
How can regimes 'ban' VPNs?


Disparate Dan


There are many ways to get info out of the country, any 'smart techs' involved in communications know the tricks. 

Shortwave 'burst' systems are probably the easiest way. The distance from Myanmar to Thailand is over a small river, 100 metres at best. Easy TRX-RX install; the only risk is the person at the TRX end. Shortwave can be found reasonably easily, but 'burst' systems are almost perfect. But nothing is perfect. Judging by some comments I read here, we have some very smart people here. Other older technology can fly under the radar as well.

Personally I wouldn't recommend doing anything to get info out of the country; there be dragons.


A glimmer of hope - reference BBC World News (Asia - Burma) this morning:-

Internet returns

The monitoring group NetBlocks Internet Observatory said connectivity rose to about 50% by 14:00 local time (07:30 GMT) but access to social media, including Facebook and Twitter, remained blocked.

The shutdown was criticised by human rights groups. Amnesty International said the blackout was "heinous and reckless" and warned it could put people at risk of human rights violations.


1 hour ago, matador007 said:

There was a new VPN protocol released, I think it makes blocking a little bit harder and also difficult to detect.

It's called WireGuard.

 

Here is a decent writeup for those that want to get more familiar:
https://restoreprivacy.com/vpn/wireguard/

 

So that can help to get around blocks for now.  And also Tor Browser is a good tool.

Wrong. WireGuard is even easier to detect than common OpenVPN because it does not use traffic obfuscation, uses a fixed, single type of encryption, uses a fixed packet size, et cetera.

 

https://lists.zx2c4.com/pipermail/wireguard/2018-September/003289.html

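The "fixed packet size" point in the reply above is easy to make concrete. The classifier below is an added example written for this page, not code from the thread or from the WireGuard project. It relies only on the framing published in the WireGuard protocol paper: a one-byte message type, three reserved bytes that are always zero, fixed lengths of 148, 92 and 64 bytes for the three handshake message types, and for data packets a 16-byte header followed by AEAD ciphertext whose length is a 16-byte tag plus a multiple of 16. The capture, the addresses and the TLS-looking decoy datagram are all constructed. The lesson is on the risk side: a tunnel this regular is visible to anyone watching the link without any decryption, which is why circumvention setups put an obfuscating transport in front of it.

```python
import os
from typing import Iterable, Optional, Set, Tuple

# Message types and fixed lengths from the WireGuard protocol description.
WG_FIXED_LENGTHS = {1: ("handshake_initiation", 148),
                    2: ("handshake_response", 92),
                    3: ("cookie_reply", 64)}
WG_TRANSPORT_DATA = 4
WG_DATA_HEADER = 16   # type(1) + reserved(3) + receiver index(4) + counter(8)
WG_AEAD_TAG = 16      # ChaCha20-Poly1305 tag appended to the ciphertext


def classify_udp_payload(payload: bytes) -> Optional[str]:
    """Name the WireGuard message type a UDP payload looks like, or None.

    Purely structural: no keys, no state, just the fixed framing."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None  # reserved bytes are always zero
    msg_type = payload[0]
    if msg_type in WG_FIXED_LENGTHS:
        name, length = WG_FIXED_LENGTHS[msg_type]
        return name if len(payload) == length else None
    if msg_type == WG_TRANSPORT_DATA:
        # Plaintext is zero-padded to a multiple of 16 before encryption, so the
        # ciphertext length is always tag + k*16, with k = 0 for a keepalive.
        body = len(payload) - WG_DATA_HEADER
        if body >= WG_AEAD_TAG and (body - WG_AEAD_TAG) % 16 == 0:
            return "transport_data"
    return None


def find_wireguard_peers(packets: Iterable[Tuple[str, str, bytes]]) -> Set[Tuple[str, str]]:
    """Flag (client, server) pairs where an initiation was answered by a response.

    Requiring both directions cuts false positives from a lone 148-byte datagram."""
    pending: Set[Tuple[str, str]] = set()
    confirmed: Set[Tuple[str, str]] = set()
    for src, dst, payload in packets:
        kind = classify_udp_payload(payload)
        if kind == "handshake_initiation":
            pending.add((src, dst))
        elif kind == "handshake_response" and (dst, src) in pending:
            confirmed.add((dst, src))
    return confirmed


def wg_shaped(msg_type: int, length: int) -> bytes:
    """Constructed packet with WireGuard framing and random filler (no real crypto)."""
    return bytes([msg_type, 0, 0, 0]) + os.urandom(length - 4)


# Constructed capture: one WireGuard session plus an unrelated datagram whose
# first bytes mimic a TLS application-data record, so it never matches.
CLIENT, SERVER = "10.0.0.5:51820", "203.0.113.7:51820"
SAMPLE_CAPTURE = [
    (CLIENT, SERVER, wg_shaped(1, 148)),
    (SERVER, CLIENT, wg_shaped(2, 92)),
    (CLIENT, SERVER, wg_shaped(4, WG_DATA_HEADER + 1280 + WG_AEAD_TAG)),  # 1280-byte payload
    (SERVER, CLIENT, wg_shaped(4, WG_DATA_HEADER + WG_AEAD_TAG)),         # keepalive
    ("10.0.0.9:40000", "198.51.100.2:443", b"\x17\x03\x03" + os.urandom(145)),
]

if __name__ == "__main__":
    for src, dst, payload in SAMPLE_CAPTURE:
        print(f"{src} -> {dst}: {len(payload):5d} bytes  {classify_udp_payload(payload)}")
    print("WireGuard peers:", find_wireguard_peers(SAMPLE_CAPTURE))
```

Note that nothing here touches the cryptography: the handshake stays secure, but its shape gives the protocol away, which is the distinction the reply is drawing between "encrypted" and "hard to block".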

On 2/6/2021 at 11:48 AM, robblok said:

Once they know what IP address a VPN uses to connect to, they just put that on the block list and done. The problem is for governments to keep the blocked list updated and for VPN makers to have addresses off the blocked list.

 

No need to break encryption at all, just make sure the connection can never be made.

I think a problem for a rogue government (i.e., a coup or quasi-elected authoritarian regime) trying to stop wholesale use of VPNs is that they are frequently used to secure domestic enterprises' internal communication with foreign branches, suppliers and customers.

An indiscriminate VPN ban essentially shuts down global enterprise communications. Knowing an ISP doesn't give access to encrypted content. The government would also have to require enterprises to provide their encryption keys so as to monitor content to assure that its communications were "legal."

I think this was raised as an issue by Thai-based enterprises when NCPO Chief Prayut considered duplicating China's cyber Great Wall.


Perfect Privacy VPN allows VPN cascading with up to 4 chains and has a good range of VPN server choices.  Below is an example of connections:

[image: example of VPN chain connections]

It also has something called NeuroRouting that uses AI for optimization.

It seems to be quite highly configurable. Just testing it at the moment.

I would imagine there will be trade offs with speed but if privacy is your prime objective then it looks like a reasonable option.

It can also be set up and configured on a VPN capable router.


2 minutes ago, Srikcir said:

I think a problem for a rogue government (i.e., a coup or quasi-elected authoritarian regime) trying to stop wholesale use of VPNs is that they are frequently used to secure domestic enterprises' internal communication with foreign branches, suppliers and customers.

An indiscriminate VPN ban essentially shuts down global enterprise communications. Knowing an ISP doesn't give access to encrypted content. The government would also have to require enterprises to provide their encryption keys so as to monitor content to assure that its communications were "legal."

I think this was raised as an issue by Thai-based enterprises when NCPO Chief Prayut considered duplicating China's cyber Great Wall.

Yes, you're totally right; however, if we are talking about Myanmar then it's just something they have to do for a short while, until disturbances are quelled (I'm against this coup, just explaining their POV). But if this were long term, a lot of companies would not be able to work, as a VPN is often used.

When my GF works she connects to her company's VPN to keep it all safe. I am sure in Myanmar it's the same, but maybe fewer people work like that. It would certainly screw up things for businesses.


9 minutes ago, Phuketshrew said:

I would imagine there will be trade offs with speed but if privacy is your prime objective then it looks like a reasonable option.

Not reasonable as all servers in the chain belong to the same company.


You can stop VPNs from working simply by blocking IP numbers, or whole groups of IP numbers; a robot (program/script) should be able to search for IPs that offer VPNs.

 

Alternatively, as Myanmar did during the coup, and again on Saturday, they can "cut" the wire (fibre), i.e. have the ISPs (ISP = Internet Service Provider) block the data network. Only 16 percent of Myanmar's Internet worked last Saturday...

 

[chart showing internet connectivity]


On 2/6/2021 at 10:26 AM, tifino said:

In Burma though it's quicker, cheaper and requires less tech-savvy for the soldiers to simply bash down every household front door for a look-see.

They could, but a VPN is software, not a hardware black box (except for routers like mine with the VPN installed on it). They would have to cruise your computer or phone to find it, delete it, etc. When they leave you just install it again. Fruitless endeavor for them.

 

VPNs work by encrypting all traffic in and out of your computer/phone to your ISP. 

It's pretty easy to know if you're using one: they can't read your data stream. So your ISP could simply block you from using their bandwidth if they can't read your traffic. If you then started using public access points it would be a constant cat-and-mouse game for them.

Burma simply cut off all web access in the country. That will always work except for satellite access links.

 

In short it is difficult for regimes to regulate traffic but if you have enough people you can do it. Even the CCP has trouble with censoring the web. 


15 hours ago, fdsa said:

Decrypting and manipulating network packets takes far fewer resources than you think.

google:// blue coat dpi

their servers have similar CPU power & amount of RAM as your smartphone.

That is not entirely correct. DPI of TLS traffic only works when the certificate of the target system can be switched to the certificate of the DPI appliance. The appliance then opens another connection to the target system and acts as a man in the middle. It's not trying to brute force encrypted packets. So of course you don't need massive processing power for that.

DPI of TLS traffic is feasible in an enterprise environment, but not with ISPs because this activity would need to happen transparently, which is not possible as it by design breaks the end to end encryption. You can easily see that your encrypted connection is to another system than the website you want to reach.


54 minutes ago, me4175 said:

DPI of TLS traffic is feasible in an enterprise environment, but not with ISPs because this activity would need to happen transparently, which is not possible as it by design breaks the end to end encryption. You can easily see that your encrypted connection is to another system than the website you want to reach.

There are companies selling "SSL inspection" hardware with embedded certificate authority inside, which generate a valid certificate for every HTTP request in real time, allowing a completely transparent interception of SSL/TLS traffic at the ISP level.

One example is the above-mentioned Blue Coat:

 

http://web.archive.org/web/20161107050520/https://www.bluecoat.com/company/press-releases/blue-coat-acquires-netronome-ssl-technology-extend-leadership-enterprise

 

- their hardware allowed interception of 10 Gbit/s of SSL traffic already in 2013, so I assume terabits per second is possible now with the current hardware performance level.

 

More reading:

https://media.defense.gov/2019/Dec/16/2002225460/-1/-1/0/INFO SHEET MANAGING RISK FROM TRANSPORT LAYER SECURITY INSPECTION.PDF

 

https://www.niap-ccevs.org/MMO/PP/MOD_STIP_V1.0.pdf

 

in short: SSL/TLS is a global hoax.


4 hours ago, fdsa said:

There are companies selling "SSL inspection" hardware with embedded certificate authority inside, which generate a valid certificate for every HTTP request in real time, allowing a completely transparent interception of SSL/TLS traffic at the ISP level.

One example is the above-mentioned Blue Coat:

 

http://web.archive.org/web/20161107050520/https://www.bluecoat.com/company/press-releases/blue-coat-acquires-netronome-ssl-technology-extend-leadership-enterprise

 

- their hardware allowed interception of 10 Gbit/s of SSL traffic already in 2013, so I assume terabits per second is possible now with the current hardware performance level.

 

More reading:

https://media.defense.gov/2019/Dec/16/2002225460/-1/-1/0/INFO SHEET MANAGING RISK FROM TRANSPORT LAYER SECURITY INSPECTION.PDF

 

https://www.niap-ccevs.org/MMO/PP/MOD_STIP_V1.0.pdf

 

in short: SSL/TLS is a global hoax.

SSL/TLS is not a hoax. The embedded CA can still only issue certificates which are different from the target system's actual cert. So while the cert may be trusted (as long as the cert of the DPI device's CA is in the trusted root CA store of the client), it's different and that can easily be verified.

 

And for non-enterprise clients there's no way the CA cert of the DPI device would end up in the trusted root CA store of the client, other than by some form of malware.


2 hours ago, me4175 said:

SSL/TLS is not a hoax. The embedded CA can still only issue certificates which are different from the target system's actual cert. So while the cert may be trusted (as long as the cert of the DPI device's CA is in the trusted root CA store of the client), it's different and that can easily be verified.

Yes, you could easily verify every website's certificate fingerprint with the assistance of a browser add-on such as CertPatrol, but how many people actually verify every certificate? One in a million, or one in ten million?

 

2 hours ago, me4175 said:

And for non-enterprise clients there's no way the CA cert of the DPI device would end up in the trusted root CA store of the client, if not by some form of malware.

These certificates come preinstalled in your operating system, with a separate copy in the browser as well.

For Firefox: open Edit - Preferences - Advanced - View Certificates - Authorities, and be amazed that your browser will trust a certificate for the google.com domain issued by "Chunghwa Telecom Co., Ltd" or Hongkong Post or the incredible "ACCVRAIZ1" certification authority.


On 2/6/2021 at 6:36 AM, uncleP said:

China's Great Firewall can't beat well-known VPNs, so I doubt Burma can either.

It's possible China allows some VPNs (e.g. those which only accept foreign credit cards, don't advertise in China/Chinese, etc.) for the convenience of foreigners in the country (and/or hefty bribes).


I am also puzzled how many Thai websites are unobtainable (here in LoS) when my VPN is switched on. Big deal? I suppose not, but it's a real nuisance to have to remember to switch the VPN off and then on again, instead of just leaving it on permanently - which to my mind is elementary security, not paranoia.

Things like Lazada or JD, for instance, implying that if I am in (e.g.) Aus or Singapore, I can't order to Thailand. That makes no sense, especially now, with people stuck all round the world. But I can order from Tops' online site.

I just noticed the Immigration website (I want to do my 90-day report) won't connect via VPN.

Minor irritation, you will say, but I don't recall having similar problems in other countries using the same VPN system.


On 2/8/2021 at 8:25 PM, Iron Tongue said:

Regimes can ban whatever they want, it's the enforcement that is difficult.  This is why they also shut down all internet traffic as well as cell phones when necessary.  

 

 

 

Whatever happened to the one internet gateway in Thailand?  Has it been completed? 

 

A VPN is no good to anyone if they pull the plug on the whole internet in Thailand in times when the Government may not want the outside world to know what's going on in Thailand.  

Edited by KhunHeineken

On 2/8/2021 at 10:03 PM, fdsa said:

These certificates come preinstalled in your operating system, with a separate copy in the browser as well.

For Firefox: open Edit - Preferences - Advanced - View Certificates - Authorities, and be amazed that your browser will trust a certificate for the google.com domain issued by "Chunghwa Telecom Co., Ltd" or Hongkong Post or the incredible "ACCVRAIZ1" certification authority.

The list of root CAs does not include the CAs integrated into DPI appliances. The cert for that would need to be distributed separately, which, again, can easily be done in a corporate environment but not on private computers.

So even though some of the trusted root CAs in the OS and browsers may seem sketchy, I'm sure that if any of them issued a fake certificate for google.com, they would be out of business pretty quickly. It happened to DigiNotar before, for example.

So while the CA trust model is not perfect (what is?), it is pretty effective so far.

Edited by me4175

6 hours ago, me4175 said:

The list of root CAs do not include the CAs integrated into DPI appliances.

I have heard a rumor that there are three companies selling appliances with root CAs inside; at least one of them is a US company and at least one is an Israeli one. Unfortunately I do not have any documented proof. However, as I have learned in past years, if something could theoretically be hacked, then it has already been hacked by governments.

Ask yourself: why should your browser trust any certificate issued by the Hongkong Post? Does a simple postal service own so many domains that it was cheaper for them to put a root CA in most computers on the planet than just to buy all the necessary certs from some large company such as Symantec or Comodo? Or because it needs to issue thousands of new certificates every single day? Then ask the same question about every other root CA in your browser.

 

Also think about inter-server communication. While you could manually verify a certificate fingerprint on the local computer to detect whether it was forged or not, server software such as curl or whatever else does not verify the fingerprints; the server software just verifies that the certificate: 1) is not expired; 2) was issued by any of the trusted CAs. So all SSL communication between servers on the Internet could be MITM'ed, and it is way more difficult to detect than interception of SSL communication between one's local computer and some website.

So the current situation with SSL certificates is not just a theoretical vector; it is a clear attack surface. That's why I call it a global hoax.

 

 

6 hours ago, me4175 said:

So even though some of the Trusted Root CAs in the OS and browsers may seem sketchy, I'm sure that if any of them would issue a fake certificate for google.com, they would be out of business pretty quickly. Happened before to DigiNotar for example.

DigiNotar was hacked by the "wrong people". The "right people" just buy the DPI appliance with a trusted root CA, be it ACCVRAIZ1 or even Symantec itself.

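The exchange above turns on one question: what can a client check that does not depend on which CA signed the presented certificate? The answer is pinning, and the block below is an added example written for this page, not code from the thread or from any product mentioned in it. It keeps, per host, a set of SHA-256 fingerprints of the DER-encoded certificates the client expects (the same value a browser's certificate viewer or `openssl x509 -fingerprint -sha256` displays), with a backup pin so a planned rotation is not mistaken for an attack, and an optional trust-on-first-use mode for the server-to-server case raised in the post. The "DER" byte strings are constructed stand-ins, not real X.509 data; the logic is unchanged for real certificates. Tools do support this when configured (curl's `--pinnedpubkey` option, for instance, pins the server's public key), but it is off by default, which is the gap the post describes.

```python
import hashlib
import hmac
from typing import Dict, List, Set, Tuple


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER bytes, as shown by certificate viewers."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Per-host set of allowed leaf-certificate fingerprints.

    A 'mismatch' here is independent of chain validation: the presented
    certificate may chain perfectly to a trusted root and still not be the
    one this client expects, which is exactly the interception case."""

    def __init__(self, trust_on_first_use: bool = False) -> None:
        self._pins: Dict[str, Set[str]] = {}
        self.tofu = trust_on_first_use

    def pin(self, host: str, *ders: bytes) -> None:
        """Pin one or more certificates (current plus backup) for a host."""
        self._pins.setdefault(host, set()).update(sha256_fingerprint(d) for d in ders)

    def check(self, host: str, presented_der: bytes) -> str:
        """Return 'match', 'mismatch' or 'no-pin' for a presented leaf cert."""
        fp = sha256_fingerprint(presented_der)
        pins = self._pins.get(host)
        if not pins:
            if self.tofu:
                self._pins[host] = {fp}  # remember what we saw on first contact
            return "no-pin"
        # compare_digest keeps the comparison constant-time; a good habit for
        # any digest check even when the value being compared is public.
        if any(hmac.compare_digest(fp, p) for p in pins):
            return "match"
        return "mismatch"


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
LEGIT_CURRENT = b"DER:example.com:leaf:2021"
LEGIT_BACKUP = b"DER:example.com:leaf:2022-rotation"
INTERCEPTOR = b"DER:example.com:leaf:minted-by-inspection-appliance"


def run_scenario() -> List[Tuple[str, str]]:
    """A client that pinned the current and backup certs sees three connections."""
    store = PinStore()
    store.pin("example.com", LEGIT_CURRENT, LEGIT_BACKUP)
    observed = [
        ("normal connection", LEGIT_CURRENT),
        ("after planned rotation", LEGIT_BACKUP),
        ("behind an inspecting middlebox", INTERCEPTOR),
    ]
    return [(label, store.check("example.com", der)) for label, der in observed]


def run_tofu_scenario() -> List[str]:
    """A server-side client with no pre-shared pins, learning on first contact."""
    store = PinStore(trust_on_first_use=True)
    return [store.check("api.example.net", der)
            for der in (LEGIT_CURRENT, LEGIT_CURRENT, INTERCEPTOR)]


if __name__ == "__main__":
    for label, verdict in run_scenario():
        print(f"{label:32s} -> {verdict}")
    print("TOFU client:", run_tofu_scenario())
```

The design choice worth noting is the pin set rather than a single pin: pinning only the current certificate makes every legitimate renewal look like interception, and clients that cry wolf get their pinning turned off. Trust-on-first-use, as in the second scenario, detects a change after the first contact but cannot tell whether that first contact was already intercepted, so it is a weaker guarantee than pre-shared pins.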

7 hours ago, me4175 said:

The cert for that would need to be distributed separately, which, again, can easily be done in a corporate environment but not on private computers.

This is applicable to the legitimate DPI appliances that are used for protecting companies from corporate espionage and intellectual property theft.

And I am talking about illegitimate appliances advertised for "fighting terrorism" but actually used by regimes to oppress their citizens and to collect compromising material about selected people.

Edited by fdsa
