cryptostorm / cryptostorm_client_configuration_files

cryptostorm client configs

Use of Linux Cryptofree config seems to leak info, and yields France-only IP #2

Closed ABISprotocol closed 8 years ago

ABISprotocol commented 8 years ago

There are two elements to this issue:

1) Use of Linux Cryptofree seems to leak info, for example the IPv6 address and actual user location are revealed via the site http://whatismyipaddress.com/. A test of the use of Cryptofree based on suggestions found at http://lifehacker.com/how-to-see-if-your-vpn-is-leaking-your-ip-address-and-1685180082 suggests that (for Firefox users) so long as one has disabled WebRTC directly by opening a tab and going to “about:config” in the address bar, and then set the “media.peerconnection.enabled” setting to false, there will be less leakage. This is correct (it minimizes the leakage that is detectable through https://diafygi.github.io/webrtc-ips/ but there is still leakage detectable via http://whatismyipaddress.com/).

2) Currently, the use of Linux Cryptofree config file as shown below on github and at the Cryptostorm site, results in an IP address in France consistently, example: 212.129.34.154 France Lorraine Nancy ISP: Online S.a.s. Hostname: linux-cryptofree1-a.xn--cdaan2d.be

Example site which yields information: http://www.whereisip.net/

https://github.com/cryptostorm/cryptostorm_client_configuration_files/blob/6b3fc9df86edf71d01a312f0418a4dcab13237fc/cryptofree_linux.ovpn

https://cryptostorm.org/viewtopic.php?f=58&t=8725

Supposing one did not want one's IP when operating this VPN to be an apparent France IP, and wanted to change it, how would one go about it?

df-cryptostorm commented 8 years ago

I just tested on an Ubuntu laptop using Firefox, I'm not seeing any IPv6 IPs being leaked on that website (Yes, I have an IPv6 address), but we've always suggested to people that they should disable IPv6 as there are plenty of ways to make it leak.

On Windows, the widget disables IPv6 automatically for this reason. On Linux, users will need to do something like add to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

followed by a sysctl -p, or they could use ip6tables to DROP all IPv6 packets.

As for the Cryptofree IP always being in France, it's true, both Cryptofree servers are in France. If someone needs an IP in a different location (and wants uncapped bandwidth), they have to pay for the service.
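
A way to verify the IPv6 settings from the comment above, as an added example that is not part of the original thread: it checks that a sysctl config file sets all three keys to 1 and lists any interface whose runtime `disable_ipv6` flag is still 0. The function names and the demo data are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the IPv6-disable settings.
# Function names are hypothetical; the demo data is constructed.

REQUIRED_KEYS="net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.default.disable_ipv6
net.ipv6.conf.lo.disable_ipv6"

# missing_sysctl_keys FILE
# Print each required key that FILE does not set to 1. Comment lines are
# skipped; the last assignment of a key is the one that counts here.
missing_sysctl_keys() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    for key in $REQUIRED_KEYS; do
        val=$(awk -F= -v k="$key" '
            /^[ \t]*[#;]/ { next }
            { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
            $1 == k { v = $2 }
            END { print v }' "$conf")
        [ "$val" = "1" ] || echo "$key"
    done
}

# ipv6_enabled_ifaces [ROOT]
# Print every interface whose runtime disable_ipv6 flag is not 1.
# ROOT defaults to the kernel's per-interface sysctl tree.
ipv6_enabled_ifaces() {
    root=${1:-/proc/sys/net/ipv6/conf}
    for f in "$root"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "1" ] || basename "$(dirname "$f")"
    done
}

# Demo on constructed input: a config that omits the "default" key and a
# fake sysctl tree in which a tunnel interface still has IPv6 enabled.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '# constructed sample config' \
        'net.ipv6.conf.all.disable_ipv6 = 1' \
        'net.ipv6.conf.lo.disable_ipv6=1' > "$tmp/sysctl.conf"
    for i in all default lo tun0; do
        mkdir -p "$tmp/conf/$i"
        echo 1 > "$tmp/conf/$i/disable_ipv6"
    done
    echo 0 > "$tmp/conf/tun0/disable_ipv6"
    echo "not set to 1 in config: $(missing_sysctl_keys "$tmp/sysctl.conf")"
    echo "IPv6 still enabled on: $(ipv6_enabled_ifaces "$tmp/conf")"
    rm -rf "$tmp"
}
demo
```

On a live system, run `missing_sysctl_keys /etc/sysctl.conf` and `ipv6_enabled_ifaces` with no argument after `sysctl -p`, and again once the VPN tunnel interface is up.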

ABISprotocol commented 8 years ago

Thanks for the details on how to disable IPv6 in Linux. Could you add steps on how to do that here also at: https://cryptostorm.org/viewtopic.php?f=58&t=8725 (the cryptofree howto ubuntu page) and maybe also here: https://cryptostorm.org/viewtopic.php?f=58&t=6384 (the cryptofree linux page, general)

The other issue, importantly, is France.

While this (Cryptofree) is indeed a free service, it is important to note here that if there are Cryptofree servers in France then anything that the users of Cryptofree are doing ends up being subjected to the problems associated with the current state of affairs in France, which is not looking like it is going to change anytime soon and is getting worse.

Amongst these issues are:

1) France's sweeping new surveillance powers, approved in May and June of 2015 https://www.rt.com/news/255869-france-new-surveillance-bill/ http://www.theguardian.com/world/2015/jul/24/france-big-brother-surveillance-powers "Private residences can be monitored using geolocation measures, mobile communications can be intercepted and web-page use can be monitored using “black boxes;” a complex algorithm that Internet providers will be forced to install. (...) The bill also removes the need for judicial warrants to deploy hidden microphones, cameras and phone taps."

2) Social Media Censorship Gains New Ground in U.K., France https://reason.com/blog/2015/02/10/social-media-censorship-in-uk-and-france

3) France begins blocking suspected "terror" websites without a court order https://www.theverge.com/2015/2/9/8003907/france-terrorist-child-pornography-website-law-censorship

4) France attacks anonymity, and even the use of cash, while also railing against the use of bitcoin and encryption generally http://www.zerohedge.com/news/2015-05-05/following-terrorist-fighting-ban-cash-france-passes-le-patriot-act

In summary, the corporation-state of France is run by a bunch of fascist fuckwits who don't give a rat's ass how tight the settings are on your servers. And users (regardless of the fact that Cryptofree is a free service) shouldn't be subjected to having to be exposed to potential action by frothing-at-the-mouth French authorities.

The point of my ramble here is that I like the idea of Cryptofree, but I think you should pull up roots from France and do it in a country that is not so (ahem) nuts.

df-cryptostorm commented 8 years ago

Just added those commands to the forum.

As for the current state of France, it's well known that every country is susceptible to the same problems. Even if a particular country has liberal laws regarding Internet privacy, it doesn't mean that the NSA or any other hacker can't still do their own remote surveillance of internet traffic.

That's why CS servers weren't designed simply with "tightened security" (Although they do have that :-P), they were also designed in a way that allows us to detect any type of physical tampering, along with a lack of any useful information so if someone were to attempt to do forensics on the physical server, they wouldn't be able to disclose anything about any particular client.

That being said, it would still be possible to do correlation attacks if someone were to (for example) hack into the gateway router at the ISP/DC of a CS server and setup packet sniffing on the entire subnet and analyze enough of that data to determine which incoming traffic's client IP matches which outgoing traffic's destination IP.

To deal with those issues, we've started working on something called "voodoo". Details are at https://github.com/cryptostorm/voodoo.network

ABISprotocol commented 8 years ago

Hello @df-cryptostorm / @cryptostorm/cleanvpn-ops ~ Reviewing your recent comment on this issue, regarding the potential of (the example given in your prior comment) of correlation attacks, I certainly see that as possible (in various countries) though I see France as particularly problematic due to the forced use of "black boxes" by ISPs and the removal of any kind of need for judicial warrant (as an obstacle, however temporary, between 'the law' and your servers or any user's device where data may transit through them).

Having read about the Cryptostorm voodoo details on github prior to the receipt of your last comment, I can say that I was interested by it, but what I can say about it is that the average user is not likely to use it or configure it properly. A "click and go" approach (in which one utilizes the config file and OpenVPN) is what is most likely to be used, where the options can be imported directly into OpenVPN. To the extent that the Cryptostorm voodoo network is being developed for broader use, I would suggest hacking something up that allows the user to import it directly into their OpenVPN through a config file or files, if possible.

More on the subject of countries such as France, China, Russian Federation, the United States (you get my drift): These are corporation-states that you don't want to have servers in unless you had no other choice.

I am guessing that there are better choices out there for corporation-states to have servers in (that you would run Cryptofree from, for example), and here are some thoughts on the matter:

  1. Notes on the Netherlands: Although the Netherlands' Hague District Court suspended its telecom data retention act (http://www.debrauw.com/newsletter/court-suspends-dutch-telecom-data-retention-act/), which initially made the place seem promising, the Netherlands corporation-state continues to pursue a high degree of surveillance through legislation: https://blog.cyberwar.nl/2015/07/dutch-intelligence-bill-proposes-non-specific-bulk-interception-powers-for-any-form-of-telecom-or-data-transfer-incl-domestic/ It therefore seems unlikely that the Netherlands is a logical place to set up an online business in the near future.
  2. Slovakia (http://www.slate.com/blogs/future_tense/2015/05/07/netizen_report_slovakia_says_mass_surveillance_is_unconstitutional.html) - Slovakia may hold some promise for a better location, but would need careful review by someone considering placement of servers there. (Edit / Additional note: Additionally, Slovakia appears generally friendly to decentralized, distributed cryptocurrency users. https://en.wikipedia.org/wiki/Legality_of_bitcoin_by_country#Slovakia)
  3. Slovenia - data retention unconstitutional, decision (https://edri.org/slovenia-data-retention-unconstitutional/) Also may hold some promise for a better location, would need careful review by anyone considering placement of servers there. (Edit / Additional note: Additionally, Slovenia appears somewhat friendly to decentralized, distributed cryptocurrency users. https://en.wikipedia.org/wiki/Legality_of_bitcoin_by_country#Slovenia)
  4. Iceland - Uncertain / Possibly not so great. The reason for this kind of blah assessment of Iceland is that, although it has developed strong privacy laws and guidelines, it also decided it will attempt to ban (by a law it has passed) all forms of decentralized virtual currency other than its own virtual currency, Auroracoin (AUR). (Incidentally, AUR spectacularly, completely, and permanently failed in a flaming ball of something, although that's another story.) In late 2013, the Icelandic Central Bank confirmed that "it is prohibited to engage in foreign exchange trading with the electronic currency bitcoin, according to the Icelandic Foreign Exchange Act," (source [Icelandic]: http://www.mbl.is/vidskipti/frettir/2013/12/19/hoftin_stodva_vidskipti_med_bitcoin/) and thus locked Iceland squarely in the stone age as there are hundreds of decentralized virtual currencies that people happen to use and don't really care what the Icelandic Central Bank thinks.

Slovenia and Slovakia would certainly be better options than France for placement of servers. France is certainly on par with Russia in terms of its hostility to users of modern crypto.

It's also worth mentioning the "Five Eyes" countries - Australia, Canada, New Zealand, the United Kingdom, and the United States. (One of which I've already mentioned above as a "corporation-state that you don't want to have servers in unless you had no other choice.") While traffic for a service such as a VPN can come from anywhere around the world, there is no need to place physical resources and infrastructure squarely within the jurisdiction of such corporation-states. I've used Australia, Canada, New Zealand, the United Kingdom, the United States, France, Russia, and China, as corporation-states to avoid, but it would be easy enough to add to that list.

Basis for these above suggestions: The following list (updated periodically), titled "Overview of national data retention policies" http://wiki.vorratsdatenspeicherung.de/Transposition

df-cryptostorm commented 8 years ago

Regarding the voodoo network, while it sounds pretty complicated (and it is, server-side), it's designed to work the same way a normal CS session would via OpenVPN. So a CS openvpn config will work fine with those test instances for users that like to connect to CS using OpenVPN GUI or Network Manager or plain OpenVPN at the console, provided you've got a "voodoo access token" as the normal CS tokens don't work on it because we will probably do a trial run of our v2.0 of the tokens for this. Still not sure if traditional/v1.0 tokens will ever work on the voodoo nodes. But the next CS widget (our open-source OpenVPN frontend that comes with several useful features) will have voodoo support, so it will be just as point-n-click as it's always been.

And thanks for that list! We'll definitely be looking for new servers in those locations (We've had Iceland before, we'll probably go there again, although bandwidth is pretty expensive there).

The main [only?] reason we've kept nodes in some clearly unfriendly places (like the US) is for clients that want to access geo-restricted services (netflix n such). But with this whole voodoo thing, it would allow us to put a VPS in the US for geo-restricted stuff, and because of the way voodoo works, it would protect the user much more than using a traditional core node, even more so if the core node tied to that VPS voodoo node was in a friendlier location.

ABISprotocol commented 8 years ago

It's good news to hear that a "voodoo access token" could be gotten by users who would then connect via, as you aptly put it, "OpenVPN GUI or Network Manager or plain OpenVPN at the console." A single, easy to use process (one that would allow people to access cryptostorm + voodoo), granting them access to a single file that a user could utilize just in the same way they would by using any conf / ovpn file. (The widget approach being even simpler / more feature laden.)

However, I want to clarify that I wasn't suggesting that you continue using Iceland. Quite the contrary. To be clear, any corporation-state that claims to position itself as a paragon of virtue with respect to online privacy, while declaring various forms of routine encrypted traffic to be illegal (specifically, in Iceland's case, its declaration that decentralized virtual currency use with the exception of AUR is illegal there) places Iceland, as I have pointed out in my previous comment, "squarely in the stone age as there are hundreds of decentralized virtual currencies that people happen to use and don't really care what the Icelandic Central Bank thinks."

Iceland has made no effort whatsoever to mitigate this situation and has decided to remain in the dark ages. To say that all kinds of forms of digital expression are OK online and should be protected through privacy initiatives, but to exclude literally hundreds (or as they grow in number, type, and form, thousands upon thousands) of digital currency initiatives, is a form of digital fascism.

Anyone who is wishing to avoid coming to the attention of Icelandic authorities who uses digital currencies at all (however briefly and for any purpose) therefore should avoid utilizing VPNs which carry traffic to an Iceland exit. (There is also the matter to consider that the encryption layer provided by OpenVPN ends on the VPN exit node for outgoing packets, and starts on the VPN servers for your incoming packets.)

Digital currency use is only growing (see: http://coinmarketcap.com/ ~ http://mapofcoins.com/) and, in my view, I think Cryptostorm should seriously make a business decision about whether or not to continue having Iceland as a location. In light of Iceland's current policy, which is to say the least profoundly unfriendly towards users of modern decentralized, distributed cryptocurrencies, I suggest that Cryptostorm at the very least consider ending its connection(s) with Iceland until Iceland's policy towards cryptocurrency users changes.

I realize that I am in a very tiny minority in making such critiques, but I feel compelled nonetheless.

Thanks for reading.

ABISprotocol commented 8 years ago

Though I thought that my previous comment would be my last in this issue, some recent events have led me to add some additional information. In addition to my earlier remarks on France submitted in a comment of Nov. 6, 2015, I also would like @cryptostorm/cleanvpn-ops / @cryptostorm/cs_widget-dev to take a look at recent developments in France as posted here to consider (again) re-orienting Cryptofree away from France, and to take new measures such that users of the CS widget or openvpn configs / confs will no longer have the Paris exitnode (cstorm_linux_paris_1-4.conf).

Thank you for your consideration of these suggestions.

df-cryptostorm commented 8 years ago

Sorry, I was half-asleep when I commented last, so I quickly skimmed through your country list, and incorrectly assumed you were suggesting Iceland would be a good place for a VPN to have servers in.

After actually reading the list, I would like to reiterate my views on data retention laws. From my perspective, the laws are irrelevant since hackers (or agencies) can and do illegally implement their own version of data retention across the globe. For example, if a country like Pakistan suddenly enacted some sort of privacy laws (heh) where it would be illegal for any company/agency there to record phone calls, internet traffic, etc., I can guarantee you that some agency (or group of bored hackers, or both) somewhere is sitting on rootkits installed in the major telecom/ISP providers in Pakistan and sending traffic somewhere else where it can be analyzed later. I've seen this with the popular brain.net.pk provider, where a friend gained more access than she was supposed to have (which was none), and she noticed at least 3 other rootkits on that system (and several systems near that one). 2 of them were simple(ish) backdoors that some hackers probably installed to retain access, but at least 1 of them was actively sending all VoIP traffic to a remote server nearby, probably other traffic too.

Just food for thought :-)

Oh and regarding Cryptofree and France, the only real reason we have those servers in France is because a dedicated server there is so cheap (cheaper than most VPSes) and we really don't want to spend a lot of money on a free service. It should suffice for anyone wanting to check out the basic service (no transparent .onion/.i2p/etc. on cryptofree), but everyone should be aware that any plaintext traffic leaving those servers is observable from anyone that has access to any hop/router between the server and the thing you're connecting to. The same applies to any other VPN server in any location.

Though I can see how mandatory data retention is a problem even when using strong crypto (like with CS ;-d), since although the crypto is probably not breakable right now, it might be in the future and that recorded incoming traffic (from the perspective of the Cryptofree server) could be later cracked. But for the reasons I mentioned above, I find it better to assume all ISPs are doing it, legally or otherwise.

df-cryptostorm commented 8 years ago

Also, regarding Iceland, we haven't had a dedicated server (node) there in a while (almost a year I think). We do have an Iceland VPS though from edis.at for voodoo. That one's got an entry/core node in Moldova (5.154.191.26 for win, 5.154.191.27 for nix) so when people tell their OpenVPN client to connect to one of those two IPs, they'll get an Iceland IP (151.236.24.12 for win, 151.236.24.85 for nix). Because of the way voodoo works, anyone sniffing that Iceland VPS will only be able to see the IPs of the Moldova server and not any client IPs. They will be able to see outgoing traffic though, if it's plaintext (or weak SSL/TLS).

ABISprotocol commented 8 years ago

@df-cryptostorm This issue should be re-opened again (I know it seems like it is good and done), but, in light of the fact that the French parliament has just voted on an amendment to jail tech execs who refuse to decrypt data, I just really don't think that you should have that French server anymore. The aforementioned French amendment is not law yet, but there are no real obstacles to its passage. Cryptofree should have its server in another country, and I'd recommend ditching any CS servers you have in France actually. There are just better places to do business / server placement that don't put you, server administrators / companies that manage them, or customers / users at (as much) risk.

ABISprotocol commented 8 years ago

@df-cryptostorm Once again, it seems that this issue should be re-opened. For reasons, please see previous comments in this thread and the recent announcement from a VPN provider who has opted to discontinue Russian presence due to new internet law and seizure of servers: https://www.privateinternetaccess.com/forum/discussion/21779/we-are-removing-our-russian-presence