38

As per the question. If I am connected to a website, streaming content from my native IP and I then enable my VPN, what does the website see?

Monica Apologists Get Out
  • 4,021
  • 1
  • 14
  • 21
Matt
  • 397
  • 3
  • 3

5 Answers5

72

Since you asked specifically what the website will see, rather than any intermediary watching your network connection, we should think in terms of requests:

  • Your old ("native") IP will disconnect any long-running requests, and stop making any new requests.
  • Your new (VPN) IP will connect and start making requests.

On their own, those two events will be unconnected as far as the web server is concerned, however there may be various things which can be used to guess, with reasonable confidence, that they are related:

  • A cookie may have been set for your browser to send with each request, and the old and new requests will send the same cookie.
  • A client-side script (code running in your browser) may be feeding additional stateful data with the content requests, possibly stored in LocalStorage so that it will resume if you reload the page.
  • The URLs for the content may have been dynamically generated for you, so any request to that URL is assumed to be the same user.
  • The site may take a "fingerprint" of your browser - User Agent, detection of features and settings, etc - and recognise that before and after you connect to the VPN.
  • The server could log where in the stream you had got to, and line up the first position the new IP requests (e.g. with the Range HTTP header) with the last position the old IP requested.

All of these things are technically information which you are providing to the website, and can be altered, spoofed, or removed; but doing so will not happen automatically in a standard browser.

IMSoP
  • 3,780
  • 1
  • 15
  • 19
  • 7
    In addition, even without any directly identifying information, it’s fairly obvious that if client A stops downloading/streaming chunks of a large file at point X (e.g. via a `Range` header), and immediately afterwards client B starts downloading/streaming at point X, these two clients are the same. – Konrad Rudolph Jun 26 '18 at 12:33
  • 2
    @KonradRudolph That's certainly another clue, although I suspect a less likely one for the server to be tracking. Most servers wouldn't even log the `Range` header, and analysis would need to be slightly fuzzy, as the client might well re-request some data that was dropped when the old connection was closed. Still, I'll add it to the answer. – IMSoP Jun 26 '18 at 12:38
  • 2
    @IMSoP Yes, it’s far from foolproof and a server wouldn’t usually benefit from trying to perform such a correlation. I just thought that, given this is the Security SE, the question might be in the context of hiding OP’s identity from an adversary, which would justify paranoia. – Konrad Rudolph Jun 26 '18 at 12:42
  • So, basically the same thing will happen as with any provider with dynamic-ip. – Agent_L Jun 27 '18 at 10:23
  • 4
    @Agent_L Indeed, as others have pointed out, phones switch networks all the time, most obviously when switching from mobile data to wi-fi, and switching to a VPN is no different as far as the rest of the Internet is concerned. – IMSoP Jun 27 '18 at 10:27
  • 1
    @IMSoP: Or even just jumping cells (particularly if you're jumping a lot of them — think car or train journeys); in a good network you'll keep your IP when doing so but there's no guarantee, particularly if the network has poor sync. – Lightness Races in Orbit Jun 28 '18 at 09:53
17

Your old http session will end and a new one will start. If you haven't so much as switched to a new browser, the site will be able to very easily figure out that you're the same person, just coming from a different IP. This situation happens routinely when, for example, you switch from your home wifi to a mobile connection, so all sites are able to cope and recognize that you're the same user.

mricon
  • 6,238
  • 22
  • 27
  • 16
    I think the phrase "http session" is unfortunate here - HTTP has no notion of a "session", and is fundamentally stateless. You *might* have a TCP connection open (with `Connection: Keep-Alive` or HTTP/2), but closing and reopening that isn't a significant event. As for "all sites are able to cope...", that doesn't really answer the question, which is what they will see; they cannot directly see that you are the same user, but they can see specific things (most obviously, cookies) from which they can *assume* that you're the same user. – IMSoP Jun 26 '18 at 11:09
  • 1
    “So all sites are able to cope and recognize that you're the same user.” This is “truthy” at best. For a site to know this they would need to be tracking you in some way. Either via cookies or a login session. If the site is a plain HTML site, the browser fingerprint will be the same… But browser fingerprints of “Mac user using this specific version of Chrome…” are a dime a dozen. – Giacomo1968 Jun 26 '18 at 11:43
  • 4
    @JakeGould It's not as dime a dozen as you seem to think. Combining operating system and browser version with locale settings, time zone, etc. you become about one in a million, I'd say. Maybe one in a hundred thousand if you're common enough. See https://amiunique.org – Arthur Jun 26 '18 at 12:43
  • 2
    To the extend of how "easily" they'd know it was the same user, it's like, *super* easy, if you have a session cookie from an Apache/PHP server (or any login cookie at all) then it would be *obvious*. Not to mention also if the page has Google analytics or another one of their 234+ tracking services, Google will most assuredly be able to continue tracking you as the same user from site to site – Brian Leishman Jun 26 '18 at 13:04
  • @BrianLeishman Talking about Google analytics just begs the question: how do *they* know you're the same user? In the end it comes back to a) cookies, or b) fingerprinting; neither of which are mentioned in this answer. – IMSoP Jun 26 '18 at 13:10
  • @Arthur Even less than one in a million. AudioContext fingerprinting has up to 100% accuracy. – forest Jun 26 '18 at 13:11
  • @IMSoP exactly, in the context of cookies (or anything else like uncommon screen resolutions, or specific browser minor versions) makes the VPN practically useless if you switch it on while browsing in my opinion – Brian Leishman Jun 26 '18 at 13:14
  • I think it should be added that a VPN and a browser do different things (obviously), and if there are security or privacy concerns the major fault point is your machine itself -- like @IMSoP says, "fingerprinting" can use the size of the browser window, your machine's GPU or CPU number, local network information... Essentially, if you want to use a VPN and NOT have people associate different sessions, you absolutely need to (1) always use the or a VPN, (2) configure IP-table and gateway rules to enforce ALL traffic goes through the VPN (not just browser traffic), and (3) harden your OS. – RoboBear Jun 28 '18 at 01:13
10

They see that the user Matt (identified by cookie 1234…) two seconds ago had IP address 1.1.1.2 but now has IP 8.8.8.9

(I am assuming you are streaming via http(s), and the streaming happens by downloading chunks on multiple http connections)

Ángel
  • 17,578
  • 3
  • 25
  • 60
6

Presuming you are using VPN to hide your identity, you are putting yourself at risk as the likelihood of success is low. Depending on your VPN provider, they may be keeping logs, your ISP may be monitoring the traffic and logging it too.

If you are streaming live content, you will be seen by your ISP as receiving a continuous stream of packets from 1 or more IP addresses, which is revealing as it matches the time of the live event.

Even if you are not registered, the remote website may be attaching headers (auth tokens) to your requests for the content as a unique ID of a guest user, they may be writing to your browser's local storage and session storage or attach cookies to your requests.

Starting a new incognito window in Chrome starts with fresh browser cookies, local storage, etc.

What's inevitable is hiding the meta data about the traffic (usage amount, where it's coming from, etc.).

This article on Medium would be very helpful: What you’re revealing to your ISP, why a VPN isn’t enough, and ways to avoid leaking it

Dimitar Nikovski
  • 161
  • 3
3

It depends how split tunneling is configured on your VPN. Your VPN may decide base on this configuration to send the Internet traffic via VPN tunnel or via your regular connection to the Internet.

If your traffic will go via regular connection then the website will not even see that you are connected to VPN. If your VPN is configured to route all request via VPN network then website will see that you are connected from different IP address, so the effect is similar to changing your network connection (like changing WiFi connection or connecting via mobile device). Your session stored in your browser can still be accessible.

rumburak
  • 131
  • 2
  • +1 for not forgetting that starting VPN tunneling wont always terminate connections and wont always change ip address. it depends on VPN software installed on your machine or VPN software on your FW/router. – Sampo Sarrala - codidact.org Jun 27 '18 at 17:57
  • Good point. I'd assumed that this was a VPN designed for anonymisation, rather than remote access to something, and would route all the traffic it could, but it's definitely something to be aware of. – IMSoP Jun 28 '18 at 09:18