
VPNs and how to use them correctly...

  • 30-12-2018 3:32pm
    #1
    Registered Users Posts: 1,222 ✭✭✭


    I'm always thinking about the amount of information and data we share online.

    I started using a VPN recently, mainly for streaming purposes.

    I'm not exactly a genius at tech stuff but was talking to a friend who works for a large multinational company

    He was saying that they have to do internal checks on new customers signing up to verify they are legit and not scammers

    Their checks he said are
    where the people are living,
    their real identity,
    Stalking their LinkedIn, Instagram, Facebook etc
    they can get access to their IP addresses
    Device make and model upon sign up

    He was saying when a customer signs up with their general information on their site (standard form filling stuff) they can see their IP address, device make and model and so on


    Then I mentioned VPNs about masking IP addresses and he (in a nice way) laughed it off and said basically they don't work due to their software

    That if a customer is using a VPN when signing up, not only can they see the masked address but the real address too.

    I was surprised but probably shouldn't be.

    Could he be lying?

    Is there a correct way to use VPNs?

    How about protecting our information or whatever is left of it due to online activity..


Comments

  • Registered Users Posts: 121 ✭✭Paranoid Bob


    If the system includes any sort of software that runs on the end user's device (even JavaScript running in a browser) then the local IP can be gained from that.
    In a typical home setup that is likely to be the private NATted address (in 10.0.0.0/8 or 192.168.0.0/16), so not useful for GeoIP. If your ISP allocates IPv6 then the IPv6 address with global scope will identify the ISP.


  • Registered Users Posts: 16,879 ✭✭✭✭Sleeper12


    wally1990 wrote:
    Could he be lying?

    I have tracking software on my website. I have no interest in anyone's personal data. It gives me the ip address of all users. It also tells me if you use different ip addresses on my site. For example landing on the site using your mobile phone. Then landing again using the same phone but on a WiFi network. It can also tell me if you are using a vpn. It doesn't tell me what your real ip address is when you are using a vpn but it will link your vpn visits to visits from the same device using other ip addresses. I can get your ip ad this way but if you always use your vpn on my site then that is all the information I get.


  • Registered Users Posts: 1,222 ✭✭✭wally1990


    Sleeper12 wrote: »
    I have tracking software on my website. I have no interest in anyone's personal data. It gives me the ip address of all users. It also tells me if you use different ip addresses on my site. For example landing on the site using your mobile phone. Then landing again using the same phone but on a WiFi network. It can also tell me if you are using a vpn. It doesn't tell me what your real ip address is when you are using a vpn but it will link your vpn visits to visits from the same device using other ip addresses. I can get your ip ad this way but if you always use your VPN on my site then that is all the information I get.

    How do you know it's the exact same device?

    Out of interest, what information on the device is available...


  • Registered Users Posts: 16,879 ✭✭✭✭Sleeper12


    wally1990 wrote:
    How do you know it's the exact same device?

    Here's an example of one
    Safari 12.0
    Ios 12.1
    Iphone
    Screen 375x667

    The software knows the individual device id. If you visit my site with the same phone on WiFi instead of the network the software knows it is the same device.

    I also have Google analytics. This won't give ip addresses but it will tell me if it's phone, tablet or desktop. It will tell me if it's a Samsung s6 or s8 or iPhone 6. None of this information interests me but it's there if you do a little digging. Your device gives out a lot more information than just the ip address.


  • Registered Users Posts: 13,980 ✭✭✭✭Cuddlesworth


    Sleeper12 wrote: »
    Here's an example of one
    Safari 12.0
    Ios 12.1
    Iphone
    Screen 375x667

    The software knows the individual device id. If you visit my site with the same phone on WiFi instead of the network the software knows it is the same device.

    I also have Google analytics. This won't give ip addresses but it will tell me if it's phone, tablet or desktop. It will tell me if it's a Samsung s6 or s8 or iPhone 6. None of this information interests me but it's there if you do a little digging. Your device gives out a lot more information than just the ip address.

    It knows it's the same device from a cookie. If you browse with incognito mode, then the website can only see the device as unique (IP aside).

    It can try do a level of fingerprinting like you said, app and OS version, screen sizes etc. But with newer updated phones/browsers, they would all tend to show as non-unique version from auto updates.


  • Registered Users Posts: 1,618 ✭✭✭flexcon


    If the system includes any sort of software that runs on the end user's device (even JavaScript running in a browser) then the local IP can be gained from that.
    In a typical home setup that is likely to be the private NATted address (in 10.0.0.0/8 or 192.168.0.0/16), so not useful for GeoIP. If your ISP allocates IPv6 then the IPv6 address with global scope will identify the ISP.

    Interesting. I wonder then how this allows DNS spoofing to work with BBC iPlayer apps on say - Apple TV. The app would be broadcasting the inside and outside local/global and therefore it wouldn't work. But I've been using a DNS for a year and works flawlessly. Just curious to how this can escape through.


  • Posts: 0 [Deleted User]


    wally1990 wrote: »
    Then I mentioned VPNs about masking IP addresses and he (in a nice way) laughed it off and said basically they don't work due to their software

    That if a customer is using a VPN when signing up, not only can they see the masked address but the real address too.

    Is there a correct way to use VPNs?

    I don't know where to begin with this but I'll try.

    Yes software can be buggy but it's inaccurate to say VPNs don't work due to 'their software'. A VPN basically provides a proxy point between you and the destination you're trying to access. If you're point A and you want to access point C you'd first connect to point B. Point C will only see a connection inbound from point B.

    There are many ways point C can attempt to fingerprint who you are. This includes HTTP request headers, cookie tracking, running a fingerprint script in your browser (search fingerprintjs) etc. However, this won't help to identify your router's assigned public IP address as the public IP address is not assigned to your device, rather you're assigned a private IP address within the network which is NATTED behind the public IP.

    This means even if I've gone to the extent of running JavaScript on your system I'll only be able to see your privately assigned IP address.

    The only chance is if the routing on your system was somehow screwed up and all traffic was not routed over the secured tunnel with the VPN server. This does happen, and I've had many problems with traffic routing on Linux systems. We've also found attackers when they didn't realise their VPN connection dropped and connected directly from their network.

    I highly doubt he understands what the 'real address' is, either that or he's confusing fingerprinting with 'real address'.

    As for the correct way to use a VPN, I personally use it to secure my communications on unsecured networks (public wifi) or to access sites when outside the country (RTE player, News sites etc). So I'm not too concerned with being 'anonymous'. But you should use a browser with a generic user-agent, disable cookies where possible, clear them regularly, disable Flash, JavaScript etc and use a DNS server with privacy in mind (Cloudflare). And even if you go to this extent there is no guarantee that something won't be misconfigured and potentially reveal who you are.

    For further reading you should check out research into unmasking Tor users. Tor is technically not a VPN but it's seen as one of the most secure forms of communication and some of the vulnerabilities are similar to VPNs.
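
Added example, not part of any post above: a small server-side sketch of the visit linking that Sleeper12 and Cuddlesworth describe, plus the private-range check behind Paranoid Bob's NAT point. The visit records, field names and addresses are constructed for illustration and do not come from any real tracking product.

```javascript
// Constructed sample log: one phone seen on three networks, plus a stranger's phone.
const DEV = { ua: "Safari 12.0", os: "iOS 12.1", device: "iPhone", screen: "375x667" };
const visits = [
  { ip: "203.0.113.10", cookie: "c-1", ...DEV }, // mobile network
  { ip: "198.51.100.7", cookie: "c-1", ...DEV }, // home WiFi
  { ip: "192.0.2.55", cookie: "c-1", ...DEV },   // same phone through a VPN exit
  { ip: "192.0.2.55", cookie: null, ...DEV },    // private browsing, still on VPN
  { ip: "203.0.113.99", cookie: null, ...DEV },  // a different person's identical phone
];

// Coarse fingerprint built only from the attributes listed in the thread.
function fingerprint(v) {
  return [v.ua, v.os, v.device, v.screen].join("|");
}

// Group visits by an identifier and collect the distinct IPs seen for it.
function ipsByKey(log, keyFn) {
  const groups = new Map();
  for (const v of log) {
    const key = keyFn(v);
    if (key === null) continue; // visit carries no such identifier
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(v.ip);
  }
  return groups;
}

// RFC 1918 ranges: the kind of address a script on the device sees behind NAT.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

function report(log) {
  const byCookie = ipsByKey(log, (v) => v.cookie);
  const byPrint = ipsByKey(log, fingerprint);
  return {
    // The cookie ties the VPN exit IP to the phone's non-VPN IPs.
    cookieLinkedIps: [...(byCookie.get("c-1") || [])],
    // The fingerprint also sweeps in the stranger's phone: it is not unique.
    fingerprintLinkedIps: [...(byPrint.get(fingerprint(log[0])) || [])],
  };
}
```

With the cookie present, the VPN visit is tied to the earlier non-VPN addresses; without it, the coarse fingerprint cannot tell the two identical phones apart.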

