VPNs are so insecure you might as well wear a KICK ME sign

A team of five researchers from universities in London and Rome have identified that 14 of the top commercial virtual private networks in the world leak IP data. Vasile C. Perta, Marco V. Barbera, and Alessandro Mei of Sapienza University of Rome, together with Gareth Tyson, and Hamed Haddadi of the Queen Mary University of …

  1. Anonymous Coward

    OpenVPN's IPv6 support is severely lacking…

    I've been using OpenVPN for some time now, and basically for a long time, the only way to get IPv6 tunnelled was to run it in layer 2 mode.

    The latest versions apparently do IPv6 tunnelling in layer 3 mode, but it's still rather hit-and-miss. Likely, the tunnels are IPv4 only, and if you happen to have a v6 connection either natively or through a migration protocol such as 6-to-4 or Teredo, you're going to find the few (and increasing!) v6-accessible sites will give you away.

    Fingers crossed OpenVPN gets something workable going. The only other option is something like OpenConnect (Cisco AnyConnect clone).

    1. Orv Silver badge

      Re: OpenVPN's IPv6 support is severely lacking…

      That's essentially the problem, yeah. Most of the common solutions don't handle IPv6 well, or can't mix it with IPv4 traffic. For example, IPSEC can do IPv6 by design...but can't mix IPv6 and IPv4 on the same tunnel, making it useless in practice.

      IPv6 also has a way of making a lot of easy problems hard. For example, any situation where you'd use static NAT in IPv4 -- e.g., machines behind a firewall -- requires a lot of head-scratching and possibly an additional routeable block of addresses in IPv6. Try explaining THAT to your ISP.

  2. Khaptain Silver badge

    Broken or badly configured

    Reading from El Reg's article I understood 2 things.

    1 : It's the protocol PPTP that is a problem more than the client/server.

    2 : The clients are badly configured rather than broken which means that they could easily be updated.

    Neither of these look to be too difficult to repair but it definitely requires action to be taken... I was glad to see that our system was not on that list.

    Is there really a VPN solution called "Hide my Ass", I don't find their name very "inspiring"...

    1. Winkypop Silver badge
      Joke

      Re: Is there really a VPN solution called "Hide my Ass"

      It's very big with the Equus, Asinus rustler set.

      1. Roland6 Silver badge

        Re: Is there really a VPN solution called "Hide my Ass"

        Yes and it made one UK young entrepreneur 'rich' (okay not Zuckerman rich) when he sold it to AVG for 40m GBP (just under 63m USD) earlier this year.

        http://www.bbc.co.uk/news/business-32702501

        1. BuckoA51

          Re: Is there really a VPN solution called "Hide my Ass"

          I can't understand how Hide My Ass is even still in business. Every time there's anything security related that mentions them they do abysmally. They have been shown to keep logs and hand them over to the authorities without question and it's no surprise their implementation is full of security holes at all. You'd think anyone looking for a VPN would at least be able to do a Google search and find out how useless these folks are.

          I've been using iVPN for when I go to Turkey or want to look up anything without it going in the GCHQ data vacuum. They have their own custom firewall that blocks anything leaking from outside the VPN tunnel and respond very quickly to support tickets (I reported their old VPN software silently disconnecting in Windows 8 and they not only talked me through configuring a firewall to prevent it but implemented their own custom software so that it could never happen again). I highly recommend them. Of course with any VPN you're always going to have to trust someone and eventually if you are using it for nefarious purposes someone will find a way to unravel your anonymity.

    2. chivo243 Silver badge

      Re: Broken or badly configured

      I didn't see our system on the list either, whew. Hide My Ass LOL!

    3. Anonymous Coward

      Re: Broken or badly configured

      "Hide My Ass" is known to cooperate with the authorities. They inspire zero confidence in anyone who knows their business practices. The catchy name is meant to draw in noobs who might as well use private browsing mode.

    4. Mark 65

      Re: Broken or badly configured

      I read this:

      "Most importantly we find that the small amount of IPv6 traffic leaking outside of the VPN tunnel has the potential to actually expose the whole user browsing history even on IPv4 only websites," they wrote in the paper. Here's the paper's explanation of the IPv6 mess

      and thought "what about if you've configured it at an openwrt router thereby stopping client software leakages"? Am I missing the point?

  3. Tom Chiverton 1

    IPv4 VPN in failing to work with IPv6 shock. This isn't a red top paper.

    1. Anonymous Blowhard

      "IPv4 VPN in failing to work with IPv6 shock. This isn't a red top paper."

      Two things:

      1) This is a test of VPN technology; in 2015 "network" means IPv4 *and* IPv6.

      2) The top banner of The Register is red.

      1. Roland6 Silver badge

        Re: This is a test of VPN technology; in 2015 "network" means IPv4 *and* IPv6.

        Well the paper isn't totally clear (and it should be) about the test environment. It does seem that the test was of VPN over an IPv4 network, but details of the configuration (IPv4 and IPv6) are not obviously given.

        What is not clear (from an initial skim reading) is whether the leakage is happening because of client dual stacks and hence IPv6 traffic is not being routed over the VPN or what. What is clear, from the paper, turning off the client IPv6 stack resolves the leakage problem, however it is noted that not all client OS's permit this.

        I suspect from the article and my experience that this 'leakage' problem may not be wholly attributable to the specific protocol stacks being used, but to the mechanisms that are used to select between protocol stacks and specifically address the fundamental cause of the leakage "No rules are added to redirect IPv6 traffic into the tunnel.".

        A paper now on the "to read" list.

        1. Anonymous Blowhard

          Re: This is a test of VPN technology; in 2015 "network" means IPv4 *and* IPv6.

          @Roland6

          I take your point about the test setup/environment, but the impact for "real world" users is that the VPN software doesn't protect them as much as they might expect. Even if this is just a matter of configuration, I'd expect the default to be to handle IPv6 and IPv4 in as similar a manner as possible, or if that isn't possible I'd want the installer to disable IPv6 by default and warn me it's done that (although that may disable or interfere with functionality in other parts of my system, so not at all ideal).

          IPv6 implementation might be a bit of a dog's dinner, but network security software should be the kind of software that is the most IPv6-ready, otherwise it's only solving half of the problem.

  4. Pascal Monett Silver badge
    Trollface

    So the good news is . . .

    Stick with IPv4 and you're golden, right ?

    1. Big Chief Running Bare

      Re: So the good news is . . .

      Or the first product to plug holes and get a decent v6 solution - winner takes all.

      1. varoufakisthehero

        Re: So the good news is . . .

        Not necessarily. People like crap ... But seriously, AFAIK the CyberGhost VPN has neither the IPv6 nor the DNS vulnerability. But it hasn't been among the products tested. Maybe because it's more popular here in Germany than internationally. However, I guess CyberGhost doesn't support IPv6, so they deactivate it completely. Seems like a lack in features turned out to be a feature ;-)

  5. This post has been deleted by its author

    1. Roland6 Silver badge

      Re: Why did the IPv6 rollout have to be such a mess as to encourage these problems?

      Because interop with IPv4 was never part of the IPv6 design philosophy!

      The idea was to "throw a switch" and hey presto the old IPv4 Internet simply disappeared to be replaced by a fully functional, highly secure IPv6 Internet. This is probably the main reason why there is so little IPv6 support and usage.

      Additionally, whilst IPv6 was often described as being more secure than IPv4, it was largely designed during the early 90's when our understanding of and focus on network security was that much less sophisticated.

      1. Mage Silver badge
        Trollface

        Re: Why did the IPv6 rollout have to be such a mess as to encourage these problems?

        IP6 actually can be secure, but it's too easy to set it up wrong and have less security, control and privacy.

        IP6 design is an academic exercise not suitable for the real world yet.

      2. Sebby

        Re: Why did the IPv6 rollout have to be such a mess as to encourage these problems?

        >>> Because interop with IPv4 was never part of the IPv6 design philosophy! The idea was to "throw a switch" and hey presto the old IPv4 Internet simply disappeared to be replaced by a fully functional, highly secure IPv6 Internet. This is probably the main reason why there is so little IPv6 support and usage.

        No, that was not the idea at all. The IETF made the conscious decision to ultimately choose a non-backward compatible transition plan, it's true, but they did so because they had faith in homo sapiens to deploy IPv6 at the earliest opportunity possible (hint: we are in 1996) with the goal of having it fully deployed by the time it was actually necessary (hint: IANA ran out in 2012) so that, at the time IPv4 was retired, it would not be a problem for the Internet. Homo sapiens proving itself to be more concerned with making lots of money and watching cat pictures, this plan did not bear fruit, and that is why we don't see much IPv6, and are now paying the price for our collective apathy. :(

        1. Anonymous Coward

          @Sebby - Re: Why did the IPv6 rollout have to be such a mess as to encourage these problems?

          Actually because real-life companies (banks as an example) have critical mission systems and other tens of thousands of hosts running just fine on their internal IPv4 networks, they didn't see any reason to risk their business for the sake of the academic work which is IPv6 and just because some nuts want every toaster in this world to be freely addressable from the Internet.

          You don't seem to have much knowledge of what it means to show up in front of the top management people of these institutions and explain to them about that cool IPv6 stuff that someday will take over the internet and then suggest you should mess with those critical systems, some of which have been running just fine for the past three decades. Those academics should better come up with a decent solution to translate (yeah, we can call it NAT) at the border between inside IPv4 and outside IPv6 networks so we can all be friends.

          1. SImon Hobson Bronze badge

            Re: @Sebby - Why did the IPv6 rollout have to be such a mess as to encourage these problems?

            > Actually because real-life companies (banks as an example) have critical mission systems and other tens of thousands of host running just fine on their internal IPv4 networks

            But the point is, they don't have to change their existing internal networks if they don't want to. They can continue using their existing IPv4 allocations, or use RFC1918 addresses.

            But the public facing systems are a different matter - these are all relatively new (how many banks have old online banking portals ?) It's quite possible to upgrade the public facing portals while keeping IPv4 only on internal systems.

            And while we know that many of the internal critical systems are old, IPv6 has been around for something like a couple of decades. It's because people have stuck their head in the sand (or up their backsides) for a couple of decades that we are in the current situation and still talking about methods (carrier grade NAT, where's the barf bucket ?) to try and keep IPv4 going - and often it's the same people putting effort into this that are still dragging their heels and trying to pretend that the rumbling noise they can feel through that shiny bit of metal they are standing on really isn't the IPv6 train coming down the line.

        2. Anonymous Coward

          Re: Why did the IPv6 rollout have to be such a mess as to encourage these problems?

          Very good points there. Another reason why we don't see much of IPv6 is that most ISPs have proven to be less than helpful in deploying it. As a customer you have to consciously search for ISPs who provide proper IPv6 support. Hint: BT isn't one of them.

          The same still applies to a lot of hosting providers, even very big ones. Try IPv6 in AWS, for example. Hint: You can't.

          Why don't they care? Because they grabbed huge IPv4 ranges while they could. More than they would ever really need. No pressure to switch there.

          Hell, even for my bunch of servers, I had no problem getting several /24 ranges, with about 95% of the addresses unused at that time.

          So you can assume that lots of providers are blocking (read: sitting on) IP ranges. They too have no immediate incentive to switch.

  6. Phil O'Sophical Silver badge

    Do the users of these services care?

    I get the impression that for many of the services listed the big draw is that they can be used, cheaply, to bypass geolocation, so folks in the UK can watch US Netflix, or those in the US can get to BBC iPlayer. The "Virtual Network" bit is the important one, not the "Private". Surely most people who need really solid privacy from a VPN tunnel, for work, etc., will be using a commercial product supplied by their company, such as Cisco AnyConnect, and connecting back to secured company servers?

    Do people really trust companies with names like "Hide My Ass" to, well, securely hide their ass?

    1. Ole Juul

      Re: Do the users of these services care?

      I use VPN all the time and sometimes I care a lot, but most of the time it's not so important to be really secure. When I care a lot is when I'm trying to learn how this works and how to be private in the best possible way. That's mostly educational as I don't have life/career threatening issues to protect in this regard.

      Most times it's a matter of obfuscating my IP for the purposes of accessing the free and open internet. I have no interest in media downloads. However, I've come to see just how censored Google search is because they give me results as if I'm located in some specific area. That's censorship. I prefer to get a wide range of results from all over the world. Moving my IP around is an easy way to achieve that.

      That's just plain practical stuff. But as a matter of principle, when I'm using a browser it's nobody's business where I live. It certainly doesn't need to be advertised to Google or other on-line giants. If some person wants to find me, they can take a moment to look me up by my real name and they'll have my address. I welcome human visitors. Robots, not so much.

      1. Irongut

        Re: Do the users of these services care?

        Using several VPNs is an easy way to get round Google's search bubble? Lol. Much easier to use Duck Duck Go.

        1. Mage Silver badge
          Thumb Down

          Re: Do the users of these services care?

          Re: Duck Duck Go.

          Appears to be Bing results. As does Yahoo.

          Bing seems generally inferior to Google's search unfortunately.

          Also DuckDuckGo messes with the links / URLs.

    2. SImon Hobson Bronze badge

      Re: Do the users of these services care?

      I think the point is not that these services can be insecure - as you say, for many people the geo-location thing may be all that they are bothered about. But there will be people using them who are reading the vendors' hype, thinking they are more secure than they actually are, and therefore exposing themselves to "danger"* - perhaps to "danger"* that they wouldn't accept if they knew the truth.

      * Whether that danger is just a matter of remaining anonymous on a blog, through to cases where it could really involve personal physical risk.

      I would hope that people where "danger" actually meant real physical danger would take more care, but as we all know, many people really have no idea about technology, and even less knowledge about how to assess the security of a VPN.

  7. DwarfPants

    Hide My Ass

    If you could hide the rest of me as well it would be great. Surely if it is only hiding my ass the rest of me is some sort of leaking security risk.

    Maybe it should try a different line of business, diet pills, exercise plans, nope just hide my ass. No matter how big!

    1. wolfetone Silver badge

      Re: Hide My Ass

      "Surely if it is only hiding my ass the rest of me is some sort of leaking security risk."

      Or your ass is a biohazard where the rest of you isn't?

      1. James Ashton
        FAIL

        Re: Hide My Ass

        What's the good of hiding your IPv4 ass when it leaves your IPv6 bollocks exposed?

    2. Anonymous Coward

      Re: Hide My Ass

      I'd swap the ass for a bicycle… doesn't need feeding, doesn't make a mess of the stable and importantly doesn't need hiding.

    3. Wilco

      Re: Hide My Ass

      Not clear how concealment of donkeys assists in internet privacy. In any case, surely the worldwide population of internet-connected donkey owners is too small to make this a viable business model

      1. Phil O'Sophical Silver badge

        Re: Hide My Ass

        If you did have an internet-connected donkey you'd probably want to have it hidden, to keep the RSPCA off your back.

        1. Tim Jenkins

          Re: Hide My Ass

          Phase 1: internet-connected donkey

          Phase 2: ?

          Phase 3: Profit

          Once we're past the IPO, the RSPCA will never find my private island...

          1. Anonymous Coward

            Re: Hide My Ass

            (Re-post, because the forum ate my last post. Didn't show up in 'my posts' to allow editing nor did it turn up here.)

            Phase 1: internet-connected donkey

            I'll just leave this here then.

          2. This post has been deleted by its author

  8. Ole Juul

    Configuration

    It's not that easy to think this through and set up your computer to be private. It's not something a common user is likely to do. One should probably turn off IPv6. Set some non logging DNS servers (Not your ISP!) in case the one from the VPN is compromised or fails. Obfuscate your mac address perhaps, but most definitely spoof your OS and browser version as that is probably a clear ID for your computer. All this takes a bit of looking at, and I don't think the VPN provider can be expected to provide everything for their users. But as someone suggested, many people just want to download stuff without easy identification, or geolocation, of their IP address.

    But looking at that chart, I see one company using Google DNS. That's just not good. Google logs all DNS lookups and they can be gotten by any 3 letter agency. Another thing to look at is how much the VPN company itself logs. Personally, I think they should run entirely in RAM and not log anything. They should also not keep a record of your payment details. I chose a company which has all the above specifications and more. However, even after looking at all those things, it still comes down to trust. You never know what they really do.

    1. Anonymous Coward

      3 letter agency

      "Google logs all DNS lookups and they can be gotten by any 3 letter agency"

      Phew, that means I'm safe for the time being because GCHQ is a 4 letter agency, thank goodness for that!

  9. Anonymous Coward

    Many VPN's suck for other reasons

    Either by design creepiness or configuration, why does a VPN tunnel have to totally F**k up all the VMWare networks that might be running on the same systems?

    I have to use one such VPN software package in order to login to the megacorp that pays my wages so that I can enter my timesheet data so that I can be paid. If I have any VM's running for the whole time the VPN is open even the private network connections between the VM's are unusable.

    There is no way to configure the VPN software to NOT grab everything. The VPN Supplier regards this as a security risk. The old software was configurable just to grab the main network connection leaving the others working as expected.

    Funnily enough if I run that same software from inside its own VM all the other VM networking does not get hijacked.

    IMHO, VPN software sucks but we have to use it so we are stuck with it..

    1. Paul Crawford Silver badge

      Re: Many VPN's suck for other reasons

      Probably your best/most secure option is to have the VPN in your router and keep away from the oddity that is VMware's own network stuff.

      1. Anonymous Coward

        Re: Many VPN's suck for other reasons

        good idea but why should it grab even 10.0.0.* and 192.168.0.* networks. These don't route over the internet.

        It is just that the VPN software in general sucks big time.

        1. Anonymous Coward

          Re: Many VPN's suck for other reasons

          good idea but why should it grab even 10.0.0.* and 192.168.0.* networks. These don't route over the internet.

          The megacorp I work for uses 10.x.x.x addressing on the internal network, so when I connect my home PC (on 192.168.x.x) to work via a VPN I get a 10.x.x.x address on the tunnel. VPN software can't make assumptions about what addresses might mean.

          It's pretty logical that my company doesn't want any other systems on my home network to be able to connect to my PC while I'm connected to the company network, so it is configured to block all other non-VPN network traffic. Yes, that will block VMs as well, but why shouldn't it? Those VMs could be connected to other external systems, via other tunnels. Obviously I know how to configure my system so that this isn't the case but corporate security can't have different rules for the plebs and the clever folks.

          Agreed it's a pain, but from a security POV it makes sense.

    2. Mark Solaris

      Re: Many VPN's suck for other reasons

      In a former life I would have my work VPN running on a dedicated machine, and then route to the corporate network IP ranges through it. You could have several VPNs running to access many networks, as well as one for a default route to the Internet. It requires its own device but they are pretty cheap. Doing it on a VM on the same box is asking for interoperability trouble.

      The requirement is the VPN host has to be allowed to talk to local devices... ostensibly to print but in this case for many machines to route over its tunnel.

  10. sthen

    Nothing new here...

    See RFC 7359 [https://tools.ietf.org/html/rfc7359], the first published draft was from October 2012...

    1. Roland6 Silver badge

      Re: Nothing new here...

      An up vote for the relevant RFC URL, but the news is actually that many implementations have yet to implement it... - I also suspect that many may not even be aware of this RFC...

  11. Anonymous Coward

    Hmmm

    My VPN is not on the Reg article list.

    It's not based in a 5-eyes nation.

    It also has a setting to "disable IPv6 while connected".

    No idea if it's secure, but when I tick the disable option I feel better anyway.

    Sécurisé, je ne sais pas!

    1. Anonymous Coward

      Re: Hmmm

      Oh come on, please tell us which one!

    2. JKM

      Re: Hmmm

      What VPN do you have?

      1. Ole Juul

        Re: Hmmm

        I don't know what he's got, but Proxy.sh has those features.

        - disable ipv6 (for obvious reasons)

        - registered in Seychelles (because it requires local lawyer to sue there)

        - no actual office (to make it difficult to attack users with suits)

        - no logging, ever (because with non-disclosure threats you can't have it any other way)

        - warrant canary (whatever ... it may, or may not be useful)

        - and so on

        They had some bad press which I interpret differently than many other people. They seem a bit hokey which I prefer to slick. The really slick companies always leave me wondering if they're really honest or if they just got a good writer. My theory is that if you have pimples, you're real. Anyway, there's my testimony - I don't get any affiliate points or anything for this.

    3. Anonymous Coward

      Re: Hmmm

      Oh sorry, my clue was too cryptic.

      LeVPN

      https://www.le-vpn.com/

      Caveat emptor

  12. Christian Berger

    VPNs are not designed for privacy

    VPNs can be used for lots of things, but privacy is not one of them, particularly not with commercial VPN providers which have to answer to inquiries.

    If you want privacy, there's TOR. It's been designed for privacy and even in the worst case is _much_ better than any VPN solution could be in the best case.

    1. Anonymous Coward

      TOR designed by US DoD

      Nuff said.

    2. Ole Juul

      Re: VPNs are not designed for privacy

      If you want privacy, there's TOR. It's been designed for privacy and even in the worst case is _much_ better than any VPN solution could be in the best case.

      Tor and VPN do different things. To whatever level it is achievable, privacy is gotten by carefully choosing the right tools at the right time.

      I use both Tor and VPN in different ways at different times. Sometimes together or in a different order. These are choices one has to have a long hard think about. Just saying one is more private than the other doesn't even make sense.

  13. PattyCummings4

    I did some research and did some testing myself. I chose to be with IronSocket and it's working great as ever. If you want the best personal VPN service, IronSocket is for you.

    1. Havin_it
      Trollface

      That's interesting, Patty. I notice the vast majority of your comments have involved enthusing about the product you mention here. Are you by any chance a shitbag astroturfer?

  14. Richard 15

    Is there any easy test I can do to find out if the one my company is using is OK?

    1. Anonymous Coward

      Yes

      Download a dodgy copy of the Dallas Buyers Club, then wait.......

      ; )

    2. Anonymous Coward

      Interesting question. I wonder if it's possible for someone to write a 'testmyvpn' website.

  15. emmalopez

    This is not a recent discovery, it has been known for a long time. Disabling IPv6 is the incorrect way to handle it. The problem occurs because of VPN providers not supporting IPv6 Internet access into the VPN. If the host already has IPv6 access, as is increasingly common, traffic to sites like Google, Facebook, Yahoo, Netflix, Akamai, Linkedin will bypass the VPN and go out on the IPv6 access.

    The story here is that VPN providers need to support IPv6 not that IPv6 should be disabled on the host. The VPN should allow IPv6 or IPv4 for the tunnel transport and IPv6 and IPv4 for the encapsulated user traffic. When the VPN is brought up both IPv6 and IPv4 default routes can be pointed into the VPN and the DNS servers should be assigned by the VPN provider.
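Added example, not part of the original thread or of any VPN product: a routing-table check for the condition discussed above, where IPv4 is pointed into the tunnel but no rule redirects IPv6. It assumes Linux `ip route show` / `ip -6 route show` text as input and a tunnel interface named `tun0`; the sample tables and probe addresses are constructed.

```python
import ipaddress

# Probe destinations from documentation ranges; they stand in for "any Internet host".
PROBE_V4 = ipaddress.ip_address("198.51.100.10")
PROBE_V6 = ipaddress.ip_address("2001:db8:ffff::10")
REJECT_TYPES = {"unreachable", "blackhole", "prohibit"}


def parse_routes(text, version):
    """Parse `ip route show` style lines into dicts for one address family."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        rejecting = tok[0] in REJECT_TYPES  # route that drops traffic instead of forwarding
        if rejecting:
            tok = tok[1:]
        if not tok:
            continue
        prefix = tok[0]
        if prefix == "default":
            prefix = "0.0.0.0/0" if version == 4 else "::/0"
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # not a route line we understand
        if net.version != version:
            continue
        dev = tok[tok.index("dev") + 1] if "dev" in tok[:-1] else None
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok[:-1] else 0
        routes.append({"net": net, "dev": dev, "metric": metric, "rejecting": rejecting})
    return routes


def egress(routes, dest):
    """Longest-prefix match; lower metric wins between equal prefixes."""
    matching = [r for r in routes if dest in r["net"]]
    if not matching:
        return None
    return max(matching, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def classify(route_text, version, tunnel_dev):
    """Return 'tunnelled', 'leak', 'blocked' or 'no-route' for one family."""
    probe = PROBE_V4 if version == 4 else PROBE_V6
    route = egress(parse_routes(route_text, version), probe)
    if route is None:
        return "no-route"       # family not routed at all (e.g. IPv6 disabled)
    if route["rejecting"]:
        return "blocked"        # traffic is dropped locally rather than leaked
    return "tunnelled" if route["dev"] == tunnel_dev else "leak"


def audit(v4_text, v6_text, tunnel_dev="tun0"):
    return {"ipv4": classify(v4_text, 4, tunnel_dev),
            "ipv6": classify(v6_text, 6, tunnel_dev)}


# --- Constructed sample tables (not captured from a real host) ---
V4_VPN_UP = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""
V6_NO_REDIRECT = """
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
V6_REDIRECTED = V6_NO_REDIRECT + "2000::/3 dev tun0 metric 1024 pref medium\n"
V6_BLACKHOLED = "blackhole default dev lo metric 1 pref medium\n" + V6_NO_REDIRECT

if __name__ == "__main__":
    for name, v6 in [("no IPv6 redirect", V6_NO_REDIRECT),
                     ("IPv6 routed into tunnel", V6_REDIRECTED),
                     ("IPv6 blackholed", V6_BLACKHOLED),
                     ("IPv6 disabled", "")]:
        print(f"{name:26s} {audit(V4_VPN_UP, v6)}")
```

This inspects routing only; it says nothing about which DNS servers the host is using while the tunnel is up.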

    1. Ole Juul

      "The story here is that VPN providers need to support IPv6 not that IPv6 should be disabled on the host. The VPN should allow IPv6 or IPv4 for the tunnel transport and IPv6 and IPv4 for the encapsulated user traffic. When the VPN is brought up both IPv6 and IPv4 default routes can be pointed into the VPN and the DNS servers should be assigned by the VPN provider."

      You're entirely right. It's just that few ISPs support IPv6 natively and the user needs to look after all that - which is not so easy. In my own case, when I'm doubting my own skills I think it is better to do what I know than what I think I know. Since my first post in this thread I've actually spent some hours reading about IPv6 and how to better implement it here. Like many people, my situation is with an ISP that uses carrier grade NAT, so I had to get a static address from them in order to even get any IPv6 to work in the first place.

      1. Roland6 Silver badge

        Re: "It's just that few ISPs support IPv6 natively"

        From the paper it isn't clear where the information is being leaked to...

        If your client running a dual IPv4/IPv6 stack is behind a pure IPv4 router (ie. the typical 'free' home broadband router and typical public WiFi hotspot), the question has to be just who is able to pick up the IPv6 traffic and where are they tapping into it?

        1. Charles 9

          Re: "It's just that few ISPs support IPv6 natively"

          Probably something like a 6to4 tunnel, which can be autoconfigured by a magic number address to who-knows-where.

  16. CantBeSerious

    Not very accurate...

    While I enjoy being informed of potential security leaks, I don't find this article very accurate as I use Torguard for personal use and I can't mimic the IPv6 leak...

    http://s15.postimg.org/s557wx6nv/torguardnoleak.jpg

    It just makes me question if they missed some setting when testing the other providers...

  17. Anonymous Coward

    AirVPN

    AIRVPN answered its users

    https://airvpn.org/topic/14649-vpn-insecurity-research/?p=29462

    they did not manage to get the paper updated :

    https://airvpn.org/topic/14231-ipv6-leakage-and-dns-hijacking/#entry27633

    1. Roland6 Silver badge

      Re: AirVPN

      Up vote - good reference, especially https://airvpn.org/topic/14231-ipv6-leakage-and-dns-hijacking/ as this clearly explains the exploits in a 'real world' context.

      Be interesting to see if any of the other VPN providers also put up similar (technical) statements about their service and its vulnerability to these exploits.

      Interesting, that commonsense advice for many years has been to disable IPv6 on Windows, unless you are actually using it, so as to avoid network issues...

  18. alanwade

    Here is PureVPN Reply: http://www.purevpn.com/blog/ipv6-leakage-and-dns-hijacking-protection/
