Getting Round Firewall Blockers

In some countries of the world, there has been a crack down in the usage of VPNs. One of the most well-known limiters is the Great Firewall of China.

Recently the Cyberspace Administration of China - as part of a cyber sovereignty campaign - defined new restrictions on Internet usage and that Chinese citizens would not be able to post to discussion forums and social network anonymously, along with blocking live video stream.

Now NordVPN has created an opportunity to avoid the monitoring from this type of firewall, by taking an alternative route around and using over 1,000 servers worldwide. The tool also allows users to hide their IP address, and select the best route based on loading, connection speed, and geographic distance. This could thus allow users in China to use censored applications such as Facebook, Twitter and Google. Currently NordVPN is only available as an Android app, but users in China are unable to access the Google Play Store. Currently, thought, it is available through NordVPN's Web site.

Going dark

Cryptography has a saint and sinner profile just now, with companies like Google pushing forward HTTPs, and governments around the world railing against it. While many countries have been close to forcing companies to add backdoors, few have taken the step of ban its operation.

Recently, a royal edict from the president of the United Arab Emirates (UAE), His Highness Sheikh Khalifa bin Zayed Al Nahyan, has taken this step the massive step by making it illegal to use a secure tunnel, VPN or secure proxy service. Those who are caught will risk jail and fines between 500,000 and 2,000,000 UAE dirham (US$136,130 and $544,521):

Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dhs 500,000 and not exceeding Dhs 2,000,000, or either of these two penalties.

Overall the pronouncement is rather difficult to interpret, both from a legal and a technical point-of-view, but basically it says [here]:

it is illegal to use a system which could hide someone who is committing a crime

So it fits with the scenario above, where the state cannot tell if you are committing a crime or not, so the usage of the system is illegal. If there was ever a Future World Police-state law, it is this one. Some could have a defence that they were not committing a crime, but it would be difficult to show the decrypted data streams, and for law enforcement to understand the traces.

Presently telecoms providers block any Web access which does not fit in with UAE values, including in accessing pornography sites and for VoIP services. Until recently Skype was banned, but has now been allowed due to business pressures. Only Etisalat and Du are, which are two relatively expensive VoIP packages, are official sanctioned to be used. At present, too, the majority of the residents in UAE are from other nations, and where it is often a standard part of their business to use VPNs and proxy systems.

Others having problems with proxies and VPNs

Secure tunnels and VPN connections have had a difficult time recently, as law enforcement has railed against their implement. Also with the increase in data loss, too, typically through an insider or from a remote access trojan (RAT), many companies are looking to ban VPN connections, and also to replace the digital certificate from the remote site with their own certificate (and thus be able to read the contents on a tunnel).

But now it is content streaming providers, such as Netflix, who are struggling to cope with them, as they allow users to "pretend" that they are based in the country where the service is licenced. The problem for Netflix is that many of the available TV and film content still restricted by location, so the usage of VPN proxies causes many problems in providing the same service across the world.

Netflix licencing problem

A proxy server is used to provide access to a remote system, and where the IP address of the proxy server appears in the access. Users can thus hide behind the proxies and hide their source. This is great for privacy, but it does little for services which depend on locating the access device, such as in streaming video services. 

So if a streaming content provider offers different rates around the world for accesses, users can simple proxy from that country and access the service at the reduced rate. Often content too is licenced for only certain regions of the world, and thus proxies can hide the origin, and the worry for Netflix is that they could be breaching licencing agreements.

Along with proxies, VPNs also hide the original source of the accesses, and thus cause problems for any service which relies on locating the accessor. The key feature with a VPN is that the IP address that appears for accesses is the IP address of the VPN server, thus users can hide behind them.

Proxies and VPN connections can thus be used to break the licencing agreements within the country that the content is being access from. For example, the BBC iPlayer restricts its licences to UK-based customers, but many access it through proxy/VPN servers that can be traced to the UK. Now it is Netflix that are banning proxy/VPN access. In Europe, too, Netflix users pay eight Euros per month, whereas in the US it is $8, but there is nowhere near the same service. With 190 countries to cover, thus, one must wonder if Netflix can provide the same service in each of these countries. 

VPN Proxies

Currently Netflix limits the access to content outside the US, with users in many countries gaining a reduced service. So, up to now, users in countries outside the US have paid for access to Netflix's content and used VPN connections to gain the core access. The company, though, is now looking to block VPN access, in order to protect content and comply with licencing agreements.

For Netflix the detection of proxies is likely to be done by:

• Monitoring high throughput connections.
• By reverse lookups on the IP addresses.
• By monitoring user logins, and mapping an IP addresses to them. If the user changes their connection too often, they may be using a VPN proxy.

Once we look past the usage of the known VPN proxies, it will then become difficult to detect, as users can easily create VPN connections themselves with Cloud-based systems.

The blocking of VPN proxies has been tried before, such as in 2014, with Hulu, but they failed to enforce it as VPN providers found ways to bypass restrictions.

Several VPN proxies providers are already quoting that, if they are banned, they will create a whole new network infrastructure within days. Within Cloud-based systems, too, a single IP address can quickly become millions, which will be much more difficult to detect and block.