SoylentNews is people

posted by Fnord666 on Tuesday February 20 2018, @08:14PM
from the no-more-working-from-home dept.

An increasing number of Internet Service Providers (ISPs) around the world have been blocking more and more access based on accusations of copyright infringement. Those demanding the blocking assert that high standards are followed when making the decision. However, those studying the situation are finding otherwise. Given the scope creep demonstrated by these activities, there is legitimate concern for the future availability of Virtual Private Networks (VPNs) on those providers.

TorrentFreak covers analysis from University of Ottawa law professor Michael Geist on the topic via his personal blog:

A group of prominent Canadian ISPs and movie industry companies are determined to bring pirate site blocking efforts to North America. This plan has triggered a fair amount of opposition, including cautioning analyses from law professor Michael Geist, who warns of potential overblocking and fears that VPN services could become the next target.

Michael Geist's personal blog jumps right in with a discussion of likely expansions to the scope of blocking and other sources of blocking over-reach.

The Bell coalition website blocking proposal downplays concerns about over-blocking that often accompanies site blocking regimes by arguing that it will be limited to "websites and services that are blatantly, overwhelmingly, or structurally engaged in piracy." Having discussed piracy issues in Canada and how the absence of a court order makes the proposal an outlier with virtually every country that has permitted site blocking, the case against the website blocking plan now turns to the inevitability of over-blocking that comes from expanding the block list or from the technical realities of mandating site blocking across hundreds of ISPs for millions of subscribers. This post focuses on the likely expansion of the scope of piracy for the purposes of blocking and the forthcoming posts will discuss other sources of blocking over-reach.

Once a technology or practice is in place, it is usually extended and abused beyond its original purpose. Even in the short history of the World Wide Web as well as the Internet, scope creep has shown itself to be a real problem.

Sources:
Canadian Pirate Site Blocks Could Spread to VPNs, Professor Warns
The Case Against the Bell Coalition's Website Blocking Plan, Part 5: The Inevitable Expansion of the Block List Standard for "Piracy" Sites

  • (Score: 4, Informative) by pipedwho on Wednesday February 21 2018, @02:40AM


    The only problem with routing over a TLS VPN for everything is that TLS runs over TCP, and TCP over TCP means compounding retransmissions and timeouts. The best underlying protocols for VPN are UDP and IPsec at the IP level. This lets TCP handle retransmission through the tunnel, without the tunnel also trying to retransmit lost packets.

    OpenVPN does TLS over port 443, so it looks like HTTPS to the ISP. OpenVPN also works over UDP, so it can be used efficiently where protocols/ports aren't being tracked and blocked.

    I even occasionally use an SSH tunnel as a VPN because port 22 is generally open on most networks, probably because it is so widely used for remote server administration and other remote terminal based activities. Too many corporate networks block SMTP and some even block IMAP and POP (even the secure variants), and I like to be able to get my mail through something other than a web client.

    Another problem with many commercial VPN providers is they provide reverse DNS domain names for their VPN end points that resolve as the VPN Company's domain. So a blacklist is easy to create and track once you decide that 'Company X VPN Service' needs to be blocked, just by doing a reverse lookup.

    A good VPN provider should be modulating its endpoints through a large pool of diverse IP addresses. Reverse lookups should resolve as some innocuous domain. And VPN clients should be using a private distributed network protocol to share IP addresses between clients to avoid DNS lookups during the connection phase. Optionally, TLS should be used to blind the use/protocol from visibility to simple protocol based blocking tools, and other methods should be employed to thwart traffic analysis.

    Anything less than the above and I have trouble getting back to my mail server from various 'hostile' corporate (or country) networks.


    Total Score:   4
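
The reverse-lookup blacklisting described in the comment above, seen from the network operator's side, as an added example that is not part of the original comment or of any real blocking system. The PTR answers, addresses, the provider domain `vpnco.example` and all function names are constructed assumptions; the lookup table stands in for live DNS so the block runs offline.

```python
import ipaddress

# Constructed sample data: PTR answers as a resolver might return them.
# Addresses are from documentation ranges; names use the reserved .example TLD.
CONSTRUCTED_PTR = {
    "203.0.113.10": ["node-17.vpnco.example."],
    "203.0.113.11": ["host11.notvpnco.example."],  # similar string, different domain
    "198.51.100.5": ["static-5.isp.example.", "NL3.VPNCO.EXAMPLE."],  # several PTRs
    "198.51.100.9": [],  # no PTR record published
}

PROVIDER_DOMAINS = {"vpnco.example"}  # hypothetical provider domain list


def normalise(name):
    """Drop the trailing root dot and fold case; DNS names are case-insensitive."""
    return name.rstrip(".").lower()


def under_domain(hostname, domain):
    """True if hostname is the domain or a subdomain of it.

    Compares whole labels, so 'notvpnco.example' does not match
    'vpnco.example' the way a plain string suffix test would.
    """
    host_labels = normalise(hostname).split(".")
    dom_labels = normalise(domain).split(".")
    return (len(host_labels) >= len(dom_labels)
            and host_labels[-len(dom_labels):] == dom_labels)


def classify(ip, ptr_table=CONSTRUCTED_PTR, domains=PROVIDER_DOMAINS):
    """Return the listed provider domain that any PTR name of ip falls under, else None."""
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    for name in ptr_table.get(ip, []):
        for domain in sorted(domains):
            if under_domain(name, domain):
                return domain
    return None


def build_blocklist(ptr_table=CONSTRUCTED_PTR, domains=PROVIDER_DOMAINS):
    """Addresses whose reverse DNS points into a listed provider domain."""
    return sorted(ip for ip in ptr_table if classify(ip, ptr_table, domains))
```

A classification built this way is only as reliable as the PTR names the address owner chooses to publish, so addresses with no PTR or an unrelated name come back as `None`.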