Have you ever wondered how individuals' in countries with restricted Internet use services such as Facebook and Twitter? Are these users safe from their governments' ability to monitor their browsing behaviour? In many such places, Commercial Virtual Private Network (VPN) services have become a popular and convenient way for users seeking privacy and anonymity. They have been applied to a wide range of use cases, with commercial providers often making bold claims regarding their ability to fulfil each of these needs, e.g., censorship circumvention, anonymity and protection from monitoring and tracking.
In our new paper, to appear in The 15th Privacy Enhancing Technologies Symposium (PETS 2015), we investigated the claims of privacy and anonymity in commercial VPN services. We analyse 14 of the most popular ones, inspecting their internals and their infrastructures. To our surprise, and despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage.
IPv6 is an increasingly popular web access method being adopted worldwide. Hence, our paper highlights that people using these VPN services may actually have their web browsing habits leaked to any organisation monitoring them. Perhaps most concerning is the unfounded common belief that these VPN services are actually securely hiding users' web browsing activities. We have informed all of these VPN providers about this study and our findings, and we hope they will address this issue immediately.
Vasile Claudiu Perta, Marco Valerio Barbera, Gareth Tyson,
Hamed Haddadi, Alessandro Mei, "A Glance through the VPN Looking
Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN
clients”, The 15th Privacy Enhancing Technologies Symposium (PETS
2015), June 30 – July 2, 2015, Philadelphia, PA, USA (paper)