VPNs are insecure

delatjua · June 30, 2015, 7:16pm

I was just reading this articule:

And thought of sharing it here since I see a lot of questions and posts regarding what VPN services are out there, which one is the best option, etc. I’m using Private Internet Access myself, but now I’m considering switching to another.

Zavar · June 30, 2015, 7:40pm

I believe PIA has the option to block IPv6 traffic because of this exact issue. Just look in the settings.

delatjua · June 30, 2015, 7:44pm

Yes, but is still vulnerable to DNS hijacking.

Fistina · June 30, 2015, 7:45pm

PIA is one of the best VPN's out there, very secure :)

ToCKMan · June 30, 2015, 7:48pm

With one big vulnerability. Based in US

Raate · June 30, 2015, 7:49pm

You can enable DNS leak protection in the settings, but as far as I can tell if you're on a windows machine it will mess up your adapter and you'll only be allowed to use the internet if you're connected to the VPN.

Eden · June 30, 2015, 7:52pm

With the following conditions:

IPv6 over IPv4
VPN provider/services (not VPN its self)
does not include all OS' in attack vectors
not a single attack vector
requires knowledge of users VPN provider and settings (for DNS)
requires control of users DHCP server (effectively control of the network they are on)

The paper if anyone is interested http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

The article is a little click baity

Not read through the whole thing, but the paper lacks details on the setup that i think would give a clearer picture, Though there research seems fairly sound as long as you take into consideration that the affects vary depending on implementation, provider and OS, etc.

DeusQain · June 30, 2015, 9:46pm

The dual configuration IPv6/IPv4 while common is easily turned off.

which alleviates the IPv6 issues all together.

The DNS hijacking, requires control of the device from which you receive your local IP address.

So if you are using this at your house, your Router has to be compromised. if you are using this at your local coffee shop... That is where you may have issues.

Batman_Pooped_Too · July 1, 2015, 3:27am

You could alternatively use a DNS server from the openNIC Project, works on or off the VPN and prevents leaks.

Prototype · July 2, 2015, 3:44am

This along with DNSCrypt is probably the best solution.

anon25935656 · July 2, 2015, 4:06am

Not sure if you guys have seen this but its a response from VPN's themselves

InAUGral · July 3, 2015, 2:45am

It seems to be only the "best" if you reside in the US. Down under I cannot get many good VPN speeds. Proxy.sh seems to have been the only good one.

I knew there was a reason I stopped using HideMyAss.

EDIT:

This issue is going to be especially prevalent with reports that in the US they have run out of IPv4 addresses.

Geoff · July 3, 2015, 9:16am

Here's a couple of articles that might help. The first is a bit old (2012), but the info still looks relevant.

Link: https://torrentfreak.com/how-to-make-vpns-even-more-secure-120419/

The second may need a bit of tweaking for non-ubuntu distros. It details changes the /etc/sysctl.conf to disable IPv6.

Link: https://ubuntu-mate.community/t/vpn-how-to-connect-successfully-securely-ufw-openvpn-ubuntumate-15-04/1452

Hint: I'd seriously recommend you backup any system files before you change them.