Abstract
Internet users increasingly rely on commercial virtual private network (VPN) services to protect their security and privacy. The VPN services route the client’s traffic over an encrypted tunnel to a VPN gateway in the cloud. Thus, they hide the client’s real IP address from online services, and they also shield the user’s connections from perceived threats in the access networks. In this paper, we study the security of such commercial VPN services. The focus is on how the client applications set up VPN tunnels, and how the service providers instruct users to configure generic client software. We analyze common VPN protocols and implementations on Windows, macOS and Ubuntu. We find that the VPN clients have various configuration flaws, which an attacker can exploit to strip off traffic encryption or to bypass authentication of the VPN gateway. In some cases, the attacker can also steal the VPN user’s username and password. We suggest ways to mitigate each of the discovered vulnerabilities.
Original language | English |
---|---|
Title of host publication | Secure IT Systems |
Subtitle of host publication | 24th Nordic Conference, NordSec 2019, Aalborg, Denmark, November 18–20, 2019, Proceedings |
Publisher | Springer |
Pages | 103-119 |
Number of pages | 17 |
ISBN (Electronic) | 978-3-030-35055-0 |
ISBN (Print) | 978-3-030-35054-3 |
DOIs | |
Publication status | Published - 2019 |
MoE publication type | A4 Conference publication |
Event | Nordic Conference on Secure IT Systems - Aalborg, Denmark Duration: 18 Nov 2019 → 20 Nov 2019 Conference number: 24 https://nordsec2019.cs.aau.dk/ |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Publisher | Springer |
Volume | 11875 |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | Nordic Conference on Secure IT Systems |
---|---|
Abbreviated title | NordSec |
Country/Territory | Denmark |
City | Aalborg |
Period | 18/11/2019 → 20/11/2019 |
Internet address |
Keywords
- Commercial VPN
- Insecure configuration
- client-side vulnerabilities
Fingerprint
Dive into the research topics of 'Client-Side Vulnerabilities in Commercial VPNs'. Together they form a unique fingerprint.Press/Media
-
Security Failures in Modern Software
Tuomas Aura & Markku Antikainen
14/04/2021
1 item of Media coverage
Press/Media: Media appearance