OpenVPN is Open to VPN Fingerprinting
- URL: http://arxiv.org/abs/2403.03998v1
- Date: Wed, 6 Mar 2024 19:15:02 GMT
- Title: OpenVPN is Open to VPN Fingerprinting
- Authors: Diwen Xue, Reethika Ramesh, Arham Jain, Michalis Kallitsis, J. Alex Halderman, Jedidiah R. Crandall, Roya Ensafi,
- Abstract summary: VPN adoption has seen steady growth over the past decade due to increased public awareness of privacy and surveillance threats.
Certain governments are attempting to restrict VPN access by identifying connections using "dual use" technology.
We develop mechanisms for accurately fingerprinting connections using DPI, the most popular protocol for commercial VPN services.
- Score: 10.58132231462485
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: VPN adoption has seen steady growth over the past decade due to increased public awareness of privacy and surveillance threats. In response, certain governments are attempting to restrict VPN access by identifying connections using "dual use" DPI technology. To investigate the potential for VPN blocking, we develop mechanisms for accurately fingerprinting connections using OpenVPN, the most popular protocol for commercial VPN services. We identify three fingerprints based on protocol features such as byte pattern, packet size, and server response. Playing the role of an attacker who controls the network, we design a two-phase framework that performs passive fingerprinting and active probing in sequence. We evaluate our framework in partnership with a million-user ISP and find that we identify over 85% of OpenVPN flows with only negligible false positives, suggesting that OpenVPN-based services can be effectively blocked with little collateral damage. Although some commercial VPNs implement countermeasures to avoid detection, our framework successfully identified connections to 34 out of 41 "obfuscated" VPN configurations. We discuss the implications of the VPN fingerprintability for different threat models and propose short-term defenses. In the longer term, we urge commercial VPN providers to be more transparent about their obfuscation approaches and to adopt more principled detection countermeasures, such as those developed in censorship circumvention research.
Related papers
- Efficacy of Full-Packet Encryption in Mitigating Protocol Detection for Evasive Virtual Private Networks [0.0]
Full-packet encryption is a technique used by modern evasive Virtual Private Networks (VPNs) to avoid protocol-based flagging from censorship models by disguising their traffic as random noise on the network.
I tested several machine learning-based classification models against the Aggressive Circumvention of Censorship (ACC) protocol, a fully-encrypted evasive VPN protocol.
arXiv Detail & Related papers (2024-12-23T07:24:36Z) - Bad Neighbors: On Understanding VPN Provider Networks [18.382471188948283]
We conduct a large-scale analysis of VPN providers and their thousands of VPN endpoints.
Our results indicate a widespread lack of traffic filtering towards internally routable networks on the majority of tested VPN service providers.
We have disclosed our findings to the affected providers and other stakeholders, and offered guidance to improve the situation.
arXiv Detail & Related papers (2024-10-11T11:51:20Z) - As Advertised? Understanding the Impact of Influencer VPN Ads [24.988957653689354]
We use a novel VPN ad detection model to calculate the ad exposure of 217 participants via their YouTube watch histories.
We find that exposure to VPN ads is significantly correlated with familiarity with VPN brands and increased belief in (hyperbolic) threats.
Although many participants agree with both factual and misleading mental models of VPNs that often appear in ads, we find no significant correlation between exposure to VPN ads and these mental models.
arXiv Detail & Related papers (2024-06-18T19:22:37Z) - "I just hated it and I want my money back": Data-driven Understanding of Mobile VPN Service Switching Preferences in The Wild [5.998704044356281]
We analyzed over 1.3 million reviews from 20 leading VPN apps, identifying 1,305 explicit mentions and intents to switch.
Our NLP-based analysis unveiled distinct clusters of factors motivating users to switch.
An examination of 376 blogs from six popular VPN recommendation sites revealed biases in the content.
arXiv Detail & Related papers (2024-03-04T00:02:46Z) - A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z) - The Key to Deobfuscation is Pattern of Life, not Overcoming Encryption [0.7124736158080939]
We present a novel methodology that is effective at deobfuscating sources by synthesizing measurements from key locations along protocol transaction paths.
Our approach links online personas with their origin IP addresses based on a Pattern of Life (PoL) analysis.
We show that, when monitoring in the correct places on the Internet, DNS over HTTPS (DoH) and DNS over TLS (DoT) can be deobfuscated with up to 100% accuracy.
arXiv Detail & Related papers (2023-10-04T02:34:29Z) - Sound and Complete Verification of Polynomial Networks [55.9260539566555]
Polynomial Networks (PNs) have demonstrated promising performance on face and image recognition recently.
Existing verification algorithms on ReLU neural networks (NNs) based on branch and bound (BaB) techniques cannot be trivially applied to PN verification.
We devise a new bounding method, equipped with BaB for global convergence guarantees, called VPN.
arXiv Detail & Related papers (2022-09-15T11:50:43Z) - Is Vertical Logistic Regression Privacy-Preserving? A Comprehensive
Privacy Analysis and Beyond [57.10914865054868]
We consider vertical logistic regression (VLR) trained with mini-batch descent gradient.
We provide a comprehensive and rigorous privacy analysis of VLR in a class of open-source Federated Learning frameworks.
arXiv Detail & Related papers (2022-07-19T05:47:30Z) - SPAct: Self-supervised Privacy Preservation for Action Recognition [73.79886509500409]
Existing approaches for mitigating privacy leakage in action recognition require privacy labels along with the action labels from the video dataset.
Recent developments of self-supervised learning (SSL) have unleashed the untapped potential of the unlabeled data.
We present a novel training framework which removes privacy information from input video in a self-supervised manner without requiring privacy labels.
arXiv Detail & Related papers (2022-03-29T02:56:40Z) - Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy.
We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
arXiv Detail & Related papers (2020-06-10T16:05:05Z) - CryptoSPN: Privacy-preserving Sum-Product Network Inference [84.88362774693914]
We present a framework for privacy-preserving inference of sum-product networks (SPNs)
CryptoSPN achieves highly efficient and accurate inference in the order of seconds for medium-sized SPNs.
arXiv Detail & Related papers (2020-02-03T14:49:18Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.