Research on key VPN vulnerabilities recognized with USENIX Internet Defense Prize, Best Paper Award

The study authored by Prof. Roya Ensafi's lab found that network administrators, like ISPs and governments, could easily detect and block the use of VPNs on a large scale.
VPNs are a popular tool for users to access content banned in their region or to keep their browser activity private. Research indicates that popular providers fall short of these promises. | Dan Nelson, Creative Commons

A study casting light on the vulnerability of VPN users to identification and interception by governments and internet service providers (ISPs) has been recognized twice at the USENIX Security Symposium for its contributions to the protection and defense of the internet. The study, titled “OpenVPN is Open to VPN Fingerprinting,” received both a Best Paper Award and first place in the USENIX/Meta Internet Defense Prize at the August 10, 2022 event.

The project, led by assistant professor Roya Ensafi and doctoral student Diwen Xue at the University of Michigan, explores how accurate user expectations are when they turn to popular virtual private networks (VPNs) to protect their privacy and circumvent a variety of access-blocking techniques. They looked in particular at OpenVPN, the most widely used VPN protocol. Tools like OpenVPN have recently drawn booming user bases in response to network data collection practices, region-based content blocking, and online censorship.

As it turns out, the researchers found, VPNs are far from a magic bullet for masking browser activity and accessing blocked content.

“We conclude that tracking and blocking the use of OpenVPN, even with most current obfuscation methods, is straightforward and within the reach of any ISP or network operator,” the team writes in their paper.

To make this determination, the researchers played the role of an attacker who controls the network. They used a detection framework inspired by the design of the Great Firewall of China, consisting of a two-step passive filter followed by an active prober. Destination probing is the decisive phase of any attempt at content blocking, as it gives the network administrator specific details about the addresses a user is attempting to reach. OpenVPN, for its part, has mechanisms in place that are intended to impede such fingerprinting attempts.

The team’s configuration was able to accurately “fingerprint” over 85% of OpenVPN browser requests, “with only negligible false positives.”

“This suggests that OpenVPN-based services can be effectively blocked with very little collateral damage,” they write.

Despite OpenVPN’s countermeasures designed to prevent active probing and passive filtering, the team’s framework successfully identified connections to 34 out of 41 “obfuscated” VPN configurations. To do so, their two-step process was designed to elicit protocol-specific behaviors. Some of the telltale signs the team looked for included an OpenVPN packet header that exhibits unique, fingerprintable patterns, and additional packets sent by the VPN as it performs an encryption handshake. If the passive filter catches either of these features in a message, the prober opens an unauthenticated connection to the suspected VPN server and watches for a particular connection-dropping behavior unique to OpenVPN. Once this behavior is observed, the VPN user can be confidently identified and blocked.

The probe’s high degree of accuracy calls into question the privacy and counter-censorship promises VPN providers make to users around the world.

“ISPs and government censors are motivated to detect OpenVPN flows in order to enforce traffic policies and information controls,” the team writes. They also note that, given this, continued use of VPNs in the face of potential detection can even prove dangerous.

To counter the techniques they discovered, the team advises VPN providers to consider three short-term solutions: physically separating servers that provide additional obfuscation services from their vanilla servers, randomizing the padding the providers use in their obfuscation services, and modernizing their approach to responding to failed handshakes.

These will only prove effective as short-term fixes, they caution, and more work will need to be done if private browsing is to be achieved without detection.

“In the longer term,” the researchers write, “we urge commercial VPN providers to be more transparent about their obfuscation approaches and to adopt more principled detection countermeasures, such as those developed in censorship circumvention research.”

The paper was authored by Diwen Xue, Reethika Ramesh, and Arham Jain, University of Michigan; Michalis Kallitsis, Merit Network, Inc.; J. Alex Halderman, University of Michigan; Jedidiah R. Crandall, Arizona State University/Breakpointing Bad; and Roya Ensafi, University of Michigan. It was published in the Proceedings of the 31st USENIX Security Symposium.