
Question: VPN Security

MrEpix

I am curious as to whether the "security" provided by a paid VPN service, only in terms of hiding the IP addresses you visit from your ISP, is granted due to multiple people using the same server. For example, if I use VPN (Whatever) running out of a US server, and both my device and the server use the same ISP, I'd then imagine tracking the host connecting to ip:whatever and that server connecting to ip:whatever would make tracking fairly easy. However, I'd guess this ease is lost due to possibly thousands of people being connected to said server, so traffic can't be as easily correlated.

If this is true, and your goal in using a VPN is to hide the sites you visit from your ISP, is there any option other than using paid VPN services? If I wanted to set up my own VPN running out of a paid online computer hosting service, and the ISPs are the same, or different and happen to communicate with each other, I feel it would then not be a viable option. I am also aware some of these services are not US-based, but I don't feel there is a legitimate way of knowing whether the two ISPs would share data with each other if requested.

I am also aware that the HTTPS protocol includes encrypting the actual data between you and the site; I am again simply referring to removing an ISP's ability to see which IPs you are interacting with.
 
Your ISP only knows about the traffic that comes across it and where it came from. They don't try to trace and backtrack any traffic beyond what they need to send it to the next hop. So with a VPN, either paid or one you make yourself, your ISP would only see traffic coming from the IP of the VPN server and nothing else. A VPN is encrypted, so they have no idea what the data is, only that it came from a specific IP address.

They do not have any reason to try and figure out what you are doing. Now if you are doing something illegal, then the VPN service can be contacted and they can and will connect you to your traffic. It happens all the time. Many VPNs, if you look at their descriptions, claim "no logs", which means they do not keep any browsing data history and would not be able to provide anything to law enforcement. But that is not really true, and many cases have shown that they can still figure out who did what even with little log data.

But none of that is important if your only goal is to keep your local ISP from seeing what sites you visit.

Do note that encrypting traffic will hide what is contained, but the header info stays unencrypted and visible to everyone. It has to be that way. You can't mail a letter with no address on it! Same with internet traffic: it has to have the address on the outside so routers know where to send it.

I have my own VPN server on a cloud service like you mentioned. It is easy to do and I know that I am not keeping any logs :) Trouble is, though, that when I turn it on to use it, the cloud service has to assign me a public IP address. They keep logs of who had what address and when. So if law enforcement contacted them asking who had some IP at 5 pm last Saturday, they'd be able to tell them it was me, since my account had that IP assigned at that time.

I don't know what your concern is and/or what you are trying to hide from your ISP, but it's not hard to do; in the end you just shift who has your browsing history from your ISP to the VPN provider.

Second side note: you should change your DNS from your ISP-provided one to a public one. Your ISP uses the DNS records as well to know what you are doing, so swapping it to maybe 1.1.1.1 or another public encrypted DNS server takes that data away from your ISP as well.
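Added example, not part of any post in this thread: the "address on the outside of the envelope" point above, shown as bytes. A packet from the browser (tunnel address to web site) is encrypted whole and wrapped in an outer IPv4 header addressed to the VPN server, and a tap at the ISP can only parse that outer header. The cipher is a toy keystream (HMAC-SHA256 in counter mode) so it runs on the Python standard library; a real tunnel uses an AEAD such as AES-GCM or ChaCha20-Poly1305. All addresses come from the RFC 5737 documentation ranges and are constructed for the demo.

```python
"""
Added example (not from any post in this thread): what an ISP tap sees
for one VPN-tunnelled packet.  The inner IPv4 header (tunnel address ->
web site) is encrypted; only the outer header (client -> VPN server) is
readable on the wire.

Assumptions: toy keystream cipher (HMAC-SHA256, counter mode) instead of
a real AEAD; all addresses are constructed RFC 5737 documentation values.
"""
import hashlib
import hmac
import ipaddress
import struct

CLIENT_PUBLIC_IP = "203.0.113.10"   # constructed: customer's ISP-assigned address
VPN_SERVER_IP = "198.51.100.5"      # constructed: the VPN endpoint
TUNNEL_IP = "10.8.0.2"              # constructed: client's address inside the tunnel
WEBSITE_IP = "192.0.2.80"           # constructed: the site actually being visited

KEY = hashlib.sha256(b"constructed demo key, never reuse").digest()
NONCE = b"demonce1"                 # 8 bytes; a real tunnel never repeats a nonce per key

IPV4_FMT = "!BBHHHBBH4s4s"          # 20-byte header without options


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal IPv4 header. Checksum is left 0: enough for a parsing demo."""
    return struct.pack(
        IPV4_FMT,
        0x45,                       # version 4, IHL 5 (20 bytes)
        0,                          # DSCP/ECN
        20 + payload_len,           # total length
        0, 0,                       # identification, flags/fragment offset
        64,                         # TTL
        proto,                      # 6 = TCP, 17 = UDP
        0,                          # header checksum (not computed here)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def parse_ipv4(pkt):
    """Read (src, dst, proto) from a header, exactly as a router or ISP tap does."""
    f = struct.unpack(IPV4_FMT, pkt[:20])
    return (str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])), f[6])


def toy_keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks. Toy only: no integrity."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def build_inner_packet(tls_record):
    """The packet the browser produced: tunnel IP -> web site, TCP."""
    return ipv4_header(TUNNEL_IP, WEBSITE_IP, 6, len(tls_record)) + tls_record


def tunnel(inner_packet):
    """Client side: encrypt the whole inner packet, wrap it in an outer header."""
    body = NONCE + toy_keystream_xor(KEY, NONCE, inner_packet)
    return ipv4_header(CLIENT_PUBLIC_IP, VPN_SERVER_IP, 17, len(body)) + body


def untunnel(outer_packet):
    """VPN server side: strip the outer header, decrypt, recover the inner packet."""
    body = outer_packet[20:]
    nonce, ciphertext = body[:8], body[8:]
    return toy_keystream_xor(KEY, nonce, ciphertext)


def isp_view(outer_packet):
    """Everything the ISP's flow log can record: the outer header only."""
    return parse_ipv4(outer_packet)


def website_ip_leaks(outer_packet):
    """True if the real destination appears in the clear anywhere past the outer header."""
    return ipaddress.IPv4Address(WEBSITE_IP).packed in outer_packet[20:]


def demo():
    inner = build_inner_packet(b"\x16\x03\x03\x00\x40" + b"\x00" * 64)  # constructed TLS record stub
    outer = tunnel(inner)
    return {
        "isp_sees": isp_view(outer),                      # ('203.0.113.10', '198.51.100.5', 17)
        "website_ip_leaks": website_ip_leaks(outer),      # False
        "vpn_server_sees": parse_ipv4(untunnel(outer)),   # ('10.8.0.2', '192.0.2.80', 6)
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the ISP's record is the client address, the VPN server address and "UDP", while the VPN server, after decrypting, is the first party that can read the web site's address.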
 
It's not that I'm necessarily trying to hide info from my ISP, as I personally don't care and don't have need for a VPN; I am just curious. I also understand an ISP more than likely isn't going to attempt to track traffic, and at a surface level they wouldn't see anything other than you sending encrypted data between yourself and the server. I am however interested in computer-related security, and it's more the idea of whether they can rather than whether they necessarily would. From my previous point, assuming they wanted to, I again wonder if there are any solutions for preventing ISPs from tracking the IPs you interact with other than a widely used VPN company (assuming true no logging). This is if, for one reason or another, they wanted to actively track what you interact with for 'x' reason.

In relation to your VPN service, assuming the cloud service didn't keep logs of who accessed the public IP assigned for you to connect, I still wonder if both you and the service sharing the same ISP could easily lead to your activity, in terms of what you interact with, being tracked. I am not very fond of any ISP companies personally, and in learning a bit more while trying to gain a CompTIA certification, it was a question that came to mind.

Also regarding the DNS, I currently use Cloudflare's 1.1.1.1 service in the hopes it may be slightly faster and perhaps slightly more secure, but again, I don't have a current concern with my ISP accessing what sites I am visiting and don't need the location masking provided by a VPN, that being about the only utility I could see in using one.

It would seem to me that, by the very nature of how NICs send information, with packets always including the host IP and recipient IP as is obviously necessary, true security in this sense would only come from multiple users sharing the same server. This still would pose possible security risks, such as the possibility of tracking through packet sizes, times certain things were accessed, etc., but it seems to me that's the only option to get as close as possible to avoiding ISP tracking.

This is all within the scope of leaving out things like using TAILS on a random computer to obtain as much anonymity as possible, as that is a bit too intensive for my question and not always practical.
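Added example, not part of any post in this thread, on the DNS side note raised above: why a plain UDP/53 lookup hands the ISP the hostname even when the HTTPS session that follows is encrypted. It builds a standard DNS query and then parses the question section the way a passive tap on port 53 would; a query sent over DoT (853) or DoH (443) to 1.1.1.1 instead exposes only the resolver's address. The query name and transaction ID are constructed for the demo.

```python
"""
Added example (not from any post in this thread): a plaintext DNS query
as the ISP's port-53 tap sees it.  Builds a query in wire format and
extracts the queried name back out of the bytes.  Name and transaction
ID below are constructed.
"""
import struct


def encode_qname(name):
    """Wire format: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Minimal recursive A query: 12-byte header with RD=1, QDCOUNT=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def extract_qnames(msg):
    """Read every question name from a DNS message, as a passive tap would."""
    _txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    pos, names = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            n = msg[pos]
            if n == 0:                       # end of name
                pos += 1
                break
            if n & 0xC0 == 0xC0:             # compression pointer: not valid in a query's question
                raise ValueError("compressed name in question section")
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        pos += 4                             # skip QTYPE and QCLASS
        names.append(".".join(labels))
    return names


def tap(dst_port, payload):
    """What an on-path observer learns from one datagram to a resolver:
    names in the clear on 53, nothing beyond the resolver address on 853/443."""
    if dst_port == 53:
        return extract_qnames(payload)
    return []


if __name__ == "__main__":
    q = build_query("www.example.com")       # constructed lookup
    print("udp/53 tap sees :", tap(53, q))   # ['www.example.com']
    print("DoT/DoH tap sees:", tap(853, q))  # []
```

The parser is deliberately strict about compression pointers: a query's question section never uses them, and a tap that followed pointers blindly could be pushed out of bounds by a crafted packet.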
 
For the really paranoid, or people doing illegal stuff where a government agency might be after them, they use things like Tor networks that have multiple layers of VPN.

In general an ISP doesn't really care what you are doing unless some lawyer or law enforcement forces them to. Some ISPs would monitor traffic for, say, advertising reasons, but if you hide it inside a VPN they are not then going to take the next step to try to figure out which traffic coming out of a VPN matches the traffic going in. It gets even more unlikely when there are multiple ISPs involved.

Now if you lived in, say, China or a couple of countries in the Middle East, then you can assume the governments will attempt to force ISPs to track data. Still, all, say, China can do is block access to a VPN provider that is in a different country. Most VPN providers pulled out of India when they changed the laws and required tracking, but that was only for the data centers residing inside the country.
Many VPN providers host data centers where it is much harder for governments to force compliance. It is pretty easy to prevent access to data when they really do not log the data and there is no way for the government to force them to log the data.
 
Your ISP can see where packets are heading, so they know what you are visiting. But using a VPN hides the true destination. So yes, they can log that VPN server IP as a site you use, but they cannot see the ultimate destination of the traffic. So yeah, it is easy to hide it from the ISP.

They can't see inside the packet for the true header, since that piece is encrypted by the VPN and is only decrypted when it gets to the VPN server to continue on its path. Your ISP has no way to follow the traffic once it reaches what it believes is the destination. It just does not work that way.

This is why, when someone starts looking into a person's habits, they have to work backward from the site visited, hoping to get to the user. It would lead to the VPN server from the site visited. If the server kept no logs of who is using what and when, then it would be a dead end and they'd get no further. But since even timestamps can be used to figure out who and when, even a true no-log VPN would still give up some info. No way around it.

As for the cloud service, when I am given a public IP, I am the only one using it at that time. No one else can have it until I am done with it. The cloud service can easily keep track of who and when, since it is not a shared IP address; one person gets it at a time. They may not keep any logs, to avoid having to hand over the data, but from what I have seen there are still subtle ways to figure out who was using what and when. It's not talked about much, but here and there you see reports of folks tracked down despite all the precautions.

Even Tor was broken (anyone remember Silk Road?) and multiple people and sites were shut down and folks arrested for illegal activity.

It all boils down to the fact that some info has to stay out in the open for the traffic to flow from point A to point B. This little bit of info can be very useful if you really know what you are doing. :) But to most of the world, it is not hard to be "hidden". It's just that last small % that knows how to work the system that can and will find you if they really want to.

The certs are great to get and can help land that first job. I suggest starting with Net+, since that is the basis for how networking and traffic flow starts. Once you have those basics down, then the Security+ or other certs come into play. But they each depend on your strong understanding of how networking works in general. Headers and routing and those basics are what you manipulate for security purposes and other uses. Start with getting a firm grasp on what we are talking about here and the rest of the Net+ topics.

CCNA is also a good cert to look at. That's more local networking with routers and switches. I found it easy with some practice and I passed the test with no extra studying beyond what we did in class. It has changed some now, with scripting being added in, but the fundamentals are still the same. I did that one after Net+.
 
I'm thinking in terms of, say, the ISP would clearly have access to <ip1> talking to <ip2> (the VPN server). I understand the communications between these two IPs, headers, final destination, etc. are encrypted and unviewable. However, let's say <ip2> accesses the internet through the same ISP. They could see that at, let's say, 10am <ip1> requested encrypted data from <ip2>, then immediately after, <ip2> accessed "whatever website". If I was the only IP accessing that server, tracking in my mind would be very easy, as somewhere downstream in the process any ISP has to provide the information for the site being accessed to someone. This is why I assume the only level of prevention in this relies on many IPs speaking to <ip2> at a given time.

So, my main thought was whether there are methods that exist in which you could host your own VPN while preventing this possible tracking. This would then, however, allow them, assuming the ISP has access and the ability to see the traffic on both ends, to easily correlate <ip1> accessing <ip2>, then <ip2> accessing 'website'.

As a side note, this started from my interest in how, with the basically infinite combinations provided by IPv6, the ISP is given a list of headers and assigns one to you. While I completely understand the necessity of this so as to have a truly distinct public address, I have always disliked the necessity of ISPs and the power which they hold, although majorly unused. While this is of course the foundation of the Internet working as a whole, I wish there were relatively 'foolproof' solutions that didn't involve nuclear options like TAILS and expert OPSEC. Privacy I feel is majorly important, and these, I suppose necessary, gaps in it I find bothersome, although pointless in relation to my specific question as there doesn't seem to be other options.

I want to add that I understand this is a very basic level of tracking and relatively pointless in the grand scheme of tracking methods such as those used by ad companies; it's just something I was thinking about, and I don't really have anyone to BS with about topics like this lol.

-had to make many edits, I don't know how this post got so messed up.
 
Oh ok, I see what you are saying now.

I guess if both you and the VPN server were under the same ISP provider, they could put 2 and 2 together to get the bigger picture if they wanted to. Never really thought about it like that. It is an interesting thought experiment if nothing else.

Not sure how you'd go about preventing it from happening other than adding a second layer on top of the VPN. You know, like you hear on TV: "he's behind 7 proxies!!" lol

I assume if you chose a server out of the country it is unlikely you'd run into this specific scenario, since I don't believe ISPs are international :)

I use European servers from the cloud service for my VPN when I fire it up, though I could use many other places if I wanted to. My dad wanted a VPN so I got him a paid one and I piggyback off of it as well. So I use both worlds at times. Never tried running the paid one to my private one as a second layer. Would be easy to do, but I don't really need it. Could be fun though, just to say I did it once.
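Added example, not part of any post in this thread: the same-ISP "put 2 and 2 together" scenario from the two posts above, run as code. An observer that sees both the client-to-VPN leg and the VPN-to-site leg pairs flows by start time and byte count. With one user on a self-hosted server every outbound flow is attributable; with several users whose small requests overlap, those become ambiguous, while an unusually large transfer still stands out even in the crowd. All flows, addresses, timings and the matching thresholds are constructed for the demo.

```python
"""
Added example (not from any post in this thread): time/size correlation
by an observer who sees both sides of a VPN server.  Flows, addresses,
timings and thresholds are all constructed.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "t src dst nbytes")   # start time (s), addresses, bytes sent

VPN = "198.51.100.5"                            # constructed VPN server address


def correlate(inbound, outbound, max_delay=0.05, size_tol=0.10, overhead=64):
    """For each VPN -> site flow, list the client -> VPN flows that could have caused
    it: started at most max_delay seconds earlier and of similar size once tunnel
    overhead (extra headers, allowed for as `overhead` bytes) is taken into account."""
    matches = {}
    for o in outbound:
        cands = {
            i.src for i in inbound
            if 0 <= o.t - i.t <= max_delay
            and abs(i.nbytes - o.nbytes) <= size_tol * o.nbytes + overhead
        }
        matches[(o.dst, o.t)] = sorted(cands)
    return matches


def attributable(matches):
    """Destinations the observer can pin to exactly one client address."""
    return {dst: c[0] for (dst, _t), c in matches.items() if len(c) == 1}


# Scenario A: a self-hosted VPN with a single user.
SINGLE_IN = [Flow(10.000, "203.0.113.10", VPN, 1400),
             Flow(10.500, "203.0.113.10", VPN, 52000)]
SINGLE_OUT = [Flow(10.012, VPN, "192.0.2.80", 1340),
              Flow(10.511, VPN, "192.0.2.44", 51900)]

# Scenario B: three users on the same server, similar small requests at once,
# plus one large download that only one of them made.
SHARED_IN = [Flow(10.000, "203.0.113.10", VPN, 1400),
             Flow(10.004, "203.0.113.22", VPN, 1380),
             Flow(10.009, "203.0.113.31", VPN, 1420),
             Flow(10.500, "203.0.113.22", VPN, 52000)]
SHARED_OUT = [Flow(10.012, VPN, "192.0.2.80", 1340),
              Flow(10.015, VPN, "192.0.2.99", 1330),
              Flow(10.018, VPN, "192.0.2.10", 1360),
              Flow(10.511, VPN, "192.0.2.44", 51900)]


def scenario_single():
    """Both sites end up pinned to the one client."""
    return attributable(correlate(SINGLE_IN, SINGLE_OUT))


def scenario_shared():
    """The three small requests are ambiguous; the big download is still pinned."""
    return attributable(correlate(SHARED_IN, SHARED_OUT))


if __name__ == "__main__":
    print("single user  :", scenario_single())
    print("shared server:", scenario_shared())
```

The thresholds are loose on purpose; a real observer has far more to work with (per-packet timing, TLS record sizes, long-lived sessions), so sharing a server raises the cost of correlation but does not remove it.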
 
Yeah, I didn't really conceive a way to do it; it was just a thought of mine. Ultimately, depending on how intensive they wanted to be, and assuming all internet providers were willing to share info with each other, it seems anything could be tracked back eventually following said trail.

I wish there was a way to have a public IP address that didn't completely depend on a company managing at least some of it. You can't trust people not to use the same address as someone else, but a system that mayhaps let users choose an IP and somehow checked to ensure it's not in use would be neat. This is impossible with IPv4, and I feel I won't live to see a full implementation of IPv6, but I feel some system like this could be possible with IPv6.

Currently I'm just about finished with the CompTIA book by Mike Meyers to pass the 1001 and 1002 exams. I'm paid well in my current job but it's far from my passion as I enjoy all things technological. I'm hoping to move into a Security Architect position after many years of dedication and becoming more versed in these various fields. Ideally I can land a job in something tied to what I enjoy after I start to rack up a few of these certs.
 
Unfortunately, that company is the entity that installs and maintains the physical wires, among other things.
Very true. I like to imagine a system where IP addresses were delegated by a public forum, perhaps like the Bitcoin ledger, rather than an internet committee that delegates them out. With the ultimate number of possible combinations provided by IPv6 it seems possible, although extremely unlikely. There is also no incentive to properly maintain this imaginary database either. ISPs could still maintain wires and profits without delegating out addresses, as that doesn't serve to benefit them. This is computers and not physical addresses after all, so I think more user-focused and privacy-enhanced methods would be a good benefit to everyone.

Thinking more on it now, I suppose a public database of every active IP address would probably cause some security concerns as well lol. Wishful thinking on a system that limits some ISP power without removing them as a whole, as someone has to maintain connections.
 
There is indeed security, especially if it's a "no log" ISP that pipes connection logs to /dev/null. Fundamentally we have to understand that in pretty much every first world nation the ISPs are required, by various laws, to record every communication and be able to present those recordings to the Government upon request. Now "metadata" profiling and selling has become a huge market and more and more entities are looking to mine that pile for profit; this is why Microsoft has shoved so much spyware into recent versions of Windows and why your ISP is definitely keeping track of what you do and selling the metadata off to anyone willing to pay.

What VPNs do is move the internet connection side of the traffic from your ISP's endpoint to their own endpoint; your ISP just sees a ton of encrypted traffic to the VPN provider, while the VPN provider would be the entity seeing the rest. Now if the VPN provider is also storing all the communications and mining the data, then you didn't really solve anything, but if the provider is a "no log" provider, then there are no records to provide or data to mine. They will charge a premium for this service, which I feel is worth it if you are bothering to use a VPN in the first place.

And before anyone asks, setting up a "no log" VPN is trivial: you just route the connection logs to /dev/null or to /var/tmp and have it overwrite every hour or so. That is a scratch file system in memory that isn't persisted after reboot.