"Show me all the VPN startups in country X, and give me
the data so I can decrypt and discover users."
Can someone explain this bit to me please? I read this as:
1) The NSA have a list of companies (grouped by country),
which analysts can 'target' for further inspection.
2) The NSA can 'decrypt' that encrypted data.
3) The NSA can 'discover' users.
2) and 3) are weird and scary. This suggests that VPN traffic is not secure at all. It also suggests that they can target specific users exiting at that VPN provider. There is nothing stated about restrictions on particular VPN protocols, suggesting that all are decryptable. Hence, OpenVPN could be also as vulnerable as PPTP and L2TP/IPSEC.
To me this suggests that VPN's provide no privacy value against NSA spying.
How have other people interpreted this slide?
@thepackrat comments suggested that:
"By VPN startups, they mean initiation of a VPN session.
Specifically, this means they can grab the credentials
at the beginning of a PPTP VPN session, and then decrypt
it. PPTP has been known to be vulnerable to this sort of
attack for some time."
It still isn't clear which types on VPN are vulnerable and which are safe. Based on the fact that the slides didn't specify VPN protocols that we all know are vulnerable (i.e. PPTP), one has to assume that they all possibly are.
Here is another possibility:
- The NSA might just have 'catch all' filters where
VPN's exit.
- Using the data from this you could match up traffic
which leak the user's identity.
- Hence, I use a VPN that exits in London. I have
specific browser signatures that can help to isolate
my traffic.
- I visit Facebook using that VPN. That action has now
leaked my identity. I now start searching for how to
make a pressure cooker bomb. Bam, you're on the
'potential terrorist' list and identified via your
matched traffic.
1 comment
[ 36.3 ms ] story [ 672 ms ] threadTo me this suggests that VPN's provide no privacy value against NSA spying.
How have other people interpreted this slide?
@thepackrat comments suggested that:
(https://news.ycombinator.com/item?id=6148869)It still isn't clear which types on VPN are vulnerable and which are safe. Based on the fact that the slides didn't specify VPN protocols that we all know are vulnerable (i.e. PPTP), one has to assume that they all possibly are.
Here is another possibility: