In a recently published security paper researchers reported about potential data leaks with VPN providers by the means of IPv6 and DNS. The report included a review of 14 VPN providers where the researchers tested their methods. While Perfect Privacy was not among the providers being tested we would still like to respond to this paper and explain to Perfect Privacy users if they are at risk and what to do about it.
The researchers describe two methods to acquire a data leak: Via DNS and via IPv6. We will examine these methods seperately.
DNS-Leak: The researchers pointed out three different cases for achieving DNS leaks: In the first two, the VPN provider doesn’t use dedicated VPN servers, it either uses third party nameservers or doesn’t change the provider assigned DNS at all. This is not the case with Perfect Privacy, we use dedicated and secure nameservers for the exclusive use of our customers.
In the third case, in which the VPN provides its own Domain Name Servers, the researchers describe a scenario in which an attacker gains access to the DHCP server used by the victim host. If this is the case (feasible if the victim is using a public WiFi hotspot, for instance) the system might be vulnerable to a route injection attack. Perfect Privacy users who are using our client software are protected even in this case because firstly the used nameserver is being verified and secondly, bacause the integrated dns leak protection ensures that only Perfect Privacy nameservers are being used.
IPv6: The data leak via IPv6 exploits the fact that most VPN providers do not support IPv6 so that an attacker can force the victim’s host to use the insecure IPv6 interface instead of the VPN protected IPv4. As the researchers state themselves, there is an easy protection against this attack by disabling IPv6. Additionally, if you are using the Perfect Privacy VPN Manager, the integrated firewall protection will ensure that traffic is only being sent over the encrypted tunnel.
Update: If you are using the Perfect Privacy VPN Manager, you should not deactivate IPv6 because we have anonymous IPv6 addresses on most servers. This way you get secure access to all internet services which require IPv6.
Kind regards,
Your Perfect Privacy Team