VPNs are so insecure you might as well wear a KICK ME sign

[Batu69]

Brit boffins' test of 14 prominent privacy tunnels finds leaks galore thanks to IPv6 mess

A team of five researchers from universities in London and Rome have identified that 14 of the top commercial virtual private servers in the world leak IP data.

Vasile C. Perta, Marco V. Barbera, and Alessandro Mei of Sapienza University of Rome, together with Gareth Tyson, and Hamed Haddadi of the Queen Mary University of London say vendor promises of user privacy and security are often lies that put users at risk.

"Despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage," the authors wrote in the paper A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients [PDF].

"Our findings confirm the criticality of the current situation: many of these [14] providers leak all, or a critical part of the user traffic in mildly adversarial environments.

"The reasons for these failings are diverse, not least the poorly defined, poorly explored nature of VPN usage, requirements and threat models."

The team probed the top client software versions of providers including Hide My Ass, PrivateInternetAccess, and IPVanish. They established a campus dual stack OpenWrt IPv6 through IPv4 tunnel wifi network with updated Ubuntu, Windows, OSX, iOS 7, and Android clients. This simulated the environment where users would trust VPNs to protect them from a hostile network, they said.

All but provider Astrill were open to IPv6 DNS hijacking attacks and only four did not leak IPv6 data.

None were resistant to both threats. Here's how the authors summarise the situation:

"Whereas our work initially started as a general exploration, we soon discovered that a serious vulnerability, IPv6 traffic leakage, is pervasive across nearly all VPN services. In many cases, we measured the entirety of a client’s IPv6 traffic being leaked over the native interface. A further security screening revealed two DNS hijacking attacks that allow us to gain access to all of a victim’s traffic."

They found the most common VPN tunnelling technologies relied on outdated technologies like PPTP with MS-CHAPv2 which could be trivially broken with brute-force attacks.

The "vast majority" of commercial VPNs suffer from data leakage in dual stack IPv4 and IPv6 networks in a way the exposes "significant amounts" of traffic to public detection in contradiction to vendor claims.

"Most importantly we find that the small amount of IPv6 traffic leaking outside of the VPN tunnel has the potential to actually expose the whole user browsing history even on IPv4 only websites," they wrote in the paper. Here's the paper's explanation of the IPv6 mess:

"... whereas all VPN clients manipulate the IPv4 routing table, they tend to ignore the IPv6 routing table. No rules are added to redirect IPv6 traffic into the tunnel. This can result in all IPv6 traffic bypassing the VPN’s virtual interface. Although not a serious issue some years ago, increasing amounts of traffic is now IPv6, bringing the problem to criticality."

All of the DNS configurations used by the providers could be overcome by DNS hijacking attackers.

Recommended countermeasures included altering IPv6 routing tables to capture all traffic, and ensuring the DNS server can only be accessed through the tunnel.

Source

[CODYQX4]

That explains all the Disable IPv6 options.

I believe my VPN client disables IPv6 while connected, but I've never tested. I've passed all the other tests.

[Holmes]

I dont see cyberghost vpn I wonder if it leaks data. You use privateinternetaccess vpn right cody what tests are you talking about..

[CODYQX4]

I dont see cyberghost vpn I wonder if it leaks data. You use privateinternetaccess vpn right cody what tests are you talking about..

IPLeak.net. That checks for DNS, WebRTC, and other IP Leaks. I'm covered so far, nothing yet has leaked my IP, and my torrent client (Vuze) binds connections to the VPN interface so it has to use it, disconnect = no torrent traffic.

I use Viscosity VPN client on OS X, and every VPN Config I add to it has an option to Enable IPV6 which is disabled by default. I don't know if that suffices for the leak, but people were talking about IPV6 leaks years back as a way to leak through VPN to deanonymize torrent downloaders, so a lot of VPNs just disabled IPV6 or recommended it.

If anyone has an IPV6 test that would be nice to have.

[steven36]

That explains all the Disable IPv6 options.

I believe my VPN client disables IPv6 while connected, but I've never tested. I've passed all the other tests.

Yes it does if you use CG have a place to disable them but also you can just go to network connections and disable them. Ive knew about this every since I used a vpn to disable them.

here's a test

http://ipv6leak.com

They been claiming World IPv6 since 2010 but still Im able to surf the web just fine without it enabled and its 2015 :P

Why they dont do some research on something new? here is a article form 2013 about it.

Many VPN clients are unable to intercept and tunnel Internet Protocol version 6 (IPv6) packets. They can only tunnel IPv4 traffic. They do not tunnel or otherwise secure the flow of IPv6 traffic. In alphabetical order, some VPNs that can simultaneously tunnel both protocols are:

1. Cisco AnyConnect SSL VPN (version 2.5 and later)

2.Juniper Junos Pulse (also known as Network Connect) using their SSL VPN appliances (version 7.3 and later).

3. LogMeIn Hamachi VPN using the vpn.net service (version 2.1.0.122 Windows and 2.1.0.65 Macintosh)

4. Microsoft Secure Socket Layer (SSL) VPN over the Secure Socket Tunneling Protocol (SSTP) supported by Windows Server 2008 and 2008 R2

5. NCP Secure Engineering Secure Entry Client (version 9.3 or later)

6. OpenVPN Technologies Inc. OpenVPN Access Server (version 2.3.x and later), OpenVPN Client (version 2.3.x and later)

7. realVNC Ltd. realVNC Enterprise Edition (version 4.1.7 and later), Personal Edition (version 4.1.2 and later)

8. SonicWALL SSL VPN (version 3.5 and later)

9. StoneSoft StoneGate SSL VPN (version 1.1.0 and later)

10. Vidder VPN (all versions)

While is does more than just tunnel packets, the Microsoft DirectAccess product also tunnels both IPv4 and IPv6 packets.

[Enterprise-level VPN software is the subject of this article. VPN solutions for individual use (such as privateinternetaccess.com, purevpn.com, and vpnv6.com) are not.]

To prevent unsecure traffic via the IPv6 network stack while using a VPN client that can tunnel IPv4 traffic only, it is recommended to temporarily disable IPv6 and then reboot before activating the VPN client, and then re-enable IPv6 upon terminating the VPN client. The recommended procedure to disable or enable IPv6 traffic on specific host Operating Systems is described in numerous separate articles in the IP Transport section of the IPv6 knowledge base.

http://www.hpc.mil/index.php/2013-08-29-16-03-23/networking-overview/2013-10-03-17-24-38/ipv6-knowledge-base-infrastructure/virtual-private-networks-vpns-and-ipv6

[CODYQX4]

That test says I'm fine.

I was learning 8 years ago about how we're running out of IPv4, but they just keep NATing it up and no significant visible progress has been made.

[shamu726]

VPN Providers Respond To Allegations of Data Leakage

[TeActive]

I dont see cyberghost vpn I wonder if it leaks data. You use privateinternetaccess vpn right cody what tests are you talking about..

IPLeak.net. That checks for DNS, WebRTC, and other IP Leaks. I'm covered so far, nothing yet has leaked my IP, and my torrent client (Vuze) binds connections to the VPN interface so it has to use it, disconnect = no torrent traffic.

DNS Address detection

should it show dns? Test on that site for me show 12 different dns addresses.