by Cycl0ps 1764 days ago
I'm still not sure how this compromises VPN use. The ISP routes the connection, so of course they can see when I use my VPN. From there I would assume the VPN works as a mixer and handles multiple connections through the same exit point, so you couldn't tell my traffic from another user's. Is that not the case?
2 comments

An adversary who can see your VPN traffic can use traffic analysis [1] to correlate known protocol packet patterns and timestamps to netflow traces to known destinations serving known content with matching timestamps from VPN termination points.

[1] https://en.m.wikipedia.org/wiki/Traffic_analysis

Would this still be an effective attack if you used a single VPN provider with multiple hops and your adversary was not someone like a nation state? Alternatively, what if you did basic VPN chaining (e.g. you VPN to a pfSense instance or something on a VPS and configure outbound traffic on that server to be routed through a commercial VPN)?
Don't know about multiple hops, but generally you don't need to be the NSA to do this. BGP hacks can be used to divert traffic, your WLAN can be monitored for TA, your adversary might already be someone on-path like your ISP, employer, or law enforcement, your ISP (or any upstream transit provider, including ones in different countries) can be bribed to monitor and sell traffic traces sufficient for TA, etc.
The adversary doesn't have to be a nation state, they can just buy the netflow data to run correlation attacks on it.
I’m wondering the same thing. The only thing I can think of is being able to correlate times, ports, and traffic volume from some origin, to some VPN node, then look for near identical data coming from that node to an ISP, and then on down the chain to identify the victi-err, I mean “person” accused of being a bad actor.

So I wonder: would the copyright nazis be able to use this kind of data corollary in court against an accused defendant? If the offense is civil I could see it being admissible since the burden of proof is lower (just has to be “fairly likely” AFAIK, but IANAL) than in criminal court. Though I don’t know if copyright infringement is a civil or criminal charge, and trust may depend on state.

Still, at best they could only match up pieces of the chain to dates, times and data sizes, not see the actual data being transmitted over that connection (broken/weak crypto notwithstanding). But that might be enough to further persecute fair use, not to mention some other very dark stuff.

> I’m wondering the same thing. The only thing I can think of is being able to correlate times, ports, and traffic volume from some origin, to some VPN node, then look for near identical data coming from that node to an ISP, and then on down the chain to identify the victi-err, I mean “person” accused of being a bad actor.

Exactly that. As with Tor, if you can observe the entry and exit flows you can deanonymize the traffic.
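The correlation the replies above describe (match timing and volume of the flow entering the VPN against flows leaving the exit, as in the "times, ports, and traffic volume" comment and the "observe the entry and exit flows" reply) can be shown in a few dozen lines. The block below is an added example, not code from the thread or from any VPN product. It bins packet bytes into time slots, slides each exit-side candidate over a range of lags, and scores it with Pearson correlation. Every trace is constructed; the latency (83 ms), jitter pattern, tunnel overhead (60 bytes) and the 500 ms lag bound are assumptions, not measurements of any real VPN. The constant-rate candidate shows the one thing that defeats this naive correlator: a flow with no timing signal.

```python
"""
Added example (not from the thread): a toy flow-correlation attack.
An observer on the client side of a VPN records (timestamp_ms, size_bytes)
per packet; an observer at the VPN exit records several candidate flows.
The attacker bins byte volume into time slots, slides each candidate over
a range of lags, and scores it with Pearson correlation.
All traces are constructed; latency, jitter and overhead are assumptions.
"""
import math

BIN_MS = 100           # slot width of the byte-volume time series
MAX_LAG_MS = 500       # assumed upper bound on client-to-exit delay
LAG_STEP_MS = 10
TUNNEL_OVERHEAD = 60   # assumed per-packet bytes the tunnel adds on the client side
WINDOW_MS = 7500       # observation window


def burst_flow(burst_starts_ms, packets_per_burst, gap_ms=8, size=1200):
    """Constructed browsing-like trace: short bursts of packets gap_ms apart."""
    return [(start + i * gap_ms, size)
            for start, n in zip(burst_starts_ms, packets_per_burst)
            for i in range(n)]


def constant_rate_flow(duration_ms, interval_ms=20, size=1240):
    """Constructed constant-rate trace (a padded stream): one packet per interval_ms."""
    return [(t, size) for t in range(0, duration_ms, interval_ms)]


def through_tunnel(flow, latency_ms, jitter_pattern):
    """Exit-side view of `flow`: delayed, jittered, tunnel overhead removed."""
    return [(t + latency_ms + jitter_pattern[i % len(jitter_pattern)], size - TUNNEL_OVERHEAD)
            for i, (t, size) in enumerate(flow)]


def volume_series(flow, n_bins, shift_ms=0, bin_ms=BIN_MS):
    """Bytes per bin after moving timestamps back by shift_ms; packets outside the window are dropped."""
    bins = [0.0] * n_bins
    for t, size in flow:
        idx = (t - shift_ms) // bin_ms
        if 0 <= idx < n_bins:
            bins[idx] += size
    return bins


def pearson(a, b):
    """Pearson correlation; 0.0 when either series is constant (no timing signal to match)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / math.sqrt(va * vb)


def best_lag(entry_flow, exit_flow, window_ms=WINDOW_MS):
    """Slide exit_flow back over 0..MAX_LAG_MS; return (best_r, lag_ms).

    The lag estimate is only as sharp as BIN_MS: every lag that keeps each
    burst inside a single bin scores the same, and the first such lag is kept.
    """
    n_bins = window_ms // BIN_MS
    entry = volume_series(entry_flow, n_bins)
    best_r, best = 0.0, 0
    for lag in range(0, MAX_LAG_MS + 1, LAG_STEP_MS):
        r = pearson(entry, volume_series(exit_flow, n_bins, shift_ms=lag))
        if r > best_r:
            best_r, best = r, lag
    return best_r, best


def rank_candidates(entry_flow, candidates, window_ms=WINDOW_MS):
    """Score every exit-side candidate against the entry-side flow, best first."""
    scored = [(name, *best_lag(entry_flow, flow, window_ms)) for name, flow in candidates.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)


def demo():
    # Entry side: Alice's packets as her ISP sees them entering the tunnel (constructed).
    alice_entry = burst_flow(
        [30, 730, 1530, 1930, 3130, 3430, 4230, 5330, 5930, 6830],
        [4, 6, 3, 8, 5, 7, 4, 6, 3, 5])
    # Exit side: three flows leaving the VPN exit (constructed). Only the first is Alice's.
    candidates = {
        "alice_exit": through_tunnel(alice_entry, latency_ms=83, jitter_pattern=[-4, 3, 0, 5, -2]),
        "bob_padded_stream": constant_rate_flow(8000),
        "carol_exit": burst_flow([320, 1120, 2420, 2720, 3920, 4620, 5120, 6120, 6520],
                                 [5, 4, 6, 3, 7, 4, 5, 6, 3], size=1140),
    }
    return rank_candidates(alice_entry, candidates)


if __name__ == "__main__":
    for name, r, lag in demo():
        print(f"{name:20s} r={r:.3f} lag={lag}ms")
```

Running it ranks `alice_exit` first with a correlation of essentially 1.0 and a recovered lag within one bin of the assumed 83 ms; `carol_exit`, a different browsing pattern on the same exit, scores near zero, and `bob_padded_stream` scores exactly zero because a constant-rate series has no variance to correlate against. A real attacker works with coarser netflow records and far more candidate flows, so scores are noisier, but the same shape of computation applies, and it needs no access to the plaintext.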