Login to account Create an account  


Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
VPNs haven't been useful since 2002
#1
I offer this under the heading "Mildly paranoid, but still real."

As it is reported, ever since about 2002 a vulnerability, referred to as "TunnelVision" existed within all VPN traffic which has not yet been directly addressed, and until now, not spoken of...  Why not? I don't know.

From ArsTechnica: Novel attack against virtually all VPN apps neuters their entire purpose
Subtitled: TunnelVision vulnerability has existed since 2002 and may already be known to attackers.

I resent the term "novel" for a number of reasons. First this means that for over 20 years, everyone who thought themselves protecting their privacy was NEVER a reality.  Second, the report "hints" that the vulnerability may be known to malicious actors... which leads me, at least, to presume that they "know" and "have known" - along with the very architects of DHCP protocols who inexplicably created the protocol which allows all VPN traffic to be redirected to whatever address they wish, unencrypted.  Stop right there... we can't be certain that this was an intentionally implemented design feature for the benefit of "someone somewhere"... (there, I have theoretically protected "the man.")
 

Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.



It's an odd technical way to completely erase the functionality of the 'service' that so many have spent many millions on over the years... their 'peace of mind' has apparently only a notional value of "appearance."
 

The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself.


Leviathan Security researchers mention in their work that ...
 

Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface. This is intended functionality that isn’t clearly stated in the RFC. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.

[bolding is mine]

Here's a video explaining the vulnerability...



[Image: TunnelVision_Diagram_DHCP_121_Reroute_Traffic.png]
Reply
#2
I’ll keep virus scan, popup blockers, and vpn apps/extensions just the same.

I go back and forth to the Philippines. VPN more than covers it’s cost in usefulness.
Reply
#3
(05-07-2024, 04:07 PM)pianopraze Wrote: I’ll keep virus scan, popup blockers, and vpn apps/extensions just the same.

I go back and forth to the Philippines. VPN more than covers it’s cost in usefulness.

That alright.  I too pay for a VPN service, along with anti-virus, and anti-everything else stuff...

It just bothers me that at every turn, without fail, every single thing I pay for along these lines only provides a "feeling" of being protected... I never truly am. 

Again and again, over and over, each one is revealed as devastatingly ineffectual, and vacuously implemented.
Reply
#4
(05-07-2024, 04:15 PM)Maxmars Wrote: That alright.  I too pay for a VPN service, along with anti-virus, and anti-everything else stuff...

It just bothers me that at every turn, without fail, every single thing I pay for along these lines only provides a "feeling" of being protected... I never truly am. 

Again and again, over and over, each one is revealed as devastatingly ineffectual, and vacuously implemented.

Ever since they exposed the Utah data centers in Wired magazine decades ago I’ve given up on the notion of online privacy.

pisses me off

black pills the hell out of me

but what the hell ya gonna do?
Reply
#5
Sometimes there are advantages to being poor and living a simple life me thinks.

When vpns were first offered I was skeptical and assumed it is impossible to hide all from everyone. Seems like another good hunch which stopped me submitting my pocket money to another bully just like all the scaremongering from anti-virus companies.

Ultimately, I suppose it depends on what a person does online and I could see it's uses regarding viewing censored content on some websites or doing admin and banking online.

The other advantage to not using a vpn is not having to learn how to use one.. lol  Less buttons is good.



Wisdom knocks quietly, always listen carefully. And never hit "SEND" or "REPLY" without engaging brain first.
Reply
#6
(05-07-2024, 07:28 PM)pianopraze Wrote: Ever since they exposed the Utah data centers in Wired magazine decades ago I’ve given up on the notion of online privacy.

pisses me off

black pills the hell out of me

but what the hell ya gonna do?

I’m not familiar with this data center incident.

I’ll do some research but if you know a lot about it please do a thread!

I also pay for VPN, secure email, antivirus, etc. for all devices. Better than nothing I guess.
Reply
#7
(05-07-2024, 08:43 PM)VulcanWerks Wrote: I’m not familiar with this data center incident.

I’ll do some research but if you know a lot about it please do a thread!

I also pay for VPN, secure email, antivirus, etc. for all devices. Better than nothing I guess.

Here is the wired magazine article
Reply
#8
(05-07-2024, 08:53 PM)pianopraze Wrote: Here is the wired magazine article

Just read it.

Well, at least I can narrow down who can beat all of my encryption :|.

What’s funny is I never really thought that some agency wouldn’t be able to get past my security measures. I don’t love that but I also don’t care about that so much as I do some criminal trying to get into my information.

If some agency wanted to take someone down they have numerous tools at their disposal to do so that have nothing to do with even touching the data.

So there’s some solace there I guess. :)
Reply
#9
(05-07-2024, 09:03 PM)VulcanWerks Wrote: Just read it.

Well, at least I can narrow down who can beat all of my encryption :|.

What’s funny is I never really thought that some agency wouldn’t be able to get past my security measures. I don’t love that but I also don’t care about that so much as I do some criminal trying to get into my information.

If some agency wanted to take someone down they have numerous tools at their disposal to do so that have nothing to do with even touching the data.

So there’s some solace there I guess. :)

That was over a decade ago.

supercomputers have come a long way since then.

so privacy is an illusion.

your phone and car record everything unless you drive older vehicle.

ediit to add video:
Reply
#10
I saw that video earlier and found it "too depressing" to share...  Lol on it's own... I'm glad you found a use for it!

I no longer care to even debate with the "who cares? whatever" crowd.  I figure, "Well, you were told." and leave it there.
Reply



Forum Jump: