VPNs are so insecure...

Discussion in 'privacy technology' started by joedoe, Jun 30, 2015.

  1. joedoe

    joedoe Registered Member

    Nov 24, 2012
    Brit boffins' test of 14 prominent privacy tunnels finds leaks galore thanks to IPv6 mess

    A team of five researchers from universities in London and Rome have identified that 14 of the top commercial virtual private servers in the world leak IP data.

    Vasile C. Perta, Marco V. Barbera, and Alessandro Mei of Sapienza University of Rome, together with Gareth Tyson, and Hamed Haddadi of the Queen Mary University of London say vendor promises of user privacy and security are often lies that put users at risk.

    "Despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage," the authors wrote in the paper A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients.


    They found the most common VPN tunnelling technologies relied on outdated technologies like PPTP with MS-CHAPv2 which could be trivially broken with brute-force attacks.

    The "vast majority" of commercial VPNs suffer from data leakage in dual stack IPv4 and IPv6 networks in a way the exposes "significant amounts" of traffic to public detection in contradiction to vendor claims.

    "Most importantly we find that the small amount of IPv6 traffic leaking outside of the VPN tunnel has the potential to actually expose the whole user browsing history even on IPv4 only websites," they wrote in the paper.

    All of the DNS configurations used by the providers could be overcome by DNS hijacking attackers.

    Recommended countermeasures included altering IPv6 routing tables to capture all traffic, and ensuring the DNS server can only be accessed through the tunnel.

    Last edited by a moderator: Jun 30, 2015
  2. krustytheclown2

    krustytheclown2 Registered Member

    Nov 18, 2014
    This is, quite frankly, stupid. My ISP doesn't even support IPv6 together with 90% or so of the ISP's around the world, so it can't possibly leak. Even so, it's quite easy to block IPv6 in Linux.

    PPTP is far from ideal, but properly configured it isn't exactly trivial to brute force. The script kiddie setting next to you in Starbucks won't be anywhere near having that capability. And pretty much every decent provider offers OpenVPN as well.
    Last edited: Jun 30, 2015
  3. mirimir

    mirimir Registered Member

    Oct 1, 2011
    Yes! But IPv6 will eventually become essential. And while it can probably be configured for privacy, that will be another gotcha :(