安全专家可以告诉你哪些VPN知识?

  • 安全专家可以告诉你哪些VPN知识?已关闭评论
  • A+
所属分类:业界资讯

Adrián Lamo, privacy is a myth

我开始回答“美国的VPN是否也会泄漏用户信息?”,但由于斯坦·汉克斯在那里的回答非常好,我将在这里看看这个问题以及相关的问题。 我继续回答这个问题:“Adrian Lamo告诉我关于VPN的什么?”,并且完成了回答:“安全专家可以告诉我关于VPN的什么?”

首先,虚拟专用网络不是解决您的隐私问题的一站式解决方案。 这是一个很好的步骤。 而且是重要的一步。 但取决于你必须隐藏多少,一些安全可能比没有安全更糟,在未能全面保护你的同时引起你的注意。

安全是一门学科。 如果你只是担心下载BitTorrent的电影和电视节目,你不用过多担忧。 但是如果你是一个压迫地区的记者或活动家,你的生活可能取决于这个纪律,而且这是一个你必须在生活的许多方面内化的学科,而不是一个可以用单一的fire-and-forget的解决方案。 没有单一的解决方案可以解决您的隐私问题,就像昂贵的报警系统如果您忽视武器并将窗户打开一样对您不那么有用。 一些VPN的泄漏信息。 这不是美国的问题,而是数量不等的VPN专用问题和用户配置问题。

 

qmul.ac.uk上的报告:通过VPN展望的一瞥:商用VPN客户端中的IPv6泄漏和DNS劫持

 

如上图所示,许多VPN提供商为自身提供全面的安全保证,坚持提供主要用于Windows的PPTP,并支持(可能)作为降低Windows用户VPN使用限制的手段。 关于为什么这是一个可怕的想法,以及它如何牺牲安全性以便于使用的简要解释可以在Schneier on Security上找到。 问题的摘录:

3. How bad is it?
Very. Microsoft PPTP is very broken, and there’s no real way to fix it without taking the whole thing down and starting over. This isn’t just one problem, but six different problems, any one of which breaks the protocol.
4. Doesn’t Microsoft know better?
You’d think they would. The mistakes they made are not subtle; they’re “kindergarten cryptographer” mistakes. The encryption is used in a way that completely negates its effectiveness … [a]nd the control channel is so sloppily designed that anyone can cause a Microsoft PPTP server to go belly up.
5. Anyone?
Well, anyone who can see the server. If it’s inside a firewall, it might be safe. But the point of these servers is to act as VPNs; users outside the firewall use Microsoft PPTP to tunnel inside the network. So if the server is set up in this manner, it can be kicked over from anywhere in the world.
6. What’s the answer?
Don’t use Microsoft PPTP. Again, this attack is against Microsoft PPTP, not PPTP in general …. if you are a VPN user, use IPSec. This is a much more robust protocol.

如果您打算使用VPN,我个人建议使用OpenVPN。它相当安全,可用于多种操作系统(OpenVPN下载)。高级用户可能有兴趣加强他们的OpenVPN配置。

Credit cards should pretty much be a no-brainer. You get a statement in the mail, to your house, with your name on it. It’s not the apex of privacy. Still, there are some modest ways to increase your financial privacy. If your privacy concerns are of the more everyday kind – ducking stalking and improving personal safety – many states have programs which allow you to keep your address confidential, even on utility bills and credit statements. One such program is California’s “Safe At Home”, (California Secretary of State) which unlike the more quotidian PO box assigns you an address indistinguishable from a normal mailing address.

This still doesn’t solve the issue of your payment card being associated with your identity, however. A popular dodge for this issue involves the use of prepaid credit or “gift” cards. While re-loadable ones may perform
some cursory identity checks, single-use cards are typically bought in cash and accept whatever information you elect to put on them, instead of the more onerous Know Your Customer requirements of longer-term accounts. Also, the Address Verification System used for most card transactions, AVS has the quirk of being number based. If you’re John Doe at 123 Fake St, 20505, DC, USA, AVS will still approve your transaction if you say you’re John NoMoe from 123 Real St in 20505, McLean, USA.

You should check with both your card and your payment processor’s TOS/AUP to ensure that such hijinks aren’t illegal in your area, though typically such proscriptions only kick in if your use is fraudulent. While fraud will probably always be a component of anonymity services, it only helps to stigmatize them and their users, not to mention being very poor netizenship.
Privacy and Anonymity Techniques Today, PenTest Magazine

仅仅因为你身后有一个合理安全的VPN并不意味着你是安全的。根据他们的位置,VPN可能需要根据法律要求提交您的活动证据。

Different countries have varying degrees of receptivity to the idea of privacy services, ranging from outlawing to heavy surveillance to enthusiastic adoption. Services in the United States and allied countries have come under increasing suspicion from the rest of the free world following Edward Snowden’s revelations this year, but even before that it was known that many privacy services would bow to political and legal pressure, as Sony hacker Cody Kretsinger discovered in 2011.

Kretsinger, then 23, used the UK-based HideMyAss VPN/proxy service to launch an SQL injection attack against the electronics giant’s Internet presence and was promptly shopped to the authorities by the service upon receipt of a court order, a move which some would condemn as hypocritical, but which HideMyAss at the time dismissed as their legal duty. (HideMyAss defends role in LulzSec hack arrest)
HideMyAss did not immediately respond to my requests for comment.

由于这个原因和其他原因,并不是所有的VPN服务都创建(或运行)相同。有些人选择避免积累首先可能被视为证据的任何东西。

Even if your VPN provider has solid security and resides in an otherwise friendly country, what do you really know about it? Free VPN services frequently publish little information about themselves and rarely have entirely altruistic motives. Romania is a prolific host of VPN services, but also of cybercrime, with at least one Romanian town being declared something of a Mecca of Internet fraud. (Page on le-vpn.com). Neither can VPN reviews be trusted entirely – there is compelling evidence that some roundups of VPN services in the tech press may have ulterior motives, especially funneling subscribers into hand-picked services to score commissions from affiliate relationships which are not disclosed in reviews. Typically, if a site is dedicated entirely to VPN reviews (Top 5 Best Romania VPN) with no mention of authorship potential users should be wary, but even some well-known tech sites have been sucked into the cash grab at the expense of accuracy.

Still, such penny ante abuse is small potatoes compared to some of the allegations that surround larger players. Anonymizer, one of the earliest and best-known anonymity services on the ‘net, quietly changed hands in 2008. The beneficiary of this acquisition was Richard “Hollis” Helms, former chief of the CIA’s National Resources Division (Examining the ties between TrapWire, Abraxas and Anonymizer | ZDNet), and presumably proud owner of a complex nesting of companies best known for their association with the controversial Trapwire system. (Anonymizer tied to company selling TrapWire surveillance to governments) Given the complex chain of corporate ownership and the common controlling interest, the best thing that can be said about the arrangement is that Helms would probably have been happier if it had never been identified at all.
Anonymizer founder Lance Cottrell found my reporting “disappointing.”

继续关注可能影响VPN用户的当前安全问题是值得的。 最近,谷歌浏览器扩展程序(Google发布了Chrome扩展程序以修复关键的VPN安全漏洞)发布,以帮助解决允许网站获取VPN用户的实际IP地址的安全问题。
我发现自己处于马拉维(ctrl + F)之间,写了大量关于某事的文章,并计划在未来写更多关于它的文章,并因此遇到了我在最初的文章中发现的同样的问题 – 没有足够的时间和空间 涵盖了我想要得到的所有内容,以及重复努力的附加因素。 我有点不愿意按主题引用我的文章主题(但是更不用说重写它),所以对其余部分感兴趣的读者(有很多,大约4000字)可以在Privacy and Anonymity 技术今天。
相反,这不是我最好的答案,部分原因是我发现更具体的方向有助于涵盖技术主题。 但就目前而言,最好只是将答案拿出门外,而不是再花上一两个月的时间来研究它。 当我完成我写作关于互联网隐私的更全面内容的目标时,可能以电子书的形式出现,我会让我的同事Quorans知道。 与此同时,我将给你留下与我在文章中使用的结尾相同的结论,现在它保持如此真实:

The world of privacy as a service is a complex, sometimes even scary landscape of services which are often poorly defined and often benefit from an even greater lack of accountability than the users they protect. By no means is this true of all, but there’s a lot more to think about than price and convenience when settling on one to use. I make no recommendation because there’s no single best product to recommend.

The Internet and its users, who have long enjoyed having their privacy and security be someone else’s problem, need to start taking responsibility for their own security. Is your GMail insecure? Don’t wait for Google to fix it. ISP blocking your torrents? Don’t wait for legislation to make it better. Such things are inevitably in a constant game of catch-up against the last threat, just in time to be bowled over by the new one. Legislation has never solved a problem on the Internet. For that matter, when has relying on a corporation to take your best interests to heart?

Each user has a responsibility to maintain their own virtual situational awareness, their own threat model, and their own plans to ensure their best interests. No one else is going to do it for them, and the one security measure I really can endorse is “Stop waiting for someone else to.”