VPN security breach
kudzu at tenebras.com
Fri Nov 27 18:09:48 UTC 2015
On Fri, Nov 27, 2015 at 8:01 AM, Terje Elde <terje at elde.net> wrote:
> In order for it to work, you depend on letting attackers "book" port
mappings on the same IP that other customers "dial in" to. "Dial in" and
"exit" IPs needs to be the same.
> That's such a broken concept that any serious service couldn't possible
come up with it. In fact, in order to do that, you more or less have to
take extra precautions towards making sure you fail.
There are plenty of commercial VPN (Internet proxy) services, and the
conditions described for the leak aren't too hard to create. The problem is
that any VPN server that supports UPnP or any other form of port mapping
has already compromised security such that it cannot be taken seriously.
User want these things for convenience, but... no.
More information about the freebsd-questions