back to article Why you shouldn't trust a stranger's VPN: Plenty leak your IP addresses

Virtual Private Networks, or VPNs, turn out to be less private than the name suggests, and not just because service providers may keep more records than they acknowledge. Security researcher Paolo Stagno, also known as VoidSec, has found that 23 per cent (16 out of 70) of VPN providers tested leak users' IP address via WebRTC …

  1. JassMan
    Headmaster

    Tautological tautology

    "Plenty leak IP addresses aplenty" seems to have plentiful references to plenitude.

    I always thought the P in VPN meant private but obviously the headline refers to Very Plentiful Neocryptography

    1. diodesign (Written by Reg staff) Silver badge

      Re: Tautological tautology

      Sometimes, we occasionally break the language from time to time for laughs and to sporadically irritate pedants, but only once in a while.

      However, we've thought of a better headline, so now it's your comment that is the redundant text.

      C.

      1. JassMan
        Trollface

        Re: Tautological tautology

        Ah, but my redundant text was deliberate. I call foul for changing a headline just to make comments meaningless. Nearly as bad as cricketers rubbing sandpaper on the ball to get some swing. And we all know how that one ended.

      2. Ramazan

        Re: Tautological tautology

        To the point. But it's not VPN who's to blame, it's JavaScript and browsers, every last of them. Even if a browser doesn't use WebRTC, it still has a lot of means to submit user's ID (MAC, geo etc) to Apple/Google/MS servers.

        1. Roland6 Silver badge

          Re: Tautological tautology

          >To the point. But it's not VPN who's to blame, it's JavaScript and browsers, every last of them.

          I think we aren't really talking about VPN's but privacy protection services that in the main offer anonymous browsing. Hence it probably isn't unreasonable to expect their in-browser client to modify relevant browser settings...

          1. Charles 9 Silver badge

            Re: Tautological tautology

            Most VPNs I know use outside-the-browser clients like the OpenVPN client if not the OS's internal L2TP protocol. This along with HTTPS will make the VPN client blind to the browser.

            1. Anonymous Coward
              Anonymous Coward

              Re: Tautological tautology

              @Charles 9: I was wondering how this was an issue. Does it only apply to browser-based services rather than affecting OpenVPN and router-based setups? That would be a genuine fuck up.

  2. doublelayer Silver badge

    Your own VPN doesn't work for a lot

    Creating your own VPN won't block various things. It works for preventing MITM attacks by way of sneaky networks outside trusted access methods, which is why I have mine. This clearly doesn't refer to VPNs that let you access devices on one walled-off network, as only VPNs set up specifically to that network will work for that. Therefore, for anonymity, you don't have great options as far as VPNs go. Your own VPN will protect you from where you are all the way to the endpoint, which is also yours. Ergo anyone who was going to identify you from your original traffic will now identify you from your endpoint. If they're monitoring you, they will still be able to identify somewhere where your data is going, so any by-person tracking system will still work (except for location info, but that's not the major problem). You could try to get around that by making a new system that just serves as an endpoint, making that difficult to identify as yours. Still, records of activity and/or records with the company hosting or providing service to said system should identify that quite clearly.

    1. Anonymous Coward
      Anonymous Coward

      Re: Your own VPN doesn't work for a lot

      Exactly. I like some games and their servers are in North America. They will block all the range of IPs from my country, hence a VPN will make it look like I'm gaming from somewhere else. The kick is, they blocked IPs due to players toxic behaviour, pure discrimination over an entire country, instead of punishing this or that player. The game company went quickly bankrupt after blocking several IP ranges, and you wonder why...

      Microsoft herself had some stupid blockage on an old rally game where you couldn't SAVE the game if your HOTMAIL account was created with a Zip code not in a country where it offered support. So you had to create an email pretending you lived in, say, Manhattan NY, and learn the zip code from there. It was so convoluted and stupid that they never used that authentication shenanigan again.

      Except for the email thing, you sort locale discrimination with VPNs. Bravo.

  3. JohnFen

    WebRTC

    Nobody actually uses WebRTC, do they? That's among the first things that I disable/block -- it's presence is a security hole that can be leveraged by websites even if you don't actively use it.

    1. Paul Crawford Silver badge

      Re: WebRTC

      The usual VPN check sites such as https://ipleak.net/ already report on WebRTC activity.

      But as you say, who really uses it?

    2. Anonymous Coward
      Anonymous Coward

      @JohnFen

      Thanks for acknowledging this. For a moment I was wondering if I should be surprised that Opera (my favorite browser) allows me to disable WebRTC completely. Guess not.

      The article almost makes it sound as if this is seriously difficult but within Opera (and I imagine Chrome as well) it's merely an issue of disabling the right setting. It's under "Privacy & security" so very hard to miss.

      1. diodesign (Written by Reg staff) Silver badge

        Re: disabling WebRTC

        Hi. It's pretty clear in the piece that you should disable WebRTC. It's not the first time we've highlighted the dangers of WeRTC either.

        Also, in addition to this: don't trust your VPN provider.

        C.

        1. Anonymous Coward
          Anonymous Coward

          Re: disabling WebRTC

          Don't use a VPN provider you don't trust.

          Anything less is not good enough.

          1. Mark 65

            Re: disabling WebRTC

            I'd amend that to be "don't use a VPN provider for doing something untrustworthy". If all you're doing is hiding metadata from your ISP and forcing your Govt to get a warrant rather than having the local dogshit warden read your emails then all is well. If you're a dissident or need better protection then I'm afraid you need better spycraft.

  4. Anonymous Coward
    Anonymous Coward

    IPv6

    My "private" IPv6 address seems to appear under WebRTC on ip.voidsec.com even when I am tunnelled through BlackVPN

    1. Paul Crawford Silver badge

      Re: IPv6

      You really should be checking your config, etc. Sadly IPv6 leaks are all too common: many VPNs simply disable v6 as a quick solution to that issue.

      1. Mark 65

        Re: IPv6

        Mine merely shows my VPN endpoint so all is well - advantage of using router based VPN. The fucks the ISP and the local council off. The nation state actors will likely be able to correlate / aggregate from various site access timings.

  5. fidodogbreath Silver badge

    One of the many scourges of the modern browser

    Things I disable when installing a browser:

    * WebRTC

    * Browser "telemetry" / health reports / etc.

    * Notifications / update subscriptions

    * Persistent cookies

    * Pocket (if Firefox)

    * Media autoplay

    * Ads, "social integration" Like / Share / Login buttons, and 2/3 of Javascript (by way of an ad blocker)

  6. zb42

    This article puts the blame on the wrong people. VPN services should not be messing with your traffic to block webRTC.

    Blame the broswer makers for this.

    If you follow el reg's advice at the bottom of the article to set up your own vpn using the openvpn software then it will not block webRTC.

    1. ds6

      The article should be changed to explain the software provided by VPN providers is often insecure, not the service itself. Of course your no-ratings Chrome Web Store extension leaks, of course your VPN's awful Windows-only closed-source client leaks... What did you expect?

      Just use OpenVPN, IPSec, or even a SOCKS proxy... If your VPN doesn't support any of these services, that should be the first thing to go. God forbid they use a proprietary, nonreviewed solution!

      1. diodesign (Written by Reg staff) Silver badge

        Re: VPN providers

        Hi. I think the piece is pretty clear we're talking about the VPN providers not the underlying encryption tech- especially since we recommend experienced users try openvpn or ipsec.

        C.

      2. Anonymous Coward
        Anonymous Coward

        "Just use OpenVPN, IPSec, or even a SOCKS proxy... If your VPN doesn't support any of these services, that should be the first thing to go. God forbid they use a proprietary, nonreviewed solution!"

        OpenVPN yes, IPSec no, proxy no. A proxy is not a good enough type of solution, and IPsec is flawed in design and implementation.

        But just as important as the software is the configuration. Good software badly configured will not be secure.

        Unless you are a VPN expert, it is much better to get a configuration from a reliable VPN provider.

        1. ds6

          I didn't mean to imply IPsec or proxies were better than OpenVPN, just that rolling your own secure, audited clients to make use of VPN services is often better.

          My point was that often it is more the case of bad software causing leaks (web browser, bad VPN[-provided] client, etc) and not the service itself. The article (and the linked research) implies it is wholly within their responsibility to fix all leaks, but that is not always possible or practical.

          Using flawed or leaky software not provided by the VPN provider is not their fault. If your real IP is being leaked, it should only be the fault of a VPN provider when they directly provide flawed software or configuration that resulted in the leak. For example, if a VPN service provides a browser-based VPN client and it doesn't block WebRTC leaks, that is their fault, because it is well within the scope of the code to do so.

    2. Ramazan

      "Blame the broswer makers for this"

      There's no profit in doing so. Browser writers must not be blamed, they must be prevented from writing browsers.

  7. Anonymous Coward
    Anonymous Coward

    Also disable WebAssembly!!

    WebAssembly is the second big attack vector. It allows bad actors to hide bad untrustworthy binary executables that are run on end user browsers. All the recent cryptominers that slow down website usage are in WebAssembly.

    Unfortunately, Chrome made it impossible to disable WebAssembly. The hidden flag meant to disable it, got broken with Chrome v62 and they haven't fixed it with v64 (current).

    Try to set the following flag to "disabled" and try one of the WebAssembly demos. You can't deactivate WebAssembly anymore :(

    chrome://flags/#enable-webassembly

    1. NanoMeter

      Re: Also disable WebAssembly!!

      Still possible to disable in Vivaldi.

  8. Anonymous Coward
    Anonymous Coward

    Astrill

    according ip.voidsec

    uBlock didn't help

    WebRTC did

    For whatever that's worth

    1. ds6

      Re: Astrill

      Whaa? Are you saying uBlock (and I hope you mean Origin, and not the lesser one) doesn't block WebRTC local IPs? Because, it does. You may have to enable it in the options, as it was set to off by default for quite a while.

      1. Anonymous Coward
        Anonymous Coward

        doesn't .org mean Origin

        settings, what settings

        was admonished not to click the first link in a Google search.

        the 'we are not the other guys' link

        1. Anonymous Coward
          Anonymous Coward

          Re: doesn't .org mean Origin

          spinning troll heads anyone

  9. Oh Homer

    Old news

    Can't remember where I heard it first (probably Torrentfreak. Ed: no actually it was my VPN provider) but I've known about this for at least a year, I think.

    This is one of the reasons I dumped Chrom(e|ium), because at the time I couldn't see any way to disable WebRTC. I had no idea uBlock does it. I got the impression that Google had gone out of their way to ensure nobody could disable it, and even Firefox needs an extension (which I use).

    My VPN provider actually provides a DNS leak test on their site, along with another that tests something they're calling the "MSLEAK", which apparently affects both IE and Edge, and is detailed here.

    As of the date of that blog post; "seems like Microsoft isn’t going to fix it and it still can be exploited on a Windows 10 with latest updates".

    No idea if Microsoft ever patched it.

  10. Pascal Monett Silver badge

    If I got this correctly

    It's not the VPN that is leaking info if I have to lock down my browser to prevent it.

    When I started reading this article, I was under the impression that someone could use the weakness to get my IP address. That is not the case.

    Apparently, someone can hijack my browser with the proper script and then get my true IP address.

    So it's a browser issue, and for that, there's NoScript (or whatever js-blocker you prefer). Or it's a PEBCAK issue, and the solution for that is ye ol' cattle prod to teach not to bloody click on something just because it's a link.

    In other words, this article is a tad misleading, at least for me.

    1. Charles 9 Silver badge

      Re: If I got this correctly

      And if they're prod-proof...and over your head?

  11. John Smith 19 Gold badge
    Unhappy

    Ahhh. Javascript. The tool that just keeps on giving.

    Your private details to anyone who can work out how to query it.

  12. Anonymous Coward
    Anonymous Coward

    More crap to block because people design protocols without thought!

    While I don't use a VPN, I don't appreciate my internal network IP address (which is not the standard 192.168.x.x but a private subnet I picked up years ago which can be traced back to me through ARIN) leaking out and of course browsers don't block that by default and even uBlock didn't have the option to block it checked by default!

    We really need to have people wearing tinfoil hats design web protocols and chsoing browser defaults so we don't have so much cleaning up to do after the idiots who do design protocols and choose defaults...

    Check here: https://ip.voidsec.com/

    1. TRT Silver badge

      Re: More crap to block because people design protocols without thought!

      You could always use 10.0.0.0 and appear as if you are a massive organisation.

      1. Anonymous Coward
        Anonymous Coward

        Re: More crap to block because people design protocols without thought!

        The reason I use my own subnet is because when I'm consulting and VPN into other networks I might get 10/8 or 172.16/19 or 192.168/16 addresses on the other end. This way I don't have to worry about address conflicts - though granted I could probably hide a little /24 inside 10.x with very very low chance of a conflict...

        I figure I have it so I might as well use it, but I have thought about selling it, since a class C can be sold for about $4000-$5000 these days! If only I'd tried to apply for a class B back then, if I'd been able to hold onto it all these years I could practically retire on it :)

  13. Kevin McMurtrie Silver badge
    Boffin

    Kiwix

    An offline copy of Wikipedia is nice if you want to kill time reading about unusual knowledge without worrying that it's going to be picked up by advertisers or snoops looking to fabricate justification for a new budget. (I just fired up the BitTorrent client to help you download the Kiwix snapshots)

  14. Anonymous Coward
    Anonymous Coward

    So ElReg what are you reporting this crap for.

    Have you become a Human Nature Publication.

    It would be news if someone didn't take it's customers for a ride, leak info, crash, stuff up or simply fade away in the Here-today gone-tomorrow Check is in the mail World-of-Ether we call the Internet.

    It just shows human nature

    The only VPN's of any value are the ones that you connect to at your place of Work or Home, if you can keep them secure, don't stuff up, leak your own addresses, crash, staff don't spy on your usage or just............

    1. gerdesj Silver badge

      Re: So ElReg what are you reporting this crap for.

      "The only VPN's of any value are the ones that you connect to at your place of Work or Home, if you can keep them secure, don't stuff up, leak your own addresses, crash, staff don't spy on your usage or just............"

      So true and yet even the pros make mistakes. Take me for example. I look after quite a few networks, firewalls and the like. I have a newish laptop and decided to put my office OpenVPN connection on it. Fired it up, typed in "whats my ip" into Google and saw my IPv6 address staring back at me. Bollocks. Oh well I'll use the office WANs via the web proxy to get the job done.

      I now need to fix up what happens with working IPv6 when connecting to our currently IPv4 only VPN. The assumed policy is that all traffic is gatewayed through the VPN and it isn't. I could simply change the policy I suppose.

    2. diodesign (Written by Reg staff) Silver badge

      Re: So ElReg what are you reporting this crap for.

      Wtf are you on about?

      C.

  15. Anonymous Coward
    Anonymous Coward

    If I were running a TLA...

    If I were running a three letter agency then I'd certainly offer several excellent free VPN services. And in case anyone is suspicious of free VPN services, then I'd also offer some reassuringly-expensive pay VPN service options.

  16. Anonymous Coward
    Anonymous Coward

    Stop with FUD. They can compile the same cryptominers to asm.js or rewrite it in pure js and you won't know the difference. Use adblockers.

  17. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: Tor browser.

      "Tor browser. That is all."

      Not quite all. We mustn't forget to mention that Tor and Deep/Dark Web users doing nasty illegal things have been caught in spite of their best efforts.

      The obvious rebuttal would be that "yeah, but they made a mistake", implying that the rebutter couldn't possibly.

      The thing to remember about being on the Internet, is that you're doing thousands of 'things' per hour. Can you be sure that you're not making some subtle mistake once in a while?

      It's a half-life thing. It's just a matter of time.

      No exception for Tor.

      1. Ramazan

        Re: Tor browser.

        TOR is just a TCP VPN, of course the same IP discovery via side channel methods apply, even to the greater degree.

  18. Winkypop Silver badge
    Happy

    April first

    Icons -->

    1. JJKing
      Trollface

      Re: April first

      But has anyone clicked on the Troll icon?

      A tad amusing. :-)

      1. Charles 9 Silver badge

        Re: April first

        But rather overkill. Do we really need something like this in the HTML spec?

  19. jamescraft

    Yes we should not trust any VPN until and unless we read some reviews and have a proper knowledge for that.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021