VPNs

[Sam Losco]

Hmm. I can't profess to fully understand this, but there is this:

https://seclists.org/oss-sec/2019/q4/122

If you avoid using a VPN that routes IPv6 (there's very little reason to do so) and you don't use a distribution that has been infected by systemd malware, you are fine.

Yes, clearly you didn't understand what you read.
It's not limited to IPv6 or systemd.

The link you gave has the same lists of affected distros which includes
Devuan (sysV init)
MX Linux 19 (Mepis+antiX)
Void Linux (runit)
Slackware 14.2 (rc.d)
Deepin (rc.d)
FreeBSD (rc.d)
OpenBSD (rc.d)

All non-systemd distros. Also, again in the link you supplied which I think is the actual team that found this, they are using all IPv4 in their commands, and even state this at the beginning:

However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn't a reasonable solution, but this was how we discovered that the attack worked on Linux.

So it was discovered on IPv4 first.

That being said, it seems like a very, very tricky thing to do and I doubt this is a thing to be concerned about seeing in the wild.

 

[⠠⠠⠅⠑⠋⠋⠁⠇⠎ ⠠⠠⠊⠎ ⠠⠠⠁ ⠠⠠⠋⠁⠛]

Yes, clearly you didn't understand what you read.
It's not limited to IPv6 or systemd.

The link you gave has the same lists of affected distros which includes
Devuan (sysV init)
MX Linux 19 (Mepis+antiX)
Void Linux (runit)
Slackware 14.2 (rc.d)
Deepin (rc.d)
FreeBSD (rc.d)
OpenBSD (rc.d)

All non-systemd distros. Also, again in the link you supplied which I think is the actual team that found this, they are using all IPv4 in their commands, and even state this at the beginning:



So it was discovered on IPv4 first.

That being said, it seems like a very, very tricky thing to do and I doubt this is a thing to be concerned about seeing in the wild.

Yes, but if you read it carefully, it was discovered as part of an investigation into a ongoing systemd infection.

It is true that the same problem may apply to distros like devuan which do not have the systemd infestation, or BSDs, but only if IPv6 is enabled on your VPN.

Most commercial providers do not.

SYSTEMD CONSIDERED HARMFUL

 

[Sam Losco]

Yes, but if you read it carefully, it was discovered as part of an investigation into a ongoing systemd infection.

It is true that the same problem may apply to distros like devuan which do not have the systemd infestation, or BSDs, but only if IPv6 is enabled on your VPN.

Most commercial providers do not.

SYSTEMD CONSIDERED HARMFUL

I don't think so. This is the last post I'm making about it because you are a sperg and I shouldn't have engaged with you period, but I think you are reading into it too much to fuel your systemd hatred.

It's not 100% clear because they say odd things, but I don't think it's a IPv4 w/ systemd OR IPv6. That's not the take I get from it.

Most of the Linux distributions we tested were vulnerable, especially
Linux distributions that use a version of systemd pulled after November
28th of last year which turned reverse path filtering off. However, we
recently discovered that the attack also works against IPv6, so turning
reverse path filtering on isn't a reasonable solution, but this was how
we discovered that the attack worked on Linux.

They discovered it against distros, especially (but not only because that's exactly what that wording implies) ones with systemd dated after Nov 28th, THEN they also discovered it works against IPv6. That is from the top of the email which is their most recent statement on it. The original report did have this:

This attack did not work against any Linux distribution we tested until
the release of Ubuntu 19.10, and we noticed that the rp_filter settings
were set to “loose” mode. We see that the default settings in
sysctl.d/50-default.conf in the systemd repository were changed from
“strict” to “loose” mode on November 28, 2018, so distributions using a
version of systemd without modified configurations after this date are
now vulnerable. Most Linux distributions we tested which use other init
systems leave the value as 0, the default for the Linux kernel.

which would indicate it's a systemd problem, however that inference is contradicted by the distros they tested that are vulnerable that don't use systemd. There is zero mention of IPv6 in their original report, which means those distros would had to have been vulnerable without systemd, using IPv4. This is backed up by all their command examples using IPv4, not v6. They only mention IPv6 in the top email as a recent discovery.

Also, this same vulnerability affects macOS, iOS, Android, and BSD, on IPv4, you just have to go about it a little differently. None of those use systemd.

You are right that it appears to only be route based VPNs (again, nothing saying IPv6 only), as stated in the follow up email by Noel, however, he also says this attack works regardless of a VPN.

This attack works regardless of if you have a VPN or not. The attacker just needs to be able to
send packets to the other host. It's not systemd specific.

I'm not a fan of systemd, even though almost every distro I use is infected with it, but I'm not going to blame systemd for shit that isn't a systemd problem.

 

[bippu_as_fuck_ls400]

Mullvad's response to the CVE mentioned above. They released a new beta of their software a few days ago.


A closer look at VPN vulnerability CVE-2019-14899
https://mullvad.net/en/blog/2019/12/6/closer-look-vpn-vulnerability-cve-2019-14899/ (http://archive.vn/SuveV)

Spoiler

6 December 2019

A recent vulnerability affecting Linux and *nix systems can compromise VPN tunnel security. If you are using the Mullvad app with default settings, you are not affected. No action is necessary.

If you use the Mullvad app on Linux with local network sharing enabled, you are vulnerable to the first of three stages of the attack. A fix will be included in the next version of the app, due to be released next week. Read on for more details.

In order to exploit the vulnerability, an attacker needs to be on the same local network as your device. The attack consists of three stages:

1. In the first stage of attack, the internal IP address of your VPN connection is revealed.
2. The second stage leverages the previous stage to determine if you are currently visiting a specific website.
3. The third stage leverages the second stage in order to eavesdrop on and hijack your web session for the website, assuming it is not protected by HTTPS.

Even with local network sharing enabled, the Mullvad app is only vulnerable to stage one while stage two and three are prevented by the app’s existing network protections.

As always, if you are using Mullvad on a local network that you don’t trust, we strongly recommend that you disable local network sharing. In order to keep you protected from this vulnerability, even in the event that you do enable local network sharing, we will include additional protections in the next release of the app.

For technical details on the vulnerability, see the original post on the oss-sec mailing list. For technical details on our security patch, see our GitHub Pull request. At Mullvad, we believe in the open-source model in which a program's source code is made available, or open, to anyone for viewing and using.

edit: update beta link

 

[James Smith]

I disagree with that. Just connecting to tor at all is seen as suspicious in many jurisdictions.

It's technically impossible to effectively surveil people en masse simply based on the criteria "Uses Tor?" The number of Tor users in a given day exceeds 2 million. In any jurisdiction where your use of Tor bothers the government enough to get their attention your use of a VPN will bother them just as much.
Writeup here: https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-1-myth-busting-tor

How does it reduce it? Wouldn't all shit that goes through tor go through the VPN aswell?

Tor over VPN. Here a user will first connect to the VPN server, and then connect to Tor. The most common rationale behind this setup is to hide Tor usage from an ISP or circumvent censorship of the Tor network. This is unnecessary as you can hide Tor usage and circumvent censorship by using bridges. You can either use the bridges that are included in Tor Browser for this, or request other bridges from in any of the ways described here. A bonus of bridges is that they don’t leave a money trail, which VPNs often do. The last blog explained that even if you were to end up on a watch list, it would be a uselessly large list as Tor has more then 2 million daily users. It strikes me as very naive to imagine that someone powerful enough to trace you over the Tor network will be stopped by a $5 a month VPN service.

VPN over Tor. Here a user will first establish a connection to the Tor network before connecting to the VPN service. The purpose of this is to reach services that are blocking Tor nodes. This setup may succeed in making access to such services easier, but it is terrible for anonymity for two reasons: VPN providers often know you from the money trail; and Tor splits all data streams across different circuits to prevent correlation of traffic as a means to de-anonymize users, but all of your traffic will come from the VPN provider’s IP, making correlation a LOT easier.

The first time you screw up in connecting to Tor then your VPN you have permanently tied your actual IP address to your VPN account if they generally keep logs or are keeping logs at that moment in time.
Other writeups here:

• https://write.privacytools.io/my-th...-onions-part-2-onion-recipes-vpn-not-required
• https://tails.boum.org/blueprint/vpn_support/
• https://support.torproject.org/#faq-5
• https://matt.traudt.xyz/posts/vpn-tor-not-mRikAa4h.html

 

[⠠⠠⠅⠑⠋⠋⠁⠇⠎ ⠠⠠⠊⠎ ⠠⠠⠁ ⠠⠠⠋⠁⠛]

VPN over Tor. Here a user will first establish a connection to the Tor network before connecting to the VPN service. The purpose of this is to reach services that are blocking Tor nodes. This setup may succeed in making access to such services easier, but it is terrible for anonymity for two reasons: VPN providers often know you from the money trail; and Tor splits all data streams across different circuits to prevent correlation of traffic as a means to de-anonymize users, but all of your traffic will come from the VPN provider’s IP, making correlation a LOT easier.

The first time you screw up in connecting to Tor then your VPN you have permanently tied your actual IP address to your VPN account if they generally keep logs or are keeping logs at that moment in time.
Other writeups here:

• https://write.privacytools.io/my-th...-onions-part-2-onion-recipes-vpn-not-required
• https://tails.boum.org/blueprint/vpn_support/
• https://support.torproject.org/#faq-5
• https://matt.traudt.xyz/posts/vpn-tor-not-mRikAa4h.html

Ah, I see you're talking about using a VPN over Tor all the time, rather than using Tor in addition to a VPN you're using all the time anyway if you're doing something a little sensitive.

Yeah, see that there's some risk if you're relying on going over Tor to avoid your connection to a VPN being linked back to you. I'm sure it could be set up securely- OpenVPN will connect over a SOCKS proxy if you configure it to do so.

 

[James Smith]

Ah, I see you're talking about using a VPN over Tor all the time, rather than using Tor in addition to a VPN you're using all the time anyway if you're doing something a little sensitive.

Yeah I wouldn't go to all the effort of making the Tor client bypass a VPN just to avoid these issues during incidental Tor usage, I just wouldn't use a VPN and Tor together intentionally either.

 

[AnOminous]

The first time you screw up in connecting to Tor then your VPN you have permanently tied your actual IP address to your VPN account if they generally keep logs or are keeping logs at that moment in time.

This still doesn't put you in an actually worse situation than you were in if you had just always directly connected to the VPN. It just puts you in the same situation, except you've wasted your time doing something fairly cumbersome only to blow any advantage it gave you. I'm pretty sure TOR-Over-VPN is a lot more common, though. TOR is itself much more robust than a VPN so I doubt it adds more than minimal security, but I don't see how it actually makes anything worse.

I think most TOR-Over-VPN is going to be incidental, as people use TOR in addition to the VPN they always use anyway.

In any jurisdiction where your use of Tor bothers the government enough to get their attention your use of a VPN will bother them just as much.

That might apply to commercial VPNs that primarily exist to sell that as a service. Just like TOR, there will be lists of relevant IP addresses. There are also private VPNs and if you're in such a jurisdiction you're more likely to use something you set up yourself, such as tunneling out to someone you know or an ISP you have compromised.

 

[James Smith]

I mean there's half a dozen write-ups there saying why it's a bad idea. If you want to address the least compelling single argument they made then just repeat what they've all agreed is incorrect thinking, go ahead.

 

[Elhaym]

How do people feel about ExpressVPN? I've been using it for a while now but now that it is starting to go mainstream I am having second thoughts because I am a hipster faggot.

I need some paranoid fucker on the internet to either feed into my doubts or remove them.

 

[AnOminous]

I mean there's half a dozen write-ups there saying why it's a bad idea. If you want to address the least compelling single argument they made then just repeat what they've all agreed is incorrect thinking, go ahead.

Lots of people say lots of things.

I just hear people saying my pants are more likely to fall down if I wear a belt and suspenders at the same time.

 

[James Smith]

Lots of people say lots of things.

I just hear people saying my pants are more likely to fall down if I wear a belt and suspenders at the same time.

How many of those people are in the business of selling suspenders in a world where belts are free?

 

[⠠⠠⠅⠑⠋⠋⠁⠇⠎ ⠠⠠⠊⠎ ⠠⠠⠁ ⠠⠠⠋⠁⠛]

How many of those people are in the business of selling suspenders in a world where belts are free?

By all means, if you can use Tor only and never use the internet without going through Tor without enduring a level of added inconvenience that you can't live with, you definitely should just use Tor. Personally, even if it's not as much protection as I'd like (I'd like a VPN server in North Korea or Cuba, thanks), I'd rather use a VPN only for low risk activities and fire up the Tor Browser Bundle, without disconnecting, for higher risk stuff.

Tor over VPN. Here a user will first connect to the VPN server, and then connect to Tor. The most common rationale behind this setup is to hide Tor usage from an ISP or circumvent censorship of the Tor network. This is unnecessary as you can hide Tor usage and circumvent censorship by using bridges. You can either use the bridges that are included in Tor Browser for this, or request other bridges from in any of the ways described here. A bonus of bridges is that they don’t leave a money trail, which VPNs often do. The last blog explained that even if you were to end up on a watch list, it would be a uselessly large list as Tor has more then 2 million daily users. It strikes me as very naive to imagine that someone powerful enough to trace you over the Tor network will be stopped by a $5 a month VPN service.

This is true, you are unlikely to get much extra protection from using a VPN and then connecting to Tor vs just connecting to Tor.

However, if you don't use Tor for all internet activity, you aren't losing any protection by connecting to a VPN all the time, and then just using Tor in addition to that for more sensitive stuff or things that can easily be accessed over Tor.

NOTE: There are VPN services, NordVPN being one of them, that offer some sort of retarded version of this where you connect to their VPN server and apparently it routes your traffic over Tor. Yeah, this is obviously no better than just using a VPN.

VPN over Tor. Here a user will first establish a connection to the Tor network before connecting to the VPN service. The purpose of this is to reach services that are blocking Tor nodes. This setup may succeed in making access to such services easier, but it is terrible for anonymity for two reasons: VPN providers often know you from the money trail; and Tor splits all data streams across different circuits to prevent correlation of traffic as a means to de-anonymize users, but all of your traffic will come from the VPN provider’s IP, making correlation a LOT easier.

This is a bit of a weird scenario, and one that I doubt many people are using. Certainly, if you're paying your VPN provider with your own credit card, doing this would offer you no real extra protection over just using a VPN (the only thing 'less' they'd have is the source IP you're connecting from).

I can see that it would be useful if you had an anonymously obtained VPN account and wanted to maliciously access a service that was usable from some VPN server IPs but blocked Tor exit nodes. Not my thing.

https://write.privacytools.io/my-th...-onions-part-2-onion-recipes-vpn-not-required

This is in line with the above.

https://tails.boum.org/blueprint/vpn_support/

No real reasons cited to disconnect from VPNs while using Tor for some things- using a VPN or two, with a variety of servers, doesn't preclude using the bridges too.

https://support.torproject.org/#faq-5

Doesn't go into depth, but as the linked Wiki page explains, using Tor over a VPN (rather than the stupid opposite case)

can be a fine idea, assuming your VPN/SSH provider's network is in fact sufficiently safer than your own network.

https://matt.traudt.xyz/posts/vpn-tor-not-mRikAa4h.html

Users may not lose any safety by adding a VPN, but they probably aren't gaining any.

 

[AnOminous]

How many of those people are in the business of selling suspenders in a world where belts are free?

What I'm saying is most of the arguments are just against using VPNs at all. The market clearly disagrees.

 

[James Smith]

What I'm saying is most of the arguments are just against using VPNs at all. The market clearly disagrees.

Defining the effectiveness of a policy based solely on the number of people who use it is actually insane. If you don't understand that you shouldn't be offering policy advice.

 

[AnOminous]

Defining the effectiveness of a policy based solely on the number of people who use it is actually insane. If you don't understand that you shouldn't be offering policy advice.

You haven't presented any particularly compelling arguments for something that is on its face counter-intuitive.

 

[soft kitty]

I plan on switching to ExpressVPN after my PIA subscription has expired. I'd like to use ProtonVPN to support Null but I hear the speeds aren't as good, and looking at the reviews everyone seems to agree that ExpressVPN is the best overall, even if it's more expensive.

Has anyone here used ProtonVPN that can vouch for it's speed?

 

[James Smith]

You haven't presented any particularly compelling arguments for something that is on its face counter-intuitive.

My arguments didn't compel you. Even you if you believe there's no harm, it's not counter-intuitive to refrain from spending money on something that does nothing beneficial.

 

[⠠⠠⠅⠑⠋⠋⠁⠇⠎ ⠠⠠⠊⠎ ⠠⠠⠁ ⠠⠠⠋⠁⠛]

My arguments didn't compel you. Even you if you believe there's no harm, it's not counter-intuitive to refrain from spending money on something that does nothing beneficial.

Do you use Tor all the time for everything?

 

[James Smith]

Do you use Tor all the time for everything?

No, I don't, why?