Isn't that the main reason why consumers use a VPN?

I know you're probably just kidding, but there are lots of reasons to use a VPN.
You might want to VPN your connection if you're at a coffee shop or airport.
Your employer might want you using a VPN if you're remote-working.
I often used to use a VPN when doing web development to test a site from different locations (e.g. troubleshooting DNS propagation, or issues with a particular ISP).
Appearing in a different location than you really are (for privacy, or to access info blocked in your actual location).


As others have said, it would be problematic to silently kill existing connections when connecting to a VPN. That's certainly not the behavior I would expect. I suppose it depends on whether you use a VPN to add certain networks (such as your corporate office), or to globally route all your traffic (such as for privacy reasons). In the former case, I don't want my non-office connections to be reset.

Yeah, depending on your purpose, you might want it to work either way.
If I'm working from home, accessing the office, I might want all my personal traffic to still be from my network (vs going through the office). Or, maybe I want absolutely everything to go through the VPN, say while working at the airport.

One of my concerns with most of the iOS (or macOS) software VPNs is that the moment modern OSs detect a connection, bunches of apps and services start communicating before you could even get a VPN connection established. (Especially on one of those silly networks where you have to check some box on a web page before it starts internet service.)
 
“I feel that people need to learn about the expected behaviour of VPNs before commenting.
There’s actually two types on iOS. Split vpn and full tunnel. Split allows some stuff to be routed elsewhere. Full tunnel tunnels everything.”

Finally someone that understands that this is not a vulnerability but expected behavior. Split tunnel is the most compatible with most apps, and full tunnel will cause issues with some applications due to latency: Siri will time out or notifications will come through a few seconds later. Encrypted DNS servers also work through split and full tunnel. It’s up to the user to decide if given the option. But some experts believe that split tunnel is less secure. The point is it’s not a vulnerability and no fix is coming.
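To make the split tunnel vs. full tunnel distinction above concrete, here is an added Python example (not from this thread, and not Apple's or any VPN vendor's code). It performs a longest-prefix-match route lookup over two constructed routing tables: a split tunnel that sends only a corporate prefix into the tunnel, and a full tunnel that overrides the default route. The interface names, prefixes and the 0.0.0.0/1 + 128.0.0.0/1 half-route trick are assumptions modelled on how common VPN clients implement a full tunnel; the thread itself does not describe them.

```python
import ipaddress

# Constructed sample data (assumptions, not from the page).
LAN_IF = "en0"    # assumed physical interface (Wi-Fi)
TUN_IF = "utun2"  # assumed VPN tunnel interface

# Split tunnel: only the corporate prefix is routed into the tunnel;
# the default route stays on the local network.
SPLIT_ROUTES = [
    ("0.0.0.0/0", LAN_IF),        # default route via Wi-Fi
    ("192.168.1.0/24", LAN_IF),   # local LAN
    ("10.0.0.0/8", TUN_IF),       # corporate network pushed by the VPN
]

# Full tunnel: two /1 routes are more specific than the /0 default and
# therefore win for every destination, without deleting the default.
# The VPN server's own address is pinned to Wi-Fi so tunnel packets
# do not loop back into the tunnel.
FULL_ROUTES = [
    ("0.0.0.0/0", LAN_IF),
    ("192.168.1.0/24", LAN_IF),
    ("0.0.0.0/1", TUN_IF),
    ("128.0.0.0/1", TUN_IF),
    ("203.0.113.10/32", LAN_IF),  # assumed VPN server endpoint (documentation range)
]


def egress_interface(routes, dst):
    """Return the interface a *new* flow to dst would leave on.

    Longest-prefix match: among all routes whose prefix contains dst,
    the one with the largest prefix length wins.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if


def classify(routes, destinations):
    """Map each destination to its egress interface under the given table."""
    return {dst: egress_interface(routes, dst) for dst in destinations}


if __name__ == "__main__":
    # Constructed destinations: a corporate host, a public web site, the VPN server.
    targets = ["10.1.2.3", "198.51.100.7", "203.0.113.10", "192.168.1.5"]
    print("split:", classify(SPLIT_ROUTES, targets))
    print("full: ", classify(FULL_ROUTES, targets))
```

Note what this lookup does and does not decide: a routing table only chooses the interface for flows that are created after the table changes. The thread's complaint concerns flows that already existed when the VPN came up; those sockets are already bound to the Wi-Fi address, and a route change alone does not move them.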
 
I don’t think so.
iOS used to handle this correctly, then stopped.
Not tearing down existing connections completely undermines the point of a VPN.

You mean not masking the IP..

At least turning on airplane mode may work.. I've never used a VPN from my iPhone.. never have even needed to. I have my Mac for that.
 
Oops... Has iOS gotten too complicated, or is it just lazy programmers?

There is an apparent amount of vindictiveness (or mischievousness?) on the part of the programmers. After the last update, if you go to 'Move' in Mail, they swapped the position of the previous folder that messages like that have been moved to. Apparently 'just because they can'? It's petty, and somewhat nuts to change such small parts of an OS, or app, 'just because'.

 

I think the problem is more that at least among some areas at Apple, they've gone from being some of the best at UI, to not even understanding what it is. Or, to put that another way, rather than vindictive/mischievous, it is probably just being unaware that they should be concerned with such things.
 

Well, moving the cheese is fine, but to swap positions is kinda odd. Yeah, either careless contract programmers, or a programmer that just doesn't care. It's just so weird that they would just flip that. Oh, a thought: perhaps the original placement was in error. Could be, could be. So, 'attention to detail' then? The devil is in the details. Doesn't anyone look at the gold master updates to see if they even make sense from a UI perspective? It would seem not?

This is no biggie, but I do remember my mom having issues when there was an update and Apple decided to 'move the cheese'. That was after getting just totally burned out by Windows through several versions, and computers. 'Why would they do that?' she would ask. All I could say is 'Because they could?'...

Cheers! Stay safe!!!
 
This is 100% fake and not a bug. All VPNs, such as those on the desktop, do this by default unless specifically configured, so as not to interrupt ongoing downloads, or worse, cause UDP-based services to silently fail. Windows' built-in VPN client has this exact same behavior.
Could we clean up on the use of the word "fake". It's not fake. It may be irrelevant. If you think it's irrelevant, say it's irrelevant. The whole of your post states clearly that it is not fake. And downvoting someone for daring to correct your incorrect use of language is very bad style.
Oops... Has iOS gotten too complicated, or is it just lazy programmers?
Neither. If you have a connection _before_ VPN is turned on, then changing that connection to use VPN will break it. Users will not be happy. Most applications are not clever enough to switch to another connection when VPN is turned on (most are not aware of VPN at all).

Everything you did before you turned on VPN is unprotected, obviously. Nobody complains. Everything you start after you turn on VPN is protected. The few connections that you started before you started VPN have been unprotected all the time, and they stay unprotected. Like you make a phone call. If you turn on VPN halfway through the call, the first half is unprotected anyway. The second half of the call _works_. You just need to know that you can't protect the second half of a call with VPN. The whole call, or nothing.
 

My company insists that all data that I exchange from home with the company goes through VPN. My company doesn't give a hoot about my traffic with MacRumors, for example. And I don't worry about that traffic to MacRumors either. So clearly, I want a split tunnel: all the company stuff goes through VPN, all my normal stuff doesn't need VPN. Also a matter of capacity; if posting to MacRumors goes through the company VPN, it takes company resources away without any need.
Apple has admitted this is a bug. It is not acceptable for current network connections to continue after the VPN has been enabled. iOS behavior before this bug was exactly as I have described.
It's not a bug really. They have the choice: Kill connections that were turned on before VPN was started (which may affect the user) or leave these connections running and unprotected. Neither choice is perfect. The other way round, people would have complained that turning on VPN kills running connections. It's a choice. (Right now I have a customer who wants a feature removed because it is insecure, which is a feature that other customers love because it adds security. And they are both right).
Well, that’s the point isn’t it. The connection has to be dropped, then the TCP connection will be retried.
Pretty sure that iOS apps should be link state aware.
Pretty sure they should be. Pretty sure many are not.
 
Oh yay, someone ‘helpfully’ bumped a month old dormant thread. 🙈

Well, they must be link state aware, as how would they handle the transition from WiFi to mobile and vice versa, when all the connections get torn down because the endpoint has gone.
Apps must be aware that they need to re-connect. Switching a VPN on is no different.
 

And that's what I meant by 'lazy programmers'. They should at least pop up a box that lets the user know that the existing communications are not encrypted. It seems simple, and makes sense. People that use a VPN want their data to be sheathed. Starting a VPN with open connections is very possible, and forgettable. The OS needs to either ask and terminate all connections if told to, or at least notify the user that 'x' number of connections aren't 'protected'.

It's lazy to ignore this issue. It's presumptuous to assume that the user knows about the connections not sheathed.
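The post above asks for a notification that "x" connections are outside the tunnel. As an added example (not from this thread, and not Apple's or any VPN client's code), here is a small Python audit that does exactly that count from `netstat -an` output: it parses the BSD-style socket listing, keeps established connections, and flags those whose local address is still the Wi-Fi address rather than the tunnel interface's address. The sample listing and the tunnel address 10.8.0.2 are constructed for the example; the only real command used is `netstat -an`.

```python
import subprocess

# Assumed address of the VPN's utun interface (constructed for this example).
TUNNEL_ADDR = "10.8.0.2"

# Constructed netstat -an excerpt in the BSD/macOS format (addr.port columns).
# Two TCP sessions were opened before the VPN came up and are still bound to
# the Wi-Fi address; one was opened afterwards and is bound to the tunnel.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.23.52344     203.0.113.5.443        ESTABLISHED
tcp4       0      0  10.8.0.2.52390         198.51.100.9.443       ESTABLISHED
tcp4       0      0  192.168.1.23.52201     203.0.113.7.5223       ESTABLISHED
udp4       0      0  192.168.1.23.5353      *.*
tcp4       0      0  *.49152                *.*                    LISTEN
"""


def split_addr_port(s):
    """BSD netstat joins host and port with a dot; split on the last one."""
    host, _, port = s.rpartition(".")
    return host, port


def parse_netstat(text):
    """Parse netstat -an lines into dicts; header and non-socket lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        local_host, local_port = split_addr_port(parts[3])
        foreign_host, foreign_port = split_addr_port(parts[4])
        conns.append({
            "proto": parts[0],
            "local_host": local_host,
            "local_port": local_port,
            "foreign_host": foreign_host,
            "foreign_port": foreign_port,
            # UDP sockets carry no state column in this format.
            "state": parts[5] if len(parts) > 5 else "",
        })
    return conns


def connections_outside_tunnel(conns, tunnel_addr):
    """Established connections whose local address is not the tunnel's.

    A socket created before the VPN came up keeps its original local
    address, so it keeps using the original interface regardless of the
    new routes; that is the situation the thread is discussing.
    """
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and c["local_host"] != tunnel_addr]


def summary(conns, tunnel_addr):
    """One-line report in the spirit of the notification the poster asked for."""
    outside = connections_outside_tunnel(conns, tunnel_addr)
    return f"{len(outside)} established connection(s) are not going through the VPN"


def audit_live(tunnel_addr=TUNNEL_ADDR):
    """Run the real netstat on this host and return the flagged connections."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return connections_outside_tunnel(parse_netstat(out), tunnel_addr)


if __name__ == "__main__":
    sample = parse_netstat(SAMPLE_NETSTAT)
    print(summary(sample, TUNNEL_ADDR))
    for c in connections_outside_tunnel(sample, TUNNEL_ADDR):
        print(f"  {c['proto']} {c['local_host']}:{c['local_port']} -> "
              f"{c['foreign_host']}:{c['foreign_port']}")
```

Run it right after the VPN connects and the count tells you how many flows the VPN did not capture; re-running it after an app reconnects (or after toggling airplane mode, as suggested earlier in the thread) shows the count drop as sockets are re-established from the tunnel address.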
 