Comment on Youtube can detect VPNs now... the fuck?
Bennyboybumberchums@lemmy.world 2 days ago
They always could. What appears to be happening is that channels now have the option to turn on “a switch” so that content wont play if a VPN is detected. Most VPN ip addresses are well known, because they arent a secret. Everyone who uses the VPN goes through it.
If you come across the above message, its because the content creator turned it on. I had it come up with “stick to football”. Its the only thing that it comes up with. I just unsubbed and wont watch anymore. Im not turning off my VPN for anyone or anything. Id rather just go with out. I encourage all of you to do the same.
GenosseFlosse@feddit.org 2 days ago
You could probably just record the users ID an it’s IP address. IP addresses that see a lot of different user IDs are either VPNs, companies or universities.
fatalicus@lemmy.world 2 days ago
Or they are just home users behind a CGNAT, which more and more ISPs use.
And even if they aren’t, home users usually have dynamic IPs, meaning it can change.
finitebanjo@lemmy.world 2 days ago
Another thing that only very large companies can do is see the response time and compare packet size from different servers to narrow down your location, effectively defeating the VPN in a lot of cases.
Hypothetically, a specific amount of bytes gets sent to server B, response time indicates it was received 300 miles away which matches the response time of going from Server B to Server A where the user lives.
Of course it’s still important to use a VPN, if only because those big companies don’t want us to.
i_am_not_a_robot@discuss.tchncs.de 2 days ago
The latency to your VPN server is a constant added to the latency between your VPN server and whatever servers you are connected to. As long as the user’s VPN service doesn’t use different VPN servers for different destinations, it is impossible to determine the location of the user behind the VPN based on latency, and in general it is impossible to determine how far a user is from their VPN server because of varying latency introduced by the user’s own network or by bad infrastructure at the local ISP level. You can only know how far they aren’t based on the speed of light across the surface of the earth.
But, without a VPN, this is a real attack that was proven by a high school student using some quirks of Discord CDNs. Even without using Discord’s CDNs, if somebody wanted to locate web visitors using this technique, they could just rent CDN resources like nearly every big company is doing. Of course, if you have the opportunity to pull this off, you normally have the user’s IP address and don’t care about inferring the location by latency. The reason why it was notable with Discord was because the attacker was not able to obtain the victim’s IP address.
finitebanjo@lemmy.world 2 days ago
You say what I described is impossible but it’s been demonstrated by researchers such as “CPV end of VPN identify location” by AbdelRahman Abdou with the Department of Systems and Computer Engineering, Carleton University Ontario.
Furthermore, on top of that method, if a company has access to data from servers in multiple places along the chain between endpoints, then they can see that a series of packets of specific size are traveling in a specific direction, narrowing down the location of the other endpoint. A company like Amazon, whose AWS servers make up almost 30% of the internet.
Crozekiel@lemmy.zip 1 day ago
The CPV paper was not doing what you are saying, defeating a VPN by finding your real location. It is basically the opposite - if you are using a VPN to claim you are in a place, it can verify that you are not in that place. It doesn’t find your location, it can only verify you aren’t in the area you claim to be.
finitebanjo@lemmy.world 1 day ago
If you can prove where people aren’t then you can prove where they are.
Seefoo@lemmy.world 2 days ago
This…sounds a bit like bs. Can you share a more detailed writeup? At best you could get a radius, but that wouldn’t really be helpful
Crozekiel@lemmy.zip 1 day ago
They kind of have it backwards. They aren’t triangulating your location, they are taking the location your connection tells them you are and tests to see if that is correct or not by checking with known servers in an area around your claimed location. It can verify you are not where you say you are, but beyond that it can’t find you. At least, not the paper the person is mentioning - this “other method” they mention doesn’t appear to be linked to any paper or anything and might just be their personal theory, not sure.
rami@ani.social 2 days ago
I imagine they could compile large datasets of ping times and server locations and do some extrapolation. I don’t think it ever goes past a best guess but they’d have an idea (if what this person said actually happens).
finitebanjo@lemmy.world 2 days ago
Yeah there was a cool paper on Delay Response method by AbdelRahman Abdou with Department of Systems and Computer Engineering, Carleton University called “CPV: Delay-Based Location Verification for the Internet”.
The other method I mentioned, checking packet size and general direction, would require accessing data along multiple stops before reaching the other endpoint with which to compare the sizes of encrypted data packets and use that to identify what is traveling where, which either has not been demonstrated or the companies utilizing it haven’t admitted to it, yet. It’s not a stretch to think it’s happening, though, with massive companies like AWS and CloudFlare or telecom giants like AT&T.