Headline says "all" but it seems to actually require specific features that some providers offer.
VPN users menaced by port forwarding blunder
Virtual Private Network (VPN) protocols have a design flaw that can be potentially exploited by snoops to identify some users' real IP addresses. VPN provider Perfect Privacy, which discovered the security weakness, has dubbed it "port fail", and says it affects VPNs based on the IPSec (Internet Protocol security) or PPTP ( …
COMMENTS
-
Monday 30th November 2015 08:35 GMT Ole Juul
Who would use this attack?
"If the attacker has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control," the researchers say.
I suppose this attack would be useful for copyright companies who are just interested in catching whatever they can. It seems to me that an attacker trying to target a single specific person would not find this too useful unless they also knew what commercial VPN their target was using. In any case I sidestep the matter entirely by being the only user with access to my own VPN. That has other disadvantages security-wise, but in this case it's a win.
-
Monday 30th November 2015 08:51 GMT Ole Juul
According to Wikipedia OpenVPN works on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows 2000/XP/Vista/7/8. I use it on FreeBSD and Linux. There's not much to running either the client or server - just a very small config file. If you don't want to bother running your own server, or want the added anonymity of being part of a large group, or the luxury of choosing among servers in many different countries, then get a commercial VPN. Most of them support OpenVPN as well as others. Check out the TorrentFreak annual list, but most important, read up very carefully so you understand both what you need and what you get.
-
Monday 30th November 2015 08:52 GMT Anonymous Coward
Which VPN?
@ James 51
In answer to your question, I've tried most of the VPN offerings over the past two years since Snowden. I narrowed it down to using Private Tunnel and PureVPN. The one that fits the bill for you in terms of covering Linux, Windows, Android and Blackberry is PureVPN.
I don't know where they stand in relation to this potential vulnerability, I think it may be based on the OpenVPN client but I'm not 100% sure, but as a well established, multi-platform and good quality VPN provider you could choose a lot worse than PureVPN. If you have the need, it also allows you to choose various VPN protocols as well as the ability to even attach a VPN session to a specific application or browser which is a bonus for those that need it.
-
Monday 30th November 2015 10:14 GMT davemcwish
Re: Which VPN?
I did look at others including Private Tunnel before I made my choice (vpn.ac). I decided against Private Tunnel (and others) given they are more easily subject to US oversight. I'm not sure what is really the one that provides the most anonymity as they are probably mostly as good/bad as each other. IMHO true anonymity would be not to use the internet at all but failing that, the advice in the ISIS/ISIL/Daesh OPSEC guide is a start.
-
Monday 30th November 2015 09:28 GMT Paul Crawford
Firewall rules
I don't know if it was specifically intended for this port-forward risk, or just the more general issue of a VPN being dropped due to other software bugs or MITM attempts, but the UK Gov security advice on system deployment has a section on setting the firewall to only allow the VPN range of access. For example, see section 8.7 of this:
https://www.gov.uk/government/publications/end-user-devices-security-guidance-ubuntu-1404-lts/end-user-devices-guidance-ubuntu-1404-lts
-
Monday 30th November 2015 15:17 GMT Danny 14
Sure, why not? It depends on WHAT you are using a VPN for and what you intend getting out of it. Sure, the crypto is weak and can be broken very easily, but for the sake of hiding your IP address a VPN is as good a link from you to your provider as another.
PPTP is easily cracked but you still need to actually crack it. Unless you have a PC on the same hotspot as the device then how do you plan on getting a PCAP file? Record the internet?
Whilst PPTP is pretty crap it still has niche applications. If you MUST use PPTP for whatever reason, it might be possible to script a cyclical password changer on VPN disconnect possibly based on an algorithm that you know. Obviously desync issues if you lose track of...... (enough now, use SSTP :) )
-
Sunday 27th December 2015 15:37 GMT David Moore
Re: sshuttle for the win!
"Why install something else?" is explained quite well here - see the 'theory of operation' section. https://github.com/apenwarr/sshuttle
The general gist is that forwarding TCP packets over a TCP session isn't a good idea. Packet loss is needed in order to help define the speed of the connection... in that sort of setup the forwarded session will never experience packet loss - the external 'wrapper' connection will deal with any, making the forwarded connection appear perfect. *this is bad* ;-)
sshuttle does some clever multiplexing over ssh then disassembles it on the other end, meaning you never do TCP-over-TCP... which is good.
-
Monday 30th November 2015 18:23 GMT DropBear
Tried to read the linked explanation and there's a problem because if I did understand it correctly then this is massively brain-dead design. It seems to say that the VPN protects / hides you the user most of the time unless another user asks it to run a port-forwarded server for him - in which case the whole thing flips over and it protects him from you, coincidentally serving your true IP to him. Why on earth should it work that way?!? Why would it do either A <-> X(proxy for A) <-> B or A <-> X(port forward for B) <-> B, considering what it should really do is A <-> X(proxy for A) <-> X(port forward for B) <-> B ?!? Your traffic as a client should never go to / emerge from anywhere other than their end of your tunnel, and it should never seem to originate from anywhere else. Doesn't seem that complicated, really. As a non-VPN-specialist this doesn't make much sense to me, where am I going wrong? Headache -->
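Added illustration (not part of the original thread, and not Perfect Privacy's or any provider's code): a minimal Python model of the routing behaviour questioned in the comment above. It assumes the usual full-tunnel client setup, where a host route keeps the VPN server's own address on the physical interface, and shows two server-side mitigations: a separate exit address for port forwards, and a per-client check on forwarded ports. All addresses, account names and function names are constructed for the example.

```python
import ipaddress

# All addresses are constructed (RFC 5737 documentation ranges).
VPN_SERVER = "198.51.100.10"   # VPN entry address the client connects to
REAL_IP = "203.0.113.7"        # client's ISP-assigned address
TUNNEL_IP = "10.8.0.6"         # client's address inside the tunnel

# Client routing table while connected: everything goes into the tunnel,
# except a host route that keeps the encrypted transport itself reachable
# over the physical interface.
CLIENT_ROUTES = [
    ("0.0.0.0/0", "tun0", TUNNEL_IP),
    (VPN_SERVER + "/32", "eth0", REAL_IP),
]

def select_route(dst, routes=CLIENT_ROUTES):
    """Longest-prefix match; returns (interface, source address)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), iface, src)
               for net, iface, src in routes
               if addr in ipaddress.ip_network(net)]
    _, iface, src = max(matches, key=lambda m: m[0].prefixlen)
    return iface, src

def source_seen_by_peer(dst, exit_ip):
    """Source address the far end sees for a client connection to dst."""
    iface, src = select_route(dst)
    # Tunnelled traffic is NATed to the server's exit address; traffic
    # leaving on the physical interface keeps the client's real address.
    return exit_ip if iface == "tun0" else src

def server_accepts(src_ip, dst_port, forwards, sessions):
    """Server-side check: a connected client's real IP may only reach a
    forwarded port that belongs to that client's own account."""
    owner = forwards.get(dst_port)      # port -> account owning the forward
    client = sessions.get(src_ip)       # real IP -> connected account
    if owner is None:
        return False                    # no such forward configured
    if client is not None and client != owner:
        return False                    # another user's forward: drop
    return True
```

In this model the leak exists only when the port forward lives on the same address as the entry route; moving forwards to a separate exit address sends the request back through the tunnel, which is the A <-> X <-> X <-> B path the comment expects.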
-
Monday 30th November 2015 21:03 GMT Crazy Operations Guy
The risk with shared systems
This is the problem with shared systems, they are only as secure as the other people using it. Of course the solution here would be to build out a massive number of tiny VPN servers and only allow a dozen sessions or so through it rather than very large boxes with thousands of sessions. A tuned Linux kernel, a couple libraries, and a VPN daemon would fit in a tiny amount of resources (a single core box with 128 MB of RAM and 8 GB of storage would be more than enough).
-
Tuesday 1st December 2015 12:50 GMT Aristotles slow and dimwitted horse
Re VPN
I trialled the AirVPN service (3 days free trial if you email them asking for it).
I DDWRT'ed my WDR4300 router as I wanted all devices sat behind the router encrypted as part of my tests - and the DDWRT firmware has the various VPN clients inbuilt. The problem I found is that routers for home use generally don't have the CPU grunt to chew through the AES256 encryption cipher quickly enough, hence the overall speed via VPN seems limited by the router (i.e. 1/5th of the non VPN throughput).
If anyone can recommend a SOHO or lower cost small business device that could replace it then I would appreciate it. I was initially looking at a Zyxel USG or Zywall device or similar...
-
Tuesday 1st December 2015 17:46 GMT Down not across
Re: Re VPN
If anyone can recommend a SOHO or lower cost small business device that could replace it then I would appreciate it. I was initially looking at a Zyxel USG or Zywall device or similar...
Asus AC-RT87U has dual-core (1GHz) CPU so should have a bit more grunt than some of the cheaper SOHO routers, and AsusWRT-Merlin is quite good and is an improvement on the stock AsusWRT.
Alternatively ebay is full of cheap more business class devices (for example Cisco 1801 which has built-in ADSL2 modem). Only 100Mbit/s ethernet so would be a bottleneck on faster VM cable connections. Advanced IP Services supports hardware-based IPSec encryption (including AES iirc).
Just to mention a couple of options. I'm sure other commentards will offer some good solutions.
-
Tuesday 1st December 2015 21:40 GMT IPVanish VPN
IPVanish VPN
While the announcement of the Port Fail vulnerability has left some VPN services vulnerable, IPVanish and its users are not affected. IPVanish has, is, and will always be dedicated to our members' security and privacy. We have employed protective measures, including those suggested in the article, to mitigate the “Port Fail” vulnerability. Our NAT protection is free of charge for all subscribers, and requires no additional setup.
We applaud Perfect Privacy for responsibly disclosing this vulnerability to providers prior to the publication of the vulnerability, and thank them for protecting user privacy and security with us.
-
Friday 2nd December 2016 12:08 GMT AdrianH
As long as I don't see a credible reference to an actual study, I don't think I'm going to give in to such claims. Subscribing to a VPN was THE best thing that could have happened to me, especially after surviving some really nasty hack attacks. Now, I can do whatever I want online safely and anonymously, and without any fear.
The risks highlighted by Perfect Privacy could be limited to some specific brands of VPN and could be, in all probability, linked to certain features offered by the VPN. I've personally tried almost every free VPN out there and didn't feel safe. Now I'm using a Singapore-based Ivacy VPN which gives the same range of features as industry leaders but at a highly competitive price of $36 (1-year). Oh, it was love at first byte! :)