Slashdot Mirror


UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers

jan_jes writes: According to researchers at Queen Mary University of London, services used by hundreds of thousands of people in the UK to protect their identity on the web are vulnerable to leaks. The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android. Similarly Russian researchers have exposed the breakthrough U.S. spying program few months back. The VPNs they tested certainly aren't confined to the UK; thanks to an anonymous submitter, here's the list of services tested: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.
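A host-side check for the leak described above, added here as an example and not part of the story or the study: it parses `ip -6 addr` and `ip -6 route` output (constructed samples, not captured from a real host) and flags a host that holds a global IPv6 address while its IPv6 default route leaves outside the VPN tunnel, which is exactly how IPv6 traffic ends up bypassing an IPv4-only VPN. The tunnel interface naming (tun/tap/wg/ppp) is an assumption.

```python
import re

# Constructed sample output (not from a real host): eth0 has a global IPv6 address
# from a dual-stack ISP, tun0 carries only IPv4, so the IPv6 default route bypasses the VPN.
SAMPLE_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1234:5678::1a2b/64 scope global dynamic
    inet6 fe80::5054:ff:fe12:3456/64 scope link
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN
"""
SAMPLE_ROUTE = """\
2001:db8:1234:5678::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 1024
"""
# Assumed naming convention for VPN tunnel interfaces; adjust for your client.
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp")

def global_v6_ifaces(addr_out):
    """Interfaces holding a global-scope IPv6 address, parsed from `ip -6 addr`."""
    ifaces, current = set(), None
    for line in addr_out.splitlines():
        m = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if m:
            current = m.group(1)
        elif current and re.match(r"^\s+inet6\s+\S+\s+scope\s+global", line):
            ifaces.add(current)
    return ifaces

def v6_default_dev(route_out):
    """Device the IPv6 default route leaves through, from `ip -6 route`, or None."""
    for line in route_out.splitlines():
        m = re.match(r"^default\b.*\bdev\s+(\S+)", line)
        if m:
            return m.group(1)
    return None

def assess(addr_out, route_out):
    """Classify the host: no global IPv6, IPv6 tunneled, or IPv6 leaking past the VPN."""
    exposed = global_v6_ifaces(addr_out)
    dev = v6_default_dev(route_out)
    if not exposed:
        verdict = "no_global_ipv6"  # nothing to leak: the host has no routable IPv6
    elif dev and dev.startswith(TUNNEL_PREFIXES):
        verdict = "tunneled"        # IPv6 default route goes through the VPN
    else:
        verdict = "leak_risk"       # global IPv6 address, default route outside the tunnel
    return {"verdict": verdict, "global_v6_ifaces": sorted(exposed), "default_dev": dev}
```

Run it against the real `ip -6 addr` / `ip -6 route` output of a host with the VPN connected; a "tunneled" verdict with the tunnel interface as `default_dev` is what you want to see.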

6 of 65 comments

  1. 14 tested, 11 leaked... by rotaryexpress · Score: 4, Interesting

    The 14 tested are listed, but not the ones that are leaking data? Why list one and not the other?

  2. ipv6 incompetence is nothing new. by nimbius · Score: 4, Interesting

    we mandated ipv6 a while back and like alcoholics we refused to give up ipv4 for a myriad of nagging and petulant reasons. it's coming back to haunt us now, with everything from legacy routers that can't grok ipv6 right to switches that can't tag or trunk v6. Many commercial firewalls even struggle to answer the questions "can you support ipv6?" and "can you route it?" with a definitive answer.

    for the average user there's no clear or quick answer; you'll just have to agree that some third party got it right. For slashdotters there's easy-rsa tools to start your CA and OpenVPN which has had support for ipv6 since 2.3. "leakage" is an ephemeral and undefined problem in TFA, but for those of us that live and breathe on planet RTFM an openvpn tunnel that supports v4 and v6 is trivial.

    I'm speaking of the states, but here our cable and fibre providers have 90% coverage of a dual-stack configuration of ipv6 and ipv4 direct to the device. Sure, the modem only grants 1 ip for 1 customer (at least until the net neutrality suits are settled) but once you step into a fresh IPv6 address the measure of this ipv6 debacle becomes apparent. Big players aren't playing: Amazon's various services don't support ipv6 and most of your TLDs outside of the googleverse don't get AAAA. The open source community at freenode does support it however, and most shared/vps hosting providers do as well, so if you need a project this summer at least consider looking at your docsis3 options/ipv6 lease and get to work on that vpn!

    --
    Good people go to bed earlier.

    1. Re:ipv6 incompetence is nothing new. by Anonymous Coward · Score: 2, Interesting

      If address space were an important factor, they would have taken away large blocks to organizations that don't need them.

      I know a university with a class B block and they have maybe 100 servers that need to have publicly routable IP addresses but they have an entire class B block. If you connect to the wifi on campus you get a public facing IP address! All the computers in every lab on campus have a public IP address. Your laptop or tablet will have an address like 166.127.34.139 (first two octets changed to hide the incompetent) and their weak firewall only stops ICMP traffic to your device.

      That is 65,000+ wasted addresses at just one location and they aren't the only address wasters, not even close.

      Next you have loopback 127.0.0.1/24. That is a massive waste. What machine needs 16,777,216 local addresses?

      Now you have private address spaces: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 which is nearly 18 million addresses. Far more than any one needs in a private address.

      I wouldn't be surprised if 50% of the IPv4 address space is wasted.

      The motivation behind IPv6 is security, and only pushed along because of IPv4 address waste.

  3. Referenced Article is a Teaser Webpage by Tokolosh · Score: 3, Interesting

    The actual study is due to be presented at a future conference. In that sense the findings have not yet been made. So we are lured by clickbait into discussing something that has not happened. This is a waste of time.

    Tangentially, what is the purpose of headlines that say things like "President will announce tomorrow that he is starting World War 3"? Isn't that the same as announcing it now? Does he think we are stupid? Oh, wait...

    --
    Prove anything by multiplying Huge Number times Tiny Number

  4. Re:Teredo leaks by greenwow · Score: 4, Interesting

    But don't do that! Disabling IPv6 is an "unsupported configuration" to use the phrase our former Microsoft support rep used. I say former because they canceled our support contract without a refund after we admitted to disabling IPv6. There are many things broken in Windows if you disable IPv6, so many that Microsoft won't even try to support it and punishes people that do in order to publicize that fact.

  5. More Microsoft fanbois w/ mod points! by Anonymous Coward · Score: 2, Interesting

    Amazing how they attack anyone here, like this guy, when someone posts the truth about Microsoft. Microsoft most certainly has a policy against disabling IPv6. They burned some of our license keys for disabling IPv6. Their official policy from:

    https://technet.microsoft.com/en-us/network/cc987595.aspx

    "IPv6 is a mandatory part of the Windows operating system"

    It is not optional. Microsoft will hurt you for disabling it, if they can. The guy that runs Microsoft now, John Thompson, has talked about taking legal action against businesses that disable IPv6, but hey you Microsoft fanboi moderators, don't let the facts get in the way of lying and calling people trolls that point out official written Microsoft policy.