IPv6 Leakage and DNS Hijacking

Is Freedome vulnerable to the attacks as described in this recently published study?http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

 

To be fair, Freedome was not tested here. Nevertheless it got me curious.

 

Comments

  • SSNC
    SSNC Posts: 2

    I'm surprised there has still been no comment on these issues from F-Secure, either to this post or the blog. It makes one assume they are vulnerable to one or both of these issues across the platforms they support, and they're either ignoring the issue or hopefully working to resolve it. Any comment from those who would know?

  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    We're sorry for the slow replies - due to summer holiday season, our communications have been a bit slow.

     

    IPv6 and Freedome:

     

    Freedome provides working IPv6 connectivity to Android, Windows and OS X clients, so that IPv6 traffic will not bypass the VPN.

     

    On Android, Windows and OS X, IPv6 is always available when Freedome is connected, if the client operating system has enabled IPv6, even if IPv6 is otherwise not available to the client system on its local network.

     

    On iOS, the VPN configuration disables IPv6 to prevent IPv6 leaks while the VPN is connected. IPv6 over IPSEC for iOS is not available yet in our setup, but at least there's no leakage.

     

    DNS hijacking through DHCP (PETS2015VPN):

     

    Freedome on Android, Windows and OS X currently sets a different DNS server address for every VPN client connected to a single VPN gateway. The DNS server address is the same as the default gateway address used over the VPN by that client (the VPN tunnel point-to-point link destination address). This protects Freedome clients against the DNS hijacking attack described in the article.

     

    Unfortunately we have not yet confirmed whether the DNS hijacking attack works on our iOS client at this point, and will have to get back to you later regarding it.

     

    [edit 2015-10-21: Current Android clients, starting at version 2.0.21, always enable IPv6 routing over the VPN, even if local network would not provide IPv6. To reduce risk of incompatibilities with some client apps and Android versions, older versions of the Android client only enabled IPv6 over the VPN if it could detect local IPv6 connectivity being available to the Android device.]

  • Pootis
    Pootis Posts: 4 Observer
    Any update on iOS client?
  • TonyT228
    TonyT228 Posts: 6 New Member

    I disagree with the assessment that Freedome doesn't leak over IPv6.  While using Freedome on my Windows PC, I tested this at ipv6leak.com and it pulled up my IPv6 address without a problem.  So any website equipped for IPv6 traffic should be able to do the same thing, which is very insecure.  In fact, Freedome requires IPv6 be enabled in order to run.  I have since disabled IPv6, and Freedome will no longer connect.

     

    I've used and tested other VPNs in the past (AirVPN, Cyberghost) and both purposely blocked my IPv6 address from being revealed, which is a positive thing.

     

    Can you please comment on this?

  • DenverCyber
    DenverCyber Posts: 1 New Member

    OK this is cool, first I was doubtful when I tested for ipv6 dns leak here

    http://ipv6leak.com/results?token=yrkmwm9wop7j8qcn

    It showed this IPv6 IP, and said that I most likely had an ipv6 dns leak.

    2607:f0d0:1005:1c::4

    But looking up the IP on Arin shows that it is in fact a Freedome owned ipv6 IP, so I think we are good:

    https://whois.arin.net/rest/net/NET6-2607-F0D0-1005-1C-1/pft?s=2607%3Af0d0%3A1005%3A1c%3A%3A4

    So far, I am very impressed with Freedome in terms of speed, ease of setup, security, and no dns leakage that I can detect! My only complaint is that I dont see a Linux version of Freedome.

    (feature request?)

    Thanks

    David

     

  • TonyT228
    TonyT228 Posts: 6 New Member

    My mistake.  I tried again as well and ran an ARIN Whois check and found the same results.  I didn't know IPv6 could be checked that way.  Oh well--live and learn!Smiley LOL

  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    Ok, thank you for this feedback. It seems like some leak testing sites are suspicious for some reason if the VPN provides IPv6, even if the IPv6 would be correctly routed via the VPN and the VPN provider IPv6 address would be shown.

     

     

    I edited my previous reply to reflect the current Android client versions, they always enable IPv6 connectivity over the VPN tunnel even if the local network would not provide IPv6, so that IPv6 will not start bypassing the VPN if the local network suddenly does start to provide IPv6.

This discussion has been closed.
Product & Pricing Info