By Marvel Kinantan, DIGITS Staff Writer
The internet contains a lot of knowledge and entertainment that millions of people enjoy every single day, whether for searching journals for campus assignments or just for Netflix and chill. Yet there are times when you want to access a certain website and it is blocked by the government due to some “explicit” content (which might not actually be that explicit), or you want to secure your browsing trail, which is so “confidential”, so that the FBI won’t know what you were doing and has no reason to break into your house. The answer is the one and only Virtual Private Network, or VPN for short. VPNs are popular with internet surfers because they offer security and anonymity features, but is that always the case?
How does it work?
A VPN connection usually works like this. Data is transmitted from your client machine to a point in your VPN network. The VPN point encrypts your data and sends it through the internet. Another point in your VPN network decrypts your data and sends it to the appropriate internet resource, such as a web server, an email server, or your company’s intranet. Then the internet resource sends data back to a point in your VPN network, where it gets encrypted. That encrypted data is sent through the internet to another point in your VPN network, which decrypts the data and sends it back to your client machine. Easy peasy!
Different VPNs can use different encryption standards and technologies. Here’s a quick list of some of the technologies that a VPN may use:
- Point-to-Point Tunneling Protocol: PPTP has been around since the mid-1990s, and it’s still frequently used. PPTP in and of itself doesn’t do encryption. It tunnels data packets and then uses the GRE protocol for encapsulation. If you’re considering a VPN service which uses PPTP, you should keep in mind that security experts such as Bruce Schneier have found the protocol, especially Microsoft’s implementation of it, to be quite insecure.
- IPSec: You should consider IPSec to be a better alternative to PPTP. IPSec is actually a suite of different protocols and technologies. Packet encapsulation is done through the ESP protocol, and AES-GCM, AES-CBC, 3DES-CBC, or HMAC-SHA1/SHA2 may be used for encryption.
- Layer 2 Tunneling Protocol: L2TP can be used for tunneling with IPSec for added security.
- Secure Shell: SSH can be used to handle both the tunneling and encryption in a VPN network.
What’s the problem then?
VPN service providers would say that they give 100% anonymity to the subscriber, but do they really? The answer is NO. A VPN does not give 100% anonymity, since when you subscribe and pay the service provider, they will ask for your personal information, at the very least your email address. But let’s just assume that the service provider you subscribed to is trustworthy. Then the second question comes up: does it really help you secure your data? Umm… Probably.
A study conducted by researchers from Sapienza University of Rome and Queen Mary University of London, named “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN Clients”, suggests that the answer to the second question is also a NO, to some extent. The study examined 14 VPN service providers chosen based on popularity and advertised features. One of the concerns presented in the study is that some of the service providers tend to offer server selection based on geographic proximity and/or network speed while neglecting the main point of a VPN: security and anonymity.
The research also highlights another problem: some of these 14 VPN service providers do not provide enough protection for IPv6, the latest version of the Internet Protocol. Most of them protect mostly IPv4, which leads to data leakage. The tests were done by executing a small measurement tool simulating a generic IPv6-enabled web application. The tool connects to port 80 of the first address returned by the operating system’s resolver for the www.google.com domain, which is available both via IPv4 and IPv6. This is sufficient to explore how IPv6 traffic is treated by the operating system and VPN. Under perfect circumstances, the connection will be performed through the VPN tunnel, and the WiFi access point will only see encrypted VPN traffic. The result is that only 3 of the 14 VPNs did not leak the entirety of IPv6 traffic.
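The check the measurement tool performs can be reproduced on your own host by asking which interface the first resolved address would leave through. The following Python sketch is an added example, not the researchers' tool: the routing tables, the `tun0`/`wlan0` interface names, the documentation-range addresses and the `fake_dual_stack` resolver are constructed assumptions so that it runs offline.

```python
import ipaddress
import socket

def first_resolved_address(host, port=80, resolver=socket.getaddrinfo):
    """(family, ip) of the first address the OS resolver returns for host."""
    family, _, _, _, sockaddr = resolver(host, port, type=socket.SOCK_STREAM)[0]
    return family, sockaddr[0]

def parse_routes(text, default):
    """Parse `ip route`-style lines into (network, device, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if "dev" not in tok:
            continue
        net = ipaddress.ip_network(default if tok[0] == "default" else tok[0])
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, tok[tok.index("dev") + 1], metric))
    return routes

def egress_device(ip, routes):
    """Longest-prefix match, lowest metric on ties; None when unroutable."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if r[0].version == addr.version and addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1] if hits else None

def check_leak(host, routes, tunnel_dev, resolver=socket.getaddrinfo):
    """Report whether the first resolved address would bypass the tunnel."""
    family, ip = first_resolved_address(host, resolver=resolver)
    dev = egress_device(ip, routes)
    leak = dev is not None and dev != tunnel_dev
    return {"ip": ip, "ipv6": family == socket.AF_INET6, "device": dev, "leak": leak}

# Constructed sample: the VPN pushed IPv4 routes only (tun0); IPv6 still uses wlan0.
V4_ROUTES = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 metric 600
"""
V6_ROUTES = """
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""
ROUTES = parse_routes(V4_ROUTES, "0.0.0.0/0") + parse_routes(V6_ROUTES, "::/0")

def fake_dual_stack(host, port, type=0):
    # Constructed resolver answer: IPv6 listed first, as dual-stack hosts typically do.
    return [(socket.AF_INET6, type, 6, "", ("2001:db8::68", port, 0, 0)),
            (socket.AF_INET, type, 6, "", ("192.0.2.68", port))]
```

On a real host, feed `parse_routes` the output of `ip route` and `ip -6 route` and leave `resolver` at its default; a result with `leak` set to true means the first address the application would use leaves through the physical interface instead of the tunnel.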
During the team’s experiments to test the exposure of websites to the leakage, they observed that the majority of websites also embed a number of third-party “plug-ins” (e.g., ad brokers, trackers, analytics tools, social media plugins). The wide diffusion of these objects has already raised concerns about a decreasing number of large external entities being able to get a detailed view of the web browsing activity of all Internet users.
A substantial contribution to this leakage is the Referer HTTP header, which discloses the exact URL of the visited page in the fetches of each of the third-party objects embedded in it. If just a single one of these fetches were to happen outside of the VPN tunnel (through IPv6 leakage), the actual user IP would be revealed to the relevant third party and, perhaps most importantly, the Referer header would reveal the page the victim is visiting to any other passive adversary. The same goes for mobile applications: the team found that 80% of all applications tested indirectly leak sensitive information through third-party plug-ins.
What to do then?
The first thing to do to make sure that your data is not leaked due to the incompetence of your VPN is to choose a good VPN: make sure you know what services they offer and how they work, and look for one with good customer service. After you choose a VPN, the next tip is to disable IPv6 traffic on the host if feasible. Another possible solution is using Tor as an alternative to a VPN. A VPN might not give you absolute protection against evildoers all over the internet, but at least it provides reasonable assurance over your data, so rest assured, dear internet surfers!
Crawley, Kim. December 7, 2018. Explain How VPN Works. Retrieved from https://www.alienvault.com/blogs/security-essentials/explain-how-vpn-works
V. C. Perta, M. V. Barbera, G. Tyson. “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN Clients”. Sapienza University of Rome & Queen Mary University of London. 2015.