
Tautological tautology
"Plenty leak IP addresses aplenty" seems to have plentiful references to plenitude.
I always thought the P in VPN meant private but obviously the headline refers to Very Plentiful Neocryptography
Virtual Private Networks, or VPNs, turn out to be less private than the name suggests, and not just because service providers may keep more records than they acknowledge. Security researcher Paolo Stagno, also known as VoidSec, has found that 23 per cent (16 out of 70) of VPN providers tested leak users' IP address via WebRTC …
>To the point. But it's not VPN who's to blame, it's JavaScript and browsers, every last of them.
I think we aren't really talking about VPN's but privacy protection services that in the main offer anonymous browsing. Hence it probably isn't unreasonable to expect their in-browser client to modify relevant browser settings...
Creating your own VPN won't block various things. It works for preventing MITM attacks by way of sneaky networks outside trusted access methods, which is why I have mine. This clearly doesn't refer to VPNs that let you access devices on one walled-off network, as only VPNs set up specifically to that network will work for that. Therefore, for anonymity, you don't have great options as far as VPNs go. Your own VPN will protect you from where you are all the way to the endpoint, which is also yours. Ergo anyone who was going to identify you from your original traffic will now identify you from your endpoint. If they're monitoring you, they will still be able to identify somewhere where your data is going, so any by-person tracking system will still work (except for location info, but that's not the major problem). You could try to get around that by making a new system that just serves as an endpoint, making that difficult to identify as yours. Still, records of activity and/or records with the company hosting or providing service to said system should identify that quite clearly.
Exactly. I like some games and their servers are in North America. They will block all the range of IPs from my country, hence a VPN will make it look like I'm gaming from somewhere else. The kick is, they blocked IPs due to players toxic behaviour, pure discrimination over an entire country, instead of punishing this or that player. The game company went quickly bankrupt after blocking several IP ranges, and you wonder why...
Microsoft herself had some stupid blockage on an old rally game where you couldn't SAVE the game if your HOTMAIL account was created with a Zip code not in a country where it offered support. So you had to create an email pretending you lived in, say, Manhattan NY, and learn the zip code from there. It was so convoluted and stupid that they never used that authentication shenanigan again.
Except for the email thing, you sort locale discrimination with VPNs. Bravo.
Thanks for acknowledging this. For a moment I was wondering if I should be surprised that Opera (my favorite browser) allows me to disable WebRTC completely. Guess not.
The article almost makes it sound as if this is seriously difficult but within Opera (and I imagine Chrome as well) it's merely an issue of disabling the right setting. It's under "Privacy & security" so very hard to miss.
I'd amend that to be "don't use a VPN provider for doing something untrustworthy". If all you're doing is hiding metadata from your ISP and forcing your Govt to get a warrant rather than having the local dogshit warden read your emails then all is well. If you're a dissident or need better protection then I'm afraid you need better spycraft.
Things I disable when installing a browser:
* WebRTC
* Browser "telemetry" / health reports / etc.
* Notifications / update subscriptions
* Persistent cookies
* Pocket (if Firefox)
* Media autoplay
* Ads, "social integration" Like / Share / Login buttons, and 2/3 of Javascript (by way of an ad blocker)
This article puts the blame on the wrong people. VPN services should not be messing with your traffic to block webRTC.
Blame the broswer makers for this.
If you follow el reg's advice at the bottom of the article to set up your own vpn using the openvpn software then it will not block webRTC.
The article should be changed to explain the software provided by VPN providers is often insecure, not the service itself. Of course your no-ratings Chrome Web Store extension leaks, of course your VPN's awful Windows-only closed-source client leaks... What did you expect?
Just use OpenVPN, IPSec, or even a SOCKS proxy... If your VPN doesn't support any of these services, that should be the first thing to go. God forbid they use a proprietary, nonreviewed solution!
"Just use OpenVPN, IPSec, or even a SOCKS proxy... If your VPN doesn't support any of these services, that should be the first thing to go. God forbid they use a proprietary, nonreviewed solution!"
OpenVPN yes, IPSec no, proxy no. A proxy is not a good enough type of solution, and IPsec is flawed in design and implementation.
But just as important as the software is the configuration. Good software badly configured will not be secure.
Unless you are a VPN expert, it is much better to get a configuration from a reliable VPN provider.
I didn't mean to imply IPsec or proxies were better than OpenVPN, just that rolling your own secure, audited clients to make use of VPN services is often better.
My point was that often it is more the case of bad software causing leaks (web browser, bad VPN[-provided] client, etc) and not the service itself. The article (and the linked research) implies it is wholly within their responsibility to fix all leaks, but that is not always possible or practical.
Using flawed or leaky software not provided by the VPN provider is not their fault. If your real IP is being leaked, it should only be the fault of a VPN provider when they directly provide flawed software or configuration that resulted in the leak. For example, if a VPN service provides a browser-based VPN client and it doesn't block WebRTC leaks, that is their fault, because it is well within the scope of the code to do so.
WebAssembly is the second big attack vector. It allows bad actors to hide bad untrustworthy binary executables that are run on end user browsers. All the recent cryptominers that slow down website usage are in WebAssembly.
Unfortunately, Chrome made it impossible to disable WebAssembly. The hidden flag meant to disable it, got broken with Chrome v62 and they haven't fixed it with v64 (current).
Try to set the following flag to "disabled" and try one of the WebAssembly demos. You can't deactivate WebAssembly anymore :(
chrome://flags/#enable-webassembly
Can't remember where I heard it first (probably Torrentfreak. Ed: no actually it was my VPN provider) but I've known about this for at least a year, I think.
This is one of the reasons I dumped Chrom(e|ium), because at the time I couldn't see any way to disable WebRTC. I had no idea uBlock does it. I got the impression that Google had gone out of their way to ensure nobody could disable it, and even Firefox needs an extension (which I use).
My VPN provider actually provides a DNS leak test on their site, along with another that tests something they're calling the "MSLEAK", which apparently affects both IE and Edge, and is detailed here.
As of the date of that blog post; "seems like Microsoft isn’t going to fix it and it still can be exploited on a Windows 10 with latest updates".
No idea if Microsoft ever patched it.
It's not the VPN that is leaking info if I have to lock down my browser to prevent it.
When I started reading this article, I was under the impression that someone could use the weakness to get my IP address. That is not the case.
Apparently, someone can hijack my browser with the proper script and then get my true IP address.
So it's a browser issue, and for that, there's NoScript (or whatever js-blocker you prefer). Or it's a PEBCAK issue, and the solution for that is ye ol' cattle prod to teach not to bloody click on something just because it's a link.
In other words, this article is a tad misleading, at least for me.
While I don't use a VPN, I don't appreciate my internal network IP address (which is not the standard 192.168.x.x but a private subnet I picked up years ago which can be traced back to me through ARIN) leaking out and of course browsers don't block that by default and even uBlock didn't have the option to block it checked by default!
We really need to have people wearing tinfoil hats design web protocols and chsoing browser defaults so we don't have so much cleaning up to do after the idiots who do design protocols and choose defaults...
Check here: https://ip.voidsec.com/
The reason I use my own subnet is because when I'm consulting and VPN into other networks I might get 10/8 or 172.16/19 or 192.168/16 addresses on the other end. This way I don't have to worry about address conflicts - though granted I could probably hide a little /24 inside 10.x with very very low chance of a conflict...
I figure I have it so I might as well use it, but I have thought about selling it, since a class C can be sold for about $4000-$5000 these days! If only I'd tried to apply for a class B back then, if I'd been able to hold onto it all these years I could practically retire on it :)
An offline copy of Wikipedia is nice if you want to kill time reading about unusual knowledge without worrying that it's going to be picked up by advertisers or snoops looking to fabricate justification for a new budget. (I just fired up the BitTorrent client to help you download the Kiwix snapshots)
Have you become a Human Nature Publication.
It would be news if someone didn't take it's customers for a ride, leak info, crash, stuff up or simply fade away in the Here-today gone-tomorrow Check is in the mail World-of-Ether we call the Internet.
It just shows human nature
The only VPN's of any value are the ones that you connect to at your place of Work or Home, if you can keep them secure, don't stuff up, leak your own addresses, crash, staff don't spy on your usage or just............
"The only VPN's of any value are the ones that you connect to at your place of Work or Home, if you can keep them secure, don't stuff up, leak your own addresses, crash, staff don't spy on your usage or just............"
So true and yet even the pros make mistakes. Take me for example. I look after quite a few networks, firewalls and the like. I have a newish laptop and decided to put my office OpenVPN connection on it. Fired it up, typed in "whats my ip" into Google and saw my IPv6 address staring back at me. Bollocks. Oh well I'll use the office WANs via the web proxy to get the job done.
I now need to fix up what happens with working IPv6 when connecting to our currently IPv4 only VPN. The assumed policy is that all traffic is gatewayed through the VPN and it isn't. I could simply change the policy I suppose.
This post has been deleted by its author
"Tor browser. That is all."
Not quite all. We mustn't forget to mention that Tor and Deep/Dark Web users doing nasty illegal things have been caught in spite of their best efforts.
The obvious rebuttal would be that "yeah, but they made a mistake", implying that the rebutter couldn't possibly.
The thing to remember about being on the Internet, is that you're doing thousands of 'things' per hour. Can you be sure that you're not making some subtle mistake once in a while?
It's a half-life thing. It's just a matter of time.
No exception for Tor.