
very odd event while using the VPN


Topic Author
cryptostorm user

very odd event while using the VPN

Postby cryptostorm user » Thu Apr 13, 2017 7:38 am

First post here, so go easy on the critiques.

Recently, while visiting a well-known imageboard site over Cryptostorm (Dusseldorf), an odd event occurred. After approximately a half-hour browsing the board over a HTTPS connection and reading several discussion threads, I entered a thread that discussed a social networking site called tribe. The thread included screen captures of various groups on tribe that involved sex crimes against children. Comments in this thread were strongly against the content, calling for doxxing those tribe members and sharing their personal information with law enforcement. This is not my thing, so I left the thread to find more interesting content.

Within one hour, my cell phone received a text message inviting me to join tribe.

This text message raises several troubling questions. My knowledge of security is almost non-existent compared to others here. You probably have questions I did not think to ask. Since I do not know who sent the text message, let us assign the name Dr. Evil.

How did Dr. Evil decode the HTTPS stream from Cryptostorm to the imageboard?
How did Dr. Evil link the browsing activity on Cryptostorm to a cellular telephone number in less than 60 minutes?

Two days later, I visited this same imageboard discussion thread. The same conditions and procedures were used, and Wireshark captured packets on the computer's only network connection. I did not receive a repeat cell phone text message. The Wireshark data shows packets traveling between the Mac and Cryptostorm after the VPN connects, but it also shows packets traveling outside the VPN (examples as IP:port are 17.249.172.12:5223, 17.188.136.186:5223, and 17.248.143.91:443).

Why does the Mac connect to these two Apple servers (17.xxx.xxx.xxx) while the VPN is active?
If this Apple-specific traffic does not travel over the VPN, then Dr. Evil's work appears more impressive. Or Dr. Evil co-opted Apple.

I appreciate your answers and suggestions.

Details:
OSX 10.11.6
VPN software: Tunnelblick
Web browser: Iridium 51.1
Web browser extensions: uBlock Origin, uMatrix, Canvas Defender.
Web browser use: Iridium is closed and the browsing data cleared at least once daily (history, cache, cookies, downloads, download history, autofill form, and hosted app data).
uMatrix settings: allow content only from the imageboard or YouTube; spoof user agent and http referrer requests; force https; delete cookies and storage from blocked hosts; delete session cookies every 60 minutes; and block http auditing.
Canvas Defender noise hash changed every time the browser is loaded.
Other information: before joining the Cryptostorm VPN, all applications except Tunnelblick are stopped. Iridium is not opened until after Tunnelblick reports a valid VPN connection.

parityboy
Site Admin
Posts: 1105
Joined: Wed Feb 05, 2014 3:47 am

Re: very odd event while using the VPN

Postby parityboy » Fri Apr 14, 2017 10:49 pm

@OP

On your second point, port 5223 is officially the IANA-registered port for the XMPP/Jabber protocol. It may be that macOS is using this for push notifications. That itself is not an issue; what is of more pressing concern is that the system is able to route the packets outside of the VPN tunnel - you clearly have a firewall issue.

On your first point, was the Mac used to visit this image board, or was it your cell phone? If it was your cell, it may be that something on that device is encoding your phone number into the HTTP headers sent by the browser. This is something which happened on the O2 network a few years ago - their gateway was supposed to strip this information before forwarding the traffic onward, but failed due to a misconfiguration. Also see here (slide 14 onward).

So if it was the cell phone, what device is it? What browser did you use? What do you get if you do an IP check? Is it possible that some traffic is being routed out-of-tunnel?
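A way to check for the out-of-tunnel routing parityboy describes, as an added example that is not code from the thread or from cryptostorm: it takes flows captured on the physical interface while the VPN is up (constructed lines modelled on the Apple addresses quoted above) and flags anything not addressed to the VPN endpoint. The endpoint address and ports are placeholders.

```python
"""Flag flows that bypassed the VPN tunnel.

Added example, not from the forum thread. With the VPN up, the only traffic
that should leave the physical NIC is the encrypted tunnel to the VPN
endpoint; every other flow seen there is out-of-tunnel (a firewall issue)."""
from dataclasses import dataclass

VPN_ENDPOINT = "203.0.113.10"   # placeholder (TEST-NET-3): your OpenVPN server
VPN_PORTS = {443, 1194}         # assumed OpenVPN ports on that endpoint
PORT_HINTS = {53: "DNS", 123: "NTP", 443: "HTTPS", 5223: "XMPP / Apple push"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(lines):
    """Parse 'src dst proto dport' lines (e.g. tshark -T fields output)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.upper(), int(dport)))
    return flows


def is_tunnel(flow):
    """True only for the encrypted OpenVPN session itself."""
    return flow.dst == VPN_ENDPOINT and flow.dport in VPN_PORTS


def find_leaks(flows):
    """Return every flow on the physical NIC that is not the tunnel."""
    return [f for f in flows if not is_tunnel(f)]


def describe(flow):
    return f"{flow.dst}:{flow.dport}/{flow.proto} ({PORT_HINTS.get(flow.dport, 'unknown')})"


# Constructed capture on the Mac's only NIC with the VPN connected.
SAMPLE = """
192.168.1.20 203.0.113.10 udp 443
192.168.1.20 17.249.172.12 tcp 5223
192.168.1.20 17.188.136.186 tcp 5223
192.168.1.20 17.248.143.91 tcp 443
192.168.1.20 192.168.1.1 udp 53
""".splitlines()

if __name__ == "__main__":
    for leak in find_leaks(parse_flows(SAMPLE)):
        print("out-of-tunnel:", describe(leak))
```

LAN flows (the router on port 53 above) are flagged too; whether that is acceptable depends on whether DNS is meant to go through the tunnel.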


Topic Author
cryptostorm user

Re: very odd event while using the VPN

Postby cryptostorm user » Sun Apr 16, 2017 9:29 am

@Parity Boy

Thank you for the reply.

Your point about packets leaking around the VPN is a good one. My general understanding of a VPN was that all traffic went through it. That doesn't appear to be the case with some OS X system processes. To keep this event from reoccurring, I've created VPN-specific profiles in Little Snitch that prevent programs and processes from sending data. The only exceptions are DNS, NTP, OpenVPN, and the web browser.

The question about the phone is a good one. I have visited the imageboard from the cell phone with a VPN in place, initially a different VPN and later Cryptostorm.

However, even if "Dr. Evil" knew my cell phone had visited the imageboard, and could link the non-VPN OS X system process data back to my IP address, I still cannot explain how "Dr. Evil" connected all of the above. Shouldn't the connection from a desktop computer through Cryptostorm to a HTTPS site be immune from observation? The HTTPS site should see only the Cryptostorm server, and the end-to-end traffic should be encrypted, correct? This is where I'm having trouble understanding what happened.


** Dr. Evil, if you're reading this exchange, then you know who I am from what you've hacked, and you know I am not who you are trying to find. **

parityboy
Site Admin
Posts: 1105
Joined: Wed Feb 05, 2014 3:47 am

Re: very odd event while using the VPN

Postby parityboy » Tue Apr 18, 2017 5:55 am

@OP

The purpose of a VPN is to encrypt data between your Internet connection point (PC/phone/tablet/router) and the VPN exit node. This has the effect of "going dark" on your ISP - they can only see that traffic is going between your router and the VPN exit node, and that the traffic is encrypted. The data is decrypted back into its original form as it exits the VPN server, and makes its way to the intended destination.

To build upon the above: if that original form is HTTP (or any other plaintext protocol), anyone (including the VPN provider) sniffing between the exit node and the destination will be able to read everything - destination, source and all headers and content. If the original form is HTTPS (or any other TLS-encrypted protocol), observers will be able to see the destination and source IP addresses, but the payload (headers and content) will be encrypted.

The part you appear to be missing - based on what you've written - is what happens when your request finally makes it to the target website. That part is actually very simple: your request gets logged. I would guess part of the website code is parsing the logs looking for HTTP headers known to carry cell phone numbers. Doesn't take much effort, to be honest.

Out of curiosity, point your cell phone browser(s) here, click on the link for the headers and see what you get. :)
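A header-echo check of the kind parityboy suggests, as an added example that is not code from the thread or from cryptostorm: it echoes a request's headers as JSON and flags names known from public reports of carrier "header enrichment" (the O2 incident involved x-up-calling-line-id). The watch list is short and non-exhaustive, an assumption to extend for your own carrier; the sample number is from the UK reserved drama range.

```python
"""Echo request headers and flag ones that may carry a subscriber number.

Added example, not from the forum thread. Point a phone browser at this
server over mobile data and read the 'identifying' section."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

# Lower-case names some mobile gateways have injected (assumed, non-exhaustive).
IDENTIFYING_HEADERS = {
    "x-up-calling-line-id",   # O2 (UK), 2012
    "x-msisdn",
    "x-up-subno",
    "x-nokia-msisdn",
}


def find_identifying_headers(headers):
    """Return {name: value} for every header on the watch list.
    `headers` is any mapping with .items(), including the handler's headers."""
    return {name: value for name, value in headers.items()
            if name.lower() in IDENTIFYING_HEADERS}


def report(headers):
    """Build the JSON document returned for one request."""
    leaked = find_identifying_headers(headers)
    return {
        "headers": dict(headers.items()),
        "identifying": leaked,
        "verdict": ("phone number exposed in headers" if leaked
                    else "no known identifying headers"),
    }


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = json.dumps(report(self.headers), indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed self-check, then serve on all interfaces, port 8080.
    print(report({"Host": "echo.example", "X-Up-Calling-Line-Id": "447700900123"}))
    HTTPServer(("0.0.0.0", 8080), EchoHandler).serve_forever()
```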


Topic Author
thread OP

Re: very odd event while using the VPN

Postby thread OP » Sun Apr 23, 2017 3:14 am

@parityboy

I think something was lost in translation.

When I connected to the imageboard over Cryptostorm, I was on my desktop computer, not a cell phone.

The text message arrived to my cell phone within an hour despite the lack of a connection between the phone and the imageboard.

Somehow "Dr. Evil" linked the desktop computer VPN connection to my cell phone number. This is what I find troubling.

parityboy
Site Admin
Posts: 1105
Joined: Wed Feb 05, 2014 3:47 am

Re: very odd event while using the VPN

Postby parityboy » Mon Apr 24, 2017 2:39 pm

@OP

cryptostorm user wrote:
    The question about the phone is a good one. I have visited the imageboard from the cell phone with a VPN in place, initially a different VPN and later Cryptostorm.

Maybe the two were not correlated - did you log into this imageboard on either device? - and perhaps it was simply chance that your previous visit to this imageboard on your cell was finally acted upon.

exempt
Posts: 31
Joined: Sun Dec 29, 2013 7:49 am

Re: very odd event while using the VPN

Postby exempt » Tue Apr 25, 2017 11:09 am

You must route all traffic through the VPN on Mac/OSX in the Tunnelblick settings.

BAD: [Tunnelblick settings screenshot not available]

GOOD: [Tunnelblick settings screenshot not available]

