Master_Scythe

VPN - Is fingerprinting a concern?


Just genuinely curious here.

All my education and experience says that I'm barking up the wrong tree, but there are elements of the internet that I've fallen behind on (like webRTC, for example).

 

Scenario:

If you're using a VPN.

Your DNS records go somewhere secure.

Your real IP doesn't leak.

 

Then you log into something, like your mail server, STEAM, Atomic;

something that identifies you; can that fingerprint be used in any way to pinpoint the user?

I'm fairly sure the answer is no.... but I'm just making sure I'm not overlooking something.

 

For a long time I was thinking of a VPN like a private proxy:

Me > Proxy > Site.

Which means that you can just reverse those arrows, and you have a path backward (so, as long as there's no logs, it's private until you log into a trackable service, like mail)

 

But in reality; unless there's a technology I'm missing; it's more like.

Me+Person+Person+Person+Person+Person+Person+Person+Person+Person+Person > VPN > Site.

So this would mean that trying to reverse the chain would mean that the link goes cold at step 2, because without VPN logs, there's no tracing it further, yeah?

 

The tldr;

Due to having messed with caching proxies for SO many years at work, my brain was stuck in the idea that, if you connect to a VPN, for privacy, you'd need to be careful NOT to log into any 'named'\traceable services.

Otherwise bam, they can link the chain and it's no longer private.

 

But in reality, because the VPN is log-free; I can log into steam, log into email, log into..... anything, and they still can't trace it back.

So I can have Steam logged in, and my Browsing is still 'private' right?

 

I feel like a noob asking; because I already know the answer, but sometimes I just need reassurance... my Networking degree was a long time ago now, and my eyes limiting my reading has slowed my progress; and really hurt my confidence.

Posted (edited)

It sounds like there are a lot of gaps in your knowledge here.

 

"Reversing the arrows" when accessing a website through a proxy is, in most instances, not possible. There are fields in the HTTP spec for a proxy to indicate what IP it is requesting on behalf of, but there is absolutely no reason that the proxy server must populate them:

 

<?php
// Header names a cooperating proxy MAY populate to reveal the client it is
// acting for. Nothing in the HTTP spec obliges a proxy to send any of them.
// Keys with an HTTP_ prefix are the forms PHP exposes via $_SERVER.
$HTTP_proxy_headers = array(
	'HTTP_VIA',
	'VIA',
	'Proxy-Connection',
	'HTTP_X_FORWARDED_FOR',
	'HTTP_FORWARDED_FOR',
	'HTTP_X_FORWARDED',
	'HTTP_FORWARDED',
	'HTTP_CLIENT_IP',
	'HTTP_FORWARDED_FOR_IP',
	'X-PROXY-ID',
	'MT-PROXY-ID',
	'X-TINYPROXY',
	'X_FORWARDED_FOR',
	'FORWARDED_FOR',
	'X_FORWARDED',
	'FORWARDED',
	'CLIENT-IP',
	'CLIENT_IP',
	'PROXY-AGENT',
	'HTTP_X_CLUSTER_CLIENT_IP',
	'FORWARDED_FOR_IP',
	'HTTP_PROXY_CONNECTION');

Without this information in the header, the remote host cannot know that the page was requested through a proxy. Technically they could operate an IP blacklist of known proxies, but even then, they cannot know from where the request originated.

 

On the topic of VPNs, there's no concept of your application connecting "through" the VPN service. It connects through an available IP interface, of which the VPN virtual interface is one. That interface is connected, for all intents and purposes, PHYSICALLY to the VPN provider's network, as if there was a long-arse Cat5 cable from your PC to them.

 

Not just "basically", but in a very real, practical sense, connections to services ORIGINATE at the VPN provider's datacentre. Only the VPN provider knows what L2TP/PPTP/IPsec/etc connections their clients have to their concentrators; that information is on another very separate layer to the encrypted IP traffic.

 

 

There are other ways someone could come to know your real public IP, but they're more bedded in sloppy handling of information than design weaknesses. E.g. Off-VPN you might visit a site that sets a cookie containing a session ID, then log on to your VPN and visit that same site, the host now knows that the same person used two IP's consecutively, one has a PTR record revealing an Aussie ISP name, the other is leased by "XYZ Networks" in Country A. Know what I mean?

Edited by SquallStrife

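A server-side view of the point made above, as an added example (not code from the thread): it checks a request for the proxy-disclosure headers in the posted list and reports the client IP they claim. The sample requests are constructed; an empty result only means nothing was disclosed, which is exactly the case for a silent proxy.

```python
"""Server-side check for proxy-disclosure headers.

Added example (not code from the thread): walks the header list SquallStrife
posted. A cooperating proxy MAY add Via / X-Forwarded-For / Forwarded, but a
silent proxy adds nothing, so an empty result means "nothing disclosed", not
"no proxy". Sample requests below are constructed, not real captures.
"""
import re

# Wire header names (lower-cased) from the posted list; CGI keys such as
# HTTP_X_FORWARDED_FOR are these same headers as PHP's $_SERVER sees them.
PROXY_HEADERS = {
    "via", "x-forwarded-for", "forwarded", "x-forwarded", "forwarded-for",
    "client-ip", "x-cluster-client-ip", "x-proxy-id", "mt-proxy-id",
    "x-tinyproxy", "proxy-agent", "proxy-connection",
}

def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines after the request line into a lower-cased dict."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def proxy_disclosure(raw: str) -> dict:
    """Report which proxy headers are present and the client IP they claim."""
    h = parse_headers(raw)
    present = sorted(name for name in h if name in PROXY_HEADERS)
    claimed = None
    if "x-forwarded-for" in h:
        # Leftmost entry is the originating client, as claimed by the chain.
        claimed = h["x-forwarded-for"].split(",")[0].strip()
    elif "forwarded" in h:  # RFC 7239 form: for=192.0.2.60;proto=https;by=...
        m = re.search(r'for="?\[?([^\];"]+)', h["forwarded"], re.IGNORECASE)
        claimed = m.group(1) if m else None
    elif "client-ip" in h:
        claimed = h["client-ip"]
    return {"disclosed": present, "claimed_client": claimed}

# Constructed samples: a chatty caching proxy and a silent one.
VIA_PROXY = ("GET / HTTP/1.1\r\nHost: example.invalid\r\nVia: 1.1 cache01\r\n"
             "X-Forwarded-For: 203.0.113.7, 198.51.100.2\r\n")
SILENT_PROXY = "GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: curl\r\n"

if __name__ == "__main__":
    print(proxy_disclosure(VIA_PROXY))     # headers present, client 203.0.113.7
    print(proxy_disclosure(SILENT_PROXY))  # nothing disclosed, claimed_client None
```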
15 hours ago, SquallStrife said:

It sounds like there are a lot of gaps in your knowledge here.

 

 

Oh yes, and I'm the first to admit it; 

I've forgotten a lot of my Diploma, from being stagnated.

 

My original dream was to be a coder, or a much lower-level network engineer than I am, but when my ability to read lines of text without triple spacing and 16pt became a reality, emotions went shit, education slowed, and now I just have to struggle to catch back up now I'm older with more discipline!

 

16 hours ago, SquallStrife said:

That interface is connected, for all intents and purposes, PHYSICALLY to the VPN provider's network, as if there was a long-arse Cat5 cable from your PC to them.

 

This bit I understood, I haven't forgotten THAT much 😛

 

16 hours ago, SquallStrife said:

Not just "basically", but in a very real, practical sense, connections to services ORIGINATE at the VPN provider's datacentre. Only the VPN provider knows what L2TP/PPTP/IPsec/etc connections their clients have to their concentrators; that information is on another very separate layer to the encrypted IP traffic.

 

This bit was what I wanted to be sure of.

 

I was concerned that if ONE traceable service came from the VPN IP, then they can assume that all of them are from that user; or fingerprint the connections somehow.

So if they see 'Hey MS logged into Atomic on IP xxxyyyxxxyyy(vpn), AND that same IP now just did naughty things'

However, because there are SO MANY people using that same IP is it a matter of a needle hiding in a haystack?

And since the VPN has no logs, no proof who's who?

 

The reason I asked was because I want to add my OpenVPN to my pfsense box and direct everything through it; but I was concerned that being connected 24/7 would compromise its usefulness.

 

16 hours ago, SquallStrife said:

that information is on another very separate layer to the encrypted IP traffic.

 

I still remember the TCP\IP layers fairly well 🙂 so yep, gotcha.

 

16 hours ago, SquallStrife said:

There are other ways someone could come to know your real public IP, but they're more bedded in sloppy handling of information than design weaknesses.

 

So, if a user had a browser with cookies off; scripts off, and basically no (known) holes; having the VPN on 24/7 and using traceable services (I guess, by username alone, as the IP is still the VPN);

that wouldn't compromise the privacy one received while in that 'other' browser?

 

Same IP, but only the VPN provider could know they're the same originating source; which they don't record.

Correct?

No reason not to leave it on 24/7 at a router level?

15 minutes ago, Master_Scythe said:

So if they see 'Hey MS logged into Atomic on IP xxxyyyxxxyyy(vpn), AND that same IP now just did naughty things'

However, because there are SO MANY people using that same IP is it a matter of a needle hiding in a haystack?

And since the VPN has no logs, no proof who's who?

 

Sorta. It's conceivable that when you disconnect from the VPN service, the IP you had gets recycled the same way a dynamic IP on your ISP's network would. Only the VPN provider could possibly know which customer had which of their IPs at a given point in time.

 

24 minutes ago, Master_Scythe said:

So, if a user had a browser with cookies off; scripts off, and basically no (known) holes; having the VPN on 24/7 and using traceable services (I guess, by username alone, as the IP is still the VPN);

that wouldn't compromise the privacy one received while in that 'other' browser?

 

Same IP, but only the VPN provider could know they're the same originating source; which they don't record.

Correct?

No reason not to leave it on 24/7 at a router level?

 

The only reasons I wouldn't use a VPN 24/7 for the entire network are speed, latency, and cost.

 

If you're especially paranoid, you could recycle the VPN connection every 12-24 hours or something to change your public IP, unless the VPN provider assigns you a static one. (Or the VPN provider uses CG-NAT)

3 minutes ago, SquallStrife said:

The only reasons I wouldn't use a VPN 24/7 for the entire network are speed, latency, and cost.

 

 

The cost that I pay is already paid; and it's worth it because the VPN ensures I actually GAIN speed to most sites, not lose.

 

It seems only the budget ones tank your speed; if you pick the country your data is going to (like when my mate and I use e-amuse servers in Japan) for your VPN, you normally see SIGNIFICANT improvements.

3 minutes ago, Master_Scythe said:

 

The cost that I pay is already paid; and it's worth it because the VPN ensures I actually GAIN speed to most sites, not lose.

 

It seems only the budget ones tank your speed; if you pick the country your data is going to (like when my mate and I use e-amuse servers in Japan) for your VPN, you normally see SIGNIFICANT improvements.

 

Fair enough, but won't using the "One VPN for entire network" solution eat into your ability to switch them around like that?

4 minutes ago, SquallStrife said:

Fair enough, but won't using the "One VPN for entire network" solution eat in to your ability to switch them around like that?

 

Sort of, but I'm also finding that the VPN is very good at routing inside itself; showing near no speed loss also.

 

So if I set my 24\7 VPN to somewhere close and fast; but with better data retention policies (like, say, NZ); I find that using a software VPN tunnel on the PC in addition has less than a 5% hit on speed.

Posted (edited)

If you're happy with the performance then I reckon go for it.


See if your VPN provider uses CG-NAT, or provides a real public IP to clients.

 

If they use CG-NAT, then it will appear to the outside world that every customer is accessing resources from one (or a handful of) IPs.

 

If they don't use CG-NAT, then it'll still only appear that somebody in the VPN's datacentre is accessing resources. If the public IPs are recycled, you get your obfuscation that way. If you have concerns about your metadata tying you to a public IP, then make sure it gets refreshed every now and then. That will all depend on your VPN provider's configuration.

 

 

If you want to get real technical, there are other forensic details inside application traffic that can betray a user (or at least establish that a collection of points belong to the same user), and using a VPN will do nothing to prevent these attacks but make the data harder to find.

Edited by SquallStrife

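One concrete instance of the "forensic details inside application traffic" idea is the session-cookie case from SquallStrife's earlier post. The following is an added example (not code from the thread) that runs the site's side of that correlation over constructed access-log lines and a constructed reverse-DNS table, and shows that a fresh session before going on-VPN leaves nothing to correlate.

```python
"""Session-cookie linkage across IPs.

Added example (not code from the thread): reproduces the cookie scenario in
SquallStrife's earlier post from the site's side. A session ID issued while
off-VPN and then reused from the VPN exit IP ties the two addresses to one
visitor; a fresh session breaks that link. Log lines and the reverse-DNS
table are constructed, so nothing is looked up over the network.
"""
import re
from collections import defaultdict

# Constructed log format: '<ip> [<ts>] "<request>" <status> "sid=<cookie>"'
LOG_RE = re.compile(r'^(?P<ip>\S+) .* "sid=(?P<sid>[A-Za-z0-9]+)"$')

ACCESS_LOG = """\
203.0.113.7 [01/Jun/2019:09:00:01] "GET /inbox HTTP/1.1" 200 "sid=ab12cd"
198.51.100.42 [01/Jun/2019:09:05:17] "GET /inbox HTTP/1.1" 200 "sid=ab12cd"
198.51.100.42 [01/Jun/2019:09:06:02] "GET /inbox HTTP/1.1" 200 "sid=ff99ee"
198.51.100.42 [01/Jun/2019:09:09:30] "GET /sent HTTP/1.1" 200 "sid=ff99ee"
"""
# Same visitor, but the session was cleared before connecting to the VPN.
ACCESS_LOG_FRESH = """\
203.0.113.7 [01/Jun/2019:09:00:01] "GET /inbox HTTP/1.1" 200 "sid=ab12cd"
198.51.100.42 [01/Jun/2019:09:05:17] "GET /inbox HTTP/1.1" 200 "sid=e0e0e0"
"""
# Stand-in for PTR lookups: an ISP CPE name versus a VPN provider's exit node.
PTR = {
    "203.0.113.7": "cpe-203-0-113-7.example-isp.net.au",
    "198.51.100.42": "vpn-exit-42.xyz-networks.example",
}

def linked_sessions(log_text: str) -> dict:
    """Map each session ID seen from more than one IP to its (ip, ptr) pairs."""
    seen = defaultdict(list)  # sid -> ordered list of distinct (ip, ptr)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pair = (m["ip"], PTR.get(m["ip"]))
        if pair not in seen[m["sid"]]:
            seen[m["sid"]].append(pair)
    return {sid: pairs for sid, pairs in seen.items() if len(pairs) > 1}

if __name__ == "__main__":
    print(linked_sessions(ACCESS_LOG))        # ab12cd ties the ISP IP to the VPN IP
    print(linked_sessions(ACCESS_LOG_FRESH))  # {} : nothing to correlate
```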
2 hours ago, SquallStrife said:

If you want to get real technical, there are other forensic details inside application traffic that can betray a user (or at least establish that a collection of points belong to the same user), and using a VPN will do nothing to prevent these attacks but make the data harder to find.

 

Thanks heaps man.

It's not within a specific app I'm worried about, it was purely to make sure that being on 1 service doesn't link them all back.

 

Using a secure browser, and an insecure gaming service doesn't compromise the browser (under any realistic, likely, circumstance); so with that I'm happy 🙂

 

Turns out I did understand it (well enough); as per usual, I was just full of self doubt.

On 5/22/2019 at 10:36 AM, Master_Scythe said:

Sort of, but I'm also finding that the VPN is very good at routing inside itself; showing near no speed loss also.

 

So if I set my 24\7 VPN to somewhere close and fast; but with better data retention policies (like, say, NZ); I find that using a software VPN tunnel on the PC in addition has less than a 5% hit on speed.

 

Just checking if I understand. You are talking about

 

connecting 24/7 through some box with VPN credentials 

plus, an occasional second instance using the same VPN provider but established over the existing VPN connection via a software client?

 


Surely the NSA has all our browsers fingerprinted, yeah? So how is a VPN going to stop you being identified?

