[HN Gopher] OpenVPN Is Open to VPN Fingerprinting
___________________________________________________________________
OpenVPN Is Open to VPN Fingerprinting
Author : PaulHoule
Score : 49 points
Date : 2024-03-15 17:34 UTC (5 hours ago)
(HTM) web link (arxiv.org)
(TXT) w3m dump (arxiv.org)
| thwarted wrote:
| This required research and publication on arxiv? OpenVPN is meant
| for access control to/between private networks, not for skirting
| public access controls put in place on your immediate, local
| upstream. The default config even encourages the use of the
| defined ports.
| nimbius wrote:
| correct. it sorta depends on what OpenVPN's goals are...
|
| the boilerplate of the corporate face insists it's for your
| businesses and their connectivity, so you could argue that
| confidentiality doesn't really include clandestine or obfuscated
| traffic presence at all.
|
| However, you could also argue for OpenVPN (and several others)
| that as a security tool they should at least consider Goguen
| and Meseguer type noninterference as a conformant operation
| model by reducing the awareness of the traffic.
| grubbs wrote:
| Default config with port 1194 is super common with "anonymous"
| VPN providers. It can very well be fingerprinted. But I hope
| the data in transit would be secure. Maybe not from NSA.
| jerhewet wrote:
| Jesus wept.
|
| https://www.doileak.com/classic.html
| LegitShady wrote:
| this site says I have third party cookies enabled when firefox
| says I do not.
| nickburns wrote:
| then you have 3P cookies enabled.
| guardiangod wrote:
| All those firewalls with Application Control IPS (Checkpoint,
| Palo Alto Network, Fortinet etc.) can already block OpenVPN
| connections, so this is no surprise that you can fingerprint
| them.
| nickburns wrote:
| you have the cart before the horse here. modern IPS uses, and
| has been using, more or less the same methodology the
| researchers mention in their abstract (full disclosure: i read
| no further): "[. . .] fingerprints based on protocol features
| such as byte pattern, packet size, and server response."
|
| this technique has been around for a very long time and is in no
| way novel. applying it to OpenVPN traffic specifically isn't
| either.
| lilsoso wrote:
| They can determine a connection to their network is through an
| OpenVPN server even if that server has a clean/normal IP
| address? Is there some otherwise basic tell that the host is
| running a VPN server? Could Palo Alto Network also identify say
| a different VPN server, such as Wireguard?
| nickburns wrote:
| literal bytes. this is one of the primary methods modern
| IDS/IPS engines, like Snort and Suricata for example, use to
| fingerprint traffic types and otherwise indicators of
| compromise.
|
| OpenVPN traffic, even encrypted, can look unique enough
| somewhere in the 'stream' (to borrow the IDS/IPS term) to be
| reliably identified.
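
Added example (not part of the thread or of the linked paper's code): the byte-pattern matching described in the comment above, sketched as a passive check over the first packets of a UDP flow. It assumes OpenVPN's cleartext header layout (opcode in the high 5 bits of the first byte, key_id in the low 3, then an 8-byte session ID); the function names and sample flows are hypothetical and constructed.

```python
# Added example: opcode-based check for an OpenVPN UDP handshake (no tls-auth parsing).
HARD_RESET_CLIENT_V2 = 7   # P_CONTROL_HARD_RESET_CLIENT_V2
HARD_RESET_SERVER_V2 = 8   # P_CONTROL_HARD_RESET_SERVER_V2
CONTROL_V1, ACK_V1 = 4, 5  # P_CONTROL_V1, P_ACK_V1


def parse_header(payload):
    """Return (opcode, key_id, session_id), or None if shorter than a control header."""
    if len(payload) < 9:
        return None
    # First byte: opcode in the high 5 bits, key_id in the low 3; then 8-byte session ID.
    return payload[0] >> 3, payload[0] & 0x07, payload[1:9]


def is_openvpn_handshake(flow):
    """flow: first few (direction, payload) pairs of one UDP flow, 'c' or 's'."""
    reset = {"c": HARD_RESET_CLIENT_V2, "s": HARD_RESET_SERVER_V2}
    session = {}
    for direction, payload in flow:
        header = parse_header(payload)
        if header is None:
            return False
        opcode, key_id, sid = header
        if direction not in session:
            # Each side must open with its hard reset, using key_id 0.
            if opcode != reset[direction] or key_id != 0:
                return False
            session[direction] = sid
        elif sid != session[direction] or opcode not in (reset[direction], CONTROL_V1, ACK_V1):
            # Later handshake packets keep the side's session ID (resets may be retransmitted).
            return False
    return len(session) == 2


def pkt(opcode, sid, body=b"\x00" * 5):
    """Build a constructed packet: header byte, session ID, opaque filler."""
    return bytes([opcode << 3]) + sid + body


# Constructed sample flows (not captured traffic).
C_SID, S_SID = b"\x11" * 8, b"\x22" * 8
VPN_FLOW = [("c", pkt(7, C_SID)), ("s", pkt(8, S_SID)), ("c", pkt(5, C_SID)),
            ("c", pkt(4, C_SID)), ("s", pkt(5, S_SID)), ("s", pkt(4, S_SID))]
OTHER_FLOW = [("c", b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
              ("s", b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03")]

if __name__ == "__main__":
    print(is_openvpn_handshake(VPN_FLOW), is_openvpn_handshake(OTHER_FLOW))
```

Only handshake packets carry the session ID, so the check applies to the start of a flow, before data-channel packets appear.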
| lilsoso wrote:
| Thanks, I didn't know that. So if you have a VPN server at
| home and you bounce through it from a foreign location to a
| corporate job then perhaps the employer could identify the
| connection is a relay.
|
| I'm talking about the part of the connection outgoing from
| the VPN, not the incoming traffic to the VPN, to be clear.
| I know for example that China can do deep packet inspection
| and that there are a number of projects to attempt to
| thwart this technique. But you seem to be saying that the
| part after the VPN can be identified?
| iLoveOncall wrote:
| Fingerprinting? This is just clickbait. Identifying that the
| murder weapon was a knife isn't remotely the same as getting the
| fingerprint of the killer.
| rileymat2 wrote:
| The term fingerprinting is in really common usage for this,
| "browser fingerprinting"
| nickburns wrote:
| you guys...
|
| https://en.wikipedia.org/wiki/Fingerprint_(computing)
| mianos wrote:
| A simple search "OpenVPN traffic detection" leads you to many
| pages on how this is not a thing OpenVPN tries to do and how to
| detect it. This whole paper is no more notable than a stack
| overflow question and answer, maybe less than something on quora.
| tamimio wrote:
| I remember years ago someone made a site that detects if you are
| using a vpn based on some packets latency, and it was pretty
| accurate! Unfortunately, I don't know what's the website now.
| madars wrote:
| Might be http://witch.valdikss.org.ru/ , e.g., using number of
| flows and MTU (and maybe other techniques)
| tamimio wrote:
| > Might be http://witch.valdikss.org.ru/
|
| I think so! It looks slightly different than how I remember
| it but same elements in there, thanks for sharing it.
___________________________________________________________________
(page generated 2024-03-15 23:00 UTC)