This article is very light on the details, but the fact that someone has actually gone ahead and done this will mean other leaders / politicians will now be thinking - "oh right, this is actually something we may be able to do."
> the fact that someone has actually gone ahead and done this[...]
Well it's not exactly a novel idea. China, North Korea, Iran, Iraq, Oman, Turkey and others have implemented bans or heavy restrictions for quite some time now.
I saw an article from about 15 years ago that said Comcast blocked VPNs for a few weeks as a "test". Apparently the test was stopped because a large amount of businesses complained that they required VPNs to access their internal data.
I imagine it might be trickier for the US to implement such a plan vs. a country like Russia.
If I rate-limit VPN outright, I'm an ugly dictator bent on destroying privacy.
If I rate-limit popular bandwidth-intensive traffic, I'm just a guy trying to keep network usage fair for every user. If that involves limiting VPNs as well, they are simply collateral damage, the end justifies the means, and I'm still a good guy.
They're using the wrong terminology, then; "ISP rate limits" refers to artificial bandwidth restrictions placed—at the data-link layer—on the last mile of a connection, to either upsell better plans or as proactive, aggressive form of QoS traffic-shaping to prevent oversubscribed head-end nodes from actually having to deal with multiple saturated downstream links they don't have the capacity to multiplex.
You're talking here more about avoiding the preferential site-by-site traffic-class-based shaping that goes on when Net Neutrality is not enforced. Which doesn't really happen, because it's far easier to just have a thinner peerage link between the ISP and the content-provider in the first place, and then do regular QoSing on that thin pipe with priority to the people on better plans. (The result is exactly like telephone service on New Year's Eve: local calls go through just fine, but long-distance calls mostly fail because the POTS peerage links are saturated.)
You may recall that before Title 2 was asserted by the FCC, ISPs would prohibit "commercial use" in their consumer AUPs and once in awhile enforce this against someone who was telecommuting.
Time Warner affiliates would charge you an additional $20/mo for business access.
Not that I can recall, and I'm having a hard time finding anything about this. There's "business class" which means you get to run inbound servers, and maybe send email, etc. but I can't find any penalties for something like VPNing to an office network.
US doesn't need to block anything because many Internet companies' headquarters (domain name registrars, SSL certificate providers, cloud providers, OS developers, messengers, search engines, video publishing platforms) are located in USA and therefore are the subject of US laws.
For example, US doesn't have to block access to online casinos - they just order the banks and financial institutions not to work with such sites.
But Russia doesn't have such authority over Facebook or Skype. It cannot issue a NSL to Google for example. Therefore they are looking for other methods of controlling those companies (such as laws requiring to keep russian users' data in Russia).
China blocks many foreign web services and as a result they have their national messengers, search engine, social networks that will comply with national laws.
I do not approve Russian or China (especially China) policies, I just want to notice that Internet being an international medium without borders and customs creates new problems for applying national legislation (like taxation or spreading information violationg the laws).
I was referring to the act of interference, not the motivation behind it.
The government may not need to decrypt or block most traffic, but telcos will want to extract a levy for various uses of their circuits. Using the argument used against Netflix, why should your employer just be able to benefit from pushing ActiveSync down to your phone without paying Verizon?
Duh? If it's forbidden to access certain websites in a country then logically so is any service that enables such access.
VPN services can't exactly hide behind being an impartial carrier since they sell themselves as tools precisely for circumventing censorship, tracking, region locking, and providing anonymity.
I've said it before and I'll keep saying it, this is a political problem that can't be solved through more tunnels.
> VPN services can't exactly hide behind being an impartial carrier since they sell themselves as tools precisely for circumventing censorship, tracking, region locking, and providing anonymity.
I really wish some VPN providers would try advertising themselves as desirable technical solutions to the technical shortcomings of many ISPs -- e.g. my ISP here doesn't give me native IPv6, and has a crappy last mile. OpenVPN-over-UDP helps with both.
VPNs can also simply protect against attacks on public networks in e.g. cafes, libraries, airports.
> this is a political problem that can't be solved through more tunnels
Yes, but they help in that they increase people's headroom for informing and acting.
> VPNs can also simply protect against attacks on public networks in e.g. cafes, libraries, airports.
To expand on that, you could argue this for any network, even home and company networks -- who knows which of the many windows computers and android phones of my colleagues/family are bots?
So much like China then. Fine for email getting through on all@internationalcompany.com from the Chinese office, just an added hassle for the IT department to setup.
Then you would be fine if your VPN provider:
a) either relies only on ISPs following Russian laws;
b) or technically enforces restrictions specified in Russian blacklist.
or c) you use VPN provided by your company and it's used for work. If you can access restricted sites with it, neither you nor your company is responsible.
We need something that tunnels over HTTPS/Websockets, and utilizes domain fronting [1] with e.g. Google Cloud or Azure. Ideally it'd also work over WebRTC in unreliable mode, but I'm not sure that works with domain fronting.
> We need something that tunnels over HTTPS/Websockets, and utilizes domain fronting [1] with e.g. Google Cloud or Azure. Ideally it'd also work over WebRTC in unreliable mode, but I'm not sure that works with domain fronting.
The Tor Browser already comes with the meek transport[1] that uses domain fronting, one with Amazon and the other with Azure. There's also a recent PT titled snowflake[2], that uses WebRTC to connect to short lived proxies that people can make by just running some JS code in their browser, it's currently available in the alpha builds for Linux and Mac.
Note that meek is expensive, and the Tor Project pays for each byte. It should only be used when no other PT works.
Many users in Russia use russian social network (Vkontakte), russian email services and russian search engine (Yandex). There is also popular dating service (Badoo). So Google and Facebook can be blocked without causing much trouble. But there is no good replacement for Youtube and Android Store (yet).
One more idea to add to this (that sits on top of the idea that the distributed internet heals itself from attacks) would be to make it super simple for every HTTPS site to donate a portion of its bandwidth to defeating censorship. Imagine a world where VPN traffic was indistinguishable from a normal browsing session.
It can be enforced reliably enough to make it too hard for most people to keep circumventing censorship. Even with only current capabilities they can gather metadata on everyone's internet usage and see into a bit of data if needed, which is enough to statistically detect most attempts to hide traffic in something else.
It doesn't need to be enforced reliably. It just needs to be reliable enough that your average person who might want to access one of the blocked resources doesn't manage to do so after spending a couple of hours trying the popular VPNs and such, and gives up because it's not worth the effort.
The idea is to make it hard for average person to use it - problem solved.
Most likely will ban commercial vpn providers that refuse to implement blocklist for users from Russia.
If you are able to set up a personal openvpn server, they wont bother hunting you down.
The important thing is that people are not charged in crime if they try to circumvent the bans. So it's still race in technology field. They'll ban VPNs, we will find ways to hide our VPNs. As long as regular user won't be prosecuted for trying to access prohibited information, those laws doesn't matter much IMO.
Every time Gosduma passes some law restricting citizen's freedom for the sake of security we have morons bleating "Don't worry, guys, the strictness of Russian laws is compensated by the optionality of compliance".
Yet in the past few years we had hundreds of people jailed and/or fined for the content they posted on social media or even for reposts and likes. Yet the morons do not learn. Can't wait for Yarovaya's law to come in full effect.
Everytime I read posts about VPNs and ban attempts, I can't resist to link to the Streisand project: https://github.com/jlund/streisand. Used that when there were crackdowns on VPNs (Astrill, Express, etc.) while I was living in China and it never disappointed.
The bigger news, IMO, is that Putin also signed the messenger law. To remind, this demands that all IM services that operate in Russia must provide technical means to de-anonymize the users, by linking their accounts to a phone number, a service contract number where the contract has identifying information, or other similar scheme. They're also required to be able to block any materials censored in Russia. If these are not complied with, the regulatory agency can block the service entirely.
Waiting for the "can't stop me using VPNs L0Lz" comments..
VPN use for a free and open Internet is abnormal - not a long term solution to issues like censorship.
They're already out of reach for normal users. Companies will offer better ways to block or detect usage for lucrative gov contracts. Simply making it illegal will detour most people.
I don't understand why VPN crackdown is thought to be impossible. ISPs have a good idea of what normal traffic looks like and a very good map of the Internet. The Internet may be big. To an ISP, is it really that big? Netflix, Google, YouTube, Dropbox etc are normal. Your companies VPN IP are normal.
That's unusual! Open connection to a DNS port? sending large amounts of data? its encrypted? No one has accessed that digital ocean IP before on this network! Lets throttle, interrupt it periodically or flag that user. Someone else sending large amounts data to a known VPN IP range? block, throttle, close connection, police knock on door etc.
Exactly. It baffles me how people think political problems can be solved with technological workarounds. What's next, being gay is illegal again so "just hide your relationship lulz"? Sometimes, I feel like a part of the crowd here is like a bunch of toddlers who try to work around some rules the parents made and feel clever at the same time.
Ahem..You are talking to a bunch of technologists. Technologists who believe that technology can actually change the world. We can see tech's influence from Arab Spring[1] to Defcon's recent vandalism[2]. We make up the people pushing the buttons behind the scene. In the name of humanity I know I will try everything to keep the Internet free and open and I hope many like minded people will to. Free sharing of ideas is the best way for us to advance.
This is why you and OP's comment are detracting and unproductive. We made this. We run the show.
A responce to this by a barrister friend of mine. Re-phrased because I don't remember it verbatim:
"We've only been trying technological solutions for the past hundred years and look at what they've achieved. We've been trying political solutions for thousands of years."
Though, I agree that we need to be aware of the limitations we and our systems impose on technical solutions. That said, perhaps we should play to our strengths?
>We've only been trying technological solutions for the past hundred years and look at what they've achieved
Holocaust, Nazi Science, Atomic bombs, Stalin's industrialization, mass surveillance, cold war? Man, 20-th century was such a mess, technology only made that mess more messy, and good stuff was achieved by political discussion, dialog, not because of new technologies (although technologies makes both dialog and murdering much easier)
We absolutely need policy change, but we also need to use and encourage tech that makes it impossible for bad policies to take these to gain a foothold.
> Simply making it illegal will detour most people.
Don't mean to be pedantic but I think you mean "deter". "Detour" = reroute, like "we're taking a detour to get some gas". "Deter" = Discourage, like "making something illegal deters law abiding citizens from doing it".
> I don't understand why VPN crackdown is thought to be impossible.
Because it's hard to distinguish VPN traffic from legitimate traffic and false positives will be extremely bad for the ISP.
> Open connection to a DNS port? sending large amounts of data? its encrypted? No one has accessed that digital ocean IP before on this network!
In order: Many VPNs will use standard HTTPs ports rather than DNS. There are numerous reasons to send large amounts of data, like backups. Encryption is quickly becoming the default, major video sites like YouTube and Netflix are encrypted for instance. Software developers are likely to access DigitalOcean IP addresses.
I do believe that at ISP scale it's possible to identify VPNs though and the things you've mentioned could contribute to a heuristic algorithm. Some other things to add are the geographical diversity of the users accessing a server (legitimate video services will have PoPs near a user, so few will cross the country), the distribution of response times and sizes (a pure web server will have lots of small, ~100ms responses, a video server will have lots of infrequent very high bandwidth transfers) and if you can access it, the outgoing connections of the servers themselves (e.g. Cogent can tell that a server is generating user traffic rather than business traffic).
> Because it's hard to distinguish VPN traffic from legitimate traffic
I don't think so. Chinese firewall can block VPN. For example, the easiest way to see if the user is using a VPN is to count a number of IP addresses they connect to.
> and false positives will be extremely bad for the ISP.
> I don't think so. Chinese firewall can block VPN. For example, the easiest way to see if the user is using a VPN is to count a number of IP addresses they connect to.
China is a special case as unlike most other countries, all major ISPs are state owned. When you own every internet connection in the country, it's much easier to spot VPNs.
When you're say Comcast, you only see the connections your customers make and accept, you can't see what VPN servers are doing.
> How exactly?
In countries other than China, where government control is less prevalent and the government is overtly democratic, false positives will result in anger in the populace, which will lead to the person implementing the policy losing power or at the very least, a degree of support.
> China is a special case as unlike most other countries, all major ISPs are state owned. When you own every internet connection in the country, it's much easier to spot VPNs.
It doesn't matter who owns the ISPs if the government has the power and will to force all of them to comply.
Worth mentioning the UK has blocked access to all major torrent websites and it is very effective on all ISPs.
It was implemented in a matter of months and has improved over time from a simple DNS redirect to now blocking IP ranges and DPI.
Internet Censorship and ISP wide blocking to us westerners is a new thing and I think people here are speaking during a time where we have it pretty good.
There is no ISP proactive battle against VPNs. Yes, you may be able to get through your companies firewall but is that the same? VPN use in China is difficult and becoming more so.
UK ISPs are now logging DNS requests from order of the government. In the beginning the ISPs complained and said it was technologically difficult. I wouldn't be surprised if that was just a call to access some gov funds and hey presto both parties win.
That is not important. In Russia even private ISP are required to install a firewall to block access to sites that are spreading illegal information (and they are also required to install a device that is monitoring whether the blocking policies are followed). There is also a law that will oblige ISPs record and keep customers' traffic in the future.
> When you're say Comcast, you only see the connections your customers make and accept, you can't see what VPN servers are doing.
A user of VPN typically has a single outgoing connection to a data center IP and that is easy to detect for an ISP. There is no need to see the VPN server's connections if you see the user's ones.
> where government control is less prevalent and the government is overtly democratic, false positives will result in anger in the populace
In those countries there will be no censorship and no need for a VPN. Also, most people don't use tools like VPNs and use Internet mostly for sites like social networks. Even if there are 1% of annoyed customers that cannot use VPN or SSH, the rest 99% won't notice that.
This is hardly surprising. Putin is an autocrat who wants to become a full-scale, ruler-for-life dictator. And so to achieve that end he has been steadily chipping away at freedoms and human rights.
He's also concerned that the US government and their assets will use this to undermine the country that he is charged with defending. Which isn't really irrational, because many anonymity tools have been funded by the US government for exactly this reason.
It's not a reasonable tradeoff and I disagree with him, but one can easily see why someone in his position would be concerned about this for reasons other than attempting to secure a dictatorship.
The fact is the US government has a well documented history of undermining elections, and then funding rebellion and civil wars if the election doesn't turn out how they hoped. When leaders attempt to shut down mediums used for propaganda/psyops/adversary coordination, they get to play the fascist dictator card against them, which is pretty convenient.
Putin is up for reelection spring '18. With all of the symmetric responses going on between the US and Russia at the moment (tit for tat game), one can only expect shenanigans.
I haven't heard of any instance where the Duma disagreed with any of Putin's ideas. I don't think the Duma is providing any checks and balances to the power that Putin has.
Meh, their collective decision is to follow Putin's orders. Gosduma's sessions are streamed online but they still don't give a fuck and play games on smartphones, read newspapers, chat and even don't show up at all so others have to vote for them[1]. No wonder most those draconian laws are passed with 90%+ approval.
I'm really curious how this affects HN users in Russia now. Is this a concern for you all? Or is it just a blip? Do you think it affects your less technical friends and family in any way?
Funny thing: two month ago, when Ukraine blocked access to Mail.ru Group's (which is owned by Kremlin linked bussinessman Usmanov) websites (Vkontakte, Odnoklassniki, russian 4chan (sort of)), state-owned TV ran a couple of infomertials teaching people how to bypass blocks using VPNs and anonymyzers.
96 comments
[ 2.7 ms ] story [ 68.2 ms ] threadAnother few feet down that slippery slope.
Well it's not exactly a novel idea. China, North Korea, Iran, Iraq, Oman, Turkey and others have implemented bans or heavy restrictions for quite some time now.
I imagine it might be trickier for the US to implement such a plan vs. a country like Russia.
Second, this doesn't make any sense. How would you avoid rate limits by using a VPN?
The ISP is still sending and receiving all of that data for you.
Step 2) Block VPNs to prevent circumvention of your rate limts
Step 3) Profit?
I don't see this happening, but I think that's what the comment you were responding to is suggesting.
If I rate-limit VPN outright, I'm an ugly dictator bent on destroying privacy.
If I rate-limit popular bandwidth-intensive traffic, I'm just a guy trying to keep network usage fair for every user. If that involves limiting VPNs as well, they are simply collateral damage, the end justifies the means, and I'm still a good guy.
You're talking here more about avoiding the preferential site-by-site traffic-class-based shaping that goes on when Net Neutrality is not enforced. Which doesn't really happen, because it's far easier to just have a thinner peerage link between the ISP and the content-provider in the first place, and then do regular QoSing on that thin pipe with priority to the people on better plans. (The result is exactly like telephone service on New Year's Eve: local calls go through just fine, but long-distance calls mostly fail because the POTS peerage links are saturated.)
What prevents companies from artificially slowing things coming from known VPN endpoints?
Time Warner affiliates would charge you an additional $20/mo for business access.
For example, US doesn't have to block access to online casinos - they just order the banks and financial institutions not to work with such sites.
But Russia doesn't have such authority over Facebook or Skype. It cannot issue a NSL to Google for example. Therefore they are looking for other methods of controlling those companies (such as laws requiring to keep russian users' data in Russia).
China blocks many foreign web services and as a result they have their national messengers, search engine, social networks that will comply with national laws.
I do not approve Russian or China (especially China) policies, I just want to notice that Internet being an international medium without borders and customs creates new problems for applying national legislation (like taxation or spreading information violationg the laws).
The government may not need to decrypt or block most traffic, but telcos will want to extract a levy for various uses of their circuits. Using the argument used against Netflix, why should your employer just be able to benefit from pushing ActiveSync down to your phone without paying Verizon?
Since when have western leaders ever taken policy direction from Russia?
VPN services can't exactly hide behind being an impartial carrier since they sell themselves as tools precisely for circumventing censorship, tracking, region locking, and providing anonymity.
I've said it before and I'll keep saying it, this is a political problem that can't be solved through more tunnels.
I really wish some VPN providers would try advertising themselves as desirable technical solutions to the technical shortcomings of many ISPs -- e.g. my ISP here doesn't give me native IPv6, and has a crappy last mile. OpenVPN-over-UDP helps with both.
VPNs can also simply protect against attacks on public networks in e.g. cafes, libraries, airports.
> this is a political problem that can't be solved through more tunnels
Yes, but they help in that they increase people's headroom for informing and acting.
To expand on that, you could argue this for any network, even home and company networks -- who knows which of the many windows computers and android phones of my colleagues/family are bots?
I'm hopeful the united states will get there too
[1] https://bamsoftware.com/papers/fronting/
// edit: why the downvotes?
The Tor Browser already comes with the meek transport[1] that uses domain fronting, one with Amazon and the other with Azure. There's also a recent PT titled snowflake[2], that uses WebRTC to connect to short lived proxies that people can make by just running some JS code in their browser, it's currently available in the alpha builds for Linux and Mac.
Note that meek is expensive, and the Tor Project pays for each byte. It should only be used when no other PT works.
[1] : https://trac.torproject.org/projects/tor/wiki/doc/meek
[2] : https://trac.torproject.org/projects/tor/wiki/doc/Snowflake
As with everything else, this isn't a 100% technical solution, it has a political component of how expensive the fronting website is to block.
If you are able to set up a personal openvpn server, they wont bother hunting you down.
Yet in the past few years we had hundreds of people jailed and/or fined for the content they posted on social media or even for reposts and likes. Yet the morons do not learn. Can't wait for Yarovaya's law to come in full effect.
VPN use for a free and open Internet is abnormal - not a long term solution to issues like censorship.
They're already out of reach for normal users. Companies will offer better ways to block or detect usage for lucrative gov contracts. Simply making it illegal will detour most people.
I don't understand why VPN crackdown is thought to be impossible. ISPs have a good idea of what normal traffic looks like and a very good map of the Internet. The Internet may be big. To an ISP, is it really that big? Netflix, Google, YouTube, Dropbox etc are normal. Your companies VPN IP are normal.
That's unusual! Open connection to a DNS port? sending large amounts of data? its encrypted? No one has accessed that digital ocean IP before on this network! Lets throttle, interrupt it periodically or flag that user. Someone else sending large amounts data to a known VPN IP range? block, throttle, close connection, police knock on door etc.
policy change, not more VPNs.
This is why you and OP's comment are detracting and unproductive. We made this. We run the show.
[1]https://www.researchgate.net/profile/Ghazali_Sulong/publicat... [2]https://www.cnet.com/news/everything-looks-like-a-hack-when-...
"We've only been trying technological solutions for the past hundred years and look at what they've achieved. We've been trying political solutions for thousands of years."
Though, I agree that we need to be aware of the limitations we and our systems impose on technical solutions. That said, perhaps we should play to our strengths?
Holocaust, Nazi Science, Atomic bombs, Stalin's industrialization, mass surveillance, cold war? Man, 20-th century was such a mess, technology only made that mess more messy, and good stuff was achieved by political discussion, dialog, not because of new technologies (although technologies makes both dialog and murdering much easier)
We absolutely need policy change, but we also need to use and encourage tech that makes it impossible for bad policies to take these to gain a foothold.
Don't mean to be pedantic but I think you mean "deter". "Detour" = reroute, like "we're taking a detour to get some gas". "Deter" = Discourage, like "making something illegal deters law abiding citizens from doing it".
> I don't understand why VPN crackdown is thought to be impossible.
Because it's hard to distinguish VPN traffic from legitimate traffic and false positives will be extremely bad for the ISP.
> Open connection to a DNS port? sending large amounts of data? its encrypted? No one has accessed that digital ocean IP before on this network!
In order: Many VPNs will use standard HTTPs ports rather than DNS. There are numerous reasons to send large amounts of data, like backups. Encryption is quickly becoming the default, major video sites like YouTube and Netflix are encrypted for instance. Software developers are likely to access DigitalOcean IP addresses.
I do believe that at ISP scale it's possible to identify VPNs though and the things you've mentioned could contribute to a heuristic algorithm. Some other things to add are the geographical diversity of the users accessing a server (legitimate video services will have PoPs near a user, so few will cross the country), the distribution of response times and sizes (a pure web server will have lots of small, ~100ms responses, a video server will have lots of infrequent very high bandwidth transfers) and if you can access it, the outgoing connections of the servers themselves (e.g. Cogent can tell that a server is generating user traffic rather than business traffic).
I don't think so. Chinese firewall can block VPN. For example, the easiest way to see if the user is using a VPN is to count a number of IP addresses they connect to.
> and false positives will be extremely bad for the ISP.
How exactly?
China is a special case as unlike most other countries, all major ISPs are state owned. When you own every internet connection in the country, it's much easier to spot VPNs.
When you're say Comcast, you only see the connections your customers make and accept, you can't see what VPN servers are doing.
> How exactly?
In countries other than China, where government control is less prevalent and the government is overtly democratic, false positives will result in anger in the populace, which will lead to the person implementing the policy losing power or at the very least, a degree of support.
It doesn't matter who owns the ISPs if the government has the power and will to force all of them to comply.
It was implemented in a matter of months and has improved over time from a simple DNS redirect to now blocking IP ranges and DPI.
Internet Censorship and ISP wide blocking to us westerners is a new thing and I think people here are speaking during a time where we have it pretty good.
There is no ISP proactive battle against VPNs. Yes, you may be able to get through your companies firewall but is that the same? VPN use in China is difficult and becoming more so.
UK ISPs are now logging DNS requests from order of the government. In the beginning the ISPs complained and said it was technologically difficult. I wouldn't be surprised if that was just a call to access some gov funds and hey presto both parties win.
That is until some government official learns about them.
That is not important. In Russia even private ISP are required to install a firewall to block access to sites that are spreading illegal information (and they are also required to install a device that is monitoring whether the blocking policies are followed). There is also a law that will oblige ISPs record and keep customers' traffic in the future.
> When you're say Comcast, you only see the connections your customers make and accept, you can't see what VPN servers are doing.
A user of VPN typically has a single outgoing connection to a data center IP and that is easy to detect for an ISP. There is no need to see the VPN server's connections if you see the user's ones.
> where government control is less prevalent and the government is overtly democratic, false positives will result in anger in the populace
In those countries there will be no censorship and no need for a VPN. Also, most people don't use tools like VPNs and use Internet mostly for sites like social networks. Even if there are 1% of annoyed customers that cannot use VPN or SSH, the rest 99% won't notice that.
It's not a reasonable tradeoff and I disagree with him, but one can easily see why someone in his position would be concerned about this for reasons other than attempting to secure a dictatorship.
The fact is the US government has a well documented history of undermining elections, and then funding rebellion and civil wars if the election doesn't turn out how they hoped. When leaders attempt to shut down mediums used for propaganda/psyops/adversary coordination, they get to play the fascist dictator card against them, which is pretty convenient.
[1] https://www.youtube.com/watch?v=Usmji_xRe0U
https://www.reddit.com/r/darknetplan/ and https://www.reddit.com/r/Rad_Decentralization/ may be interesting from a purely technical perspective.
Did this affect to ransomware collector too?