1

In using a VPN service I want to feel comfortable in the knowledge that outsiders cant simply build up metadata on my browsing activities. The fact it is done is somewhat unsettling. I have spent days setting up and configuring a VPN connection for the purpose of transmitting only data which is absolutely necessary to navigate the internet. I ran many tools, conducted online tests and followed many tutorials in configuring patches/fixes for known security flaws.

Whilst running VPN service I used https://ipleak.net/ for checking status of the connection and it revealed things were able to be obtained and had to be fixed. The methods I used to fix them all are described at the bottom of the page.

PROBLEM is even when every measure I can find on the internet has been taken the website (https://ipleak.net/) is still able to obtain knowledge about:

  • My Screen Display (Resolution, Pixels & Colour Depth).

  • Information on all my installed browser plugins.

  • Types of documents my system can read.

  • The Referrer. (Website I Came From)

I would rather transmit as little as possible and feel some of this information obtained is completely irrelevant. I cannot find anything via the internet on any methods which I can take to resolve any of these issues and to stop the information being passed on. Looking for advice and opinions regarding this matter. Appreciated In Advance.

After deciding on using VPN service I conducted the following steps:

  • Set up Client VPN Gate Relay.
  • Configured IPv4 settings to set Ip address to static. Also changed DNS Servers to 8.8.8.8 and alternate of 8.8.4.4.(Google Servers)
  • Disabled IPv6.
  • Patched known security flaw known as WebRTC which allows website owners to attain both the VPN Server address as well as your ISP assigned IP.
  • Configured and fixed the system so no DNS requests were being leaked. In the leaking of DNS Requests cause a problem as information can be obtained through the fact you are using the ISP Servers to navigate through the internet.(I.E Browser Search)

Here are some Images showing the fact the the website can retrieve all this information while I am using VPN software even after everything I have tried and searched for.

taken from https://ipleak.net/

taken from https://ipleak.net/

taken from https://ipleak.net/ taken from https://ipleak.net/

taken from https://ipleak.net/ taken from https://ipleak.net/

Alexander O'Mara
  • 8,774
  • 6
  • 34
  • 38
Star's Studio
  • 21
  • 5
  • You may want to use the Tor browser package. If you use it with the default settings you'll have reasonably good anonymity. https://panopticlick.eff.org/ is a good source to test how anonymous your browser is. – Neil Smithline Jan 17 '16 at 23:26
  • I have read into tor and attempted using it myself though I have found it to be rather inadequate for my purposes. Thanks for the link though I have already sorted all the problems in relation to the things tested on this site. It is just the information above shown in Images which is transmitted and I am at a loss as to why I cant have an opinion on the availability of that information. Thanks. – Star's Studio Jan 17 '16 at 23:32
  • Star - Tor hides your screen size information assuming you don't resize the window and ignore the warnings. See https://www.reddit.com/r/TOR/comments/34u6m9/why_does_tor_warns_me_about_using_monitor_size/. Tor also comes with a preset list of plugins that you should not change. So using Tor makes you look like all other Tor users in terms of screen size and browser plugins. That's 2 of the 4 issues you raised. – Neil Smithline Jan 17 '16 at 23:37
  • I will look into it. Thanks for sharing. Will the tor browser work perfectly with my vpn service? If so that is helpful though I would still need to look into it in depth. Check there are no known vulnerabilities such as webRTC or anything similar which tor may incorporate. Thanks – Star's Studio Jan 17 '16 at 23:51
  • Tor will work with VPN. And Tor doesn't do dumb things like enable webRTC by default. Tor is maintained by some very talented, privacy-focused developers. They've likely done everything you would ever think of. – Neil Smithline Jan 18 '16 at 00:01
  • I created a full answer containing this information. – Neil Smithline Jan 18 '16 at 00:03

3 Answers3

0

The information about OS etc. comes from the HTTP User-Agent header. You can install some plugin to fake the User-Agent to any other you like, or strip it out altogether.

The information about screen resolution comes from the Javascript layer and you can do nothing sensible about it. You could go and hack the browser binary, for example replacing "availHeight" and "availWidth" with "awailHeight" and "awailWidth". The browser will then no longer understand requests from "availHeight". The calling site will be unable to determine your screen size, and several sites you browse will appear broken (Also, several file integrity schemes will now trip and report your browser as corrupt, infected, or otherwise unreliable).

Another possibility is disable Javascript support altogether, but then many more sites will appear broken.

Finally you can install a virtual machine with different characteristics from your own machine, and browse from there.

LSerni
  • 22,521
  • 4
  • 51
  • 60
  • Most useful Information I have seen on it. Thanks that will send me in the right direction. :) – Star's Studio Jan 17 '16 at 23:33
  • If you use Tor at it's default size, it gives you anonymity because everyone using Tor is using the same size. See https://www.reddit.com/r/TOR/comments/34u6m9/why_does_tor_warns_me_about_using_monitor_size/. – Neil Smithline Jan 17 '16 at 23:35
  • Unaccepted as I would like to see if any other things can be said :) Many Many thanks for your explanation – Star's Studio Jan 17 '16 at 23:42
  • You do not describe your use case, but perhaps might be interested in this other answer: http://security.stackexchange.com/a/23055/11144 . – LSerni Jan 17 '16 at 23:52
0

You are correct by saying that browsers send information that can be used to narrow down the possible source(s). There are quite a few points which need to be made here since this touches particular subjects.

VPN service

As long as the VPN server/service is not in your possession, nothing can guarantee your identity and/or security, which is often overlooked. You cannot check their configuration or their implementation, which puts you already at risk. Even when the VPN provider has everything in order, they might be bound by law (or paid) to log request or create client profiles.

Browser

All the information sent by the browser is tweakable in some way. Firefox allows many settings to be changed like DNS resolution (which you already did), user-agent, referers etc... Same is true for HTTP headers. Disable scripts (no js) and flash-like plugins to make sure the webapplication is unable to acquire information provided by the browser. Most modern browsers can also accomplish the same with do-not-track-me plugins.

If you want to be certain that all the information sent by the browser is 'clean', run a proxy behind your browser which strips all HTTP, headers and operating system specific info. Some sites will appear weird or do not show anything at all when taking such measurements.

IP

VPN only hides your public network address after the VPN gateway. All the VPN traffic can still be traced to you, which makes it possible to map you into specific regions. This is usually not much of a problem though.

Operating System

Run services and clients in an container or closed environment like a VM. This ensures that even the operating system cannot be detected accurately.

PS. When IPv6 is setup correctly by either SLAAC or static it should not provide an additional security risk abore IPv4.

Yorick de Wid
  • 3,346
  • 14
  • 22
0

You mention four problems. All of them can be remediated by using Tor. Tor does not maintain your anonymity by hiding every detail. This is good because, for example, it is unclear how a browser could function with window size being hidden. Rather Tor has defaults that everyone using Tor should use. Once you do this, you become indistinguishable from all of the other Tor users.

  1. My Screen Display (Resolution, Pixels & Colour Depth). Tor hides this by providing a default window size and warns you if you try to change it. See this Reddit discussion for more information.

  2. Information on all my installed browser plugins. Tor comes with a preconfigured set of plugins. You should not change these.

  3. Types of documents my system can read. All people with the default Tor configuration accept the same types of documents.

  4. The Referrer. (Website I Came From) I think it is somewhat unclear how much removing the referrer helps, but Tor (actually the underlying Firefox browser) supports disabling referrer support by going to about:config, searching for network.http.sendrefererheader and changing its value from 2 to 0.

I think that https://panopticlick.eff.org may be a better site to evaluate your anonymity. Instead of just telling you if it could get details about your configuration, it tells you how unique your configuration is. As long as your browser looks like lots of other browsers, you are achieving some degree of anonymity.

Note that you can start your VPN and then run Tor through it. This may provide a bit more anonymity. Search this site for questions involving Tor and VPN if you wish to research this further.

If you are willing to use a different OS, Tails is a whole OS designed to maintain your anonymity. Tails is what Snowden used to evade the NSA.

Neil Smithline
  • 14,621
  • 4
  • 38
  • 55
  • Thanks I suppose It does do everything I asked. Hopefully tor will remain that way for a long time with no hiccups. Its not the annoymity for myself I am primarily interested in. Its more for a larger scale deployment of services aimed at keeping incoming/outgoing data transmission of a LAN as secure as possible. Thanks :) – Star's Studio Jan 18 '16 at 00:10