DOI: 10.1145/3278532.3278570

An Empirical Analysis of the Commercial VPN Ecosystem

Published: 31 October 2018

Abstract

Global Internet users increasingly rely on virtual private network (VPN) services to preserve their privacy, circumvent censorship, and access geo-filtered content. Due to their own lack of technical sophistication and the opaque nature of VPN clients, however, the vast majority of users have limited means to verify a given VPN service's claims along any of these dimensions. We design an active measurement system to test various infrastructural and privacy aspects of VPN services and evaluate 62 commercial providers. Our results suggest that while commercial VPN services seem, on the whole, less likely to intercept or tamper with user traffic than other, previously studied forms of traffic proxying, many VPNs do leak user traffic, perhaps inadvertently, through a variety of means. We also find that a non-trivial fraction of VPN providers transparently proxy traffic, and many misrepresent the physical location of their vantage points: 5-30% of the vantage points, associated with 10% of the providers we study, appear to be hosted on servers located in countries other than those advertised to users.



Published In

IMC '18: Proceedings of the Internet Measurement Conference 2018
October 2018
507 pages
ISBN: 9781450356190
DOI: 10.1145/3278532

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited


Conference

IMC '18: Internet Measurement Conference
October 31 - November 2, 2018
Boston, MA, USA

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Article Metrics

  • Downloads (last 12 months): 3,122
  • Downloads (last 6 weeks): 187
Reflects downloads up to 18 Jan 2025

Cited By

  • (2025) TrojanProbe: Fingerprinting Trojan tunnel implementations by actively probing crafted HTTP requests. Computers & Security 148 (104147). DOI: 10.1016/j.cose.2024.104147. Online publication date: Jan-2025
  • (2024) "I just hated it and I want my money back". Proceedings of the 33rd USENIX Conference on Security Symposium (6021-6037). DOI: 10.5555/3698900.3699237. Online publication date: 14-Aug-2024
  • (2024) Diffie-hellman picture show. Proceedings of the 33rd USENIX Conference on Security Symposium (451-468). DOI: 10.5555/3698900.3698926. Online publication date: 14-Aug-2024
  • (2024) Understanding the Breakdown of Same-origin Policies in Web Services That Rehost Websites. Journal of Information Processing 32 (801-816). DOI: 10.2197/ipsjjip.32.801. Online publication date: 2024
  • (2024) Sublet Your Subnet: Inferring IP Leasing in the Wild. Proceedings of the 2024 ACM on Internet Measurement Conference (328-336). DOI: 10.1145/3646547.3689010. Online publication date: 4-Nov-2024
  • (2024) Edge-Cloud VPN Traffic Analysis over Cross Platforms. 2024 IEEE 10th World Forum on Internet of Things (WF-IoT) (1-6). DOI: 10.1109/WF-IoT62078.2024.10811218. Online publication date: 10-Nov-2024
  • (2024) These are Not the PLCs You are Looking for: Obfuscating PLCs to Mimic Honeypots. IEEE Transactions on Network and Service Management 21:3 (3623-3635). DOI: 10.1109/TNSM.2024.3361915. Online publication date: Jun-2024
  • (2024) Investigating Deployment Issues of DNS Root Server Instances From a China-Wide View. IEEE Transactions on Dependable and Secure Computing 21:6 (5275-5292). DOI: 10.1109/TDSC.2024.3373530. Online publication date: 1-Nov-2024
  • (2024) Security, Privacy, and Data-sharing Trade-offs When Moving to the United States: Insights from a Qualitative Study. 2024 IEEE Symposium on Security and Privacy (SP) (617-634). DOI: 10.1109/SP54263.2024.00004. Online publication date: 19-May-2024
  • (2024) Fingerprinting VPNs with Custom Router Firmware: A New Censorship Threat Model. 2024 IEEE 21st Consumer Communications & Networking Conference (CCNC) (976-981). DOI: 10.1109/CCNC51664.2024.10454833. Online publication date: 6-Jan-2024
