
Nyr|1 year ago

Governments do not even need any of the providers to comply, they can access global NetFlow data. This is conveniently not discussed by any commercial VPN provider.


hypeatei|1 year ago

Okay, but this is a given if you don't run your own ISP. Your ISP can also see that you connect to Tor. Your data is still encrypted.

Cyph0n|1 year ago

It ultimately depends on your threat model. But assuming a state actor has access to NetFlow data, an attack could work like this:

* State actor determines that an IP belonging to a VPN company had a session on example.com around t1-t2

* You -> VPN server at t1

* VPN server -> example.com at t1+latency

* More traces from both sides until around t2 as you browse the site

By correlating multiple samples, and accounting for latency between you and the VPN server and delay introduced by the VPN itself, they would be able to get decent confidence that it was you.

ortichic|1 year ago

How would such an attack work?

thrwaway1985882|1 year ago

The threat actor most people use to talk about this is a global passive adversary: a threat actor who can see all relevant traffic on the Internet but who can't decrypt or adjust the traffic.

This adversary would have the ability to ingest massive amounts of data and metadata[0] it acquires from tier 1 ISPs all over the country[1] and the world[2]. They'll not see raw HTTP traffic because most everything of interest is encrypted, but can store and capture (time, srcip, srcport, dstip, dstport, bytes).

From there, it's a statistical attack: user A sent 700 kilobytes to a VPN service at time t; at t+epsilon the VPN connected to bad site B and sent 700 kilobytes+epsilon packets. Capture enough packet flows that span the user, the VPN, and the bad site and you can build statistical confidence that user A is interacting with bad site B, even with the presence of a VPN.

This could go other directions too. If bad site B is a Tor hidden site whose admin gets captured by the FBI and turns over access, they'll be unmasking in reverse – I got packets from Tor relay A, which relay sent packets at time-epsilon to it, (...), to the source.

There's very little you can do to fight this kind of adversary. Adding hops and layers (VPN + VPN, Tor, Tor + VPN, etc.) can only make it harder. It's certainly an expensive attack both in terms of time consumption, storage, and it requires massive amounts of data, but if your threat model includes a global passive adversary, game over.

[0] https://en.wikipedia.org/wiki/XKeyscore

[1] https://en.wikipedia.org/wiki/Room_641A

[2] https://en.wikipedia.org/wiki/FVEY

push0ret|1 year ago

Could you protect against NetFlow analysis by pushing a bunch of noise over the VPN tunnel at all times? I'd assume it would at least make the analysis significantly more challenging.

thrwaway1985882|1 year ago

Some of the prior works in this paper[0] address noise in anonymity networks, but in general: you either add noise at the link level which malicious nodes can identify & ignore, or you add noise by injecting fake chaff packets that are dropped somewhere inside the network which are statistically identified when you look at packet density across the network.

This might or might not extend to VPN nodes depending on your threat model - I'd personally assume every single node offered to me by a company in exchange for money is malicious if I was concerned about privacy.

[0] https://www.cs.utexas.edu/~shmat/shmat_esorics06.pdf
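A toy model of the flow correlation that Cyph0n and thrwaway1985882 describe above (client-to-VPN bytes at t, VPN-to-site bytes at t+latency, correlated across many samples), plus the link-level padding push0ret asks about. This is an added example, not code from the thread or from any paper it cites; every flow observation in it is constructed, the one-second bucketing and the Pearson-over-lags scoring are my own simplifications of "statistical confidence", and the 2-second shift and 3% tunnel overhead are made-up parameters.

```python
"""Toy flow-correlation model of a global passive adversary.

Constructed example: the observations below are invented, not captured data.
Each observation is (seconds, bytes) on one direction of one link, i.e. the
(time, bytes) part of the NetFlow record the thread says the adversary keeps.
"""
from typing import Dict, List, Tuple

Observation = Tuple[float, int]  # (timestamp in seconds, bytes seen on the wire)

BUCKET_S, N_BUCKETS, MAX_LAG = 1.0, 12, 3  # assumed: 1 s buckets, 12 s window, <= 3 s VPN delay


def bucket_flows(records: List[Observation], bucket_s: float, n_buckets: int) -> List[float]:
    """Aggregate observations into a bytes-per-interval series the adversary can compare."""
    series = [0.0] * n_buckets
    for ts, nbytes in records:
        idx = int(ts // bucket_s)
        if 0 <= idx < n_buckets:
            series[idx] += nbytes
    return series


def pearson(a: List[float], b: List[float]) -> float:
    """Pearson correlation; 0.0 when either side has no variance (a constant-rate link)."""
    n = min(len(a), len(b))
    a, b = a[:n], b[:n]
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / (va ** 0.5 * vb ** 0.5)


def best_lag_correlation(client_side: List[float], server_side: List[float], max_lag: int) -> Tuple[int, float]:
    """Try every lag 0..max_lag (latency + VPN delay) and keep the best-fitting one."""
    best = (0, -1.0)
    for lag in range(max_lag + 1):
        score = pearson(client_side[: len(client_side) - lag], server_side[lag:])
        if score > best[1]:
            best = (lag, score)
    return best


def attribute(candidates: Dict[str, List[float]], server_side: List[float], max_lag: int) -> List[Tuple[str, int, float]]:
    """Rank candidate clients by how well their upstream pattern explains the VPN->site flow."""
    ranked = [(name, *best_lag_correlation(series, server_side, max_lag)) for name, series in candidates.items()]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def pad_constant_rate(series: List[float], rate: float) -> List[float]:
    """Link-level padding: every interval carries exactly `rate` bytes, so burst shape leaves the wire."""
    if max(series) > rate:
        raise ValueError("padding rate must cover the real traffic")
    return [rate] * len(series)


# Constructed observations on three customers' links into the VPN.
CLIENT_RECORDS: Dict[str, List[Observation]] = {
    "alice": [(1.0, 700_000), (4.2, 300_000), (4.7, 300_000), (9.1, 900_000)],  # bursty browsing
    "bob": [(float(t), 200_000) for t in range(N_BUCKETS)],                      # steady stream
    "carol": [(2.0, 500_000), (6.3, 500_000), (10.5, 500_000)],                  # periodic sync
}
# Constructed VPN egress to example.com: alice's bursts 2 s later, 3% smaller once tunnel overhead is stripped.
SERVER_RECORDS: List[Observation] = [(ts + 2.0, int(nbytes * 0.97)) for ts, nbytes in CLIENT_RECORDS["alice"]]


def run_demo() -> Dict[str, object]:
    """Attribute the egress flow, then repeat for alice behind a constant-rate padded link."""
    clients = {name: bucket_flows(recs, BUCKET_S, N_BUCKETS) for name, recs in CLIENT_RECORDS.items()}
    server = bucket_flows(SERVER_RECORDS, BUCKET_S, N_BUCKETS)
    ranking = attribute(clients, server, MAX_LAG)
    padded_alice = pad_constant_rate(clients["alice"], 1_000_000)
    padded_score = best_lag_correlation(padded_alice, server, MAX_LAG)[1]
    return {"ranking": ranking, "padded_alice_score": padded_score}


if __name__ == "__main__":
    result = run_demo()
    for name, lag, score in result["ranking"]:
        print(f"{name:6s} lag={lag}s score={score:.3f}")
    print(f"alice behind constant-rate link: score={result['padded_alice_score']:.3f}")
```

With only three bursts the unpadded alice flow lines up at lag 2 with a score near 1.0 while carol, who shares one interval by coincidence, scores well below that and bob's constant stream scores 0. Padding alice's link to a constant rate removes the size and timing signal from that hop, which is the "link level" case in the reply above: the external observer loses the correlation, but the VPN node itself still sees the real bursts, so the mitigation holds only if the node is not part of the adversary.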

zikduruqe|1 year ago

Honestly, paying for a VPN is just purchasing slow internet speeds at a premium.

https://www.youtube.com/watch?v=9_b8Z2kAFyY

Just use Tor.

ziddoap|1 year ago

This over-simplification misses different threat models and situations where a VPN is a good fit and Tor is not.

echoangle|1 year ago

So the idea is to torrent stuff at maybe 1 mb/s over Tor? I think I'll stick to VPNs.