What Happened?

Last week, we were notified by a couple of VPN review sites that they had been running a new suite of publicly available tools to test VPN applications for "leaks". These tools focus on situations where internet traffic temporarily goes outside of the tunnel, or where personally identifiable information such as your real IP address is visible from within the tunnel.

Your online privacy is our top priority. When we were notified that TunnelBear hadn’t passed every test, we began our own investigation.

Before discussing the investigation itself, it’s worth pointing out that for TunnelBear to protect against some of the leaks discussed in the reports we’ve seen, VigilantBear must be enabled. We’ve discussed the benefits of VigilantBear before, but at the moment it is not enabled by default because many users told us it was too disruptive to their browsing experience. We’re working on making it more seamless so that we can confidently make it the default behaviour for all users in early 2018.

Ok, so what were the results?

In the majority of circumstances, we found that VigilantBear was protecting your data as expected. For example, if your Wi-Fi is disrupted by a weak signal while you are browsing, or you connect to a new Wi-Fi network, VigilantBear prevents any data from leaving the secure tunnel.

However, we also found that in less common circumstances leaks could still take place. The three cases identified were:

  • Leaks may occur if the network adapter being used to connect to the internet is manually interfered with (macOS and Windows).
  • Leaks may occur if a secondary network adapter is added (macOS).
  • Web browsers that support WebRTC may expose your IPv6 address when your connection uses IPv6 (some browsers only).

Interrupting the Primary Network Adapter
On both macOS and Windows, an unexpected change to the primary network adapter (e.g. unplugging an Ethernet cable or manually disabling the adapter) could result in a brief leak while the system reconfigures itself. We’ve now thoroughly tested these conditions and have developed a fix for the issue on both macOS and Windows.

Adding a second network adapter into the mix
On macOS only, we discovered that adding a second active network adapter alongside an existing connection could also cause a momentary leak. Modern Macs typically have only one network adapter, so this won’t occur on most devices unless an external Ethernet adapter is connected. We have fixed this by changing the way VigilantBear interacts with the macOS firewall so that the rules we add apply to all network interfaces.

WebRTC and IPv6
WebRTC is a technology that allows two browsers to talk directly to each other. It is typically used for things like browser-based video chat. We blogged about the IP-leaking risks posed by WebRTC a couple of years ago. At the time, we fixed the leaks identified by making changes to our apps; however, it turns out that there are additional risks if you connect using IPv6 (about 20% of web users).

We evaluated the pros and cons of adding the ability for TunnelBear to block IPv6 leaks in WebRTC, but we agreed that a VPN isn’t the right tool to protect people from this sort of risk. While some VPN applications protect against it by simply blocking IPv6 completely, it’s been our experience that this approach degrades our users’ internet experience in unexpected and difficult-to-diagnose ways.

If your internet provider supports IPv6 and you’re concerned about potential leaks with WebRTC, our recommendation is to disable WebRTC on your web browser. Some web browsers do not include the ability to disable WebRTC, but most have browser extensions available that provide a solution. Our very own TunnelBear Blocker for Chrome blocks WebRTC by default.
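As an added example (not TunnelBear’s code, nor the review sites’ tool), the following JavaScript shows the mechanism a WebRTC leak test relies on: every ICE candidate the browser generates carries an IP address, so with an IPv4-only tunnel the ISP-assigned global IPv6 address of the physical interface can show up as a host candidate (and via STUN over IPv6 as a server-reflexive one). The parsing and classification functions are pure and run under Node; `gatherCandidates` needs a browser. The STUN server URL, the classification rules and the sample candidate lines (constructed, using documentation address ranges) are the example’s own assumptions.

```javascript
// Added example, not TunnelBear's code: what a WebRTC leak test sees.
// parseCandidate/classifyAddress/findLeaks are pure; gatherCandidates only
// works in a browser, where RTCPeerConnection exists.

// Parse one candidate string (RFC 5245 s15.1 grammar):
//   candidate:<foundation> <component> <proto> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1],
    protocol: m[3].toLowerCase(),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(), // host | srflx | prflx | relay
  };
}

// Classify an address by what it can reveal about the user.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns';              // browser obfuscated the host IP
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(a)) return 'ipv4';
  if (/^[0-9a-f:]*:[0-9a-f:]*(?:%[\w.-]+)?$/.test(a)) {
    if (a === '::1') return 'ipv6-loopback';
    if (/^fe[89ab]/.test(a)) return 'ipv6-linklocal';   // fe80::/10, never leaves the link
    if (/^f[cd]/.test(a)) return 'ipv6-ula';            // fc00::/7, private
    return 'ipv6-global';                               // routable and globally unique: identifies you
  }
  return 'unknown';
}

function isPrivateIPv4(addr) {
  const [a, b] = addr.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Return the candidates that expose an address a VPN user would not expect to expose.
// vpnExitAddresses (assumed known, e.g. looked up through the tunnel) are treated as safe.
function findLeaks(candidateLines, vpnExitAddresses = new Set()) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (vpnExitAddresses.has(c.address)) continue;
    const kind = classifyAddress(c.address);
    const leak =
      kind === 'ipv6-global' ||                         // IPv6 went around an IPv4-only tunnel
      (kind === 'ipv4' && !isPrivateIPv4(c.address));   // public IPv4 that is not the VPN exit
    if (leak) leaks.push({ address: c.address, kind, type: c.type, protocol: c.protocol });
  }
  return leaks;
}

// Browser only: force ICE gathering with a throwaway data channel and collect the
// raw candidate strings. The STUN URL is an assumption; any STUN server will do.
function gatherCandidates(timeoutMs = 3000) {
  return new Promise((resolve, reject) => {
    if (typeof RTCPeerConnection === 'undefined') {
      return reject(new Error('RTCPeerConnection unavailable: run this in a browser'));
    }
    const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.l.google.com:19302' }] });
    const lines = [];
    let finished = false;
    const finish = () => { if (finished) return; finished = true; pc.close(); resolve(lines); };
    pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); else finish(); };
    pc.createDataChannel('leaktest');
    pc.createOffer().then((offer) => pc.setLocalDescription(offer)).catch(reject);
    setTimeout(finish, timeoutMs);
  });
}

// Constructed sample (documentation address ranges, not real captures): a host on the
// tunnel interface, an mDNS-obfuscated host, the VPN exit as seen by STUN, a link-local
// IPv6 host, and the ISP-assigned global IPv6 host address that bypasses the tunnel.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 10.8.0.6 51234 typ host',
  'candidate:2 1 udp 2122194687 9d5b3a2e-1f2a-4b3c-8d4e-5f6a7b8c9d0e.local 51235 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.23 51234 typ srflx raddr 10.8.0.6 rport 51234',
  'candidate:4 1 udp 2122262783 fe80::1c2a:3b4c:5d6e:7f80 51236 typ host',
  'candidate:5 1 udp 2122262783 2001:db8:1234:5678:abcd:ef01:2345:6789 51237 typ host',
];
const VPN_EXIT = new Set(['198.51.100.23']); // assumed exit address observed through the tunnel

console.log(findLeaks(SAMPLE_CANDIDATES, VPN_EXIT)); // only candidate 5 is reported
// In a browser: gatherCandidates().then((lines) => console.log(findLeaks(lines, VPN_EXIT)));
```

Run in a browser with the VPN connected, the only addresses that should appear are the tunnel interface, mDNS names and the VPN exit; a global IPv6 address in the output is exactly the case the post describes, and a public IPv4 address other than the VPN exit means traffic is leaving the tunnel.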

What have we learned?

When VigilantBear was first developed, we tested it thoroughly and fixed any leaks that we discovered. It’s now apparent that we didn’t consider every possible case, which led to us missing the two VigilantBear leaks described above. As a result of this investigation, we’ve expanded our scope and integrated these additional leak testing tools into our QA process to help prevent these issues from happening again. We will of course continue to think up new ways to try to break VigilantBear so that we can further expand our tests and make sure it is always protecting users in every scenario.

Fixes for the issues described above are available today as beta releases:
TunnelBear for macOS 3.5.1
TunnelBear for Windows 3.1.1

The final builds will be rolled out as auto-updates over the coming weeks.

Editor's note: Fixes for the issues described above are available in our latest versions of TunnelBear. Links to the original beta releases have been removed.