Go back
VPN's induced to leak your IP

VPN's induced to leak your IP

Science

rc

Joined
26 Aug 07
Moves
38239
Clock
06 Dec 15
3 edits
Vote Up
Vote Down

Thought you were safe behind your VPN? Well there is a security flaw that can be utilized to induce your VPN to leak your real IP address. Check it out.

Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript. This demo is an example implementation of that.

Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.

http://lifehacker.com/how-to-see-if-your-vpn-is-leaking-your-ip-address-and-1685180082

twhitehead

Cape Town

Joined
14 Apr 05
Moves
52945
Clock
06 Dec 15

Originally posted by robbie carrobie
Thought you were safe behind your VPN?
No, I am well aware that it is very difficult to remain entirely anonymous. But then I generally don't bother trying given that I don't participate in too many behaviours that I am ashamed of.

I do download quite a lot of torrents but not had any need to use a VPN to do so. I have not tried using streaming sites not officially available in this country.

What is interesting though is the article is mainly about streaming sites checking the location of their users. If the technique used is somewhat shady, is it legitimate for them to use it to find the true location of their users?

rc

Joined
26 Aug 07
Moves
38239
Clock
06 Dec 15
1 edit
Vote Up
Vote Down

Originally posted by twhitehead
No, I am well aware that it is very difficult to remain entirely anonymous. But then I generally don't bother trying given that I don't participate in too many behaviours that I am ashamed of.

I do download quite a lot of torrents but not had any need to use a VPN to do so. I have not tried using streaming sites not officially available in this country ...[text shortened]... is somewhat shady, is it legitimate for them to use it to find the true location of their users?
VPN was not created because people were doing or planning to do anything immoral, it was created to protect the transmission of data. Naturally if you are engaging in activities where the compromise of your identity is paramount, for example a journalist reporting inside a censored area then you certainly don't want the source of those transmissions leaked by your VPN.

Yes it could be used to restrict access to content that is protected by region but I suspect the majority of people who use VPNs do so to protect their IP address and thus their identity. The extent to which you can remain anonymous online is a matter of some interest.

twhitehead

Cape Town

Joined
14 Apr 05
Moves
52945
Clock
06 Dec 15

Originally posted by robbie carrobie
VPN was not created because people were doing or planning to do anything immoral, it was created to protect the transmission of data.
And in this particular case, that data is not compromised in any way.

This is a case of people using a VPN for an entirely different purpose: to remain anonymous.

Naturally if you are engaging in activities where the compromise of your identity is paramount, for example a journalist reporting inside a censored area then you certainly don't want the source of those transmissions leaked by your VPN.
They are not leaked by the VPN. They are leaked by the browser using JavaScript on the web page you are viewing. I am not sure how journalists report but as long as the site they are reporting to is not trying to locate them, they should be safe (from this particular exploit).

Yes it could be used to restrict access to content that is protected by region but I suspect the majority of people who use VPNs do so to protect their IP address and thus their identity.
And the majority do so because they are doing something illegal.

The extent to which you can remain anonymous online is a matter of some interest.
I agree, and did not suggest otherwise. In general it is not at all easy.

I must point out here that knowing my IP address will not tell you who I am, only which ISP I use. You will need a court order to find out who I am based on my IP address. So at best you will find out which country I live in (which is what many people who use such services are trying to hide).

s
Fast and Curious

slatington, pa, usa

Joined
28 Dec 04
Moves
53321
Clock
06 Dec 15
Vote Up
Vote Down

Originally posted by twhitehead
And in this particular case, that data is not compromised in any way.

This is a case of people using a VPN for an entirely different purpose: to remain anonymous.

[b]Naturally if you are engaging in activities where the compromise of your identity is paramount, for example a journalist reporting inside a censored area then you certainly don't want t ...[text shortened]... ut which country I live in (which is what many people who use such services are trying to hide).
Of course that little note that says 'Capetown' is kind of a giveaway. I suppose you can put anything there though. One dude I play has Antarctica as his flag🙂

rc

Joined
26 Aug 07
Moves
38239
Clock
06 Dec 15
10 edits

Originally posted by twhitehead
And in this particular case, that data is not compromised in any way.

This is a case of people using a VPN for an entirely different purpose: to remain anonymous.

[b]Naturally if you are engaging in activities where the compromise of your identity is paramount, for example a journalist reporting inside a censored area then you certainly don't want t ...[text shortened]... ut which country I live in (which is what many people who use such services are trying to hide).
This is why i don't engage with you, your pedantry knows no bounds, you make assumptions about why people want to remain private and you are a knit picker extraordinaire, its just simply easier to ignore your texts altogether.

The article makes it clear that javascript is being used to exploit the browser. The fact is that people feel safe behind a VPN and when anonymity can be compromised in this way it most certainly appears is as if the VPN is leaking IP addresses although its a browser related issue. This of course was taken as being understood by anyone reading the article, everyone except for you that is. It is also understood that authorities need a court order, again why you feel the necessity to state the obvious is known only to you?

twhitehead

Cape Town

Joined
14 Apr 05
Moves
52945
Clock
06 Dec 15

Originally posted by robbie carrobie
This is why i don't engage with you, your pedantry knows no bounds, you make assumptions about why people want to remain private and you are a knit picker extraordinaire, its just simply easier to ignore your texts altogether.
You seem remarkably touchy. Feeling guilty perhaps? Nothing I said could rightly be called 'nitpicking' nor did I make unreasonable assumptions about why people want to remain private. It is well known why the majority of users use VPNs. They do not want their country to be identified because they are bypassing some system that stops them from accessing something based on their country.

The fact is that people feel safe behind a VPN ..
They shouldn't.

It is also understood that authorities need a court order, again why you feel the necessity to state the obvious is known only to you?
It is an important point. Your claim is that most users are concerned about privacy and not about masking what country they are from in order to do things they are not supposed to be doing. My point is that unless you are doing something that would warrant a court order to be served on your ISP, then your privacy is not, in fact, compromised. Now you know why I 'stated the obvious' despite it clearly not being so obvious to you prior to my stating it.

googlefudge

Joined
31 May 06
Moves
1795
Clock
08 Dec 15
Vote Up
Vote Down

Originally posted by twhitehead
You seem remarkably touchy. Feeling guilty perhaps? Nothing I said could rightly be called 'nitpicking' nor did I make unreasonable assumptions about why people want to remain private. It is well known why the majority of users use VPNs. They do not want their country to be identified because they are bypassing some system that stops them from accessing s ...[text shortened]... hy I 'stated the obvious' despite it clearly not being so obvious to you prior to my stating it.
My point is that unless you are doing something that would warrant a court order to be served on your ISP, then your privacy is not, in fact, compromised.


Um, nonsense.

Have you not read anything about present day mass surveillance?

By corporations and governments. ALL without any court orders or consent.

twhitehead

Cape Town

Joined
14 Apr 05
Moves
52945
Clock
08 Dec 15
1 edit
Vote Up
Vote Down

Originally posted by googlefudge
Um, nonsense.

Have you not read anything about present day mass surveillance?

By corporations and governments. ALL without any court orders or consent.
Yes, I know about them. But you won't be browsing their websites will you? Did you actually read the article?

And if you want to get put on their 'watch list' then the first thing you should do is install VPN software.

rc

Joined
26 Aug 07
Moves
38239
Clock
08 Dec 15
Vote Up
Vote Down

Originally posted by twhitehead
Yes, I know about them. But you won't be browsing their websites will you? Did you actually read the article?

And if you want to get put on their 'watch list' then the first thing you should do is install VPN software.
Dude please , lets keep it real.

A new document retrieved by the whistleblower Edward Snowden shows that the Canadian spy agency is tracking airline travelers even days after they left the terminal, just by capturing their device identification from the free Wi-Fi service at a major Canadian airport.

CBC News reported that the US Intelligence agency worked with its counterpart Communications Security Establishment Canada (CSEC) in Canada, and slurped information from the free Internet hotspots to track anyone who passed through the airport terminal, and could be tracked throughout the country by cross-referencing it with the intercepted information from Wifi at cafes, libraries and other public places, although it is not clear that they were tracking only the users who logged-in to the WiFi services or not.

But It is also possible that one can capture the MAC addresses of all the available devices within the range of a Wi-Fi device (using some special tools like Aircrack-NG, a wifi hacking toolkit), even without making a login connection.

http://thehackernews.com/2014/01/spying-agencies-tracking-your-location_31.html

twhitehead

Cape Town

Joined
14 Apr 05
Moves
52945
Clock
09 Dec 15
Vote Up
Vote Down

Originally posted by robbie carrobie
Dude please , lets keep it real.
I am keeping it real. I also have some understanding of the technology involved.
Did you know that every time you connect to public WIFI you are assigned a new IP address? Knowing your IP address simply isn't that useful in that case.
I also don't believe that you are genuinely concerned about being on a government terrorism watch list. (or is all your talk about pacifism just hogwash?)
Do many governments monitor citizens without their permission? Sure they do. Do they need to exploit the bug in the OP, or would it help them in any way? No, almost certainly not.

twhitehead

Cape Town

Joined
14 Apr 05
Moves
52945
Clock
09 Dec 15
Vote Up
Vote Down

The fact that governments make secret laws for themselves (or simply create laws that supposedly allow them to break any laws they like in secret) is something that we should be concerned about. But we should tackle it by changing the laws rather than worrying about how to evade detection.
I personally think that the use of secrecy is vastly over used by governments and we should not allow it. Sadly it seems a large proportion of people disagree and actually think governments should be allowed to do as they wish in total secrecy.

s
Fast and Curious

slatington, pa, usa

Joined
28 Dec 04
Moves
53321
Clock
09 Dec 15
Vote Up
Vote Down

Originally posted by twhitehead
The fact that governments make secret laws for themselves (or simply create laws that supposedly allow them to break any laws they like in secret) is something that we should be concerned about. But we should tackle it by changing the laws rather than worrying about how to evade detection.
I personally think that the use of secrecy is vastly over used by ...[text shortened]... e disagree and actually think governments should be allowed to do as they wish in total secrecy.
Governments will continue to do so even if expressly forbidden by law. Governments feel they are immune from laws, especially if the public knows nothing of the activities involved. Secret operatives killing people, stealing company and other government secrets, all that will ALWAYS go on no matter what the people say or do about it.

rc

Joined
26 Aug 07
Moves
38239
Clock
09 Dec 15
1 edit
Vote Up
Vote Down

Originally posted by twhitehead
I am keeping it real. I also have some understanding of the technology involved.
Did you know that every time you connect to public WIFI you are assigned a new IP address? Knowing your IP address simply isn't that useful in that case.
I also don't believe that you are genuinely concerned about being on a government terrorism watch list. (or is all your ...[text shortened]... y need to exploit the bug in the OP, or would it help them in any way? No, almost certainly not.
Yes I understand that you are assigned an IP address dynamically every time you connect to the Internet. This is why we have DHCP servers on the network. In a public Wifi you will probably connect to a router and the router will assign you an IP address. This also happens in most home networks as well. Probably a private IP address like 192.168.0.1 etc

I don't know why you are referencing the IP because what the article talks about is not tracking the IP address but the mac address which as you are probably aware is not dynamically assigned but is put on your device by the manufacturer, like an IMEI code for your phone. Sure you can change it or spoof it but you would need to do this manually every time you were being picked up by a monitored hot spot otherwise you are traceable.

I am not concerned with being on a government terrorism list for being a pacifist or anything else for that matter nor are many of the thousands of other people who want to protect the privacy of their data. Nor am I engaged in nefarious activities. The point is that if you are wanting to remain anonymous as can possibly be arranged on the net any exploits that compromise that anonymity need to be addressed, no matter how seemingly insignificant because its a layer thing after all, you want layers of protection.

twhitehead

Cape Town

Joined
14 Apr 05
Moves
52945
Clock
09 Dec 15
Vote Up
Vote Down

Originally posted by sonhouse
Governments will continue to do so even if expressly forbidden by law. Governments feel they are immune from laws, especially if the public knows nothing of the activities involved. Secret operatives killing people, stealing company and other government secrets, all that will ALWAYS go on no matter what the people say or do about it.
It goes on a lot more in countries that do allow it within their law or where the populace think it is acceptable behaviour. Public opinion does make a difference.

Cookies help us deliver our Services. By using our Services or clicking I agree, you agree to our use of cookies. Learn More.