✨ Feature Suggestion | Warnings for VPNs using insecure port forwarding policy #1442
Reference: privacyguides/privacytools.io#1442
Description:
I believe some VPNs described in the privacytools.io recommended VPN list may have insecure implementations of port forwarding and users who want to use the port-forwarding feature should be warned about it.
The problem description:
IVPN, for example, will assign a forwarded port to your account and will not change it until you stop using it for 14 days. This cannot be changed by default. The staff has the port number associated with your account (fact), which potentially ties your network activity down to your person. Quick example: If you're connected to a P2P/torrent network & downloading/uploading using your assigned port, an authority can come over to the VPN provider and ask for the account details of whoever was using the forwarded port at that time and get the account data. This wouldn't be possible knowing just the address itself but since your port is assigned to you and you only (and the provider keeps logs of it), it very easily ties it to you. Another issue is that a user can potentially be tracked by finding out when and if he/she is connected to the VPN by another entity.
IVPN will claim that it doesn't store anything that could be used to identify a customer, however I believe this isn't quite correct.
Perfect Privacy VPN tackles this issue by deriving three ports from your internal VPN IP.
From FAQ:
The ports for the default forwarding are always 1XXXX for the first forwarding, 2XXXX for the second and 3XXXX for the third. The XXXX is determined by the last 12 bits of the internal IP address.
Example: Your internal IP is 10.0.203.88. Converting to binary this is 00001010 00000000 11001011 01011000. Converting the last 12 bit 101101011000 to decimal results in 2904. So the forwarded ports will be 12904, 22904 and 32904.
The following bash script for Linux calculates the ports. It expects the internal IPv4 address as the first argument.
These three ports change with every established connection, which makes it much harder for anybody to track an individual and his/her activities.
With an insecure port-forwarding system, anybody can scan the IP and find out who's doing what and correlate the activities across all servers, because (IVPN, for example) will only assign 1 port across the whole platform.
In the above examples I only used IVPN & Perfect Privacy because I only tried those. I do not have information about other providers at this time.
Sorry if I missed something.
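
The port derivation quoted from the FAQ above, written out as an added example; this is not part of the original post and not the provider's own script. The helper names `low12` and `forwarded_ports` are hypothetical, and it assumes XXXX is zero-padded, so each port equals the prefix times 10000 plus the 12-bit value.

```shell
#!/bin/sh
# Added example (not the provider's script): derive the three default
# forwarded ports from an internal VPN IPv4 address, per the FAQ rule above.

# low12 (hypothetical helper): print the last 12 bits of a dotted-quad IPv4
# address as decimal. Returns 1 without output on malformed input.
low12() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                                  # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0?*|????*) return 1 ;;              # leading zero or too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    # Low 4 bits of the third octet are the high bits; the fourth octet is the low 8.
    echo $(( ($3 % 16) * 256 + $4 ))
}

# forwarded_ports (hypothetical helper): print the 1XXXX, 2XXXX, 3XXXX ports.
# Assumption: XXXX is zero-padded, so port = prefix * 10000 + value (0..4095).
forwarded_ports() {
    n=$(low12 "$1") || { echo "usage: $0 <internal IPv4>" >&2; return 1; }
    for prefix in 1 2 3; do
        echo $(( prefix * 10000 + n ))
    done
}

# Run only when an address is given, e.g.: sh ports.sh 10.0.203.88
if [ $# -gt 0 ]; then
    forwarded_ports "$1"
fi
```

Because only 12 bits of the address feed the result, there are 4096 possible port triples, and the triple changes whenever the internal IP does.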