Is it possible to identify a VPN user by finding relations in traffic?

  • If I am using a VPN service to protect my identity, can my traffic be used to identify all my traffic?

    For example, if I am accessing two services:

    1. Some service A, where I do not leave any identifying information.
    2. My personal E-Mail account.

    Can someone find a relation between (1) and (2), such that he will be able to tell that both are accessed by the same person?

    Naively I would think that it is impossible and someone would at most be able to tell that I am using a VPN provider to access my E-Mails, without knowing about (1).

    But perhaps my computer, browser or something else leaves some kind of signature in the data, which would enable someone to find a relation?

    It's difficult to answer this question with 100% certainty... without knowing additional details about the type of VPN. In the most common VPN technologies (IPsec+L2TP, PPTP, OpenVPN, etc.), the default behavior is that ALL traffic is routed through your VPN gateway... meaning that ALL traffic generated by your workstation appears to come from the remote network. So, accessing your email or accessing work-related stuff is all the same thing. Some VPN technologies only route connections to a very specific application (sslvpn) to the remote network. Some config options can change all.

    While not directly VPN related, encrypted traffic can be statistically analysed to identify the type. Theoretically, you could link traffic patterns and behaviours in this way (adjusted for encryption overhead). This link: is from a uni lecturer who specialized in telecom interception. Interesting read.

    Use a prepaid debit card with no name - you can find them anywhere - and pay for the VPN with that. Use 3G internet sticks with a prepaid internet SIM inside, and charge it with cash at designated stores. That's max anonymity - even if they trace your IP - it doesn’t give them any name or address. After a while throw the SIM away and buy a new one. Does anyone see any setback with that?

    @preston - Having done radio direction finding, I can tell you it only takes minutes. And all th

    @Everett And if the dongle is modified to use a directional LTE antenna, then how long?

    @user400344 Directional antennas aren't null in the "off" direction. They are reduced. You might even be able to get down in the noise. Then it's an issue of finding you down there, isolating the frequency... And back to triangulation. You'll slow people down, but it isn't impossible. And with today's signal analysis (look at what nVidia RTX cards can do), you've only added a minute or two of work.

  • Everett (Correct answer)

    9 years ago

    This depends on whether you are worried about being convicted, or dealing with probable cause (in the U.S.).

    Let's assume that you are at home. You start up your VPN and connect to your offsite VPN provider. If I am monitoring outgoing traffic (from your house), I know that you just connected to a certain IP address, and that the IP address is a VPN provider. Everything inside the payload of the packet is encrypted.

    You then decide, while at home, to check your email. I happen to be monitoring outgoing traffic from the VPN provider (which is not encrypted). I record it all using Snort, and run Wireshark against the output. I see a connection to your email address and an email written. This may be protected by SSL if it's webmail. If it's regular email, it's likely plain text. If it's not plain text, I can try to intercept it at the receiver. The email is of no legal significance (i.e. you aren't using it to plan something unlawful). However, I make note of the fact that you confuse the use of their, there, and they're. I'll also notice a few idioms you like to use.

    Over the course of monitoring outgoing traffic I see your account write several emails. I note patterns of misspellings, and more figures of speech. I collect these over a period of a month or two.

    I then put the items that I notice into Wireshark. I add several things that you are known to say. Every time a misspelling occurs, or the use of an idiom (that you use) is found in the content of ANY packet that is outgoing from the VPN service you use, I view it.

    Given another month or two I have a lot of data points. Some are sites you went to, others are not. The first thing I do is eliminate all of the data points that exited the VPN service provider while you were NOT online (i.e. I didn't see you online from home; remember, I started by monitoring that connection).

    Then I look at the remaining traffic and see if I have any cluster points. Lots of recurring themes. Same subject matter over and over. I compare that to your unencrypted traffic, and your email.

    I haven't applied enough filters to isolate you from the noise (people that use the same idioms/spelling errors you do), but I would have a good case for probable cause. If I have enough points of reference, it is just like a fingerprint.

    Essentially I'm applying a Bayesian analysis to a corpus of work, to state something about the likelihood that I believe an exemplar to be a member of the set constructed by my suspect. The collection of works that I would compare to comes from any work that the suspect has publicly acknowledged they are responsible for. That analysis is well-known (and there's a whole statistics StackExchange site, too).

    I'll let you answer, what would I come up with at this point?

    Excellent answer. Thought provoking, too.
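The accepted answer's argument, that a VPN hides the source address but not writing style or timing, can be seen in a small model. This is an added example, not code from any poster: it drops exit traffic seen while the home tunnel was down, then scores what remains with a smoothed naive Bayes log-likelihood ratio. All texts, timestamps and function names are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample data (not from the original page).
KNOWN = [  # writing the subject has publicly acknowledged
    "their going to reply soon, at the end of the day its there problem",
    "i dont think their ready, at the end of the day its fine",
]
BACKGROUND = [  # other users' plaintext leaving the same VPN exit
    "they're going to reply soon, it's their problem",
    "i don't think they're ready but it's fine",
    "please send the report before the meeting",
]
SESSIONS = [(100, 200), (500, 600)]  # times the home-to-VPN tunnel was up
EXIT_MSGS = [  # (timestamp, text) observed at the VPN exit
    (150, "their not ready, at the end of the day its there choice"),
    (160, "they're not ready but it's their choice"),
    (300, "their late again, at the end of the day its fine"),  # tunnel down
]

def tokens(text):
    # Apostrophes are kept so "dont" and "don't" stay distinct features.
    return re.findall(r"[a-z']+", text.lower())

def train(docs):
    counts = Counter(t for d in docs for t in tokens(d))
    return counts, sum(counts.values())

def log_likelihood_ratio(text, author, background, vocab_size):
    # Sum of log P(token | author) / P(token | background), add-one smoothed.
    (a_counts, a_total), (b_counts, b_total) = author, background
    llr = 0.0
    for t in tokens(text):
        p_a = (a_counts[t] + 1) / (a_total + vocab_size)
        p_b = (b_counts[t] + 1) / (b_total + vocab_size)
        llr += math.log(p_a / p_b)
    return llr

def online_during(ts, sessions):
    return any(start <= ts <= end for start, end in sessions)

def rank_candidates(exit_msgs, sessions, known_docs, background_docs):
    author, background = train(known_docs), train(background_docs)
    vocab = len(set(author[0]) | set(background[0]))
    kept = [(ts, m) for ts, m in exit_msgs if online_during(ts, sessions)]
    scored = [(log_likelihood_ratio(m, author, background, vocab), ts, m)
              for ts, m in kept]
    return sorted(scored, reverse=True)  # positive score leans toward the subject
```

Calling `rank_candidates(EXIT_MSGS, SESSIONS, KNOWN, BACKGROUND)` returns the surviving messages ordered by score; the message at timestamp 300 is excluded by the timing filter regardless of how closely its style matches.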

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM