I contacted Proton VPN about the TunnelVision exploit and I got a response. I feel great about it, thank you Proton!

Hi,

Thank you for your patience.

Our engineers have conducted a thorough analysis of this threat, reconstructed it experimentally, and tested it on Proton VPN. Please note that the attack can only be carried out if the local network itself is compromised.

Regardless, we’re working on a fix for our Linux application that will provide full protection against it, and it’ll be released as soon as possible.

If there’s anything else that I can help you with in the meantime, please feel free to let me know.

Have a nice day!

    • ryannathans@aussie.zone
      link
      fedilink
      English
      arrow-up
      24
      arrow-down
      1
      ·
      edit-2
      8 months ago

      To be fair if you used it on a public network like an airport or restaurant… yeah

      • 4am@lemm.ee
        link
        fedilink
        English
        arrow-up
        23
        ·
        8 months ago

        Yeah, it’s kind of incredible the responses I see to this story that are like “bro if they got as far as planting a rogue DHCP server on your network you were already owned anyway, yawn”

        Like, you do realize people use VPNs over unsecured WiFi all the time right? That’s one of the primary use cases. You can’t guarantee every network hasn’t been compromised.

        Armchair netsec quarterbacks need to get out more.

        • gencha@lemm.ee
          link
          fedilink
          English
          arrow-up
          7
          ·
          8 months ago

          If I learned one thing from TunnelVision, it’s how blindly people are operating right now. If you open a VPN tunnel, also ensure traffic is actually routed through it, especially if you don’t control the network. Adding a tunnel on top of the insecure network also does not protect your client from other malicious clients on that network. I feel like people have seen one too many VPN snake oil salesman on social media.

        • Socsa@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          I am skeptical of this being viable on public Wi-Fi tbh. You’d need to know ahead of time which VPN servers the target will attempt to contact, some information about the target ahead of time, and you need to DHCP poison the entire network prior to the target connecting. That would effectively bring down the network for all but two hosts - the attacker and target.

          I mean at that point, you can also just repeatedly deauth the target until it connects to your spoofed network and do whatever you want, and it would be way less obvious to an outside observer.

        • BarbecueCowboy@kbin.social
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          I think it’s because lot of us have been just kind of over-exposed to things like this. It’s like, yes, I’d imagine you could do a lot of interesting stuff if you’ve already compromised everything else first, thanks pen test. This one is not quite at that level, but I think we’re all just exhausted with similar ones, ya know.

        • The Uncanny Observer@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          11
          ·
          8 months ago

          I suppose you have a degree in it, then? What was your major, what qualifications do you have that make you more than an “armchair netsec quarterback”? Obviously you must have years of experience in the field, no?

          Many people who travel for work are explicitly banned from using public networks to connect in the first place. I know every corporation I’ve worked at has expressly forbidden it if we are accessing confidential data. With the ability of all modern phones to share their internet connection with PCs they are connected to through USB, there shouldn’t be many circumstances where you are forced to use public WiFi unless you specifically want to use an unsecured network for some reason.

          Of course, many people accessing corporate data on the go will be using SSH, and a bad actor using TunnelVision can’t read that encrypted data any easier than anyone else, as the exploit breaks only the VPN encapsulation, according to the CVE.

          You did read the CVE, correct? You are, after all, not an armchair netsec quarterback.

          • atzanteol@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            2
            ·
            8 months ago

            Your derogatory tone and little-dick energy is hilariously over-the-top and just completely unwarranted. Go big or go home eh?

            • The Uncanny Observer@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              2
              ·
              8 months ago

              Why would I have any desire to be nice to somebody tossing around insults? Especially some random idiot on the internet? When I talk to people, they get one chance to not be a dick. After that, fuck them, and I’ll piss in their bean curd all I want. And if that bothers you, then fuck off?

          • 4am@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            2
            ·
            8 months ago

            Not a fucking thing you said matters if the exploit still exists because it can be used to get someone, somewhere.

            corporate policy

            Oh, there’s an air-tight solution. Let’s rely on everyone doing exactly the right thing every time, especially those nontechnical people. That never goes wrong.

            obviously you have years of experience in the field

            Not at all, but when there is a fucking CVE about it, blowharding about “eh it’s not really a big deal guy, trust me I know better” kinda makes me question the blowhard’s experience. I think I’ll go with the CVE and say that yeah, this is an issue that needs to be addressed.

            Also did you think my comment was a direct reply to yours? Have you not seen the multitude of other comments in other threads just writing this off like as if it can be ignored entirely? Yours, while flippant, was not even the worst of the bunch.

      • The Uncanny Observer@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        5
        ·
        8 months ago

        You will likely never run into any circumstances where the only option you have is to use public WiFi. You don’t even need to use WiFi at all to tether your phone to a PC, the charging cable will allow you to share your mobile data.

        • runswithjedi@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          The exploit is possible because the local network may have a rogue DHCP server overwriting IP routes. If you’re on a mobile network, they are the local network. TunnelVision means a mobile carrier can spy on your VPN traffic now. Unless you run Android.

          • The Uncanny Observer@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            2
            ·
            8 months ago

            Right, which is why most jobs use SSH to access remote data, especially any jobs in the tech sector. VPNs hide your geolocation, they don’t make your data private. This idea that VPNs are some kind of privacy tool is propaganda by VPN companies. You don’t need a VPN except in very specific situations, and any other time you’re just slowing down your connection.