Current Filter: Security>>>>>Comment>

   

Virtual Private Networks (VPNs) are increasingly popular for individuals wanting to circumvent censorship, avoid mass surveillance or access geographically limited services like Netflix and BBC iPlayer. Used by around 20% of European internet users, they encrypt their internet communications, making it more difficult for people to monitor their activities.

Now a study of 14 VPN providers by researchers at Queen Mary University of London (QMUL) and others has found eleven of them leaked information about the user, because of a vulnerability known as 'IPv6 leakage'. The leaked information ranged from the websites a user is accessing to the actual content of user communications. Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked.

The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. This replaces the previous IPv4, but many VPNs only protect user's IPv4 traffic. The researchers chose fourteen of the most famous VPN providers and connected various devices to a WiFi access point, designed to mimic the attacks that hackers might use: 'passive monitoring' - simply collecting the unencrypted information that passed through the access point; and DNS hijacking - redirecting browsers to a controlled web server by pretending to be commonly visited websites like Google and Facebook.

There are a variety of reasons why someone might want to hide their identity online, in most instances quite legitimately. so it's worrying that they could be leaving themselves open to attack, despite using a service that has been specifically designed to protect them. Dr Gareth Tyson, a lecturer from Queen Mary University of London and co-author of the study, picks up on that point: "We're most concerned for those people trying to protect their browsing from oppressive regimes. They could be emboldened by their supposed anonymity, while actually revealing all their data and online activity, and exposing themselves to possible repercussions."

It seems that wherever people are turning to reveal their personal information, with the expectation of 100% confidentiality and security of those details, they are being let down time and again. The problem is that, once they make a commitment to hand over their data, how safe that remains is entirely a matter of how much care and resource is invested in its protection. A brief daily scan of the media tells us how often that trust is now beng breached.

Brian Wall Editor Computing Security brian.wall@btc.co.uk