Hi!

https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks

User-accessed Virtual Private Network systems allow authorized users
remote access to protected or otherwise privileged networks while
avoiding dependence on ISPs along the route for data confidentiality and
integrity. This direct expression of the internet’s end-to-end principle
of security is generally accepted as a highly successful design.

VPN services and technology advertising censorship circumvention,
resistance to data retention, and anonymity as features are
proliferating rapidly. But it is unclear that these security properties
were included in the original design requirements of VPN protocols and
product implementations. Experience with dedicated anonymity networks
(e.g., Tor) shows that strong anonymity is not achieved by accident. The
‘P’ in VPN notwithstanding, not all privacy methods are equal or
strongly anonymizing, which opens opportunities for attackers when
VPN-based systems are used for anonymity or even simple censorship
circumvention.

This paper evaluates VPN anonymity, security and privacy features
including identity, geographic location, confidentiality of
communications, and generalized security issues such as reachability and
prevention of network tampering. We find many popular VPN products are
susceptible to a variety of practical user deanonymization attacks.
Weaknesses stem from lack of security analysis of the composition of
VPNs, applications, and the TCP/IP stack on each respective operating
system. Although we describe some potential mitigations for vendors, the
primary goal of this paper is to raise awareness of the inherent risks
which come from repurposing off-the-shelf VPN systems to provide strong
anonymity.

Mitar
--
http://mitar.tnode.com/
https://twitter.com/mitar_m