from the oops-didn't-think-about-that-one dept.
Virtual Private Networks (VPNs) are legal and increasingly popular for individuals wanting to circumvent censorship, avoid mass surveillance or access geographically limited services like Netflix and BBC iPlayer. Used by around 20 per cent of European internet users they encrypt users' internet communications, making it more difficult for people to monitor their activities.
The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leaked information ranged from the websites a user is accessing to the actual content of user communications, for example comments being posted on forums. Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked.
The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. IPv6 replaces the previous IPv4, but many VPNs only protect user's IPv4 traffic. The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a WiFi access point which was designed to mimic the attacks hackers might use.
http://phys.org/news/2015-06-internet-anonymity-software-leaks-users.html
[More Info]: GWI Infographic: VPN Users
The paper 'A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients' by V. Perta, M. Barbera, G. Tyson, H. Haddadi, A. Mei will be presented at the Privacy Enhancing Technologies Symposium on Tuesday 30 June 2015.
See also our story here.
Original Submission
Related Stories
Another story from Ars Technica:
By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don't encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn't widely appreciated.
Large sites like Twitter and Google have adopted SSL broadly in order to protect users on such networks. But for broader protection, many people use a virtual private network (VPN). Most people, if they use a VPN at all, use a corporate one. But there are public services as well, such as F-Secure's Freedome and Privax's HideMyAss. Your device connects with the VPN service's servers and establishes an encrypted tunnel for all your Internet traffic from the device to their servers. The service then proxies all your traffic to and from its destination.
It's a better solution than relying on SSL from websites for a number of reasons: with a VPN, all of the traffic from your device is encrypted, whether the site you are visiting has SSL or not. Even if the Wi-Fi access point to which you are connected is malicious, it can't see the traffic. Any party that is in a position to monitor your traffic can't even see the addresses and URLs of the sites with which you are communicating, something they can do with SSL over open Wi-Fi.
But there is a hole in this protection, and it happens at connect time. The VPN cannot connect until you connect to the Internet, but the VPN connection is not instantaneous. In many, perhaps most public Wi-Fi sites, your Wi-Fi hardware may connect automatically to the network, but you must open a browser to a "captive portal," which comes from the local router, and attempt to gain access to the Internet beyond. You may have to manually accept a TOS (Terms of Service) agreement first.
In this period before your VPN takes over, what might be exposed depends on what software you run. Do you use a POP3 or IMAP e-mail client? If they check automatically, that traffic is out in the clear for all to see, including potentially the login credentials. Other programs, like instant messaging client, may try to log on.
(Score: -1, Offtopic) by Anonymous Coward on Tuesday June 30 2015, @10:02PM
I can't find the damn list to see if my VPN service is on it. The paper doesn't seem to have been made public, at least not at any of the links provided.
That makes this article a total waste of time. Please tell me I'm blind!
(Score: 4, Informative) by _NSAKEY on Tuesday June 30 2015, @10:10PM
The paper in question can be found here [degruyter.com]. The rest of the papers [degruyter.com] are also online. It's all open access, so there should be no trouble.
(Score: 1, Redundant) by takyon on Wednesday July 01 2015, @08:09PM
Follow-up:
http://torrentfreak.com/vpn-providers-respond-to-allegations-of-data-leakage-150701/ [torrentfreak.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 4, Interesting) by _NSAKEY on Tuesday June 30 2015, @10:05PM
A lot of stuff still pretends that IPv6 doesn't exist. For example, the Tor Project volunteers who watch for censorship events have never seen IPv6-related censorship, not even in China. Apparently the censorship gear just lets IPv6 traffic pass through unmolested.
(Score: 2) by Freeman on Tuesday June 30 2015, @10:44PM
Wow, loophole much?
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by takyon on Tuesday June 30 2015, @11:01PM
Or even better, a honeypot.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 4, Informative) by kaszz on Tuesday June 30 2015, @10:16PM
The leak problem is on the client side. And the cure is simple: Disable IPv6 completely on your local system while using the VPN service that only handles IPv4. And watch out for what DNS requests that leave your network. Another solution is to make sure your local IPv6 traffic and DNS requests goes to the VPN and perhaps using a virtual machine to begin with. Make sure IPv6 addresses are constantly randomized and doesn't use any local Ethernet MAC address as part of the IPv6 address. Test that your VPN also actually does support IPv6 and anonymize it properly.
The table on page 3 says TorGuard, PrivateInternetAccess, VyperVPN and Mullvad are proof against IPv6 leakage. Astrill is proof against OpenVPN and PPTP/L2TP DNS hijacking.
Microsoft addicts may want to pay attention to that disabling IPv6 is an unsupported [microsoft.com] configuration that can make the support contract and license keys be gone. John W. Thompson a chairman of the board of Microsoft has even talked about taking legal action against businesses that disable IPv6.
(Score: 0) by Anonymous Coward on Tuesday June 30 2015, @11:14PM
Perhaps we just need standard method for blocking or null.routing IPv6 on Windows. Got Windows? Use a VPN? Run this script named blockIPv6.bat. Done.
Microsoft can do whatever they like but once the PC is in your hands you decide what it does for you. Love to see them try to knuckle users who disable IPv6. Revoke licence or support over disabling a system service? This is as bad as requiring a new OS licence when the motherboard and hard drive go at the same time.
Ask yourself why Windows 10 is free.
(Score: 2) by Runaway1956 on Tuesday June 30 2015, @11:35PM
"Love to see them try to knuckle users who disable IPv6."
Well - it would work for awhile. Most people who get cease and desist letters, or other threatening correspondence, look for the Easy Way Out® rather than addressing the issue. We see that from threatening letters from ISP's to TOS disputes, to copyright disputes, on and on.
MS could probably bully a few million people into compliance, before running into someone willing to make a meaningful fight of it.
(Score: 2) by kaszz on Tuesday June 30 2015, @11:37PM
Once the PC is in your hands it will regularly start to phone-home and there will be feedback to tell them you did bad things..
(Score: 1) by Nollij on Wednesday July 01 2015, @02:12AM
It's just the motherboard now. The key is held on the board itself, and the manufacturer is the only one who can do a "swap" of the keys.
The HDD failing makes life difficult, since you have to find replacement media. But it doesn't affect your license, either officially or unofficially.
(Score: 2) by mojo chan on Wednesday July 01 2015, @07:53AM
Your most is mostly good, but this bit is just FUD:
Microsoft addicts may want to pay attention to that disabling IPv6 is an unsupported configuration that can make the support contract and license keys be gone.
Microsoft won't cancel your licence keys because you disabled IPv6. They might ask you to enable it when supporting network issues, but they won't tear up your support contract either.
const int one = 65536; (Silvermoon, Texture.cs)
(Score: 2) by EvilSS on Wednesday July 01 2015, @01:47PM
Or just disable IPv6 locally. Most people are not using it on their local networks (not on purpose at least) and it tends to cause more trouble that it's worth with Windows current implementation. Even if your ISP is handing out IPv6 addresses now (and few overall are) you probably are not going to want to dump your network onto the internet. You'll still keep a firewall/NAT device in place.
(Score: 2) by kaszz on Wednesday July 01 2015, @04:53PM
Two things that might be "gotchas" with IPv6 is addresses made up of local Ethernet MAC and that all units will now be 1:1 with internet as it actually was meant to be before the NAT mess. And lets not forget that address specification notation. Someone will screwup with that many time more than for IPv4.
(Score: 2) by Whoever on Wednesday July 01 2015, @03:02AM
I have always assumed that the majority of the users of these VPN services want to get around geographic content restrictions. They probably don't care about IPv6 leakage.
(Score: 2) by takyon on Wednesday July 01 2015, @08:09PM
http://torrentfreak.com/vpn-providers-respond-to-allegations-of-data-leakage-150701/ [torrentfreak.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]