
[The Register] VPNs are so insecure you might as well wear a KICK ME sign

Industry news items concerning VPNs, darknets, crypto, surveillance and secure computing.

Topic Author
parityboy
Site Admin
Posts: 1263
Joined: Wed Feb 05, 2014 3:47 am

[The Register] VPNs are so insecure you might as well wear a KICK ME sign

Postby parityboy » Tue Jun 30, 2015 6:21 pm

"Our findings confirm the criticality of the current situation: many of these [14] providers leak all, or a critical part of the user traffic in mildly adversarial environments.

"The reasons for these failings are diverse, not least the poorly defined, poorly explored nature of VPN usage, requirements and threat models."

The team probed the top client software versions of providers including Hide My Ass, PrivateInternetAccess, and IPVanish. They established a campus dual stack OpenWrt IPv6 through IPv4 tunnel wifi network with updated Ubuntu, Windows, OSX, iOS 7, and Android clients. This simulated the environment where users would trust VPNs to protect them from a hostile network, they said.


Source
Attachments
PETS2015VPN.pdf


marzametal
Posts: 518
Joined: Mon Aug 05, 2013 11:39 am

Re: [The Register] VPNs are so insecure you might as well wear a KICK ME sign

Postby marzametal » Wed Jul 01, 2015 4:30 am

I laughed when I read that article... they continue to dodge CS...


mart-e
Posts: 18
Joined: Thu Jul 02, 2015 5:07 pm

Re: [The Register] VPNs are so insecure you might as well wear a KICK ME sign

Postby mart-e » Sun Jul 05, 2015 2:18 am

Could you please elaborate on how Cryptostorm is doing on this?
18 months ago, cryptostorm did not work on IPv6 and advised disabling it. It seems that it's still the case and CS is not such a fan of using IPv6.

Is there something planned to support it or is IPv6 just not made to work with VPN (then what is?)?

Thanks

CS disables IPv6 via the widget


Topic Author
parityboy
Site Admin
Posts: 1263
Joined: Wed Feb 05, 2014 3:47 am

Re: [The Register] VPNs are so insecure you might as well wear a KICK ME sign

Postby parityboy » Sun Jul 05, 2015 4:18 am

@mart-e

As far as I am aware, the Windows widget executes scripts which disable/block IPv6 packets from leaking out-of-tunnel. See here.


marzametal
Posts: 518
Joined: Mon Aug 05, 2013 11:39 am

Re: [The Register] VPNs are so insecure you might as well wear a KICK ME sign

Postby marzametal » Sun Jul 05, 2015 7:09 am

Read an article stating the USA has run out of IPv4 addresses... this IPv6 stuff might end up being forced.


Topic Author
parityboy
Site Admin
Posts: 1263
Joined: Wed Feb 05, 2014 3:47 am

Re: [The Register] VPNs are so insecure you might as well wear a KICK ME sign

Postby parityboy » Sun Jul 05, 2015 4:16 pm

@marzametal

Maybe. I think the tardiness in moving to IPv6 is rooted in commercial interest, hence the implementation of things like CGNAT in order to stave off the inevitable.

Having said that, I think it'll be the mobile networks which move to IPv6 first.


df
Site Admin
Posts: 376
Joined: Thu Jan 01, 1970 5:00 am

Re: [The Register] VPNs are so insecure you might as well wear a KICK ME sign

Postby df » Mon Aug 03, 2015 6:39 am

by parityboy » Sun Jul 05, 2015 5:16 am
@marzametal

Maybe. I think the tardiness in moving to IPv6 is rooted in commercial interest,


Of course it is :-P
There have been some innovations in IPv4 subnetting that make IPv6 not as necessary as it once was, but it's still a problem for public-facing networks. Or so I hear...

While I do say IPv6 will be required at one point, right now the protocol feels a bit too rushed out "to get things functional" for my tastes. Every IPv6 implementation I've ever audited has vulns everywhere. That's why we disable it with the widget, as you can see in the ipv6_off.bat in the widget's folder:


@echo off
netsh interface teredo set state disabled
netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
netsh interface ipv6 isatap set state state=disabled


In English, those commands say: fuck IPv6, we don't trust anything you do, fuck off
(especially in Windows).

In Linux it's easier to get rid of. Some stuff in Linux will shit itself if it tries IPv6 things and it just fails (like if someone doesn't compile their kernel with IPv6 support), so for those cases ip6tables can be used to block all IPv6 scariness.
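
For the Linux ip6tables approach mentioned in the post above, here is an added example (not part of the original post and not cryptostorm's code) that audits `ip6tables -S` output and reports anything that would still let IPv6 traffic out-of-tunnel. The function name `audit_ip6tables` and the three sample rulesets are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a host's ip6tables ruleset really blocks all IPv6.
# Live use (as root):  ip6tables -S | audit_ip6tables
# A block-all policy is set with:
#   ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP

# audit_ip6tables (hypothetical name): reads `ip6tables -S` text on stdin and
# prints one finding per line. No output means IPv6 is blocked everywhere
# except, optionally, the loopback interface.
audit_ip6tables() {
    awk '
        $1 == "-P" { policy[$2] = $3; next }      # built-in chain policy
        $1 == "-A" {                              # appended rule
            target = ""; lo = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                # "-i lo" / "-o lo" is loopback-only; "! -i lo" is the opposite
                if (($i == "-i" || $i == "-o") && $(i + 1) == "lo" && $(i - 1) != "!")
                    lo = 1
            }
            if (target == "ACCEPT" && !lo) print "accept-rule: " $0
        }
        END {
            n = split("INPUT FORWARD OUTPUT", chains, " ")
            for (c = 1; c <= n; c++) {
                p = policy[chains[c]]
                if (p != "DROP")
                    print "policy: " chains[c] " is " (p == "" ? "unset" : p)
            }
        }
    '
}

# Constructed sample: stock ruleset, everything accepted.
sample_open() {
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT'
}

# Constructed sample: block-all, loopback still permitted.
sample_blocked() {
    printf '%s\n' '-P INPUT DROP' '-P FORWARD DROP' '-P OUTPUT DROP' \
        '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
}

# Constructed sample: DROP policies undermined by a blanket ACCEPT rule.
sample_leaky() {
    printf '%s\n' '-P INPUT DROP' '-P FORWARD DROP' '-P OUTPUT DROP' \
        '-A OUTPUT -p udp -j ACCEPT'
}
```

An empty result only covers the filter table that `ip6tables -S` prints by default; it says nothing about the Windows transition tunnels (Teredo, 6to4, ISATAP) that the batch file handles.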


marzametal
Posts: 518
Joined: Mon Aug 05, 2013 11:39 am

Re: [The Register] VPNs are so insecure you might as well wear a KICK ME sign

Postby marzametal » Tue Aug 04, 2015 6:13 am

df wrote:by df » Sun Jul 05, 2015 11:39 am
In English, those commands say: fuck IPv6, we don't trust anything you do, fuck off
(especially in Windows)

I smell a t-shirt slogan!

