SMiThaYe

[TheRegister] VPNs are so insecure you might as well wear a KICK ME sign

3 posts in this topic


May as well mention this here, as a lot of people I know use a VPN and mine is on my 1+1 over Wi-Fi for general news catch-up and never anything personal. Uses of a VPN include avoiding government spying (and search engine logging), getting around restrictions, or maybe your ISP only offers a static IP instead of dynamic, meaning tracking is a lot easier, etc. Other uses for a VPN include not just BitTorrent but porn... they generally go hand in hand (sorry!)


All but provider Astrill were open to IPv6 DNS hijacking attacks, and only four did not leak IPv6 data. None were resistant to both threats. Here's how the authors summarise the situation:

"Whereas our work initially started as a general exploration, we soon discovered that a serious vulnerability, IPv6 traffic leakage, is pervasive across nearly all VPN services. In many cases, we measured the entirety of a client's IPv6 traffic being leaked over the native interface. A further security screening revealed two DNS hijacking attacks that allow us to gain access to all of a victim's traffic."


What this doesn't mention is that if your VPN software offers DNS leak protection or IPv6 protection, use it to protect your information. As for the type and level of encryption to use, the article states correctly that PPTP (Point-to-Point Tunneling Protocol) is a very weak 128-bit encryption that is easily attacked via brute-force methods, and one of the key targets for governments to crack, which is why it's no longer safe to use since being undermined in this way. It is listed as being easily cracked by the NSA and should not be used despite being very easy to use and set up; only use it as a last resort rather than nothing at all. For mobile devices use L2TP if other methods are troublesome.

For cipher and encryption strength I would choose by default (for this I mean general email, browsing, streaming) to use AES-256, as this is the standard for many government departments without issues while still being relatively fast. When I say cipher, this refers to, say, SHA/AES/Blowfish/RSA/ECC; encryption strength is the strength of the algorithm or the key, i.e. how hard it is to crack. You pick whatever fits the purpose but not so OTT that it slows your workload without good reason; speed also relies on having a fast connection to start with and decent hardware on said device and firmware (hardware and software).

Do note that although for common folks you'll already have malware and antivirus protection separately, a VPN may allow viruses to temporarily bypass real-time protection, but once one resides within memory at the next stage it is dealt with as normal and quarantined. That's enough talk of viruses and malware, otherwise we'll be here all day.

Ciphers certified by NIST in the US are to be questioned too if you've been following security news over the years: they created backdoors, which in itself weakens ciphers and also allows other governments to intercept communications, and the result ends up with servers being hacked unless patched. Next you want to use RSA-2048 as standard for the encryption key, as again it has been known for years that 1024-bit was cracked by governments. Feel free to use RSA-4096, though it's generally unnecessary.

Source #1 (the post is based on this): http://www.theregister.co.uk/2015/06/30/worlds_best_vpns_fall_flat_in_security_tests/
Source #2 (PDF, includes more references to read up on): http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

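The two leak classes the quoted paper describes (IPv6 traffic going out over the native interface, and resolvers that sit outside the tunnel) and the cipher/key-strength points in the post above can all be checked mechanically against a client profile. The script below is an added example written for this page, not code from the post, The Register or the PETS paper. It audits an OpenVPN client profile for weak data-channel settings and for missing IPv6/DNS guards, then parses an `ip -6 route` dump and a resolv.conf for the actual leak conditions on a running host. The two profiles, the route dump and the resolver list are constructed samples; the directives used (`block-ipv6`, `block-outside-dns`, `redirect-gateway ... ipv6`, `tls-version-min`) are real OpenVPN client options (block-ipv6 needs 2.5+, the rest 2.4+; block-outside-dns is Windows only).

```python
"""Audit an OpenVPN client profile, an `ip -6 route` dump and a resolv.conf for the
leak classes in the PETS 2015 VPN study: IPv6 traffic bypassing the tunnel and DNS
resolvers outside it. Added example; every sample input below is constructed."""
import ipaddress
import re

# Data-channel ciphers / HMACs that should not appear in a current profile
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "cast5-cbc"}
WEAK_AUTH = {"none", "md5"}


def parse_ovpn(text):
    """Return {directive: [arg-list, ...]}; comments and <ca>..</ca> style blocks are skipped."""
    cfg, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = line.split()
            cfg.setdefault(parts[0], []).append(parts[1:])
    return cfg


def audit_config(text):
    """Finding tags for a client profile; an empty list means nothing was flagged."""
    cfg = parse_ovpn(text)

    def first(key, default):   # first argument of a directive, or OpenVPN's own default
        return cfg[key][0][0] if cfg.get(key) and cfg[key][0] else default

    findings = []
    cipher = first("cipher", "bf-cbc").lower()   # legacy default cipher is BF-CBC (64-bit block)
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak-cipher:{cipher}")
    auth = first("auth", "sha1").lower()
    if auth in WEAK_AUTH:
        findings.append(f"weak-auth:{auth}")
    tls_min = first("tls-version-min", "1.0")
    if float(tls_min) < 1.2:
        findings.append(f"tls-version-min:{tls_min}")
    # v6 is only safe if routed into the tunnel or sinkholed; otherwise the kernel keeps the
    # native interface's v6 default route and that traffic never touches the VPN at all
    if not ("block-ipv6" in cfg or "route-ipv6" in cfg
            or any("ipv6" in args for args in cfg.get("redirect-gateway", []))):
        findings.append("ipv6-unhandled")
    if "block-outside-dns" not in cfg:           # Windows: ignore the native adapter's resolvers
        findings.append("dns-not-pinned-to-tunnel")
    return findings


def ipv6_leaks(route_dump, tun_iface):
    """Interfaces other than the tunnel that carry an IPv6 default route."""
    devs = []
    for line in route_dump.splitlines():
        m = re.match(r"(?:default|::/0)\s+.*?\bdev\s+(\S+)", line.strip())
        if m and m.group(1) != tun_iface:
            devs.append(m.group(1))
    return devs


def resolvers_outside(resolv_conf, tunnel_nets):
    """Nameservers in resolv.conf that are not inside the VPN-assigned networks."""
    nets = [ipaddress.ip_network(n) for n in tunnel_nets]
    outside = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            if not any(ipaddress.ip_address(parts[1]) in net for net in nets):
                outside.append(parts[1])
    return outside


# Constructed profiles: a 2015-era provider-style default and its hardened form
LEAKY_PROFILE = """\
client
dev tun
cipher BF-CBC
auth SHA1
<ca>
placeholder, not a real certificate
</ca>
"""
HARDENED_PROFILE = """\
client
dev tun
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
# route v4 and v6 defaults into the tunnel; block-ipv6 rejects v6 there if the server has none
redirect-gateway def1 ipv6
block-ipv6
# Windows only: stop the native adapter's DNS servers being queried
block-outside-dns
"""
# Constructed `ip -6 route` output from a host whose VPN only rewrote the IPv4 table
ROUTES_LEAKING = "2001:db8:1::/64 dev eth0 proto ra metric 100\ndefault via fe80::1 dev eth0 proto ra metric 100\n"
RESOLV_LEAKING = "nameserver 10.8.0.1\nnameserver 2001:db8:1::1\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    print("leaky profile   :", audit_config(LEAKY_PROFILE))
    print("hardened profile:", audit_config(HARDENED_PROFILE))
    print("v6 default route via:", ipv6_leaks(ROUTES_LEAKING, "tun0"))
    print("resolvers outside tunnel:", resolvers_outside(RESOLV_LEAKING, ["10.8.0.0/24"]))
```

On a real host, feed `ipv6_leaks` the output of `ip -6 route` and `resolvers_outside` the contents of `/etc/resolv.conf` plus the tunnel subnet the server pushed; a non-empty result from either is exactly the condition the paper measured, regardless of what the provider's app claims. The profile audit only sees what is in the client file, so a server that pushes `route-ipv6` or DNS options at connect time can still be fine even when the static check flags `ipv6-unhandled`, which is why the runtime checks are there too.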

I'm not using a VPN on my phone, but I sometimes do on the tablet to speed up slow connections for streaming services.

Are you satisfied with the VPN I suggested? My account will soon expire; thinking of testing a new one.


The 1+1 is great for easily setting up a VPN; once I got to that option on my first day with it I kept it running. Our 'VPN' offers what we need, with plenty of bandwidth and security at a competitive price point.

You have to watch out for the free alternatives out there, as they use your connection to allow e.g. the US or China to access content in Europe, meaning they could be up to anything and therefore aren't offering any protection, as this defeats the point of a VPN. These free options also have premium services that use the same principle, and this was in the news. This was a first for a paid VPN to use other customers' connections, adding insult to injury. We knew about free VPN services being exploited this way for ages, in the same way as noobs that don't secure their Wi-Fi with WPA2, don't change passwords, or worse still use a router that is known to have backdoors. Best to buy one you can flash with an open firmware and update regularly. Manufacturer support for routers in general is rubbish and quality leaves a lot to be desired, with regular interruptions and dropouts (your ISP can confirm this, or any service maintenance, to check against router stats); buy a new one if you haven't in the past 2 years. Check for known security issues on said router, check the last official firmware release as a backup, then check the open source firmware DB as I've already linked. Sometimes unofficial firmware may offer better security at the expense of a more unstable line on a good router, despite the best efforts of the community; can't win them all. Open firmware is great when your router only got 1 or 2 official updates.

Meanwhile, our VPN is customisable on whatever device you need to use it on, either manually via the device's built-in VPN credentials, like my iPad that runs an old iOS, meaning video/audio buffering is not great at all without the VPN. I also run the simple app by default at startup, since I never do anything important on the 1+1, and share the account with my gf without issues. I find it's worth having two locations to pick from, as even London seems slow at random times of the day, so I pick Southampton, but I would have liked one more because the UK is very data intensive (about a third of the US iirc). It's also worth having a VPN when my gf wants to watch the odd bit of US content that is usually blocked, just like iPlayer is blocked for UK citizens while away. Sometimes I just screw around with sites and use random EU countries on the VPN while bouncing through alternative proxies, just to feel the effect of being back on slow-ass ADSL ;) If I was trying to be smart I'd be on Tor and use Linux; hell, you could even run Kali on a Pi and all data would only be stored temporarily in RAM (if you wanted to test that out), but luckily we needn't be that paranoid... yet!

TL;DR answer: Yes, and read the warning in paragraph 2 about the ones with free options too. I may have rambled typing this out fast because I just got up about 15 minutes ago to take a friend to the airport and my body is telling me to go back to bed :(
