Researchers from the Max Planck Institute for Informatics conducted a study analyzing VPN traffic to evaluate the overall security of the VPN ecosystem.
The resulting technical paper raises serious concerns, especially for the SSTP and OpenVPN protocols, like the presence of many VPN servers vulnerable to known cryptographic flaws, such as the ROBOT attack.
Detecting WireGuard and AnyConnect traffic in the wild is too difficult to do reliably, so the researchers focused on IPsec/L2TP, OpenVPN, SSTP, and PPTP.
By conducting internet-wide searches involving connection requests (probes) on a range of 530 million IPv6 addresses and the entire IPv4 address range, the team found 9,817,450 responses that can be identified as VPN servers.
Roughly seven million of the VPN servers detected use the IPsec protocol, 2.4 million use PPTP, 1.4 million rely on OpenVPN, and just 187k use SSTP.
Out of the 1.4 million OpenVPN servers, about 70% were detected over UDP, and 30% were using TCP, which is considered a fallback option.
The paper claims that roughly 90% of the SSTP detections are vulnerable to ROBOT (Return of Bleichenbacher’s Oracle Threat) attacks. This cryptographic attack exploits a weakness in the RSA encryption standard.
This would allow an attacker to decrypt the content of TLS traffic by sending specially crafted requests to the target server. For this reason, the paper suggests avoiding SSTP altogether, as it’s based on an outdated version of SSL.
For OpenVPN, the team found 32,294 servers vulnerable to RC4 attacks, 232 servers vulnerable to Heartbleed, 7,005 servers vulnerable to Poodle, 31 vulnerable to FREAK, eight vulnerable to Logjam, and 95,301 vulnerable to ROBOT.
This means that 134,891 OpenVPN servers are vulnerable to dangerous attacks, or about 9.64% of those detected using the particular protocol.
In addition to the mentioned flaws, the researchers found that many VPN servers use self-issued and self-signed certificates, with around 4.7% of them being “snake oil” TLS certificates, which means they’re invalid and have no real practical purpose.
It should also be noted that a significant percentage of OpenVPN servers (3.8%) and SSTP servers (9%) were using expired certificates, potentially allowing attackers to intercept and manipulate the communication between clients and servers.
Finally, the study found that many VPN servers did not provide an SNI extension in their TLS handshake, which makes it difficult for clients to verify the server’s identity, opening the way to server spoofing and exposing clients to man-in-the-middle attacks.
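As an added illustration of the certificate findings above (this is example code written for this article, not code from the study or its authors), the following Go program audits a PEM-encoded certificate for the properties the article reports on: whether it is expired at a given instant, whether it is self-signed, and whether it carries any name (DNS or IP subject alternative name) that a client could match against the server it meant to reach. That last check is this example's assumption about the certificate-side counterpart of the naming problem described above. The certificates it inspects are constructed inside the program; a real audit would read the PEM from disk or from the server's TLS handshake.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertFinding records the three certificate properties the article discusses.
type CertFinding struct {
	Expired    bool // not valid at the audit instant (before NotBefore or after NotAfter)
	SelfSigned bool // issuer equals subject and the signature verifies with the cert's own key
	NoNames    bool // no DNS or IP SAN a client could match a server name against
}

// AuditCert parses one PEM certificate and evaluates it at time `now`.
func AuditCert(pemData []byte, now time.Time) (CertFinding, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertFinding{}, fmt.Errorf("no CERTIFICATE block found in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertFinding{}, err
	}
	f := CertFinding{
		Expired: now.Before(cert.NotBefore) || now.After(cert.NotAfter),
		NoNames: len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0,
	}
	// Self-signed: the issuer name is the subject name and the certificate's
	// own public key verifies its signature. CheckSignature is used directly
	// because CheckSignatureFrom would reject a non-CA leaf as a parent.
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		f.SelfSigned = true
	}
	return f, nil
}

// MakeSelfSignedPEM builds a constructed, throwaway self-signed server
// certificate (ECDSA P-256) purely so the audit has something to inspect.
func MakeSelfSignedPEM(cn string, dnsNames []string, notBefore, notAfter time.Time) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		DNSNames:     dnsNames,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Passing tmpl as its own parent yields a self-signed certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	year := 365 * 24 * time.Hour
	samples := []struct {
		label    string
		names    []string
		from, to time.Time
	}{
		{"self-signed, valid, with SAN", []string{"vpn.example"}, now.Add(-year), now.Add(year)},
		{"self-signed, expired", []string{"vpn.example"}, now.Add(-2 * year), now.Add(-year)},
		{"self-signed, valid, no names", nil, now.Add(-year), now.Add(year)},
	}
	for _, s := range samples {
		pemData, err := MakeSelfSignedPEM(s.label, s.names, s.from, s.to)
		if err != nil {
			panic(err)
		}
		f, err := AuditCert(pemData, now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-30s expired=%-5v selfSigned=%-5v noNames=%v\n", s.label, f.Expired, f.SelfSigned, f.NoNames)
	}
}
```

Run it with `go run` on a single file; every constructed sample reports `selfSigned=true`, the second also reports `expired=true`, and the third `noNames=true`. Over a directory of real server certificates, the same `AuditCert` call is all that is needed to reproduce percentages like the expired-certificate figures quoted above for your own fleet.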
Although the study was subject to practical limitations, it has proven that SSTP is highly insecure and OpenVPN can be very risky in the current landscape. There’s still much work to be done for some VPN products to fulfill their marketing promises. One of the latest developments in the VPN protocol landscape is WireGuard, which offers upgraded security and better performance over legacy protocols.
For more details on all security/privacy findings and the VPN hitlist with the probe-generating modules that can be used to reproduce the results, check out the technical paper on Arxiv.org.