VPN Security flaw found.

Discussion in 'privacy technology' started by JDawg, Nov 27, 2015.

  1. JDawg

    JDawg Registered Member

    Joined:
    Aug 25, 2015
    Posts:
    17
  2. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
  3. Rafales

    Rafales Registered Member

    Joined:
    Feb 20, 2013
    Posts:
    49
    Location:
    Earth
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
  5. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    @Minimalist
    according to that article, you can check that for yourself easily.
    if both entry ip and exit ip are on the same server/ip address and port forwardings are on the same ip address as entry ip, then your provider is affected.
    afaik, most if not all providers on wilders users' top providers list provide different entry and exit ip addresses.
    maybe @mirimir can chime in...:) ( :p no offense @JDawg )
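The self-check imdb describes above, as an added example that is not part of the original thread: it reads the entry addresses from an OpenVPN client config and compares them with the exit and port-forwarding addresses you observed yourself while connected. The sample config, the addresses, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample OpenVPN client config; addresses are documentation ranges.
SAMPLE_OVPN = """\
client
dev tun
# primary and fallback gateways
remote 198.51.100.10 1194 udp
remote 198.51.100.11 1194 udp
;remote 198.51.100.99 1194
remote vpn.example.net 443 tcp
"""

def entry_addresses(ovpn_text):
    """Collect `remote` targets: (set of literal IPs, list of hostnames)."""
    ips, hostnames = set(), []
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blank and commented-out lines
            continue
        parts = line.split()
        if parts[0] == "remote" and len(parts) >= 2:
            try:
                ips.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                hostnames.append(parts[1])   # resolve these before trusting a "no"
    return ips, hostnames

def check_provider(ovpn_text, exit_ip, forward_ip):
    """Apply the thread's test to addresses observed while connected.

    exit_ip    -- public address an IP-check page shows over the tunnel
    forward_ip -- address on which the provider exposes your forwarded port
    """
    entries, hostnames = entry_addresses(ovpn_text)
    exit_addr = ipaddress.ip_address(exit_ip)
    fwd_addr = ipaddress.ip_address(forward_ip)
    return {
        "entry_equals_exit": exit_addr in entries,
        "forward_on_entry": fwd_addr in entries,
        # Affected only when entry, exit and forwarding share one address.
        "affected": exit_addr == fwd_addr and exit_addr in entries,
        "unresolved_hostnames": hostnames,
    }

if __name__ == "__main__":
    print(check_provider(SAMPLE_OVPN, "198.51.100.10", "198.51.100.10"))
    print(check_provider(SAMPLE_OVPN, "203.0.113.7", "198.51.100.10"))
```

A result of "affected": False is only conclusive once every name in unresolved_hostnames has been resolved and checked as well.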
     
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    A real VPN shouldn't facilitate port forwarding features under any circumstance, just my opinion.
     
  7. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    @marzametal
    so you say mullvad, ivpn, airvpn and such ain't "real vpn".
    if not those, then what?
     
  8. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    701
    Location:
    North of the 38th parallel.
    PrivateInternetAccess.com (PIA) subscribers are receiving this email from PIA regarding the "IP Address Leak Vulnerability":

     
  9. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    Sorry for delay in response; haven't been at the PC for a couple of days.

    It all comes down to your definition of what a VPN is...

    I don't see why a VPN should provide anything else apart from an encrypted, private and anonymous virtual network via token authentication (not going to get into the nitty gritty; there are others on here who drink this stuff up like koolay). The rest, for me, is classed as feature-ware. Save that for the people who pay websites to boost their company's top 10 rating. If the VPN really is serious about its network security, it won't be providing port forwarding or split tunnelling, etc. On the flip side, disabling IPv6, WebRTC, randomising IP after connection and providing DNS leak protection all falls under the security banner, so I don't mind seeing that stuff.

    If the client wants it, they figure out how to do it themselves.

    P.S.: I am not saying don't go for one that does... the point I am trying to make is, the role of the VPN is bigger than the feature/s that clients drool over. No one is wrong, it's just my opinion...
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    The Firefox fix works.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Hey, so I've been in the wilderness ;)

    Yes, I think that this is a new vulnerability. For me anyway, as I recall. There are VPNs without port forwarding, but mainstream providers have to offer it for torrenting, I2P, etc. I'm pretty sure that port forwarding isn't available for multi-hop routes. Also, when you're nesting VPNs, this would only hose the innermost one. I presume that all reputable providers have fixed this as PIA described.
     
  12. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    @mirimir
    hey there, mirimir. hope you're doing alright. you haven't been around for a while.
    anyways, who are those providers without pf?
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Hey, I'm fine. I was just out of touch. Anyway, I don't believe that Insorg offers port forwarding. As I recall, iVPN didn't at first. Anyway, you'll just need to look. VPN services proclaim it as a feature, so it should be pretty obvious.
     
  14. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    I have my WebRTC disabled. If someone really wants to track you bad enough, couldn't they just do it through Java or other scripts?
     
  15. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,982
    Location:
    Brasil
    How about autistici's VPN? And riseup's black?
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I'm guessing that they don't allow port forwarding. If they do, it'll be obvious from their websites.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    That's why we compartmentalize across multiple VMs, each with its own Internet connectivity (VPNs, Tor, etc).
     
  18. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,982
    Location:
    Brasil
    And would you trust and install Bitmask?
     
  19. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    Okay thanks. I still have some learning to do about VMs and how to fully utilize them in that manner. I use a sandbox for questionable programs and/or files at this point but that's about it virtually.

    Why should you hide Tor from your ISP?

    I always use a VPN so in the rare instances that I use Tor I am hidden, but don't know why that is recommended. Because I connect to my VPN before Tor, is all my Tor traffic now totally visible to my VPN provider?
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I don't know it. Do you trust it?
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    It's basically pretending to be a different person for a particular project, or an area of interest. Mirimir is my privacy persona. And so on ...
    VPN use is pretty common now. Tor is more unusual.
    Your VPN provider sees the same stuff that your ISP would see without the VPN. See https://www.wilderssecurity.com/thr...-but-are-users-anonymous.382102/#post-2547411
     
  22. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,982
    Location:
    Brasil
    I don't trust people :p But like many other security tools, it's Open Source, and riseup recommends it. I'm hesitating on using it.

    https://help.riseup.net/en/vpn
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Ah, thanks :)

    So it seems to be a "security wrapper" for OpenVPN.
    I'll look into it.
     
  24. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,982
    Location:
    Brasil
    Thanks. Let me know of your findings!
     
  25. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    Oh okay, so my VPN provider can't see my Tor traffic? For some reason I was under the impression that if you connect to the VPN before Tor, the VPN can see everything you do on Tor.

    Can you recommend a good VM that would be simple for a novice user? Here are the 5 I'm considering http://lifehacker.com/5714966/five-best-virtual-machine-applications
     