IPv6 Leakage and DNS Hijacking
Is Freedome vulnerable to the attacks as described in this recently published study?http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf
To be fair, Freedome was not tested here. Nevertheless it got me curious.
Comments
-
I'm surprised there has still been no comment on these issues from F-Secure, either to this post or the blog. It makes one assume they are vulnerable to one or both of these issues across the platforms they support, and they're either ignoring the issue or hopefully working to resolve it. Any comment from those who would know?
-
We're sorry for the slow replies - due to summer holiday season, our communications have been a bit slow.
IPv6 and Freedome:
Freedome provides working IPv6 connectivity to Android, Windows and OS X clients, so that IPv6 traffic will not bypass the VPN.
On Android, Windows and OS X, IPv6 is always available when Freedome is connected, if the client operating system has enabled IPv6, even if IPv6 is otherwise not available to the client system on its local network.
On iOS, the VPN configuration disables IPv6 to prevent IPv6 leaks while the VPN is connected. IPv6 over IPSEC for iOS is not available yet in our setup, but at least there's no leakage.
DNS hijacking through DHCP (PETS2015VPN):
Freedome on Android, Windows and OS X currently sets a different DNS server address for every VPN client connected to a single VPN gateway. The DNS server address is the same as the default gateway address used over the VPN by that client (the VPN tunnel point-to-point link destination address). This protects Freedome clients against the DNS hijacking attack described in the article.
Unfortunately we have not yet confirmed whether the DNS hijacking attack works on our iOS client at this point, and will have to get back to you later regarding it.
[edit 2015-10-21: Current Android clients, starting at version 2.0.21, always enable IPv6 routing over the VPN, even if local network would not provide IPv6. To reduce risk of incompatibilities with some client apps and Android versions, older versions of the Android client only enabled IPv6 over the VPN if it could detect local IPv6 connectivity being available to the Android device.]
-
I disagree with the assessment that Freedome doesn't leak over IPv6. While using Freedome on my Windows PC, I tested this at ipv6leak.com and it pulled up my IPv6 address without a problem. So any website equipped for IPv6 traffic should be able to do the same thing, which is very insecure. In fact, Freedome requires IPv6 be enabled in order to run. I have since disabled IPv6, and Freedome will no longer connect.
I've used and tested other VPNs in the past (AirVPN, Cyberghost) and both purposely blocked my IPv6 address from being revealed, which is a positive thing.
Can you please comment on this?
-
OK this is cool, first I was doubtful when I tested for ipv6 dns leak here
http://ipv6leak.com/results?token=yrkmwm9wop7j8qcn
It showed this IPv6 IP, and said that I most likely had an ipv6 dns leak.
2607:f0d0:1005:1c::4
But looking up the IP on Arin shows that it is in fact a Freedome owned ipv6 IP, so I think we are good:
https://whois.arin.net/rest/net/NET6-2607-F0D0-1005-1C-1/pft?s=2607%3Af0d0%3A1005%3A1c%3A%3A4
So far, I am very impressed with Freedome in terms of speed, ease of setup, security, and no dns leakage that I can detect! My only complaint is that I dont see a Linux version of Freedome.
(feature request?)
Thanks
David
-
Ok, thank you for this feedback. It seems like some leak testing sites are suspicious for some reason if the VPN provides IPv6, even if the IPv6 would be correctly routed via the VPN and the VPN provider IPv6 address would be shown.
I edited my previous reply to reflect the current Android client versions, they always enable IPv6 connectivity over the VPN tunnel even if the local network would not provide IPv6, so that IPv6 will not start bypassing the VPN if the local network suddenly does start to provide IPv6.
🚩 What Do You Think?
We’d love your thoughts on our fresh look! Quick survey, big impact!