A VPN is meant to ensure the privacy of your communications through strong encryption, but new tests suggest that the most popular VPN services have critical security flaws.
Picture: Maksim Kabakou/Shutterstock
When you pay for a VPN, what you’re really paying for is security, whether it’s the security of your business operations, or the security of privacy in relation to your communications.
So it’s quite troubling to find that a study of commercial VPN providers showed that they all leak IPv6 traffic at an alarming rate.
The study, "A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients", examined the services of Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad and Hotspot Shield Elite.
Of that list, every single VPN except for Astrill was open to IPv6 hijacking attempts, but even Astrill was found to leak IPv6 data. As a result, none of them could be said to be secure, with significant possibilities to uncover user data in a way that makes a VPN essentially pointless.
The problem is that the VPN clients do not manipulate the routing table for IPv6 connections the way they do for IPv4, so IPv6 traffic is not hidden the way IPv4 traffic is. With IPv6 traffic only set to grow, this is a problem that could get significantly worse.
VPNs are so insecure you might as well wear a KICK ME sign [The Register]
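The routing-table gap described above can be checked on a connected client. This is an added example, not code from the study or from any VPN provider: it parses Linux `ip route show` style output and reports whether IPv4 leaves through the tunnel while IPv6 still has a path around it. The sample route tables, the interface-name prefixes and the documentation-range test addresses are all constructed assumptions.

```python
import ipaddress

TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp")  # assumed VPN interface names

# Constructed `ip -4 route show` / `ip -6 route show` output for a dual-stack
# host with a VPN client connected (illustrative, not captured from a real system).
SAMPLE_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
"""
SAMPLE_V6 = """\
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

def parse_routes(text, version):
    """Return [(network, device)] for each route line that names a device."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok[:-1]:
            continue
        dest = tok[0]
        if dest == "default":
            dest = "0.0.0.0/0" if version == 4 else "::/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." entries are ignored here
        if net.version == version:
            routes.append((net, tok[tok.index("dev") + 1]))
    return routes

def egress_dev(text, dest):
    """Longest-prefix match (metrics ignored): interface that carries dest."""
    addr = ipaddress.ip_address(dest)
    hits = [(n.prefixlen, d) for n, d in parse_routes(text, addr.version) if addr in n]
    return max(hits)[1] if hits else None

def ipv6_leaks(v4_text, v6_text, v4_dest="198.51.100.1", v6_dest="2001:db8:ffff::1"):
    """True when IPv4 leaves through the tunnel but IPv6 has a path around it."""
    v4_dev, v6_dev = egress_dev(v4_text, v4_dest), egress_dev(v6_text, v6_dest)
    tunnelled = lambda dev: dev is not None and dev.startswith(TUNNEL_PREFIXES)
    return tunnelled(v4_dev) and v6_dev is not None and not tunnelled(v6_dev)

if __name__ == "__main__":
    print("IPv6 bypasses the tunnel:", ipv6_leaks(SAMPLE_V4, SAMPLE_V6))
```

An empty IPv6 table (IPv6 disabled on the device) or a more specific IPv6 route via the tunnel interface both make the check return False.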
Comments
18 responses to “VPNs Fail Critical Security Tests”
“So it’s quite troubling to find that a study of commercial VPN providers showed that they all leak either IPv6 traffic at an alarming rate”
Did that ‘either’ slip in there, or was there going to be something else too?
Damned IPv6 traffic, leaking “either” into my nicely formed articles…
(Fixes error, hangs head in shame.)
Darn that leaky traffic for making a mess.
Alex, is there any information on other VPN services that are more secure?
Currently, most public VPN services are aimed at masking your traffic to ISP/Gov so that you can’t be held accountable for illegally downloading content or bypassing site blocks.
Not so much of the “security” side of things.
As long as it stops Hollywood from finding out who we are (which they do) I don’t think 99% of VPN users care
PIA has IPv6 leak protection in its advanced options. I can only assume this works, otherwise why have it there?
I’ve heard good things about PIA’s leak protection, but then again they weren’t tested as part of this study. NordVPN also have a similar feature that is on by default.
It’s there, it just doesn’t look right all bunched up. 🙂
If you go to the link, PIA aren’t protected from DNS hijacking though 🙁
I think you’ll find they are protected, if this info is correct. This is a couple of years ago too.
The majority of VPN users are using IPV4 at the moment though.
I checked my IPvanish connection with ipleak.net and everything seemed fine. I dunno if that tested ipv6 but it does check DNS leaking.
Also IPVanish has options for OpenVPN, L2TP and PPTP, not just OpenVPN like that “study” suggests…. So even based off that I’m going to take all this with a grain of salt
A link to the study results http://www.qmul.ac.uk/media/news/items/se/158459.html
Of note is that when using https, they were unable to get VPNs to leak information.
It’s all Julian Assange’s fault
Question, were these tests performed on computers using the Windows/etc based client or through DDWRT on a router? I have detected leaks on the clients before, but not on DDWRT.
I just read PureVPN’s response regarding this issue: http://www.purevpn.com/blog/ipv6-leakage-and-dns-hijacking-protection/
TL;DR – turn off IPV6 on your device while we scramble to actually cater for it now we’ve been caught with our pants down.
Pretty sure the only thing I have, that RELIES on ipv6 is – bittorrent.