm aware of. Plugins will always be an available door into your real identity. Contrary to popular belief, there is very little a "normal" company (normal being not the NSA/government) can get and do with your IP address. Tracking is generally done through cookies and such. If truly hiding your identity is what you want, then you're going to have to compromise and refrain from a lot of things like Youtube. If you just don't want some ad company or even Google tagging along behind you like a clingy child, then you don't need to be looking at hiding your IP, but rather blocking trackers and ads through such tools as ABP/DNTMe

 

Yes, there is. You can try to use a virtual machine and allow it to connect only through VPN. That way, there is no possibility for any plugin to connect to the internet using a way other than the VPN.

 

Also, you want the VPN client and the workspace separated, so malware can't trash your VPN connection. And you want the machine running the VPN client firewalled so there's no connectivity if the VPN connection dies.

You can use a Linux VM as your workstation, and either run the VPN client on the host, or in a pfSense router/firewall VM.

 

Thanks again for the response.

I don't know why I threw the NSA/Google rant in there but, I'd rather not have either organization collecting my information/habits.

I have tried TOR with no plugins and ABP/NoScript - just too slow, as well as a direct connection through my ISP and with those blocking plugins - found it to break too many sites to be usable (to me) for regular browsing.

A couple of question regarding your statement: "Contrary to popular belief, there is very little a "normal" company can get and do with your IP address."

I'm wondering, do you mean that since only the ISP knows who used what IP and when, that a regular company wouldn't reliably be able to use an ip to tie to a specific person/ISP account? Do or have ISP's given out that kind of information to "partners", who could be anyone including Google?

Every so often I will change my MAC address on my router and then cycle the modem to receive a new IP address. Is this a good way of keeping information from being collected? Or does google and their analytics not bother tying IP's to people for reasons of unreliability?

 

Nebulus: So If I set up a VM on my own PC and then install the VPN software/service on that instance of VM - browsing through that, even using Flash - that they cannot see my real IP?

 

Sorry, I have been replying too slowly and you guys have been replying so fast I didn't get a chance to read the responses.

Thank you guys for explaining this VM-VPN method. So plugins cannot see though this?

 

Not sure I agree that using a VM is going to make any difference, but okay. Anyway, a regular company, and really anyone but the government and really determined hackers can't get anything out of your IP except for generalized location. Obviously it's much easier if you have an account with said company and don't use VPNs and such, but otherwise, an IP address really means little. The reason it's no issue for government is because they have a hell of a lot more tools, databases and authority than companies do.

ISPs are able to see most anything and collect and store data regarding your internet usage, emails using their services and so on. They all do their own share of 3rd party data selling, but so does every company. They also have to store your data for a set period of time if you're a U.S citizen. This means logs, your new and past IP addresses and so on. So yes, say police found your IP address doing something naughty and showed up at your ISP. They give the ISP the offending IP address, the ISP checks the logs and, even if it was 3 months ago and you have a new IP, sees that old IP was yours and turns that information over.

Google uses your IP to give you location based services and data, which is why if you type in, say, Pizza Hut into Google search, you'll see your local Pizza Hut information and a map of its location next to the results. It doesn't mean they know who you are or precisely where you live, again, it's just generalized location data.

 

I totally understand if authorities subpoena your ISP there is no hiding. I'm not looking for that. Just a way to keep Google from collecting data on me.

Google may only be using your info for location based advertising now, but I see no reason why they wouldn't collect personally identifying info if they could for the future. It seems like it would be only in their best financial interests to do so - nothing beats marketing catered to the individual.

If ISP's do data selling - besides your usage numbers, would a VPN block them from seeing what sites you visit?

 

By using a workspace VM, with VPN client and network stack on the host or in another VM such as pfSense, exploits can't (unless they break out from the workspace VM) mess with your network stack. And so there's much less risk that anything in the VM can access the Internet directly.

If you're using a VPN protected by routing and firewall rules, your ISP will never see anything from the VM except encrypted traffic to and from the VPN server.

Using your hypothetical, police would first need to get logs from the VPN provider, and then go to the ISP. If the VPN provider really doesn't keep logs, and/or operates from a not-so-cooperative country, the police won't know what IP address to ask about, or even which ISP to ask.

 

Thanks to ts for this question, was about to post it up also.

I have always wondered if you are using a VPN, then how would java or flash or anything else get hold of your real IP address? Surely it would just find your VPN IP or Exit VPN IP ?

 

As long as the VPN is connected and not leaking, remote content servers accessed by Flash etc will only see the VPN exit IP.

However, if you download a file, and open it later when the VPN isn't connected, remote content servers would see your ISP-assigned IP. If the file is tagged, that would associate your VPN exit and ISP-assigned IPs.

 

Hi Mirmir. I have suspected something like this before. Can you describe this tagging? Is this some kind of hidden file that connects to the internet all on it's own without requiring any execution or permission?

 

I can't recall any specific example, but I can imagine how it might easily be done using standard exploit and malware dropping methods.

The key point is never opening or running anything that you download via Tor or a VPN, except with the same Internet connectivity, or none at all.

Even worse is malware that doesn't require opening or running. That's why I keep pushing separation of networking and apps.

 

So I guess the trick is to prevent DNS leaks from your VPN provider ?

And if anything stay always connected to your VPN provider....

Surely files like a downloaded pdf or downloading a exe like winzip would not communicate and only a malware ?

 

By default, Adobe Reader will download remote content from sites that Windows trusts. So no, it's not just malware

 

thanks, there I was thinking some guys are a bit excessive running adobe in a sandbox !

Still it feels like some things are pretty excessive I mean would adobe or winzip have that much power to report your data or websites visited and upload it to there servers ?

 

It's not that they report your browsing or upload stuff. They mostly just download images. But let's say that you downloaded some pdf that's just been put online, and then start reading it after shutting down your VPN. If it downloads some image, and only ten other people had downloaded that pdf, the operator might know that your ISP-assigned IP address was using one of those ten IP addresses.

 

I looked up pfSense and it says that it's firewall software, but you refer to it as another VM - can you please explain?

Trying to understand your stated setup:

Set up a VM and VPN and pfSense (firewall?) on the host. Then also install the VPN on that VM instance (workspace?) and browse through that?

If someone is sure that plugins like java/flash can see your real IP through a VPN - as a challenge to anyone with a webserver and coding skill: how about setting up a webpage that uses one of the common plugins to show the real IP when connecting to it through a VPN? I have never been able to find something like that onine.

 

pfSense is a FreeBSD distro specialized as a router/firewall. You can install it on hardware, or run it as a VM. It includes openvpn, and can run as either an openvpn client, or as a server.

It's really very simple.

There's a pfSense VM connected to some VPN service through its WAN adapter. It routes the VPN tunnel to its LAN adapter, and then to a VirtualBox internal network. There's a workstation VM connected to the same internal network. It sees the pfSense VM as its DHCP server, and sees the Internet through the VPN tunnel. If the pfSense VM or its VPN client hangs or dies, or you forget to start it, the workstation VM can't see the Internet at all.

I didn't say that they can see your real IP through a VPN. I said that they could see it after shutting down the VPN, and that an observer could correlate your real IP with your VPN-exit IP.

 

Thanks for the explanation I think I understand: Host machine running VirtualBox with pfSense+VPN loaded on one instance and another OS loaded on second instance (workstation). The workstation VM uses pfSense to route/firewall it's traffic through an internal network created by VirtualBox?

I wasn't referreing to anything you said. I understood what your were saying in your previous posts regarding some applications and their automatic connections and correlating IP's after VPN shutdown.

I just was interested to see if someone claiming a plugin can see your real IP through a VPN (just direct to VPN service), might have the expertise to try a webpage showing that and maybe post a link so we could try as well. I have yet to see anything like this - would be interesting.

Thanks for your help.

 

Yes. ... and from that internal network through the VPN.

The best that I know is -http://ip-check.info/?lang=en, but it doesn't compromise VPNs. I suspect that VPN decloaking would require exploits that permitted routing changes. But even those would fail with networking and workspace in separate VMs.

 

Great! Thanks for the confirmation.

I tried that site but could not find it getting around the VPN IP, as you state it doesn't try to compromise VPN.

I have been searching for all this information on VPN's and best setup for a while now. Glad to finally get some help here. Thanks.