• mozz@mbin.grits.dev
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    7 months ago
    1. Sounds like it requires that your DHCP server is hostile, which is actually a very small (though nonzero, yes) number of the attack scenarios that VPNs are designed for
    2. “there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android” is a very funny way of saying “in practice applies only to Windows and iOS”.
    • Arthur Besse@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      7 months ago

      Sounds like it requires that your DHCP server is hostile, which is actually a very small (though nonzero, yes) number of the attack scenarios that VPNs are designed for

      In most situations, any host on the LAN can become a DHCP server.

      “there are no ways to prevent such attacks except when the user’s VPN runs on Linux or Android” is a very funny way of saying “in practice applies only to Windows and iOS”.

      No. There are certainly ways of mitigating it, but afaict no Linux distros have done so yet.

      • mozz@mbin.grits.dev
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        7 months ago

        When I use a VPN, I very rarely imagine that the coffee shop / home internet that I’m hooked up to will have a malicious actor or compromised host physically inside it. I mean, maybe. But more likely is that I’m protecting against a malicious ISP, or effectively doing an extra level of authentication to my work network before I get access to non-world-visible elements of it (that shouldn’t be exposed to anyone in the world that wants to poke at it). The “someone else at the cafe is malicious” case isn’t un-heard of, but it’s not the most common threat model. That’s my point.

        From the article:

        When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks.

        “Deanonymize” and denial of service are very very different from hijacking the connection and rerouting destination traffic to a hostile device, which it sounds like are what’s possible on iOS and Windows.

        I don’t really know the full details (e.g. what does it mean that “there’s a setting”, and is activating that setting starting this week any different in practice from applying the patch that will surely come this week for Windows and iOS). But it does sound fair to say that there’s a serious level of vulnerability that’s exclusive to Windows and iOS.

        • atzanteol@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          5
          ·
          7 months ago

          When I use a VPN, I very rarely imagine that the coffee shop / home internet that I’m hooked up to will have a malicious actor

          That’s like 90% of the reason to actually use a VPN at a coffee shop.

          • mozz@mbin.grits.dev
            link
            fedilink
            arrow-up
            1
            ·
            7 months ago

            For this scenario, are you imagining that a person may have physically entered the coffee shop who’s both tech savvy and malicious enough to run a malicious device there?

            Or were you thinking a remote compromise of their router? That one seems moderately more probable, but eliminates anything special about the coffee shop’s router specifically as opposed to your home router or your workplace’s router.

            • atzanteol@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              7 months ago

              For this scenario, are you imagining that a person may have physically entered the coffee shop who’s both tech savvy and malicious enough to run a malicious device there?

              I mean… Yeah. I’ve sat in a coffee shop or airport in the past and sniffed traffic out of mere curiosity. Why wouldn’t a malicious actor be there?

              • mozz@mbin.grits.dev
                link
                fedilink
                arrow-up
                1
                ·
                7 months ago

                I have done, and friends of mine have done a lot more than that. My point is that I’m unusually nerdy and the number of people who’ve ever been subjected to it by me being near them is probably in the double digits for a few minutes over my entire life.

                I will bet you any amount of money that you can go to any coffee shop and set up an insecure VPN there all day and not a single person will randomly come in, set up a malicious DHCP server, and reroute the VPN traffic through their hardware so they can spoof it and spy on your traffic.

                The fact that it’s possible means it’s worth defending against, sure. If it sounds like I’m saying it’s not a big deal I am not. I’m just saying that it is not the most common threat that you need to defend against most urgently or even in the top 10 (primarily because it requires one of this little handful of people nearby to you to be a malicious actor, where most of the ones that are really commonly-encountered threats are the ones that literally any one of billions of people on the planet could at any time randomly target you with, so you’re going to run into a lot more frequently.)

                • atzanteol@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  7 months ago

                  Sorry - but you think

                  But more likely is that I’m protecting against a malicious ISP

                  I’d take that bet.

  • corroded@lemmy.world
    link
    fedilink
    arrow-up
    4
    ·
    7 months ago

    It doesn’t sound to me like this really negates the purpose of a VPN, more accurately it provides a way for someone on your local network to snoop on VPN traffic, if I understand correctly.

    From how the article describes the attack, someone on your local network would have to set up a malicious DHCP server/gateway. The average home user who is using a VPN to mask their public IP probably doesn’t need to worry about this.

    Or am I misunderstanding?

    • athairmor@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      7 months ago

      Sounds like the attack bypasses the VPN entirely. It’s not a worry on your home network if you control the DHCP server. But, on public networks, where you really should always use a VPN, you can’t be sure your traffic is going through the VPN.

      Maybe, you can check a trusted site like the VPN provider’s webpage to see if you’re going through the VPN. But, a really sophisticated attack could potentially route just that traffic through the VPN and everything else outside of it.

      If my reading of it is correct.

    • Arthur Besse@lemmy.mlOP
      link
      fedilink
      arrow-up
      1
      ·
      7 months ago

      VPNs have several purposes but the big two are hiding your traffic from attackers on the local area network and concealing your location from sites that you visit.

      If you’re using a VPN on wifi at a cafe and anyone else at the cafe can run a rogue DHCP server (eg, with an app on their phone) and route all of your traffic through them instead of through the VPN, I think most VPN users would say the purpose of the VPN has been defeated.

      • MotoAsh@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        If some random user is able to configure themselves as DHCP, NOONE should be connected to that insecure trash.

        • Arthur Besse@lemmy.mlOP
          link
          fedilink
          English
          arrow-up
          3
          ·
          7 months ago

          The vast majority of LANs do not do anything to prevent rogue DHCP servers.

          Just to be clear, a “DHCP server” is a piece of software which can run anywhere (including a phone). Eg, if your friend’s phone has some malware and you let them use the wifi at your house, someone could be automatically doing this attack against your laptop while they’re there.

          • MotoAsh@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            7 months ago

            Seems like quite an amateur move to run a public network without filtering everyrhing, including dhcp. Again; insecure trash.

            Yes, I know there is a lot of insecure trash out there. The commonality doesn’t magically make it not insecure trash.