VPN tests reveal privacy-leaking bugs

A virtual private network recommendation site decided to call in the white hats and test three products for bugs, and the news wasn't good. VPNMentor hired Paulos Yibelo, “File Descriptor” (a Cure53 researcher), and one anonymous researcher to put Pure VPN, Zenmate, and Hotspot Shield to the test. The researchers found IP …

  1. Paul Crawford Silver badge

    Whatever VPN service and/or method you are using, do at least some basic testing yourself using sites like ipleak.net

    They also offer a dummy torrent link to allow you to check for that spilling out to your ISP, for those who do that sort of thing, obviously for Linux ISOs, eh?

    1. DropBear

      Frankly, nothing mentioned in the article sounded like anything any superficial, user-conducted test could have possibly revealed.

      1. Anonymous Coward

        You make it sound like people know what 'testing' is. I have watched throughout my career as a programmer that testing now means 'does it do what I intended', the 'other' testing is not touched as standard, so testing it doesn't do 'other' things is something that is rarely performed, especially by small outfits.

      2. Paul Crawford Silver badge

        @ DropBear

        No, it probably won't show up the sort of flaws found here.

        But it is a damn sight better than "installing" some sort of VPN service and assuming it is doing a proper job. So it is a minimum step if you think you need a VPN for any reason.

        Also readers of El Reg probably would set up their firewalls (independently of the VPN provider) to allow normal traffic to only go via tun0, and only traffic to the VPN address(es) to go via eth0, etc. Partly to mitigate simple mistakes, but also to prevent leaks if the VPN is dropped.
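
Added example, not part of the comment thread: one way to express the firewall arrangement described in the comment above (ordinary traffic only via tun0, only VPN-server traffic via eth0) as iptables-restore rules. The UDP port 1194, the 198.51.100.x addresses and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print iptables-restore rules for a VPN "kill switch".
# Constructed values: UDP port 1194 and 198.51.100.x (documentation range).

# is_ipv4 ADDR: accept only a dotted-quad literal. Hostnames are refused,
# because iptables would resolve them over DNS at load time, outside the tunnel.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# killswitch_rules4 PHYS_IF TUN_IF PORT VPN_IP...
# Default-drop policy; everything leaves via the tunnel, except the
# encrypted VPN transport itself, which may leave via the physical NIC.
killswitch_rules4() {
    [ "$#" -ge 4 ] || return 2
    phys=$1; tun=$2; port=$3; shift 3
    for ip in "$@"; do is_ipv4 "$ip" || return 2; done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A OUTPUT -o $tun -j ACCEPT"
    for ip in "$@"; do
        printf '%s\n' "-A OUTPUT -o $phys -d $ip -p udp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# killswitch_rules6: this sketch tunnels IPv4 only, so IPv6 is dropped
# outright (except loopback) rather than left as an unfiltered side path.
killswitch_rules6() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}

# Usage (as root):
#   killswitch_rules4 eth0 tun0 1194 198.51.100.10 | iptables-restore
#   killswitch_rules6 | ip6tables-restore
```

Loading the output with iptables-restore replaces the existing filter table; anything else the host needs on eth0 (local LAN access, for instance) requires its own rule.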

  2. Phil Endecott

    Why are they whitelisting amazonaws.com?

    1. Colin 19

      amazonaws.com worries you, but google-analytics.com doesn't?

      1. big_D Silver badge
        Coat

        But google-analytics.com is 127.0.0.1 in hosts...

        1. Claptrap314 Silver badge

          It's a good thing I don't drink coffee...

    2. Roj Blake Silver badge

      Re: Why are they whitelisting amazonaws.com?

      Because that's where an awful lot of the internet lives.

  3. Anonymous Coward

    "A virtual private network recommendation site"

    Is that like a Price Comparison site which is paid commission from sales of the products it is supposed to be comparing?

  4. Harry Stottle

    Excellent VPN testing advice

    strongly recommend this site for those wishing to test their own VPNs...

    My personal preference is for the open source PIA which doesn't get a mention in that previous link. I'll be testing it pronto...

    1. Anonymous Coward

      Re: Excellent VPN testing advice

      I've tools and instrumentation to test here (I collect them like lint) and Private Internet Access works a treat. Of course, you *do* need to set the proper options for it. I also stack that with various other things in browser, OS, and hardware so that I've several layers of outright lies should the VPN be breached. Tinfoil hat much? Yes. Although here the VPN is used to separate my traffic from the rest of the boarding home. Not to protect me. As I've said a few times before, it's to protect everyone else from whatever I might do causing blowback.

    2. ds6 Silver badge

      Re: Excellent VPN testing advice

      I recommend using this excellent list to make a choice on what VPN to use.

      I eventually settled on BolehVPN and Mullvad, each for different purposes. Mullvad is my daily driver and I couldn't be more happy. Highly recommended, and cost efficient.

      Do research on your VPN! That site is only the first step. Remember, you're trusting these people with your Internet traffic.

      Probably still better than your ISP.

  5. MNB

    whitelist

    Genuine question... why does VPN software need a whitelist that includes anything that's not an RFC1918 private address? Surely if amazonaws.com can determine your real IP address everyone can, or have I misunderstood what the VPN software is using the whitelist for?

    1. ds6 Silver badge

      Re: whitelist

      So the connection is faster and users are happier? "Hey this client is faster than that client!"

      Or so that you can log in to your Google services without being prompted for security questions or OTA codes? "Wow, it doesn't keep asking me to check my email for a code when I use this client!"

      I'm sure whoever put it in felt it was worth doing for one reason or another, but that doesn't mean it was a smart choice.
