VPN services are undermined by security failings, so what can you do about it? Um, not a lot, actually

The majority of VPN services suffer from IPv6 traffic leakage - and there ain't much you can do about it

Internet users relying on virtual private networks (VPNs) to maintain their privacy have been warned that the services they are using may not be as secure as they think. And, furthermore, there is little remedial action they can take to prevent IPv6 "traffic leakage" or sophisticated DNS hijacking attacks.

It follows a research report by five computer scientists working at Queen Mary University in London and Sapienza University in Rome.

Their report examined 14 of the most popular subscription VPN service providers, which are typically used by people who want extra security and privacy. They provide an encrypted tunnel from the users' PCs to the service providers' own servers and, hence, promise anonymous surfing that is also secure from eavesdropping. A VPN also prevents users' own internet service providers from logging the websites that they peruse - an increasingly relevant consideration with the spread of eavesdropping laws.

However, the researchers warn that not only is it challenging to preserve privacy and anonymity online, but that a VPN provides only one layer of security. "A VPN cannot provide the same anonymity guarantee of more rigorous (and vetted) systems such as Tor... as VPNs were not originally intended to provide anonymity and/or privacy," they say.

The problem, they continue, is that many providers are actually relying on outdated technology such as PPTP that, in many cases, can easily be broken with brute-force and other attacks. "PPTP's authentication protocol, MS-CHAPv2, is affected by serious security vulnerabilities that have been well-known in the community for years."

Many VPNs also suffer from "data leakage" in dual-stack networks supporting both IPv4 and IPv6. "Significant amounts of traffic are... exposed to public detection, while users retain the belief that all their interactions are securely occurring over the tunnel."

They add: "Despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage." Furthermore, only one service they surveyed even mentioned protection from IPv6 data leakage - Mullvad - implying that for the rest it was an issue they would rather ignore.

Part of the security required here is the correct configuration of the operating system's own routing table, which isn't secured. More ominously, they continue: "Whereas all VPN clients manipulate the IPv4 routing table, they tend to ignore the IPv6 routing table. No rules are added to redirect IPv6 traffic into the [VPN] tunnel. This can result in all IPv6 traffic bypassing the VPN's virtual interface."

With increasing volumes of traffic (at last) moving to IPv6, and all popular web browsers pushing users' traffic over IPv6 where possible, this is a growing security problem that VPN services need to address, especially as dual-stack implementations tend to push traffic into IPv6. The VPNs that do not suffer from IPv6 leakage avoid it by disabling IPv6 on users' PCs.

None of the providers offered protection from both IPv6 data leakage and DNS hijacking, however, according to the researchers' results.

In terms of privacy, they continued, all many services do is shield users' originating IP addresses from websites - although their identity may easily be discoverable via cookies and other privacy-busting browser features.

More ominously, they suggest, users are manifestly not anonymous to their VPN provider, whom they must trust implicitly. "A number of them admit they retain timestamps, the amount of data transmitted, and the client IP address of each VPN connection," they warn. Tor, in contrast, does not expect users to trust a single relay: no single entity controls access, as exit nodes are rotated.

These issues were the main ones - among many - that the researchers highlighted. But there were few solutions that the casual user might be able to adopt. For example, they suggested disabling IPv6 on the host device, which isn't possible in Android and is, in any case, only a short-term solution.

Preventing DNS hijacking, likewise, has few satisfactory defences. Firewall rules can be specified so that even local network requests are routed via the VPN tunnel, but this will affect performance, they warn. Local network resources would effectively be unavailable.

"Another effective solution could be to take complete control of the DNS queries by making sure the DNS server can only be accessed through the [VPN] tunnel," they add. "Configuring the gateway of the virtual interface to be also the DNS resolver... would make it impossible for the adversary to hijack the DNS queries with our attacks."
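
Both conditions the researchers describe, an IPv6 routing table the VPN client never touched and a DNS resolver that is not reached through the tunnel, can be checked from the host's routing tables. The following is an added example, not code from the report or from any VPN provider; it assumes Linux `ip route` output, a tunnel interface named tun0, and constructed sample addresses.

```python
import ipaddress

# Constructed sample: `ip route show` / `ip -6 route show` output from a
# dual-stack Linux host with the VPN up on tun0 (all values are made up).
SAMPLE_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
SAMPLE_V6 = """\
2001:db8:1::/64 dev eth0 proto ra metric 100
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 100
"""

def parse_routes(text, version):
    """Return [(network, device)] for each usable line of `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue
        dest = fields[0]
        if dest == "default":
            dest = "0.0.0.0/0" if version == 4 else "::/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:  # e.g. "unreachable ..." or "blackhole ..." entries
            continue
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match (metrics ignored): interface that would carry addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None

def audit(v4_text, v6_text, resolvers, tunnel="tun0"):
    """Return [(what, interface)] for traffic that would bypass the tunnel."""
    routes = parse_routes(v4_text, 4) + parse_routes(v6_text, 6)
    probes = [("IPv4 internet", "198.51.100.7"), ("IPv6 internet", "2001:db8:ffff::7")]
    probes += [(f"resolver {r}", r) for r in resolvers]
    found = [(what, egress_dev(routes, addr)) for what, addr in probes]
    # No route at all (None) means no leak, e.g. IPv6 disabled on the host.
    return [(what, dev) for what, dev in found if dev not in (None, tunnel)]
```

On the sample host, `audit(SAMPLE_V4, SAMPLE_V6, ["192.168.1.1", "10.8.0.1"])` flags the IPv6 default route and the LAN resolver as leaving via eth0, while the resolver at the tunnel gateway passes.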

Unfortunately for commercial VPN service providers, the researchers conclude that, for privacy and security at least, Tor would be the better option - especially as software to configure and run Tor on ordinary PCs is becoming easier to set up and use, even if performance often leaves a lot to be desired.