They added recommendations to fix these vulnerabilities for VPN companies. @ruihildt @viktorivpn
5 Likes
thanks for the ping @jerm shared internally and we will review the findings
8 Likes
Because they tested that ShadowSocks and Tor are not vulnerable. Unlike other VPN software.
The easiest option for users is to use a protocol such as ShadowSocks or Tor. The attacks we found do not affect those systems because ShadowSocks servers and Tor routers do not rely on the problematic connection tracking framework of the host operating system.
so when can we move to a proper, designed for the usage protocol for what VPN services are trying to provide and leave VPNs to enterprise and business users where this is barely a vuln? 
If I am understanding the article clearly, it is saying that it is a problem on the OS implementation side, and not necessarily the VPN protocol side, right? It seems to me that Linux (which tries so hard to always connect to the internet anyways, using every port and method) is once again not implementing enough safeguards to prevent its security from being bypassed. The article even has the authors saying that they contacted OpenVPN and WireGuard devs, but understood that they could not rectify this on the protocol front (so either VPN clients or Linux will have to mitigate this).
I also don’t think that the authors “tested” shadowsocks or Tor, and instead ignored them as these implementations simply don’t use the method the authors were exploiting. So its less “shadowsocks and tor are not affected” and more “shadowsocks and tor are not affected by THIS exploit”.
Offtopic, but all this just makes me more and more eager to have good microkernels instead of the mess Linux is right now.
2 Likes
I guess we like to hear from @Proton_Team here also. Woukd be good to see how all VPN options on PG respond to these findings.
1 Like
Thanks for tagging us! Proton VPN is not vulnerable to this attack.
6 Likes