Abstract
User-accessed Virtual Private Network systems allow authorized users remote access to protected or otherwise privileged networks while avoiding dependence on ISPs along the route for data confidentiality and integrity. This direct expression of the internet’s end-to-end principle of security is generally accepted as a highly successful design.
VPN services and technology advertising censorship circumvention, resistance to data retention, and anonymity as features are proliferating rapidly. But it is unclear that these security properties were included in the original design requirements of VPN protocols and product implementations. Experience with dedicated anonymity networks (e.g., Tor) shows that strong anonymity is not achieved by accident. The ‘P’ in VPN notwithstanding, not all privacy methods are equal or strongly anonymizing, which opens opportunities for attackers when VPN-based systems are used for anonymity or even simple censorship circumvention.
This paper evaluates VPN anonymity, security and privacy features including identity, geographic location, confidentiality of communications, and generalized security issues such as reachability and prevention of network tampering. We find many popular VPN products are susceptible to a variety of practical user deanonymization attacks. Weaknesses stem from lack of security analysis of the composition of VPNs, applications, and the TCP/IP stack on each respective operating system. Although we describe some potential mitigations for vendors, the primary goal of this paper is to raise awareness of the inherent risks which come from repurposing off-the-shelf VPN systems to provide strong anonymity.
VPN services and technology advertising censorship circumvention, resistance to data retention, and anonymity as features are proliferating rapidly. But it is unclear that these security properties were included in the original design requirements of VPN protocols and product implementations. Experience with dedicated anonymity networks (e.g., Tor) shows that strong anonymity is not achieved by accident. The ‘P’ in VPN notwithstanding, not all privacy methods are equal or strongly anonymizing, which opens opportunities for attackers when VPN-based systems are used for anonymity or even simple censorship circumvention.
This paper evaluates VPN anonymity, security and privacy features including identity, geographic location, confidentiality of communications, and generalized security issues such as reachability and prevention of network tampering. We find many popular VPN products are susceptible to a variety of practical user deanonymization attacks. Weaknesses stem from lack of security analysis of the composition of VPNs, applications, and the TCP/IP stack on each respective operating system. Although we describe some potential mitigations for vendors, the primary goal of this paper is to raise awareness of the inherent risks which come from repurposing off-the-shelf VPN systems to provide strong anonymity.
| Original language | English |
|---|---|
| Title of host publication | 2nd USENIX Workshop on Free and Open Communications on the Internet, FOCI '12, Bellevue, WA, USA, August 6, 2012 |
| Number of pages | 7 |
| Publication status | Published - 2012 |
| Externally published | Yes |
| Event | 2nd USENIX Workshop on Free and Open Communications on the Internet (FOCI 2012) - Bellevue, WA, United States Duration: 6 Aug 2012 → 6 Aug 2012 Conference number: 2 |
Conference
| Conference | 2nd USENIX Workshop on Free and Open Communications on the Internet (FOCI 2012) |
|---|---|
| Abbreviated title | FOCI 2012 |
| Country/Territory | United States |
| City | Bellevue, WA |
| Period | 6/08/12 → 6/08/12 |