Most Internet anonymity software leaks users' details
Published 30 June 2015
Virtual Private Networks (VPNs) are legal and increasingly popular for individuals wanting to circumvent censorship, avoid mass surveillance, or access geographically limited services like Netflix and BBC iPlayer. The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as “IPv6 leakage.”
Virtual Private Networks (VPNs) are legal and increasingly popular for individuals wanting to circumvent censorship, avoid mass surveillance, or access geographically limited services like Netflix and BBC iPlayer. According to a Global Web Index report from October 2014, around 20 percent of European Internet users use VPNs to encrypt users’ Internet communications, making it more difficult for people to monitor their activities.
The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as “IPv6 leakage.” The leaked information ranged from the Web sites a user is accessing to the actual content of user communications, for example comments being posted on forums. Interactions with Web sites running HTTPS encryption, which includes financial transactions, were not leaked.
QMUL reports that the leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. IPv6 replaces the previous IPv4, but many VPNs only protect user’s IPv4 traffic. The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a WiFi access point which was designed to mimic the attacks hackers might use.
Researchers attempted two of the kinds of attacks that might be used to gather user data – “passive monitoring,” simply collecting the unencrypted information that passed through the access point; and DNS hijacking, redirecting browsers to a controlled Web server by pretending to be commonly visited Web sites like Google and Facebook.
The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple’s iOS, but were still vulnerable to leakage when using Google’s Android.
Dr. Gareth Tyson, a lecturer from Queen Mary, University of London (QMUL) and co-author of the study, said:
“There are a variety of reasons why someone might want to hide their identity online and it’s worrying that they might be vulnerable despite using a service that is specifically designed to protect them.
“We’re most concerned for those people trying to protect their browsing from oppressive regimes. They could be emboldened by their supposed anonymity while actually revealing all their data and online activity and exposing themselves to possible repercussions.”
— Read more in V. Perta et al., “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients,” (a paper to be presented at the Privacy Enhancing Technologies [PET] Symposium, Philadelphia, Pennsylvania, 30 June 2015)
No comments:
Post a Comment