SoylentNews is people

posted by CoolHand on Tuesday June 30 2015, @09:32PM
from the oops-didn't-think-about-that-one dept.

Virtual Private Networks (VPNs) are legal and increasingly popular for individuals wanting to circumvent censorship, avoid mass surveillance or access geographically limited services like Netflix and BBC iPlayer. Used by around 20 per cent of European internet users, they encrypt users' internet communications, making it more difficult for people to monitor their activities.

The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leaked information ranged from the websites a user is accessing to the actual content of user communications, for example comments being posted on forums. Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked.

The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. IPv6 replaces the previous IPv4, but many VPNs only protect users' IPv4 traffic. The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a WiFi access point which was designed to mimic the attacks hackers might use.

http://phys.org/news/2015-06-internet-anonymity-software-leaks-users.html

[More Info]: GWI Infographic: VPN Users

The paper 'A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients' by V. Perta, M. Barbera, G. Tyson, H. Haddadi, A. Mei will be presented at the Privacy Enhancing Technologies Symposium on Tuesday 30 June 2015.

See also our story here.
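
The leak described in the summary is a routing question: if the VPN client only installs IPv4 routes, Internet-bound IPv6 packets still follow the Wi-Fi interface's default route. The Python check below is an added example, not taken from the article or the paper; the interface names `tun0` and `wlan0`, the route listings and the probe addresses are constructed for illustration.

```python
import ipaddress

# Constructed `ip -4 route` / `ip -6 route` output for a dual-stack Wi-Fi
# client whose VPN (tun0, a hypothetical name) installed IPv4 routes only.
SAMPLE_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
SAMPLE_V6 = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""
# Documentation-range addresses standing in for "some host on the Internet".
PROBES = {4: "198.51.100.7", 6: "2001:db8:ffff::1"}
DROP_TYPES = {"unreachable", "blackhole", "prohibit"}

def parse_routes(text, family):
    """Return [(network, metric, device)]; device is None for drop routes."""
    routes = []
    for f in (l.split() for l in text.splitlines() if l.strip()):
        dropped = f[0] in DROP_TYPES
        dest = f[1] if dropped else f[0]
        if dest == "default":
            dest = "0.0.0.0/0" if family == 4 else "::/0"
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        dev = None if dropped or "dev" not in f else f[f.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), metric, dev))
    return routes

def egress(routes, probe):
    """Device chosen by longest-prefix match (lowest metric on ties).
    None means no route or a drop route: the packet never leaves."""
    addr = ipaddress.ip_address(probe)
    hits = [r for r in routes if addr in r[0]]
    best = max(hits, key=lambda r: (r[0].prefixlen, -r[1]), default=None)
    return best[2] if best else None

def leaking_families(v4_text, v6_text, tunnel="tun0"):
    """Families whose Internet-bound traffic leaves outside the tunnel."""
    leaks = []
    for family, text in ((4, v4_text), (6, v6_text)):
        dev = egress(parse_routes(text, family), PROBES[family])
        if dev not in (None, tunnel):
            leaks.append((family, dev))
    return leaks
```

On the sample tables IPv4 is covered by the two `/1` tunnel routes while IPv6 leaves via `wlan0`; adding an IPv6 route through the tunnel, an unreachable default with a lower metric, or removing IPv6 routes altogether clears the finding.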


  • (Score: 4, Informative) by kaszz on Tuesday June 30 2015, @10:16PM

    by kaszz (4211) on Tuesday June 30 2015, @10:16PM (#203536) Journal

    The leak problem is on the client side. And the cure is simple: Disable IPv6 completely on your local system while using the VPN service that only handles IPv4. And watch out for what DNS requests leave your network. Another solution is to make sure your local IPv6 traffic and DNS requests go to the VPN and perhaps using a virtual machine to begin with. Make sure IPv6 addresses are constantly randomized and don't use any local Ethernet MAC address as part of the IPv6 address. Test that your VPN also actually does support IPv6 and anonymizes it properly.

    The table on page 3 says TorGuard, PrivateInternetAccess, VyprVPN and Mullvad are proof against IPv6 leakage. Astrill is proof against OpenVPN and PPTP/L2TP DNS hijacking.

    Microsoft addicts may want to pay attention to that disabling IPv6 is an unsupported [microsoft.com] configuration that can make the support contract and license keys be gone. John W. Thompson, a chairman of the board of Microsoft, has even talked about taking legal action against businesses that disable IPv6.

  • (Score: 0) by Anonymous Coward on Tuesday June 30 2015, @11:14PM

    by Anonymous Coward on Tuesday June 30 2015, @11:14PM (#203558)

    Perhaps we just need a standard method for blocking or null-routing IPv6 on Windows. Got Windows? Use a VPN? Run this script named blockIPv6.bat. Done.

    Microsoft can do whatever they like but once the PC is in your hands you decide what it does for you. Love to see them try to knuckle users who disable IPv6. Revoke licence or support over disabling a system service? This is as bad as requiring a new OS licence when the motherboard and hard drive go at the same time.

    Ask yourself why Windows 10 is free.

    • (Score: 2) by Runaway1956 on Tuesday June 30 2015, @11:35PM

      by Runaway1956 (2926) Subscriber Badge on Tuesday June 30 2015, @11:35PM (#203567) Journal

      "Love to see them try to knuckle users who disable IPv6."

      Well - it would work for a while. Most people who get cease and desist letters, or other threatening correspondence, look for the Easy Way Out® rather than addressing the issue. We see that from threatening letters from ISPs to TOS disputes, to copyright disputes, on and on.

      MS could probably bully a few million people into compliance, before running into someone willing to make a meaningful fight of it.

    • (Score: 2) by kaszz on Tuesday June 30 2015, @11:37PM

      by kaszz (4211) on Tuesday June 30 2015, @11:37PM (#203568) Journal

      Once the PC is in your hands it will regularly start to phone-home and there will be feedback to tell them you did bad things.

    • (Score: 1) by Nollij on Wednesday July 01 2015, @02:12AM

      by Nollij (4559) on Wednesday July 01 2015, @02:12AM (#203604)

      This is as bad as requiring a new OS licence when the motherboard and hard drive go at the same time.

      It's just the motherboard now. The key is held on the board itself, and the manufacturer is the only one who can do a "swap" of the keys.
      The HDD failing makes life difficult, since you have to find replacement media. But it doesn't affect your license, either officially or unofficially.

  • (Score: 2) by mojo chan on Wednesday July 01 2015, @07:53AM

    by mojo chan (266) on Wednesday July 01 2015, @07:53AM (#203660)

    Your post is mostly good, but this bit is just FUD:

    Microsoft addicts may want to pay attention to that disabling IPv6 is an unsupported configuration that can make the support contract and license keys be gone.

    Microsoft won't cancel your licence keys because you disabled IPv6. They might ask you to enable it when supporting network issues, but they won't tear up your support contract either.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
  • (Score: 2) by EvilSS on Wednesday July 01 2015, @01:47PM

    by EvilSS (1456) Subscriber Badge on Wednesday July 01 2015, @01:47PM (#203754)

    Or just disable IPv6 locally. Most people are not using it on their local networks (not on purpose at least) and it tends to cause more trouble than it's worth with Windows' current implementation. Even if your ISP is handing out IPv6 addresses now (and few overall are) you probably are not going to want to dump your network onto the internet. You'll still keep a firewall/NAT device in place.

    • (Score: 2) by kaszz on Wednesday July 01 2015, @04:53PM

      by kaszz (4211) on Wednesday July 01 2015, @04:53PM (#203826) Journal

      Two things that might be "gotchas" with IPv6 are addresses made up of local Ethernet MAC and that all units will now be 1:1 with internet as it actually was meant to be before the NAT mess. And let's not forget that address specification notation. Someone will screw up with that many times more than for IPv4.
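
Two comments above mention IPv6 addresses built from the local Ethernet MAC. The Python audit below is an added example, not code from the thread or the paper: it flags global-scope addresses whose interface identifier is in modified EUI-64 form and shows the MAC they reveal. The address listing, the interface name and the MAC are constructed.

```python
import ipaddress

# Constructed `ip -6 addr show dev wlan0` lines (documentation prefix
# 2001:db8::/32, made-up MAC 00:11:22:33:44:55).
SAMPLE_ADDRS = """\
    inet6 2001:db8:1:0:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
    inet6 2001:db8:1:0:5c3a:91d2:7e0f:b6a4/64 scope global temporary dynamic
    inet6 fe80::211:22ff:fe33:4455/64 scope link
"""


def embedded_mac(addr):
    """MAC recovered from a modified EUI-64 interface ID, or None.

    Heuristic: a random interface ID contains ff:fe in the middle with
    probability 2**-16, so a hit is strong but not absolute evidence.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the EUI-64 mapping: drop ff:fe, flip the universal/local bit.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def mac_exposing_addresses(text):
    """(address, mac) for every global-scope address that embeds a MAC."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "inet6" or f[3] != "global":
            continue   # link-local addresses never leave the local link
        addr = f[1].split("/")[0]
        mac = embedded_mac(addr)
        if mac:
            found.append((addr, mac))
    return found
```

In the sample, only the first address is reported: the temporary (randomized) address carries no MAC, and the link-local one is skipped because it is not visible beyond the local network.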