Computer Security: Tunnel Madness

A series of users of the CERN network recently received a warning about using a particular VPN tunneling plug-in (named here as “Allo VPN” for the sake of brevity) with their favourite browser. VPN tunneling is a perfectly legitimate way to preserve the anonymity of your communications, and to make your remoteness seem local. But using this particular plug-in comes with a risk. For CERN. And for you, when using it at home…

While the use of Virtual Private Networks (VPNs for short) out of CERN provides lots of advantages with regards to privacy and security, for example, and while this does not pose a problem to the overall cyber-protection of the Organization, the “Allo VPN” service is different. It is a peer-to-peer VPN service, allowing other people to access the Internet through your Internet connection. Its business model is based on the underlying VPN technology, “Luminati SDK”, selling CERN’s or your home’s network bandwidth for re-use by other users.

This means that with any usage of “Allo VPN”, any third party can have unfiltered direct access into CERN’s internal office network (the so-called “General Purpose Network”) as any PC or laptop running this particular VPN plug-in becomes part of their worldwide peer-to-peer overlay network. And, consequently, this increases our liability if illegal activities are tunnelled through this network… It’s the same if you use this plug-in at home on your home Wi-Fi: If someone commits crimes through your – now shared – connection, the police are likely to come knocking on YOUR door, take away your hardware for forensic examination, and you may be subject to investigations related to whatever crime was committed (copyright violation, hacking, propaganda or sexual abuse material)…

Worse still, the “Allo Unblocker” Windows client, Firefox add-on, Chrome extension and Android application have been found to contain multiple vulnerabilities that allow a remote or local attacker to execute code and potentially take control of your computer. Additional design flaws allow any user to be tracked across the Internet via a persistent ID. And, as such users – wittingly or otherwise – act as exit nodes for the overlay network, each is capable of acting as a middleman for other users of the free or premium peer-to-peer network, or its commercial “bandwidth” service (“Luminati”), thereby compromising the privacy and anonymity of their browsing and exposing them to further attacks

Consequently, the “Allo Unblocker”, “Allo Better Internet” and “Allo VPN” plug-ins have been explicitly banned from being used at CERN. Violations are supposed to be detected and the owners of the corresponding devices are informed and asked to refrain from that activity. In parallel, we have blocked the associated commercial “bandwidth” service (“Luminati”). If you use these plug-ins at home, time to re-consider. Apologies for the inconvenience, but we hope we can count on your understanding.


/Public Release. The material in this public release comes from the originating organization and may be of a point-in-time nature, edited for clarity, style and length. View in full here.