
UK households could face VPN 'ban' after use skyrockets following Online Safety Bill

Technology
  • Yeah, businesses will not accept this. Remote work and remote connections rely on VPN for ALL KINDS OF SHIT. If you must adhere to some kinds of government compliance, it is even MANDATED BY THE FUCKING GOVERNMENT. Explain to me how the hell that is going to just poof and not cause all kinds of problems.

    Individual customer VPN providers get banned, corporate VPN providers not banned. It's quite simple really.

    Or are you expecting the average Joe to spin up his own VPN server?

  • We didn't have a referendum on this though, and if we had done I don't think it would have passed

    Same was said during Brexit.

  • Convert churches into museums for art and displaying the horrors of religion

    Not all of them have pretty art. Just turn the boring looking ones into secular club houses or even just regular housing.

    True, and yes, please

  • And how do they update that IP list? Manually?
    If you set up your own overseas server, it's gonna be OK for a few days for sure. But they update the block list automatically, so people had to e.g. use a Cloudflare websocket as a jump host to avoid switching providers every other month. Of course CF is mostly blocked these days too, so it's probably just easier to offload the work to those VPN operators you mentioned.

    Universities are a different matter. They use Edu network and there used to be no censorship at all in Edu IPv6. Nowadays it's still relatively easy for them to get exemptions for their labs and whatnot.

    I don't know how they update their IP list. My university is an American university which I believe has no ties to China, but I can't say for sure. According to friends who use the clandestine OpenVPN services, they pay about 20 CNY a month and every month they are issued a new OVPN configuration file. Only occasionally do their servers get blocked before this, and then they have to issue new config files to everyone.

    As for myself, I have been to China two times using the OpenVPN server that I deployed on a US-based VPS I rented from a German hosting provider. Each trip lasted about one month. So far, the IP has not been blocked. The government's philosophy regarding the firewall and VPNs seems to be "make it as annoying as possible for the average uninformed layperson to bypass and go after people selling illegal VPNs, but otherwise, we don't give a shit". I do not sell access to my VPN to anyone else. It is strictly for my own use.

    Both times I was there, the firewall didn't apply to cellular data because they do not apply the firewall to holders of foreign SIM cards using their cellular service. I purchased a SIM from a Hong Kong carrier (SoSim) with a few gigabytes of data in both Hong Kong and mainland China for 100 HKD. The firewall doesn't apply within Hong Kong. It worked fine, though I do note that surveillance laws meant that I had to upload my passport to activate the service. I'm not a big fan of that, so I kept the VPN connected at all times, though normally-blocked websites did indeed work on cellular data even without the VPN. I checked on my cell phone's settings, and I know it connects to China Mobile towers when in mainland China. Note that China Mobile is owned by the Chinese state.

    I also confirmed that it doesn't apply the firewall when I have my T-Mobile (my US cell carrier) SIM in there. My carrier provides unlimited worldwide roaming at 2G speeds but I can confirm that it also connects to China Mobile towers and I could successfully access Wikipedia, a blocked site, without the VPN.

  • Prominent backbench MP Sarah Champion launched a campaign against VPNs previously, saying: “My new clause 54 would require the Secretary of State to publish, within six months of the Bill’s passage, a report on the effect of VPN use on Ofcom’s ability to enforce the requirements under clause 112.

    "If VPNs cause significant issues, the Government must identify those issues and find solutions, rather than avoiding difficult problems.” And the Labour Party said there were “gaps” in the bill that needed to be amended.

    China 1.5

  • this is obviously such a dumpster fire that I can't help but wonder, "When will they realize how dumb this is and back out of it?"

    Then I remember that Brexit happened.

    fuckin stubbornness is a national identity for you blokes innit

    Don't forget the raging alcoholism

  • A proxy is a step below a VPN since it doesn't tunnel data.

    Anti-detect browsers. Do you mean Tor? It's a decent solution, albeit the slowest one.

    What people use to bypass the great Chinese firewall is VPN with VLESS protocols. Unlike usual VPN protocols, those are specifically made to bypass censorship.

    No, not Tor; there are better proxies than what you are thinking of. No, not Tor browsers either.

  • Same was said during Brexit.

    We very much did have a referendum on Brexit though.

  • We very much did have a referendum on Brexit though.

    What I meant was during the Brexit referendum most people were saying it wouldn't pass. In other words, if there was a referendum for this it probably WOULD pass since it's really easy to influence people through media.

  • This makes me feel like they were in a bind here. The so-called "online safety bill" was a Tory concoction that took years to pass through the courts because of how invasive it is and how anyone could easily bypass it.

    If labour want to stop it, they'll be accused of not wanting to protect children.

    Whatever anyone thinks of labour, I'd ask people to ask themselves, if you were in that position, what option do they have other than to let it play out as the spectacular failure it was always going to be and making sure everyone knows who's fault that was afterwards?

    No. They could put it into a review and quietly shitcan this. It's not particularly popular. They just want to say they're protecting kids.

    They're spineless and Keir is an authoritarian.

  • That's a problem for ISPs and content providers to figure out. I don't see why the government has to care other than laying out the ground rules: you must offer and implement a parental filter for people who want it, for free, as part of your service. If ISPs have to do deep packet inspection and proxy certs for protected devices / accounts then that's what they'll have to do.

    As far as the government is concerned it's not their problem. They've said what should happen and providing the choice without being assholes to people over 18 who are exercising their rights to use the internet as they see fit.

    That's a problem for ISPs and content providers to figure out

    No, there are very good technical reasons why this approach can't work.

    ISPs ... deep packet inspection

    There is no deep packet inspection on properly encrypted TLS connections. I know TLS termination and interception and recertifying with custom certificates is a thing, but even if it were feasible to implement this on millions of client computers that you don't own, it is an absolutely god awful idea for a million reasons and much worse for privacy and security than the age-gate problem you're trying to work around.

  • I thought the UK was a Western democracy. What the hell are you guys doing over there?

    Lol. Democracy.

    Democracies don't care about their citizens' privacy. Just the optics of getting spied on citizens.

  • That's a problem for ISPs and content providers to figure out

    No, there are very good technical reasons why this approach can't work.

    ISPs ... deep packet inspection

    There is no deep packet inspection on properly encrypted TLS connections. I know TLS termination and interception and recertifying with custom certificates is a thing, but even if it were feasible to implement this on millions of client computers that you don't own, it is an absolutely god awful idea for a million reasons and much worse for privacy and security than the age-gate problem you're trying to work around.

    Actually it can be done and is being done. Software like Fortigate Firewall can do deep packet inspection on encrypted connections by replacing certs with their own and doing man in the middle inspection. It requires the browser has a root CA cert that trusts the certs issued by the proxy but that's about it. Filtering software could onboard a new device where the root cert could be installed.

    And if Fortigate can do it then any filtering software can too. e.g. a kid uses their filtered device to go to reddit.com, the filter software substitutes reddit's cert for their own and proxies the connection. Then it looks at the paths to see if the kid is visiting an innocuous group or an 18+ group. So basic filtering rules could be:

    1. If domain is entirely blocked, just block it.
    2. If domain hosts mixed content, deep packet inspection & block if necessary
    3. If domain is innocuous allow it through

    This is eminently possible for an ISP to implement and do so in a way that it ONLY happens when a user opts into it on a registered device while leaving everything open if they did not opt into it.

    And like I said, this is an ISP problem to figure out. The government could have set the rules and walked away. And as a solution it would be far simpler than requiring every website to implement age verification.

  • @arc99 @SpaceCadet that's basically allowing the Government to force ISPs to build a solution which is able to censor all content. Sorry, there are a lot of reasons why you should be against it.

    Deep packet inspection already happens on encrypted traffic (Fortigate Firewall) so it's eminently possible for filtering software to do the same.

  • Attached below is a Wireshark trace I obtained by sniffing my own network traffic.

    I want to draw your attention to this part in particular:

    Underneath "User Datagram Protocol", you can see the words "OpenVPN Protocol". So anyone who sniffs my traffic on the wire can see exactly the same thing that I can. While they can't read the contents of the payload, they can tell that it's OpenVPN traffic because the headers are not encrypted. So if a router wanted to block OpenVPN traffic, all they would have to do is drop this packet. It's a similar story for WireGuard packets. An attacker can read the unencrypted headers and learn

    • The size of the transmission
    • The source and destination IP addresses by reading the IP header
    • The source and destination port numbers by reading the TCP or UDP headers
    • The underlying layers, up until the point it hits an encrypted protocol (such as OpenVPN, TLS, or SSH)

    You're using the default port though, are you not? If the source port were not 1194, a port associated with openvpn, would wireshark still identify this as openvpn traffic?

  • Actually it can be done and is being done. Software like Fortigate Firewall can do deep packet inspection on encrypted connections by replacing certs with their own and doing man in the middle inspection. It requires the browser has a root CA cert that trusts the certs issued by the proxy but that's about it. Filtering software could onboard a new device where the root cert could be installed.

    And if Fortigate can do it then any filtering software can too. e.g. a kid uses their filtered device to go to reddit.com, the filter software substitutes reddit's cert for their own and proxies the connection. Then it looks at the paths to see if the kid is visiting an innocuous group or an 18+ group. So basic filtering rules could be:

    1. If domain is entirely blocked, just block it.
    2. If domain hosts mixed content, deep packet inspection & block if necessary
    3. If domain is innocuous allow it through

    This is eminently possible for an ISP to implement and do so in a way that it ONLY happens when a user opts into it on a registered device while leaving everything open if they did not opt into it.

    And like I said, this is an ISP problem to figure out. The government could have set the rules and walked away. And as a solution it would be far simpler than requiring every website to implement age verification.

    I know how it works, so spare me the explanation. It's not as easy as you make it out to be. OS and browser companies are actively fighting "rogue" root CAs and making it harder and harder to use custom CAs, especially on mobile devices.

    And for good reason, because by accepting a rogue root CA that's not your own, you're basically undermining the whole trust system that SSL is based on and surrendering all your online privacy and security to the government and your ISP. Whoever has control over that custom root CA has the keys to your online life.

    Rolling such a system out countrywide is utter madness.

  • What I meant was during the Brexit referendum most people were saying it wouldn't pass. In other words, if there was a referendum for this it probably WOULD pass since it's really easy to influence people through media.

    I get what you mean, for it to be comparable I think we'd need a "should there be legislation to protect kids on the Internet" referendum and then this is the implementation and everyone hates it...

  • I know how it works, so spare me the explanation. It's not as easy as you make it out to be. OS and browser companies are actively fighting "rogue" root CAs and making it harder and harder to use custom CAs, especially on mobile devices.

    And for good reason, because by accepting a rogue root CA that's not your own, you're basically undermining the whole trust system that SSL is based on and surrendering all your online privacy and security to the government and your ISP. Whoever has control over that custom root CA has the keys to your online life.

    Rolling such a system out countrywide is utter madness.

    You obviously didn't know how it works if I had to explain it was already possible. And I am not aware of any mobile device that prevents you installing a new root CA.

    And it isn't "madness", it's a completely workable way to offer filtering for people who want it for kids and have no filtering or censorship for anybody else. It is a vastly better option than onerously demanding adults provide their identity to random and potentially adult themed websites where they could be victims of identity theft or extortion

  • You obviously didn't know how it works if I had to explain it was already possible. And I am not aware of any mobile device that prevents you installing a new root CA.

    And it isn't "madness", it's a completely workable way to offer filtering for people who want it for kids and have no filtering or censorship for anybody else. It is a vastly better option than onerously demanding adults provide their identity to random and potentially adult themed websites where they could be victims of identity theft or extortion

    You obviously didn’t know how it works if I had to explain it was already possible.

    If you read my comment properly, you'll see that I wrote: "I know TLS termination and interception and recertifying with custom certificates is a thing"

    And it isn’t “madness"

    Yes it is. TLS interception should never be normalized because it breaks the chain of trust upon which TLS is based. It can be useful in some situations, like the Fortigate firewall where you control the certificate, but neither ISPs nor the government should be trusted to wield this power over virtually the whole country. It is a very slippery slope.

    I am not aware of any mobile device that prevents you installing a new root CA.

    On Android, apps can't install their own root CA. The user has to manually download it, then jump through a bunch of hoops and deeply nested menus to install it and in the process ignore all the scary warnings that their communication may be intercepted if they install and trust this certificate, and (at least on Pixel phones) they get a permanent warning in their notification tray that someone may be eavesdropping on them. Which is correct.

    It is a vastly better option than onerously demanding adults provide their identity to random and potentially adult themed websites where they could be victims of identity theft or extortion

    I'm strongly against government mandated age gates myself, but you're objecting for the wrong reasons. You're not providing your identity to the adult website. You're providing it to the third party identity verifier, who then certifies to the adult website that you are an adult without passing on your actual identity. Keep this in mind when you're arguing against it, because pro-age-gater puritans can use it to undermine your argument.

    I object to it first and foremost on principle. I shouldn't have to request permission from a third party or the government to do perfectly normal legal adult things in the privacy of my own home.

    Secondly, there is still a privacy problem at the "identity verifier". They may swear up and down that they do not store my identity data, but there is no way to prove that one way or another so I cannot trust that my data can't be leaked through them.

    Thirdly, when viewing adult content, I don't want there to be any association between my real identity and the adult content whatsoever, even through a third party, and I don't want there to be anything that uniquely identifies me.

    Finally, I object to the (re)demonization of all things sexual in our societies. We seem to be backsliding into puritanism under the guise of protecting the children, while we're doing nothing to protect them from real actually harmful online things that are damaging the younger generations beyond repair.

    I have a Gen Z stepson, and all the ways in which he is fucked up by the online world (no attention span, permanent online-ness, no real world friends, always seeking instant gratification, unrealistic expectations about life, an overly materialistic worldview, plenty of manosphere bullshit, ...) have precious little to do with viewing porn.

  • You're using the default port though, are you not? If the source port were not 1194, a port associated with openvpn, would wireshark still identify this as openvpn traffic?

    Wireshark can't, but there are other methods, such as checking for the known OpenVPN protocol opcodes in the headers:
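An added example, not code from the thread or from any poster, of the port-independent check the two posts above are discussing: classifying a UDP payload as OpenVPN or WireGuard from the plaintext header bytes alone, with the port deliberately not an input. The OpenVPN opcode table is the one from the OpenVPN protocol definition (first byte is `opcode << 3 | key_id`), and the WireGuard message types and fixed lengths are from the WireGuard protocol. The packets are constructed inline to show the layout; none are captures.

```python
"""Port-independent fingerprinting of OpenVPN and WireGuard UDP payloads.

Added example, not from the original thread. The packets below are
constructed to show the header layout; none were captured from a network.
"""

# OpenVPN: the first byte of every UDP packet is (opcode << 3) | key_id.
# Opcode values follow the OpenVPN protocol definition.
OPENVPN_OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
OPENVPN_HARD_RESET = {1, 2, 7, 8, 10}

# WireGuard: first byte is the message type, bytes 1-3 are reserved zeros.
# Handshake and cookie messages have fixed sizes; transport data is a
# 16-byte header plus ciphertext padded to 16 bytes plus a 16-byte tag.
WIREGUARD_TYPES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
    4: ("transport_data", None),
}


def classify_openvpn(payload: bytes):
    """Name the OpenVPN packet type from its plaintext opcode byte, or None.
    Heuristic: a hard reset opens a session, so its key_id must be 0; other
    opcodes are accepted on the opcode alone. tls-auth/tls-crypt add an HMAC
    and packet-id after the session id but do not change the first byte."""
    if len(payload) < 14:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    name = OPENVPN_OPCODES.get(opcode)
    if name is None:
        return None
    if opcode in OPENVPN_HARD_RESET and key_id != 0:
        return None
    return name


def classify_wireguard(payload: bytes):
    """Name the WireGuard message type from its plaintext header, or None."""
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return None
    entry = WIREGUARD_TYPES.get(payload[0])
    if entry is None:
        return None
    name, fixed_len = entry
    if fixed_len is not None and len(payload) != fixed_len:
        return None
    if fixed_len is None and len(payload) % 16 != 0:
        return None
    return name


def classify(payload: bytes) -> str:
    """Classify one UDP payload. The port is deliberately not an input:
    moving off 1194 or 51820 does not change these bytes."""
    return classify_wireguard(payload) or classify_openvpn(payload) or "unknown"


# Constructed samples (not captures).
SAMPLES = {
    # OpenVPN P_CONTROL_HARD_RESET_CLIENT_V2 without tls-auth: opcode byte
    # 0x38 (7 << 3 | key_id 0), 8-byte session id, 0 acks, packet id 0.
    "openvpn_client_reset": b"\x38" + bytes.fromhex("0123456789abcdef") + b"\x00" + b"\x00\x00\x00\x00",
    # WireGuard handshake initiation: type 1, reserved zeros, 144-byte body.
    "wg_handshake_init": b"\x01\x00\x00\x00" + b"\x11" * 144,
    # WireGuard keepalive: 16-byte transport header plus 16-byte tag only.
    "wg_keepalive": b"\x04\x00\x00\x00" + b"\x22" * 4 + b"\x00" * 8 + b"\x33" * 16,
    # DNS query (id 0x1234) for example.com: first byte 0x12 would read as
    # opcode 2 with key_id 2, which the hard-reset rule rejects.
    "dns_query": bytes.fromhex("123401000001000000000000" "076578616d706c6503636f6d" "0000010001"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:22s} {len(pkt):4d} bytes -> {classify(pkt)}")
```

The OpenVPN side is a heuristic: any UDP payload whose first byte happens to decode to a valid opcode passes the single-packet check, so a real classifier also looks at the flow (a client hard reset answered by a server hard reset, packet sizes, the 2-byte length prefix that precedes the same byte when OpenVPN runs over TCP). The WireGuard side is tighter because the reserved zeros and fixed handshake lengths leave far less room for coincidence, which is exactly why both protocols are easy to block by header alone unless an obfuscation layer is put in front of them.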
