Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security Encryption Networking United Kingdom Your Rights Online

UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers 65

jan_jes writes: According to researchers at Queen Mary University of London, services used by hundreds of thousands of people in the UK to protect their identity on the web are vulnerable to leaks. The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android. Similarly Russian researchers have exposed the breakthrough U.S. spying program few months back. The VPNs they tested certainly aren't confined to the UK; thanks to an anonymous submitter, here's the list of services tested: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.
This discussion has been archived. No new comments can be posted.

UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers

Comments Filter:
  • by Michael Casavant ( 2876793 ) on Tuesday June 30, 2015 @09:17AM (#50018593)
    The 14 tested are listed, but not the ones that are leaking data? Why list one and not the other?
  • by Anonymous Coward

    "Similarly Russian researchers have exposed the breakthrough U.S. spying program few months back."

    What? How is this "similar"? The topic is that most VPN providers aren't encrypting IPv6 for some reason. What does that have to do with the US spying program?

  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Tuesday June 30, 2015 @09:34AM (#50018721) Journal

    The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as âIPv6 leakageâ(TM).

    No.... That has nothing to do with IPv6, it has to do with what those VPN's support. What that statistic really means is that 11 out of fourteen VPN providers don't really support IPv6 in the first place.

    • by MobyDisk ( 75490 )

      mod up. That statement, along with the following one, made no sense to me.

      The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6.

      I wasn't aware that IPv6 was fundamentally flawed. This sounds more like bad network design or something.

    • by Geordish ( 751892 ) on Tuesday June 30, 2015 @10:42AM (#50019211) Homepage

      Exactly this.

      The problem occurs when you have an IPv4 VPN tunnel, and IPv6 native connectivity. The IPv6 connectivity will be preferred over the IPv4 tunnel, and you will connect natively.

      The fix? There are two

      1) Add IPv6 support to the VPN, and default route traffic over that.
      2) Drop the IPv6 connection while connected to the VPN.

      The first solution is obviously best.

      • If this is the model that any VPN service uses, it's really stupid, for 2 reasons:

        • - It combines the weakness of IPv4 tunnels i.e. overlapping private address ranges, and the weakness of IPv6 gateways - proactively assigning node addresses if DHCPv6 ain't supported
        • - It ignores one of the greatest strengths of IPv6 - better connectivity for VPNs

        In IPv6, there would be 3 ways to natively support a VPN:

        • - Use Unique Local Addresses (fd00::/8) which would ensure a good likelihood of non-overlapping address ra
    • by dissy ( 172727 )

      No.... That has nothing to do with IPv6, it has to do with what those VPN's support. What that statistic really means is that 11 out of fourteen VPN providers don't really support IPv6 in the first place.

      Well if IPv6 packets can pass at all, clearly they support IPv6.

      The problem is that they likely are accidentally supporting it with no knowledge about doing so.

      Would you put your Windows box on the IPv4 Internet with no firewall what so ever?
      I don't mean having a firewall and accidentally misconfiguration it, I mean having a firewall and not adding a single rule.

      Well, that's exactly what these VPN providers did for the IPv6 protocol. They have zero IPv6 firewall rules.

      So while inbound IPv4 packets are filte

      • For example in the Linux iptables packet filter, you can disable the IPv6 protocol completely with a single command:
        iptables -I INPUT -p 41 -j DROP

        No, that will drop just one of many ways of tunnelling IPv6 over IPv4. To drop or manipulate IPv6 packets, you need to use ip6tables instead.

        And you really shouldn't be using DROP here, as it will delay every connection until timeout expires. You want REJECT instead.

      • It looks like the issue here is that since IPv6 addresses are freely assigned to any node in a network devoid of DHCPv6, nodes that shouldn't belong in that network get IP addresses, and thereby access to all traffic within the network. In IPv4, if DHCPv4 weren't there, a node has to be manually configured, or else, it doesn't get an address. In IPv6, if DHCPv6 ain't there, a node still gets an address courtesy the combination of SLAAC, ND and DAD.

        The solution to this would be to mandate DHCPv6,

  • by nimbius ( 983462 ) on Tuesday June 30, 2015 @09:43AM (#50018795) Homepage
    we mandated ipv6 a while back and like alcoholics we refused to give up ipv4 for a myriad of nagging and petulent reasons. its coming back to haunt us now, with everything from legacy routers that cant grok ipv6 right to switches that cant tag or trunk v6. Many commercial firewalls even struggle to answer the questions "can you support ipv6?" and "can you route it?" with a definitive answer.

    for the average user theres no clear or quick answer; youll just have to agree that some third party got it right. For slashdotters theres easy-rsa tools to start your CA and OpenVPN which has had support for ipv6 since 2.3. "leakage" is an ephemeral and undefined problem in TFA, but for those of us that live and breathe on planet RTFM an openvpn tunnel that supports v4 and v6 is trivial.

    im speaking of the states, but here our cable and fibre providers have 90% coverage of a dual-stack configuration of ipv6 and ipv4 direct to the device. Sure, the modem only grants 1 ip for 1 customer (at least until the net neutrality suits are settled) but once you step into a fresh IPv6 address the measure of this ipv6 debacle becomes apparent. Big players arent playing: Amazons various services dont support ipv6 and most of your TLD's outside of the googleverse dont get AAAA. the open source community at freenode does support it however, and most shared/vps hosting providers do as well, so if you need a project this summer at least consider looking at your docsis3 options/ipv6 lease and get to work on that vpn!
    • I can see a few ways informatoin could leak in a dual stack situation involving a VPN that would not happen if everything was IPv4 only

      1: The users local connectivity is dual stack (or v6 only) but the VPN is IPv4 only. The result is IPv4 goes via the VPN but IPv6 doesn't. The user thinks the VPN is hiding the origin of their traffic but it isn't hiding the origin of all of it. With a bit of extra work it may also be possible for a website or an attacker in the network to tie the direct v6 address(es) to the VPN v4 address.
      2: IPv6 traffic does go via the VPN but addresses are generated in such a way that the users MAC address is revealed (for example the user has a network behind the VPN and that network uses MAC based IP autoconfiguration). This MAC address can later be tied
      3: The machine has an IPv6 address from the local ISP. Even if routing tables or firewall configurations are such that this address won't be used for making connections an application could still mistakenly send it as part of a payload. The same could in principle happen with IPv4 but it's much less likely due to pervasive use of NAT.

    • by gstoddart ( 321705 ) on Tuesday June 30, 2015 @10:05AM (#50018955) Homepage

      Well, then the real thing here is that despite everybody claiming IPv6 is awesome and super, there's crappy and inconsistent support for it.

      So why should any small company or individual be doing anything about IPv6 when the big players aren't, and most of the existing products are apparently doing a terrible job of it?

      IPv6 has been coming "Real Soon Now" for what feels like an eternity. People aren't going to spend money to change when they still need to figure out how to work with the legacy stuff.

      You describe both the epic failure of IPv6 to gain widespread adoption, and the reasons why people are staying the hell away from it.

      • For some reason I have always had two problems with IPv6. One is that it offers me as an end user exactly nothing terribly tangible. Yes yes I know of the whole running out of addresses stuff but I have never contacted a server host who said, "Sorry we are out of addresses." My ISP has never said, "Sorry no more customers we are out of addresses." So why should the average user even give a crap.

        The other thing that I have found is that without exception those who I have met who are pushing IPv6 remind me
    • I don't like what you're saying, but it's true. For this reason I disable ipv6 wherever I care about security (vmlinuz ipv6.disabled=1), because I can't trust the existing implementations and I'm pretty sure there will be data leakage if I don't (this story doesn't help assuage my concerns). Therefore, I'm not engaged in filing bug reports very much, because I mostly have to avoid it. Quite a Catch-22.

      Also my ISP doesn't offer it and most endpoints don't offer it, so it just adds latency for Internet ope

  • Facepalm (Score:4, Informative)

    by jones_supa ( 887896 ) on Tuesday June 30, 2015 @09:43AM (#50018797)

    The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6.

    Aaarggghh!!! The summary does not explain the issue properly at all.

    All that happens here is that the user's IPv4 traffic is tunneled through the VPN, but his IPv6 traffic is broadcasted past the VPN.

    I'm sure this problem can be avoided with some reconfiguration. The easiest solution would be to simply chuck off the IPv6 subsystem in the operating system.

  • TFA: (Score:5, Informative)

    by Kiyyik ( 954108 ) on Tuesday June 30, 2015 @09:48AM (#50018833)

    http://www.eecs.qmul.ac.uk/~ha... [qmul.ac.uk]

    (Since there doesn't seem to be a link).

    Basically, the table on page 3 is probably where you want to start looking. TorGuard, PrivateInternetAccess, VyperVPN & Mullvad are proof against IPv6 leakage, so it's actually 10 of 14 that aren't.

    Also, they found Astrill is proof against OpenVPN and PPTP/L2TP DNS hijacking. Interesting read.

  • by Tokolosh ( 1256448 ) on Tuesday June 30, 2015 @09:55AM (#50018871)

    The actual study is due to be presented at a future conference. In that sense the findings have not yet been made. So we are lured by clickbait into discussing something that has not happened. This is a waste of time.

    Tangentially, what is the purpose of headlines that say things like "President will announce tomorrow that he is starting World War 3"? Isn't that the same as announcing it now? Does he think we are stupid? Oh, wait...

  • by Streetlight ( 1102081 ) on Tuesday June 30, 2015 @10:01AM (#50018927) Journal
    Quote:

    "Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked."

    Whew... Although there are some privacy implications, HTTPS seems to work for your most important web use. And, with the transition to almost all sites running HTTPS encryption - hopefully with no bugs in that - the problem cited in the article may go away. There have been some concerns about HTTPS reliability, such as forged certificates, but hopefully the problems will be solved. I'm not completely up to date an the problems w/ HTTPS, though.
  • Why blame IPv6 for this? Any VPN only carries traffic which matches its traffic criteria - for IpSec the SA definition (Encryption Domain in Cisco speak). So IPv4 has the same issue if the source/destination IP addresses and Ports do not match those which are configured to pass over the VPN. Amongst other things, this allows a single system (host, router or security device) to terminate multiple VPNs and route traffic over the appropriate one (or directly).

  • They are sweet tasting, gooey, oh what is that word?... you know, that stuff that bees make...

    Anyway they got caught... in a way... since proving intent would be very difficult.

  • Teredo [wikipedia.org] is one cause of the leaks in Windows. Disable it with:

    netsh interface teredo set state disabled

    in the command prompt.

    • Re:Teredo leaks (Score:4, Interesting)

      by greenwow ( 3635575 ) on Tuesday June 30, 2015 @12:02PM (#50019693)

      But don't do that! Disabling IPv6 is an "unsupported configuration" to use the phrase our former Microsoft support rep used. I say former because they canceled our support contract without a refund after we admitted to disabling IPv6. There are many things broken in Windows if you disable IPv6, so many that Microsoft won't even try to support it and punishes people that do in order to publicize that fact.

      • by Anonymous Coward

        Amazing how they attack anyone here, like this guy, when someone posts the truth about Microsoft. Microsoft most certainly has a policy against disabling IPv6. They burned some of our license keys for disabling IPv6. Their official policy from:

        https://technet.microsoft.com/en-us/network/cc987595.aspx

        "IPv6 is a mandatory part of the Windows operating system"

        It is not optional. Microsoft will hurt you for disabling it, if they can. The guy that runs Microsoft now, John Thompson, has talked about taking le

      • by Anonymous Coward

        It's sad to see how people that post the truth about Microsoft, and other large corporations, are buried as trolls. That post is 100% correct, and I have personally seen Microsoft go on the offensive against a customer that disabled it. This used to be a tech site instead of a corporate site. It's sad to see just how much this site has gone downhill.

      • by Anonymous Coward

        This site is dead. That post was not a troll. There's just too many Microsoft fan boys here now. This used to be a tech site.

  • I can't even brain after read that summary...

  • Isn't IPv6 bigger than IPv4, and newer? If you can't carry my ipv6 without leaking, can you just switch me back to ipv4? You should be able to fit more ipv4 in there without it leaking.
  • That's what you get when offering VPN access must include proper client configs because users are clueless and want to be "secure" by hitting a button.

    I guarantee you that I could take the credentials of each and every one of these VPN offers, put them into my router and tunnel all my clients properly(!) without any leaks.

    It's not the VPN that is flawed, it's the CLIENT SETUP. For people with a clue, that's a distinction.

Each new user of a new system uncovers a new class of bugs. -- Kernighan

Working...