Most Internet anonymity software leaks users’ details (qmul.ac.uk)
53 points by Libertatea on June 30, 2015 | 18 comments

I can't agree with many facts in that article:

> "[VPNs are] used by around 20 per cent of European internet users they encrypt users’"

I think it is more like 2%. I don't know anyone but me who uses a VPN. I'd even say that if I picked 100 people I know, less than 20% know what a VPN is.

Furthermore, the article makes IPv6 sound bad. If I didn't know what IPv6 and VPNs are, I might think IPv6 is bad, too. I'm also interested in knowing which VPN software they tested. While I'm certain that old VPN software leaks IPv6 IPs, I can't say that for all the VPN software I use: OpenVPN (on Linux and Tunnelblick on Mac) and Mac's built-in VPN software (which supports L2TP over IPsec and PPTP). It is really a shame, though, that my VPN provider does not support IPv6 yet.

The only thing that really leaks my real IP is WebRTC. Thanks to WebRTC, everyone can see my real IP address and I can't disable it in Google Chrome. If you want to check what information your VPN is leaking, check out: https://ipleak.net/

> I'd even say that if I picked 100 people I know, less than 20% know what a VPN is.

I think you significantly underestimate VPN usage. Many jobs, including large public service employers, require connection to a VPN.

That's to access corporate resources; the article was specifically talking about general-purpose VPN providers which people use to avoid various restrictions.

So yeah, the chance that 20% of internet users in the EU use some sort of privacy-oriented VPN service is nil.

IPv6 has always had many issues; its entire auto-discovery mechanism is a big big security gap.

The second article fails to mention the country of origin. It wouldn't surprise me if more than 20 percent of Chinese use a VPN, however, but I still don't think many in Europe use it because we don't have censorship. In some countries, a few YouTube videos (that contain copyrighted music) are blocked; however, people don't use a proxy to watch them. They have a browser plug-in that uses a proxy to load the blocked videos (and only the blocked ones). You can't really say that someone is hiding their IP if they only use a proxy to watch a YouTube video without really knowing nor explicitly selecting one.

The first one does, though, and many European countries are above 20% there. I think that given that data, it's not unreasonable to accept that 20% of Europeans overall who use the internet use a VPN, especially when that is explicitly claimed elsewhere (in OP).

As for your plugin claim, if they don't know what's going on, they wouldn't answer yes to the question about VPNs.

> I think that given that data, it's not unreasonable...especially when that is explicitly claimed elsewhere (in OP).

Both the OP and the first link use data from the same source: http://www.globalwebindex.net/.

You have a point ... I didn't check the source of OP.

Lots of Europeans I know use US VPNs to get Hulu and avoid dreaded geoIP blocking on YouTube: "This media is unavailable in your region".

Europeans normally don't use a VPN to watch blocked YouTube videos. They use a browser plug-in that uses a proxy for the blocked videos (and only the blocked ones). Hulu (or Netflix, to be precise) is one of the reasons I use a VPN, but again not many people do that. I can only observe that people who frequently have contact with Americans are more likely to want to watch their shows in English and thus use a VPN. Most people I know just stream series that don't pay the they want to watch, which is not illegal in Germany and Austria[1].

[1] Although corporations try to sue people for streaming from sites that don't pay the IP owner, they don't have a lot of success since the video is not saved to disk nor is it redistributed. Only distribution of illegal in Germany and Austria

For what definition of normal? European VPN user asking.

Apparently the DNS hijacking issue is a little outdated (applies up to OpenVPN 2.0.9). At least with AirVPN it seems you can prevent IPv6 address leaking with the Network Lock feature.


It really doesn't matter which VPN protocol or client you use; it's more about how the OS responds to IPv6 router and other service discovery requests.

Some OSes will grant IPv6 priority routing, and virtually all of them will issue DNS requests on both IPv6 and IPv4 if a DNS server is also configured on the IPv6 interface.

The DNS hijacking happens because a DNS request sent over IPv6 to a DNS server doesn't have to be for an AAAA entry; you can request simple A entries with DNS6. Since the attacker is on the same network, his replies to your DNS requests would usually arrive much faster unless the entry is cached, so they can return anything they want and they'll get there first :)

In that link you've posted, the OP basically suggests that the AirVPN client (which is, I assume, an OpenVPN preconfigured client) will configure the IPv6 address settings on the host with either real or dummy IPv6 routes to mitigate against these attacks.
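
Added example (not part of the thread and not code from any VPN client): a defensive check for the two conditions the comment above describes on a Linux host, namely IPv6 traffic whose best route bypasses the tunnel and an IPv6 resolver reached outside it. The route and resolver text is constructed sample data in the format of `ip -6 route show` and `/etc/resolv.conf`; `tun0` as the tunnel interface and all function names are assumptions.

```python
import ipaddress
BLOCK_TYPES = {"unreachable", "blackhole", "prohibit"}
# Constructed probe destinations spread across global unicast space (2000::/3).
PROBES = ["2001:db8::1", "2600::1", "2a00::1", "3fff::1"]

# Constructed samples: a leaky host, then the same host with tunnel routes added.
LEAKY_ROUTES = ("fe80::/64 dev eth0 proto kernel metric 256 pref medium\n"
                "default via fe80::1 dev eth0 proto ra metric 100 pref medium\n")
LEAKY_RESOLV = "nameserver 10.8.0.1\nnameserver fe80::1%eth0\n"
HARDENED_ROUTES = LEAKY_ROUTES + "::/1 dev tun0 metric 50\n8000::/1 dev tun0 metric 50\n"
HARDENED_RESOLV = "nameserver 10.8.0.1\n"

def parse_routes(text):
    """Turn `ip -6 route show` output into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        blocked = bool(tok) and tok[0] in BLOCK_TYPES
        tok = tok[1:] if blocked else tok
        if not tok:
            continue
        prefix = "::/0" if tok[0] == "default" else tok[0]
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((ipaddress.ip_network(prefix, strict=False),
                       "BLOCKED" if blocked else dev))
    return routes

def egress(routes, addr):
    """Longest-prefix match: the device the kernel would choose for addr."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any %scope suffix
    hits = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def leak_findings(route_text, resolv_text, tunnel_devs=("tun0",)):
    """List IPv6 paths (traffic or DNS) that bypass the tunnel devices."""
    routes = parse_routes(route_text)
    safe = set(tunnel_devs) | {"BLOCKED", None}  # None: no route at all
    findings = []
    for probe in PROBES:
        dev = egress(routes, probe)
        if dev not in safe:
            findings.append(f"traffic to {probe} leaves via {dev}")
    for line in resolv_text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0] == "nameserver" and ":" in tok[1]:
            dev = egress(routes, tok[1])
            if dev not in safe:
                findings.append(f"IPv6 resolver {tok[1]} reached via {dev}")
    return findings
```

Blackhole or unreachable IPv6 routes count as safe here, which corresponds to the "dummy routes" mitigation mentioned in the comment.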

Speaking of which, have there been any checks of Telegram or Tox regarding leaking and such?

Of course, Telegram is just plain awful, and rather than a leak, it is a free flow.

I once posted to /r/tor (or /r/onions, I forget) that the Tor Browser Bundle leaks the current browser window size (instead of providing a universal value), thus increasing uniqueness on tools like Panopticlick. Firefox, for the same value, provides screen resolution, not window resolution.

It seems like the Tor Browser at least pops up a message saying you should leave the window to its original size when you maximize it. It still lets you do it.
