VPNs are insecure

I was just reading this article:

And thought of sharing it here since I see a lot of questions and posts regarding what VPN services are out there, which one is the best option, etc. I'm using Private Internet Access myself, but now I'm considering switching to another.

I believe PIA has the option to block IPv6 traffic because of this exact issue. Just look in the settings.

Yes, but it is still vulnerable to DNS hijacking.

PIA is one of the best VPNs out there, very secure :)

With one big vulnerability. Based in US

2 Likes

You can enable DNS leak protection in the settings, but as far as I can tell if you're on a Windows machine it will mess up your adapter and you'll only be allowed to use the internet if you're connected to the VPN.

1 Like

With the following conditions:

  • IPv6 over IPv4
  • VPN provider/services (not VPN itself)
  • does not include all OSes in attack vectors
  • not a single attack vector
  • requires knowledge of user's VPN provider and settings (for DNS)
  • requires control of user's DHCP server (effectively control of the network they are on)

The paper, if anyone is interested: http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

The article is a little clickbaity.

Not read through the whole thing, but the paper lacks details on the setup that I think would give a clearer picture, though their research seems fairly sound as long as you take into consideration that the effects vary depending on implementation, provider and OS, etc.

2 Likes

The dual IPv6/IPv4 configuration, while common, is easily turned off, which alleviates the IPv6 issues altogether.

The DNS hijacking requires control of the device from which you receive your local IP address.

So if you are using this at your house, your router has to be compromised. If you are using this at your local coffee shop... That is where you may have issues.

6 Likes

You could alternatively use a DNS server from the OpenNIC Project; it works on or off the VPN and prevents leaks.

2 Likes

This along with DNSCrypt is probably the best solution.

Not sure if you guys have seen this, but it's a response from the VPNs themselves.

It seems to be only the "best" if you reside in the US. Down under I cannot get many good VPN speeds. Proxy.sh seems to have been the only good one.

I knew there was a reason I stopped using HideMyAss.

EDIT:

This issue is going to be especially prevalent with reports that in the US they have run out of IPv4 addresses.

Here's a couple of articles that might help. The first is a bit old (2012), but the info still looks relevant.

Link: https://torrentfreak.com/how-to-make-vpns-even-more-secure-120419/

The second may need a bit of tweaking for non-Ubuntu distros. It details changes to /etc/sysctl.conf to disable IPv6.

Link: https://ubuntu-mate.community/t/vpn-how-to-connect-successfully-securely-ufw-openvpn-ubuntumate-15-04/1452

Hint: I'd seriously recommend you back up any system files before you change them.
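
A way to verify the sysctl-based IPv6 disable mentioned in the last post, as an added example that is not part of the thread or of the linked guide: it parses sysctl.conf text for the standard Linux `disable_ipv6` keys (a later line overrides an earlier one) and reads the live per-interface flags under /proc. The sample config and the function names are constructed for illustration.

```python
import os

# Keys that switch IPv6 off for existing and future interfaces.
REQUIRED = ("net.ipv6.conf.all.disable_ipv6",
            "net.ipv6.conf.default.disable_ipv6")

def parse_sysctl(text):
    """Parse sysctl.conf text into {key: value}; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        line = line.lstrip("-").strip()      # leading '-' only silences errors for that key
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit_config(text):
    """Return {key: found_value_or_None} for each required key that is not set to 1."""
    settings = parse_sysctl(text)
    return {k: settings.get(k) for k in REQUIRED if settings.get(k) != "1"}

def runtime_ipv6_enabled(proc_root="/proc/sys/net/ipv6/conf"):
    """List interfaces whose live disable_ipv6 flag is not 1 (empty if IPv6 is absent)."""
    if not os.path.isdir(proc_root):
        return []
    enabled = []
    for iface in sorted(os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, iface, "disable_ipv6")) as fh:
                if fh.read().strip() != "1":
                    enabled.append(iface)
        except OSError:
            continue                         # entry vanished or unreadable
    return enabled

# Constructed sample: the last line silently re-enables IPv6 on "all".
SAMPLE = """\
# constructed example
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6=1
-net.ipv6.conf.all.disable_ipv6 = 0
"""

if __name__ == "__main__":
    print("config problems:", audit_config(SAMPLE))
    print("interfaces with IPv6 live:", runtime_ipv6_enabled())
```

Edits to /etc/sysctl.conf only take effect after `sysctl -p` or a reboot, so the runtime check is the one that shows whether IPv6 is actually off before the VPN comes up.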