UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers
jan_jes writes: According to researchers at Queen Mary University of London, services used by hundreds of thousands of people in the UK to protect their identity on the web are vulnerable to leaks. The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android. Similarly Russian researchers have exposed the breakthrough U.S. spying program few months back. The VPNs they tested certainly aren't confined to the UK; thanks to an anonymous submitter, here's the list of services tested: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.
14 tested, 11 leaked... (Score:5, Interesting)
Re:14 tested, 11 leaked... (Score:4, Funny)
Re: (Score:3)
TFA doesn't actually say which ones were not vulnerable. However, Mullvad has features to protect against IPv6 and DNS leaks, so it looks like they are aware of this problem and fixed it a while back.
Re: (Score:1)
Apple gladly spread your nudes? I don't remember any time that Apple did that... Only people who had valid passwords to accounts spread nudes.
Similarly? (Score:1)
"Similarly Russian researchers have exposed the breakthrough U.S. spying program few months back."
What? How is this "similar"? The topic is that most VPN providers aren't encrypting IPv6 for some reason. What does that have to do with the US spying program?
"IPv6 Leakage"??? Give me a break. (Score:5, Insightful)
No.... That has nothing to do with IPv6, it has to do with what those VPNs support. What that statistic really means is that 11 out of fourteen VPN providers don't really support IPv6 in the first place.
Re: (Score:2)
mod up. That statement, along with the following one, made no sense to me.
The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6.
I wasn't aware that IPv6 was fundamentally flawed. This sounds more like bad network design or something.
Re:"IPv6 Leakage"??? Give me a break. (Score:5, Informative)
Exactly this.
The problem occurs when you have an IPv4 VPN tunnel, and IPv6 native connectivity. The IPv6 connectivity will be preferred over the IPv4 tunnel, and you will connect natively.
The fix? There are two:
1) Add IPv6 support to the VPN, and default route traffic over that.
2) Drop the IPv6 connection while connected to the VPN.
The first solution is obviously best.
Re: (Score:3)
If this is the model that any VPN service uses, it's really stupid, for 2 reasons:
In IPv6, there would be 3 ways to natively support a VPN:
Re: (Score:3)
No.... That has nothing to do with IPv6, it has to do with what those VPNs support. What that statistic really means is that 11 out of fourteen VPN providers don't really support IPv6 in the first place.
Well if IPv6 packets can pass at all, clearly they support IPv6.
The problem is that they likely are accidentally supporting it with no knowledge about doing so.
Would you put your Windows box on the IPv4 Internet with no firewall whatsoever?
I don't mean having a firewall and accidentally misconfiguring it, I mean having a firewall and not adding a single rule.
Well, that's exactly what these VPN providers did for the IPv6 protocol. They have zero IPv6 firewall rules.
So while inbound IPv4 packets are filte
Re: (Score:3)
For example in the Linux iptables packet filter, you can disable the IPv6 protocol completely with a single command:
iptables -I INPUT -p 41 -j DROP
No, that will drop just one of many ways of tunnelling IPv6 over IPv4. To drop or manipulate IPv6 packets, you need to use ip6tables instead.
And you really shouldn't be using DROP here, as it will delay every connection until timeout expires. You want REJECT instead.
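The leak condition and the two fixes discussed in the comments above (an IPv4-only tunnel beside native IPv6, and the ip6tables/REJECT correction), as an added example that is not part of any comment in the thread. The interface names `tun0` and `wlan0`, the function names and the routing tables are all constructed for illustration, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example. All routing tables below are constructed, not captured output.

# Constructed `ip -4 route show`: the IPv4 default route points into the tunnel.
SAMPLE_V4='default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

# Constructed `ip -6 route show`: native IPv6 default still on the physical link.
SAMPLE_V6_LEAK='2001:db8:1:2::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium'

# Constructed `ip -6 route show`: fix 1, IPv6 default routed over the tunnel.
SAMPLE_V6_TUNNELED='fd00:8::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default dev tun0 metric 1024 pref medium'

# default_devs ROUTES: print the output device of each default route.
default_devs() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1)
    }'
}

# v6_leak_status V4_ROUTES V6_ROUTES TUN_IF
# Prints "no-vpn" (IPv4 default is not in the tunnel), "leak:<dev>" (an IPv6
# default route leaves via a non-tunnel device), or "ok".
v6_leak_status() {
    default_devs "$1" | grep -qxF "$3" || { echo "no-vpn"; return 0; }
    for dev in $(default_devs "$2"); do
        [ "$dev" = "$3" ] || { echo "leak:$dev"; return 0; }
    done
    echo "ok"
}

# v6_block_rules TUN_IF: print (do not apply) ip6tables rules for fix 2.
# REJECT makes blocked connections fail at once instead of waiting for a
# timeout. Assumes the VPN server itself is reached over IPv4.
v6_block_rules() {
    echo "ip6tables -A OUTPUT -o lo -j ACCEPT"
    echo "ip6tables -A OUTPUT -o $1 -j ACCEPT"
    echo "ip6tables -A OUTPUT -j REJECT --reject-with icmp6-adm-prohibited"
}

# Demo on the constructed tables; on a live host pass "$(ip -4 route show)"
# and "$(ip -6 route show)" instead.
status=$(v6_leak_status "$SAMPLE_V4" "$SAMPLE_V6_LEAK" tun0)
echo "status: $status"
case $status in
    leak:*) v6_block_rules tun0 ;;
esac
```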
Re: (Score:3)
It looks like the issue here is that since IPv6 addresses are freely assigned to any node in a network devoid of DHCPv6, nodes that shouldn't belong in that network get IP addresses, and thereby access to all traffic within the network. In IPv4, if DHCPv4 weren't there, a node has to be manually configured, or else, it doesn't get an address. In IPv6, if DHCPv6 ain't there, a node still gets an address courtesy the combination of SLAAC, ND and DAD.
The solution to this would be to mandate DHCPv6,
Comment removed (Score:5, Interesting)
Re:ipv6 incompetence is nothing new. (Score:5, Insightful)
I can see a few ways information could leak in a dual stack situation involving a VPN that would not happen if everything was IPv4 only
1: The user's local connectivity is dual stack (or v6 only) but the VPN is IPv4 only. The result is IPv4 goes via the VPN but IPv6 doesn't. The user thinks the VPN is hiding the origin of their traffic but it isn't hiding the origin of all of it. With a bit of extra work it may also be possible for a website or an attacker in the network to tie the direct v6 address(es) to the VPN v4 address.
2: IPv6 traffic does go via the VPN but addresses are generated in such a way that the user's MAC address is revealed (for example the user has a network behind the VPN and that network uses MAC based IP autoconfiguration). This MAC address can later be tied
3: The machine has an IPv6 address from the local ISP. Even if routing tables or firewall configurations are such that this address won't be used for making connections an application could still mistakenly send it as part of a payload. The same could in principle happen with IPv4 but it's much less likely due to pervasive use of NAT.
Re:ipv6 incompetence is nothing new. (Score:5, Insightful)
Well, then the real thing here is that despite everybody claiming IPv6 is awesome and super, there's crappy and inconsistent support for it.
So why should any small company or individual be doing anything about IPv6 when the big players aren't, and most of the existing products are apparently doing a terrible job of it?
IPv6 has been coming "Real Soon Now" for what feels like an eternity. People aren't going to spend money to change when they still need to figure out how to work with the legacy stuff.
You describe both the epic failure of IPv6 to gain widespread adoption, and the reasons why people are staying the hell away from it.
Re: (Score:3)
The other thing that I have found is that without exception those who I have met who are pushing IPv6 remind me
Re: (Score:2)
People don't want to use IPv6 because it's stupidly complex and hard to secure. There is too much broadcasting/announcing/autorouting/and other bullshit in IPv6. The address format sucks and is something only a Lisp design committee could love (wait, did I put 7 or 8 empty colons there?! Ah, dammit).
This sounds like you don't know what you are talking about. To start with, in IPv6 there is no broadcasting at all. Anywhere broadcast was used (e.g. ARP) this has been replaced with multicast. Announcing and autorouting? Not sure what you mean by this, but if it's the router advertisements when using SLAAC then how is this different from IPv4 and DHCP? FYI this doesn't have to be turned on. From a pure routing point of view (I work for ISPs) it works no differently from IPv4. Address length aside of course.
A
Re: (Score:1)
It's nothing to do with routers being powerful; it's just straightforward mathematics, and is the WHOLE POINT of the new protocol version. IPv4 specifies exactly 32-bits of addresses. That means there are only about 4 billion possible addresses. Any system that has MORE addresses is incompatible. Since adding even four extra addresses would be incompatible, you might as well add a LOT more, and IPv6 does that.
Every person who thinks man, if only they had designed IPv6 they'd have made it compatible is a MORON. They're basically saying "Well, mathematicians might think there are only 2^32 different possible values in 32-bits, but I know better".
Every person who says well, IPv4 should have been made extensible to allow for more addresses is exactly as useful as the people who say well, now I know how that horse race turned out I would have bet differently. Wow, you can see the future, once it's the past. Brilliant.
And this idiocy has been rife, not just among laymen (who can't be blamed for not knowing anything about mathematics or history) or on tech fan sites like Slashdot, it's even found among people running ISPs. Blithering idiots are running the average ISP, still not really sure what the difference is between VPN and Vhosts, and hoping that nobody will notice they just once again bought a bunch of cheap IPv4-only crap that means when they're obliged to transition they'll either go bankrupt or squeeze their customers for yet more money to pay for their screw-up.
This is a lot of rage. I'm clearly pro-IPv6. I'm aware of the limitations in address space in IPv4. I'm aware that IPv6 adds 96 more bits, and makes the space ridiculously large. My point was merely an observation on why the uptake has been slow. The ISP I work for is in the habit of making any new purchase or deploying anything new IPv6 capable. I think a lot of operators with clue are doing the same.
I don't think that you can disagree with my point though? If IPv4 and IPv6 were able to interop, then uptake wou
Re: (Score:2)
But they can inter-operate. There are so many transport mechanisms for them - Dual Stack, Dual Stack-Lite, Teredo, CGNAT, et al.
Compatibility is an irrelevant term here: the correct concept would be 'inter-operable'. It's like the comparison b/w a freeway and a surface street. I could get from Santa Clara to San Mateo via El Camino Real, or I could get there via the I-280. It would be stupid to suggest that I-280 should have been built right next to El Camino Real so that people would use the former i
Re: (Score:2, Interesting)
If address space were an important factor, they would have taken away large blocks to organizations that don't need them.
I know a university with a class B block and they have maybe 100 servers that need to have publicly routable IP addresses but they have an entire class B block. If you connect to the wifi on campus you get a public facing IP address! All the computers in every lab on campus have a public IP address. Your laptop or tablet will have an address like 166.127.34.139 (first two octets changed to
Re: (Score:1)
If address space were an important factor, they would have taken away large blocks to organizations that don't need them.
I know a university with a class B block and they have maybe 100 servers that need to have publicly routable IP addresses but they have an entire class B block.
No they don't. Classful addressing was deprecated over 20 years ago. They may have a /16. (Obligatory wikipedia link https://en.wikipedia.org/wiki/...)
If you connect to the wifi on campus you get a public facing IP address! All the computers in every lab on campus have a public IP address. Your laptop or tablet will have an address like 166.127.34.139 (first two octets changed to hide the incompetent) and their weak firewall only stops ICMP traffic to your device.
That is 65,000+ wasted addresses at just one location and they aren't the only address wasters, not even close.
Excellent! This is the way it should be done (firewall part aside). A globally routable IP address per machine is the dream!
Next you have loopback 127.0.0.1/24. That is a massive waste. What machine needs 16,777,216 local addresses?
Now you have private address spaces: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 which is nearly 18 million addresses. Far more than any one needs in a private address.
I wouldn't be surprised if 50% of the IPv4 address space is wasted.
Reclaiming address space just isn't worth the time. At its peak, ARIN (the RIR for North America) was going through a /8 in a few months. These days there is a lot of buzz about 'The Internet of Things'. Whether you buy into all that or
Re: (Score:2)
Excellent! This is the way it should be done (firewall part aside). A globally routable IP address per machine is the dream!
Even if you accept that's a good idea; that doesn't actually require 128bits, 40 would give us a trillion addresses, ~140 each. (That assumes we're all equal and the population is stable. The former is clearly false, though population is expected to peak at less than 10 billion.) Given the impossibility of everyone having US lifestyles, 1 trillion addresses is effectively unlimited, you don't actually need enough to address every atom in the observable universe.
I would not agree with you here. The motivation is a larger address pool.
IPv6 is always sold as being security aware, i
Re: (Score:3)
Problem is if you tried to redefine everything within the 127. space that's not 127.0.0.1 as public unicast space, you'd have to fiddle w/ the IPv4 protocol of every router, and then you'd have 2 versions of IPv4 in supposedly IPv4 compatible equipment. That would pretty much end IPv4 communications as we know it. Even today, there is IPv4 equipment that's unaware of CIDR or subnet masks or even NAT.
You are right about the wastage, but you're forgetting something: IPv4 was never designed for global use.
Re: (Score:2)
The idea of solving the problem by reclaiming IPv4 addresses was considered, but the math doesn't work:
Looking at the /8 blocks assigned to organizations other than regional
Re: (Score:2)
I don't like what you're saying, but it's true. For this reason I disable ipv6 wherever I care about security (vmlinuz ipv6.disable=1), because I can't trust the existing implementations and I'm pretty sure there will be data leakage if I don't (this story doesn't help assuage my concerns). Therefore, I'm not engaged in filing bug reports very much, because I mostly have to avoid it. Quite a Catch-22.
Also my ISP doesn't offer it and most endpoints don't offer it, so it just adds latency for Internet ope
Facepalm (Score:4, Informative)
The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6.
Aaarggghh!!! The summary does not explain the issue properly at all.
All that happens here is that the user's IPv4 traffic is tunneled through the VPN, but his IPv6 traffic is broadcasted past the VPN.
I'm sure this problem can be avoided with some reconfiguration. The easiest solution would be to simply chuck off the IPv6 subsystem in the operating system.
TFA: (Score:5, Informative)
http://www.eecs.qmul.ac.uk/~ha...
(Since there doesn't seem to be a link).
Basically, the table on page 3 is probably where you want to start looking. TorGuard, PrivateInternetAccess, VyprVPN & Mullvad are proof against IPv6 leakage, so it's actually 10 of 14 that aren't.
Also, they found Astrill is proof against OpenVPN and PPTP/L2TP DNS hijacking. Interesting read.
Referenced Article is a Teaser Webpage (Score:4, Interesting)
The actual study is due to be presented at a future conference. In that sense the findings have not yet been made. So we are lured by clickbait into discussing something that has not happened. This is a waste of time.
Tangentially, what is the purpose of headlines that say things like "President will announce tomorrow that he is starting World War 3"? Isn't that the same as announcing it now? Does he think we are stupid? Oh, wait...
According to the article... (Score:3)
"Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked."
Whew... Although there are some privacy implications, HTTPS seems to work for your most important web use. And, with the transition to almost all sites running HTTPS encryption - hopefully with no bugs in that - the problem cited in the article may go away. There have been some concerns about HTTPS reliability, such as forged certificates, but hopefully the problems will be solved. I'm not completely up to date on the problems w/ HTTPS, though.
Why blame IPv6? (Score:2)
Why blame IPv6 for this? Any VPN only carries traffic which matches its traffic criteria - for IPsec the SA definition (Encryption Domain in Cisco speak). So IPv4 has the same issue if the source/destination IP addresses and ports do not match those which are configured to pass over the VPN. Amongst other things, this allows a single system (host, router or security device) to terminate multiple VPNs and route traffic over the appropriate one (or directly).
Ahem, these aren't "leaks" (Score:1)
They are sweet tasting, gooey, oh what is that word?... you know, that stuff that bees make...
Anyway they got caught... in a way... since proving intent would be very difficult.
Teredo leaks (Score:2)
Teredo is one cause of the leaks in Windows. Disable it with:
netsh interface teredo set state disabled
in the command prompt.
Re:Teredo leaks (Score:4, Interesting)
But don't do that! Disabling IPv6 is an "unsupported configuration" to use the phrase our former Microsoft support rep used. I say former because they canceled our support contract without a refund after we admitted to disabling IPv6. There are many things broken in Windows if you disable IPv6, so many that Microsoft won't even try to support it and punishes people that do in order to publicize that fact.
More Microsoft fanbois w/ mod points! (Score:2, Interesting)
Amazing how they attack anyone here, like this guy, when someone posts the truth about Microsoft. Microsoft most certainly has a policy against disabling IPv6. They burned some of our license keys for disabling IPv6. Their official policy from:
https://technet.microsoft.com/en-us/network/cc987595.aspx
"IPv6 is a mandatory part of the Windows operating system"
It is not optional. Microsoft will hurt you for disabling it, if they can. The guy that runs Microsoft now, John Thompson, has talked about taking le
/. has gone full blown corporate (Score:1)
It's sad to see how people that post the truth about Microsoft, and other large corporations, are buried as trolls. That post is 100% correct, and I have personally seen Microsoft go on the offensive against a customer that disabled it. This used to be a tech site instead of a corporate site. It's sad to see just how much this site has gone downhill.
Re: Teredo leaks (Score:1)
This site is dead. That post was not a troll. There's just too many Microsoft fan boys here now. This used to be a tech site.
What (Score:2)
I can't even brain after read that summary...
Concerned users will ask (Score:1)
That's what you get... (Score:2)
That's what you get when offering VPN access must include proper client configs because users are clueless and want to be "secure" by hitting a button.
I guarantee you that I could take the credentials of each and every one of these VPN offers, put them into my router and tunnel all my clients properly(!) without any leaks.
It's not the VPN that is flawed, it's the CLIENT SETUP. For people with a clue, that's a distinction.