According to research published today by Paul Bischoff, privacy advocate for Comparitech.com, most top VPN applications can leak data during day-to-day use, despite their claims to the contrary. VPNs are used to improve users’ security and privacy by offering a safe, encrypted connection over a less secure internet network, but even ones that claim to use leak protection and kill switches were found to be leaky.
A handful of the top VPNs were put through the test using the (now freely available from GitHub) ExpressVPN Leak Testing Tools. Some key findings from the research include:
• Slightly more leaks were detected on Mac VPNs, but Windows VPNs showed more leaks of the highest severity
• VPN apps struggle with WebRTC IPv6 leaks, some of which are severe, but do not affect the majority of users because most people still have no IPv6 connectivity
• Many VPNs leak DNS and IP traffic when a disruption occurs, such as a change in the network configuration
Comparitech.com is hoping that the findings will raise the standards in the VPN marketplace and encourages VPN providers to use the tool to run their own tests and fix these issues.
IT security experts commented below:
Professor Andrew Jones, Director of the Cyber Security Centre at University of Hertfordshire:
“While people are increasingly using the internet in all aspects of their lives, they are also, as a result of the ongoing publicity, becoming more aware of the risks to their privacy. People have reasonably assumed that the use of a VPN was offering some degree of protection to their online privacy; however, this research has shown that there are significant potential weaknesses in a number of the tools that we use and as a result, they are not as well protected as they believe. Users, rightly or wrongly, trust products that are designed to help them protect their information and when these are shown to have weaknesses, the impact can be significant.”
Kylie Wilhoit, Senior Security Researcher at DomainTools:
“VPNs are used every day to access bank accounts from coffee shops, circumvent government censorship, and to access work networks. Most users think they are secure when using a VPN, since they are designed to obfuscate a user’s tracks online. However, this research proves that not only are there information leaks, but they are also, in many cases, severe. Many of the most popular VPN providers have critical information leakages when the network interface operating the VPN changes state (for instance, dropping because of server maintenance). This is potentially damaging to thousands of users of some of the largest VPN service providers.
Remember, VPN software is just that…Software. If you’re not careful with your VPN selection, you may be inadvertently opening yourself up to risk.”
Harold Li, Vice President at ExpressVPN:
“With cyberattacks and hacks, government surveillance, and big data mining all on the rise, internet users are relying on VPNs to protect their privacy and security. But is their VPN really protecting them? Our internal research suggests that most VPN providers are falling short. That’s why we’ve released the ExpressVPN Leak Testing Tools—to empower users to evaluate providers and assess their own risks, as well as to help the entire VPN industry raise its privacy and security standards.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.