TechNewsWorld.com

New Open Source Tools Test for VPN Leaks

By David Jones LinuxInsider ECT News Network
Dec 13, 2017 2:49 PM PT

ExpressVPN on Tuesday launched a suite of open source tools that let users test for vulnerabilities that can compromise privacy and security in virtual private networks.

Released under an open source MIT License, they are the first-ever public tools to allow automated testing for leaks on VPNs, the company said. The tools are written primarily in Python and are available for download on GitHub.

Originally used to conduct automated regression testing on ExpressVPN's own software, the tools allow users to check VPNs that might not be providing complete protection to users, said Harold Li, vice president at ExpressVPN.

"We believe the VPN industry as a whole has a duty to properly protect users who place their trust in our products," he told LinuxInsider. "We're open-sourcing these tools as part of an initiative to encourage the entire VPN industry to join us in investing in and identifying and addressing leaks."

Leaky Gut

One-third of the participants in a November study Propeller Insights conducted for ExpressVPN cited cybersecurity as a reason to use a VPN, particularly to protect against cybersnooping over WiFi connections. About 25 percent cited the use of VPNs to make sure their ISP did not see their cyberactivity, while 15 percent said they used VPNs to protect against government surveillance.

The VPN testing tools can detect a wide range of potential leaks, the company said, including the exposure of an IP address during a WebRTC leak. Also, users' Web activity can be exposed when they switch from a wireless to a wired connection. Unencrypted data can leak when VPN software crashes or cannot reach its server.

ExpressVPN claims to be one of the largest consumer virtual private networks in the world, providing one of the largest platforms for a variety of operating systems, including Windows, iOS, Android, Linux and others.

The company offers extensions for a variety of browsers, including Chrome, Firefox and Safari. It supports VPN configurations for a variety of gaming consoles, including Xbox and PlayStation, as well as streaming video platforms such as Amazon's Fire TV, Apple TV and others.

Trust but Verify

VPNs allow users to use private networks rather than untrusted public networks, but they still can leave them vulnerable in certain situations, said Andrew Howard, chief technology officer at Kudelski Security.

"They cannot protect data once it leaves the VPN, and administrators should not assume that a VPN connection to their network is safe, even if properly authenticated," he told LinuxInsider.

There are opportunities for data leakage when setting up or tearing down VPNs, and leaks can happen during connection drops or software crashes, Howard said.

VPNs can help mitigate the probability of successful attacks leveraging any WiFi vulnerability, including man-in-the-middle attacks, said Leigh Ann Galloway, cybersecurity resilience lead at Positive Technologies.

"VPN technology itself is quite well thought out from the point of information security, but the specific implementations might have flaws, just like any software," she told LinuxInsider.

Vulnerabilities have been found in implementations like OpenVPN, Galloway noted.

In terms of data transfer, there can be leaks during implementation, she added. Leaks also might be attributable to certain software settings or applied encryption algorithms, depending upon stability, length of keys, and methods of key generation.


David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

