Hackfest 2023 - Back to the Future

VPNs are Internet snake oil
2023-10-13, 14:30–15:20, Track #2

Many information security professionals recommend VPN services to end-users, especially to protect against the dreaded man-in-the-middle attack on your local coffee shop's open Wi-Fi network. The commercial VPN vendors advertise heavily, making bold statements such as "we encrypt your network data so no one can see what you're doing", "surf the web without a trace!", "avoid government eavesdropping", and assure you that "your web traffic can't be tracked anymore". These claims are all "snake oil", and attendees will watch them be debunked. The actual benefits and limitations of VPNs will be reviewed, along with a discussion of the myriad methods used to surveil your online activities that go far beyond browser cookies. Some tactics to minimize and mitigate this online tracking will be discussed, as well as what it takes to be truly untraceable online.

Brief outline
- History lesson on “snake oil” & Virtual Private Networks (VPNs). Why people may want to hide their identity online
- What a commercial Virtual Private Network (VPN) service can and cannot do for you.
- The surveillance problem in your pocket.
- Beyond VPNs: Recommendations to help limit online tracking and surveillance, for various levels of paranoia

This talk is a rapid-fire and comprehensive takedown of the entire concept that use of commercial VPN services creates any real privacy or security benefit for most users.

It will give a summary of what a VPN service can and cannot do to hide your online activities and footprint. It will provide an overview of the many methods used by advertisers and social media companies for tracking and monitoring end-users that go far beyond browser cookies. It will also offer suggestions on mitigations against these methods, and a short discussion of how to truly be anonymous or untraceable online -- a harder problem than you think.
Below is a collection of information fragments to be organized into the final presentation format.

The reality is that VPNs actually do almost nothing to improve your security online.

Using a VPN can hide your IP address and make it appear that you are connecting from another location, but by itself a VPN doesn't hide your identity, your online activities, your browsing patterns, or the websites you visit.

Yes, VPNs can provide some limited value when dealing with public Wi-Fi networks that do not use any encryption.
This defends against the "coffee shop" sort of attacks: a compromised NAT router, an on-path man-in-the-middle, or passive surveillance of your traffic. Most endpoint Internet traffic is encrypted with TLS these days, however, which already makes it hard to intercept.

A commercial VPN service's primary use case is to present a different geographic location to the various content providers and governments that try to control access based on GeoIP lookup. However, most VPN services use IPv4 blocks in data centers that are easily blocked by the content providers. VPN services buy and deploy new IPv4 subnets, but it is "whack-a-mole". Legitimate ISPs are also caught up in the geo-blocking game, and are often banned by content providers erroneously.

Some VPN services have very murky ownership. There are free VPN services (who is the product here?). Foreign purchase and ownership of VPN services, and the motivations behind it, is an entire rabbit hole.
Web and advertising tracking -- hard to escape.

Tracking cookies are everywhere and if you are not using a clean browser without cookies, you will be tracked. DNS traffic can still be monitored by the VPN service unless DoH/DoT is in use.

Browser fingerprinting methods can narrow you down to a unique fingerprint, 1 out of 250k+ browsers. Things you don't think about can give you away: which fonts you have installed can be used to help build that unique fingerprint.
OK, OK, so I use a VPN and a clean browser in a virtual machine, I'm good, right? I can do the shady thing safely, right? No.
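As an added worked example of the fingerprinting arithmetic behind the "1 out of 250k+" figure (this code is not from the talk): a constructed population of eight browsers, with functions that compute the anonymity set for a given browser, its surprisal in bits, and how the fraction of uniquely identifiable browsers grows as the installed-font list is added to the attributes being compared. The attribute values are invented; the 250k figure from the text is converted to bits with log2.

```python
import math
from typing import Dict, List, Sequence

# Constructed population of 8 browsers (invented values). Real surveys run to
# hundreds of thousands of browsers; the arithmetic is identical.
POPULATION: List[Dict[str, str]] = [
    {"ua": "Firefox/118 Windows", "tz": "UTC-4", "fonts": "Arial,Calibri,Segoe"},
    {"ua": "Firefox/118 Windows", "tz": "UTC-4", "fonts": "Arial,Calibri,Segoe"},
    {"ua": "Firefox/118 Windows", "tz": "UTC-4", "fonts": "Arial,Calibri,Segoe,Wingdings"},
    {"ua": "Firefox/118 Windows", "tz": "UTC-5", "fonts": "Arial,Calibri,Segoe"},
    {"ua": "Chrome/117 Windows",  "tz": "UTC-4", "fonts": "Arial,Calibri,Segoe"},
    {"ua": "Chrome/117 Windows",  "tz": "UTC-4", "fonts": "Arial,Calibri,Segoe,Papyrus"},
    {"ua": "Safari/17 macOS",     "tz": "UTC-4", "fonts": "Helvetica,Menlo"},
    {"ua": "Safari/17 macOS",     "tz": "UTC-8", "fonts": "Helvetica,Menlo"},
]


def anonymity_set(pop: Sequence[Dict[str, str]], fp: Dict[str, str], attrs: Sequence[str]) -> int:
    """Number of browsers in pop (fp itself included) that match fp on every attribute in attrs."""
    return sum(1 for row in pop if all(row[a] == fp[a] for a in attrs))


def surprisal_bits(pop: Sequence[Dict[str, str]], fp: Dict[str, str], attrs: Sequence[str]) -> float:
    """Identifying information carried by fp's values for attrs: -log2(P(a random browser matches))."""
    return -math.log2(anonymity_set(pop, fp, attrs) / len(pop))


def unique_fraction(pop: Sequence[Dict[str, str]], attrs: Sequence[str]) -> float:
    """Fraction of the population that is singled out (anonymity set of 1) by these attributes."""
    return sum(1 for fp in pop if anonymity_set(pop, fp, attrs) == 1) / len(pop)


def bits_needed(population_size: int) -> float:
    """Bits of identifying information needed to single out one browser among population_size."""
    return math.log2(population_size)


if __name__ == "__main__":
    for attrs in (["ua"], ["ua", "tz"], ["ua", "tz", "fonts"]):
        print(attrs, "unique fraction:", unique_fraction(POPULATION, attrs))
    print("bits to single out 1 of 250k:", round(bits_needed(250_000), 2))
```

With only the user agent nobody in the sample is unique; adding the time zone singles out 3 of 8, and adding the font list singles out 6 of 8. Singling out one browser among 250,000 takes about 17.9 bits, which is why a handful of attributes that each leak a few bits (fonts, screen size, plugins, canvas rendering) are enough.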

Your traffic is still visible from the source point of the VPN provider, and even the ones that say they don't do logging are doing logging (or the local government is), plus the wiretapping going on.

Yes, much of your session traffic will be HTTPS encrypted, but that still leaks data through the SNI and certificate checks. DNS queries can leak too.

Wiretapping: known legal and otherwise. Room 641A and others all over the place. NSLs (National Security Letters) and other government powers to compel cooperation. https://en.m.wikipedia.org/wiki/Room_641A
The USA is far from the only government doing this sort of broad traffic collection. Some are also doing censorship/filtering at the national level (deep packet inspection and also DNS-based). In some places, ISPs are required to install "middle boxes" that not only try to censor information, but are also used for surveillance.
Netflow data aggregation is currently in the hands of corporations and governments. What is netflow? Records that sample activity keyed on the 5-tuple (source/destination IP, source/destination port, protocol) plus the source interface. There are broadband equipment vendors that use netflow data to report on subscriber online activity, and have interesting privacy policies. Some are selling these data streams to traffic intelligence services. Think of it as Nielsen ratings for online activities. There are ISPs that use netflow cloud services (Kentik), which makes them convenient central places to send NSLs if you want some data.
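To make the netflow point concrete, here is an added Python example (not from the talk) using constructed flow records. It aggregates one subscriber's flows by destination, first for direct browsing and then for the same activity inside a VPN tunnel, showing what an ISP-side collector, or anyone it sells the export to, can tabulate without seeing a single payload byte. The IP addresses, byte counts and the interface name "cust1" are made up; UDP 51820 is WireGuard's default port.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: the 5-tuple plus input interface and byte count."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    in_if: str
    octets: int


# Constructed sample: subscriber 192.0.2.10 browsing directly (no VPN).
DIRECT: List[Flow] = [
    Flow("192.0.2.10", "203.0.113.5", "tcp", 50231, 443, "cust1", 81200),    # video site
    Flow("192.0.2.10", "203.0.113.5", "tcp", 50232, 443, "cust1", 402000),
    Flow("192.0.2.10", "198.51.100.9", "tcp", 50233, 443, "cust1", 5300),    # news site
    Flow("192.0.2.10", "198.51.100.53", "udp", 50234, 53, "cust1", 120),     # plain DNS
    Flow("192.0.2.10", "203.0.113.77", "tcp", 50235, 143, "cust1", 9000),    # IMAP, cleartext
]

# Same subscriber, same activity, but everything tunnelled to one VPN endpoint.
TUNNELLED: List[Flow] = [
    Flow("192.0.2.10", "203.0.113.200", "udp", 41000, 51820, "cust1",
         sum(f.octets for f in DIRECT)),
]

# Destination ports whose protocol is normally unencrypted: a wiretap at the same
# vantage point would see content, not just metadata.
CLEARTEXT_PORTS: FrozenSet[int] = frozenset({21, 53, 80, 110, 143})


def per_destination(flows: List[Flow], subscriber: str) -> Dict[str, dict]:
    """Aggregate a subscriber's outbound flows by destination IP:
    flow count, total bytes and the set of proto/port services used."""
    out: Dict[str, dict] = defaultdict(lambda: {"flows": 0, "octets": 0, "services": set()})
    for f in flows:
        if f.src_ip != subscriber:
            continue
        rec = out[f.dst_ip]
        rec["flows"] += 1
        rec["octets"] += f.octets
        rec["services"].add(f"{f.proto}/{f.dst_port}")
    return dict(out)


def visible_destinations(flows: List[Flow], subscriber: str) -> List[str]:
    """The destination IPs the collector can attribute to this subscriber."""
    return sorted(per_destination(flows, subscriber))


def cleartext_services(flows: List[Flow], subscriber: str) -> List[str]:
    """Services the subscriber used over protocols that are normally unencrypted."""
    return sorted({f"{f.proto}/{f.dst_port}"
                   for f in flows
                   if f.src_ip == subscriber and f.dst_port in CLEARTEXT_PORTS})


if __name__ == "__main__":
    for label, flows in (("direct", DIRECT), ("tunnelled", TUNNELLED)):
        print(label, per_destination(flows, "192.0.2.10"))
        print(label, "cleartext:", cleartext_services(flows, "192.0.2.10"))
```

In the direct case the collector learns every site, the DNS resolver and the plaintext mail server the subscriber touched. In the tunnelled case it learns only the VPN endpoint, the total volume and the timing, which is the limited benefit the text describes; the per-site view has not disappeared, it has moved to whoever watches the VPN provider's egress.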

Listen carefully to statements or legal policies. Hairs are split. “We don’t listen to all your phone calls” — no, but you can record them and listen to them later.

Special browsers for privacy. Browser plugins for ad blocking and tracking protection. Discuss all the options in detail.
VPN technical requirements (ciphers and strength) that are desirable, and NIST guidelines.

Some recommendations for actual security, which is much harder, but recommended if you want to do shady things online or your threat model includes nation-state actor risks. Journalist discussion.
1. Use a dedicated local hardware device (NAT router) for your VPN to your own cloud VPS (small home router or Raspberry Pi). Change your external-facing MAC address, and you can double-NAT this through your normal firewall.

2. Use Tails on an old laptop, connected to your VPN device with zero state, via an Ethernet cable. Could be an entire discussion.

3. Make your last mile as untraceable to you as possible: long-distance wireless, business/school networks etc. without cameras and logging. Not easy to do.

4. Many ISPs keep DHCP logs with MACs, sometimes for years, along with CGNAT translation records and records of all session traffic. They can tie your physical location and account to the Ethernet MAC of your router, for subpoenas.

5. Disable the laptop camera and microphone in hardware.

6. Don't do shady things from your home or work or anyplace else that can be traced to you.

7. The best way to do shady things is to use other people's computers remotely over covert channels, from additional untraceable locations (I'm behind seven proxies!).

Some resources that will be used:

Are you releasing a tool? – No