Bad Neighbors: On Understanding VPN Provider Networks
- URL: http://arxiv.org/abs/2410.08737v1
- Date: Fri, 11 Oct 2024 11:51:20 GMT
- Title: Bad Neighbors: On Understanding VPN Provider Networks
- Authors: Teemu Rytilahti, Thorsten Holz
- Abstract summary: We conduct a large-scale analysis of VPN providers and their thousands of VPN endpoints.
Our results indicate a widespread lack of traffic filtering towards internally routable networks on the majority of tested VPN service providers.
We have disclosed our findings to the affected providers and other stakeholders, and offered guidance to improve the situation.
- Score: 18.382471188948283
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Virtual Private Network (VPN) solutions are used to connect private networks securely over the Internet. Besides their benefits in corporate environments, VPNs are also marketed to privacy-minded users to preserve their privacy, and to bypass geolocation-based content blocking and censorship. This has created a market for turnkey VPN services offering a multitude of vantage points all over the world for a monthly price. While VPN providers are heavily using privacy and security benefits in their marketing, such claims are generally hard to measure and substantiate. While there exist some studies on the VPN ecosystem, all prior works omit a critical part in their analyses: (i) How well do the providers configure and secure their own network infrastructure? and (ii) How well are they protecting their customers from other customers? To answer these questions, we have developed an automated measurement system with which we conduct a large-scale analysis of VPN providers and their thousands of VPN endpoints. Considering the fact that VPNs work internally using non-Internet-routable IP addresses, they might enable access to otherwise inaccessible networks. If not properly secured, this can inadvertently expose internal networks of these providers, or worse, even other clients connected to their services. Our results indicate a widespread lack of traffic filtering towards internally routable networks on the majority of tested VPN service providers, even in cases where no other VPN customers were directly exposed. We have disclosed our findings to the affected providers and other stakeholders, and offered guidance to improve the situation.
Related papers
- Differentially Private Data Release on Graphs: Inefficiencies and Unfairness [48.96399034594329]
This paper characterizes the impact of Differential Privacy on bias and unfairness in the context of releasing information about networks.
We consider a network release problem where the network structure is known to all, but the weights on edges must be released privately.
Our work provides theoretical foundations and empirical evidence into the bias and unfairness arising due to privacy in these networked decision problems.
arXiv Detail & Related papers (2024-08-08T08:37:37Z)
- As Advertised? Understanding the Impact of Influencer VPN Ads [24.988957653689354]
We use a novel VPN ad detection model to calculate the ad exposure of 217 participants via their YouTube watch histories.
We find that exposure to VPN ads is significantly correlated with familiarity with VPN brands and increased belief in (hyperbolic) threats.
Although many participants agree with both factual and misleading mental models of VPNs that often appear in ads, we find no significant correlation between exposure to VPN ads and these mental models.
arXiv Detail & Related papers (2024-06-18T19:22:37Z)
- Secure Aggregation is Not Private Against Membership Inference Attacks [66.59892736942953]
We investigate the privacy implications of SecAgg in federated learning.
We show that SecAgg offers weak privacy against membership inference attacks even in a single training round.
Our findings underscore the imperative for additional privacy-enhancing mechanisms, such as noise injection.
arXiv Detail & Related papers (2024-03-26T15:07:58Z)
- An Extended View on Measuring Tor AS-level Adversaries [1.0170676980352482]
We use the Atlas framework to infer the risk of deanonymization for IPv4 clients in Germany and the US.
For clients in Germany and the US, the overall picture, however, has not changed since 2020.
Russian users are able to securely evade censorship using Tor.
arXiv Detail & Related papers (2024-03-13T13:27:02Z)
- OpenVPN is Open to VPN Fingerprinting [10.58132231462485]
VPN adoption has seen steady growth over the past decade due to increased public awareness of privacy and surveillance threats.
Certain governments are attempting to restrict VPN access by identifying connections using "dual use" technology.
We develop mechanisms for accurately fingerprinting connections using DPI, the most popular protocol for commercial VPN services.
arXiv Detail & Related papers (2024-03-06T19:15:02Z)
- "I just hated it and I want my money back": Data-driven Understanding of Mobile VPN Service Switching Preferences in The Wild [5.998704044356281]
We analyzed over 1.3 million reviews from 20 leading VPN apps, identifying 1,305 explicit mentions and intents to switch.
Our NLP-based analysis unveiled distinct clusters of factors motivating users to switch.
An examination of 376 blogs from six popular VPN recommendation sites revealed biases in the content.
arXiv Detail & Related papers (2024-03-04T00:02:46Z)
- Trustworthy confidential virtual machines for the masses [1.6503985024334136]
We present Revelio, an approach that allows confidential virtual machine (VM)-based workloads to be designed and deployed in a way that disallows tampering even by the service providers.
We focus on web-facing workloads, protect them leveraging SEV-SNP, and enable end-users to remotely attest them seamlessly each time a new web session is established.
arXiv Detail & Related papers (2024-02-23T11:54:07Z)
- Exploring Security Practices in Infrastructure as Code: An Empirical Study [54.669404064111795]
Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools.
scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks.
Ensuring security relies on practitioners' understanding and the adoption of explicit policies, guidelines, or best practices.
arXiv Detail & Related papers (2023-08-07T23:43:32Z)
- Protecting User Privacy in Online Settings via Supervised Learning [69.38374877559423]
We design an intelligent approach to online privacy protection that leverages supervised learning.
By detecting and blocking data collection that might infringe on a user's privacy, we can restore a degree of digital privacy to the user.
arXiv Detail & Related papers (2023-04-06T05:20:16Z)
- Privacy Explanations - A Means to End-User Trust [64.7066037969487]
We looked into how explainability might help to tackle this problem.
We created privacy explanations that aim to help to clarify to end users why and for what purposes specific data is required.
Our findings reveal that privacy explanations can be an important step towards increasing trust in software systems.
arXiv Detail & Related papers (2022-10-18T09:30:37Z)
- Smart Home, security concerns of IoT [91.3755431537592]
The IoT (Internet of Things) has become widely popular in domestic environments.
People are renewing their homes into smart homes; however, the privacy concerns of owning many Internet connected devices with always-on environmental sensors remain insufficiently addressed.
Default and weak passwords, cheap materials and hardware, and unencrypted communication are identified as the principal threats and vulnerabilities of IoT devices.
arXiv Detail & Related papers (2020-07-06T10:36:11Z)
This list is automatically generated from the titles and abstracts of the papers in this site.