agnos.is Forums


UK households could face VPN 'ban' after use skyrockets following Online Safety Bill

348 Posts 216 Posters 0 Views
  • A

    That's a problem for ISPs and content providers to figure out. I don't see why the government has to care other than laying out the ground rules - you must offer and implement a parental filter for people who want it for free as part of your service. If ISPs have to do deep packet inspection and proxy certs for protected devices / accounts then that's what they'll have to do.

    As far as the government is concerned it's not their problem. They've said what should happen and providing the choice without being assholes to people over 18 who are exercising their rights to use the internet as they see fit.

    spacecadet@feddit.nl
    #323

    That's a problem for ISPs and content providers to figure out

    No, there are very good technical reasons why this approach can't work.

    ISPs ... deep packet inspection

    There is no deep packet inspection on properly encrypted TLS connections. I know TLS termination and interception and recertifying with custom certificates is a thing, but even if it were feasible to implement this on millions of client computers that you don't own, it is an absolutely god awful idea for a million reasons and much worse for privacy and security than the age-gate problem you're trying to work around.

    • W

      I thought the UK was a Western democracy. What the hell are you guys doing over there?

      I
      #324

      Lol. Democracy.

      Democracies don't care about their citizens' privacy. Just the optics of getting spied on citizens.

      • spacecadet@feddit.nl

        That's a problem for ISPs and content providers to figure out

        No, there are very good technical reasons why this approach can't work.

        ISPs ... deep packet inspection

        There is no deep packet inspection on properly encrypted TLS connections. I know TLS termination and interception and recertifying with custom certificates is a thing, but even if it were feasible to implement this on millions of client computers that you don't own, it is an absolutely god awful idea for a million reasons and much worse for privacy and security than the age-gate problem you're trying to work around.

        A
        #325

        Actually it can be done and is being done. Software like Fortigate Firewall can do deep packet inspection on encrypted connections by replacing certs with their own and doing man in the middle inspection. It requires that the browser has a root CA cert that trusts the certs issued by the proxy, but that's about it. Filtering software could onboard a new device where the root cert could be installed.

        And if Fortigate can do it then any filtering software can too. e.g. a kid uses their filtered device to go to reddit.com, the filter software substitutes reddit's cert for their own and proxies the connection. Then it looks at the paths to see if the kid is visiting an innocuous group or an 18+ group. So basic filtering rules could be:

        1. If domain is entirely blocked, just block it.
        2. If domain hosts mixed content, deep packet inspection & block if necessary
        3. If domain is innocuous allow it through

        This is eminently possible for an ISP to implement and do so in a way that it ONLY happens when a user opts into it on a registered device while leaving everything open if they did not opt into it.

        And like I said this is an ISP problem to figure out. The government could have set the rules and walked away. And as a solution it would be far simpler than requiring every website to implement age verification.

        • glog78@digitalcourage.social

          @arc99 @SpaceCadet that's basically allowing the government to force the ISPs to build a solution which is able to censor all content. Sorry, there are a lot of reasons why you should be against it.

          PS: even your deep packet inspection falls short against end-to-end encryption / decryption ...

          A
          #326

          Deep packet inspection already happens on encrypted traffic (Fortigate Firewall) so it's eminently possible for filtering software to do the same.

          • natenate60@lemmy.world

            Attached below is a Wireshark trace I obtained by sniffing my own network traffic.

            I want to draw your attention to this part in particular:

            Underneath "User Datagram Protocol", you can see the words "OpenVPN Protocol". So anyone who sniffs my traffic on the wire can see exactly the same thing that I can. While they can't read the contents of the payload, they can tell that it's OpenVPN traffic because the headers are not encrypted. So if a router wanted to block OpenVPN traffic, all they would have to do is drop this packet. It's a similar story for Wireguard packets. An attacker can read the unencrypted headers and learn

            • The size of the transmission
            • The source and destination IP addresses by reading the IP header
            • The source and destination port numbers by reading the TCP or UDP headers
            • The underlying layers, up until the point it hits an encrypted protocol (such as OpenVPN, TLS, or SSH)
            W
            #327

            You're using the default port though, are you not? If the source port were not 1194, a port associated with OpenVPN, would Wireshark still identify this as OpenVPN traffic?

            • A

              Actually it can be done and is being done. Software like Fortigate Firewall can do deep packet inspection on encrypted connections by replacing certs with their own and doing man in the middle inspection. It requires that the browser has a root CA cert that trusts the certs issued by the proxy, but that's about it. Filtering software could onboard a new device where the root cert could be installed.

              And if Fortigate can do it then any filtering software can too. e.g. a kid uses their filtered device to go to reddit.com, the filter software substitutes reddit's cert for their own and proxies the connection. Then it looks at the paths to see if the kid is visiting an innocuous group or an 18+ group. So basic filtering rules could be:

              1. If domain is entirely blocked, just block it.
              2. If domain hosts mixed content, deep packet inspection & block if necessary
              3. If domain is innocuous allow it through

              This is eminently possible for an ISP to implement and do so in a way that it ONLY happens when a user opts into it on a registered device while leaving everything open if they did not opt into it.

              And like I said this is an ISP problem to figure out. The government could have set the rules and walked away. And as a solution it would be far simpler than requiring every website to implement age verification.

              spacecadet@feddit.nl
              #328

              I know how it works, so spare me the explanation. It's not as easy as you make it out to be. OS and browser companies are actively fighting "rogue" root CAs and making it harder and harder to use custom CAs, especially on mobile devices.

              And for good reason, because by accepting a rogue root CA that's not your own, you're basically undermining the whole trust system that SSL is based on and surrendering all your online privacy and security to the government and your ISP. Whoever has control over that custom root CA has the keys to your online life.

              Rolling such a system out countrywide is utter madness.

              • S

                What I meant was during the Brexit referendum most people were saying it wouldn't pass. In other words, if there was a referendum for this it probably WOULD pass since it's really easy to influence people through media.

                A
                #329

                I get what you mean, for it to be comparable I think we'd need a "should there be legislation to protect kids on the Internet" referendum and then this is the implementation and everyone hates it...

                • spacecadet@feddit.nl

                  I know how it works, so spare me the explanation. It's not as easy as you make it out to be. OS and browser companies are actively fighting "rogue" root CAs and making it harder and harder to use custom CAs, especially on mobile devices.

                  And for good reason, because by accepting a rogue root CA that's not your own, you're basically undermining the whole trust system that SSL is based on and surrendering all your online privacy and security to the government and your ISP. Whoever has control over that custom root CA has the keys to your online life.

                  Rolling such a system out countrywide is utter madness.

                  A
                  #330

                  You obviously didn't know how it works if I had to explain it was already possible. And I am not aware of any mobile device that prevents you from installing a new root CA.

                  And it isn't "madness", it's a completely workable way to offer filtering for people who want it for kids and have no filtering or censorship for anybody else. It is a vastly better option than onerously demanding adults provide their identity to random and potentially adult themed websites where they could be victims of identity theft or extortion.

                  • A

                    You obviously didn't know how it works if I had to explain it was already possible. And I am not aware of any mobile device that prevents you from installing a new root CA.

                    And it isn't "madness", it's a completely workable way to offer filtering for people who want it for kids and have no filtering or censorship for anybody else. It is a vastly better option than onerously demanding adults provide their identity to random and potentially adult themed websites where they could be victims of identity theft or extortion.

                    spacecadet@feddit.nl
                    #331

                    You obviously didn’t know how it works if I had to explain it was already possible.

                    If you read my comment properly, you'll see that I wrote: "I know TLS termination and interception and recertifying with custom certificates is a thing"

                    And it isn’t “madness"

                    Yes it is. TLS interception should never be normalized because it breaks the chain of trust upon which TLS is based. It can be useful in some situations, like the fortigate firewall where you control the certificate, but ISPs nor the government should be trusted to wield this power over virtually the whole country. It is a very slippery slope.

                    I am not aware of any mobile device that prevents you from installing a new root CA.

                    On Android, apps can't install their own root CA. The user has to manually download it, then jump through a bunch of hoops and deeply nested menus to install it and in the process ignore all the scary warnings that their communication may be intercepted if they install and trust this certificate, and (at least on Pixel phones) they get a permanent warning in their notification tray that someone may be eavesdropping on them. Which is correct.

                    It is a vastly better option than onerously demanding adults provide their identity to random and potentially adult themed websites where they could be victims of identity theft or extortion

                    I'm strongly against government mandated age gates myself, but you're objecting for the wrong reasons. You're not providing your identity to the adult website. You're providing it to the third party identity verifier, who then certifies to the adult website that you are an adult without passing on your actual identity. Keep this in mind when you're arguing against it, because pro-age-gater puritans can use it to undermine your argument.

                    I object to it first and foremost on principle. I shouldn't have to request permission from a third party or the government to do perfectly normal legal adult things in the privacy of my own home.

                    Secondly, there is still a privacy problem at the "identity verifier". They may swear up and down that they do not store my identity data, but there is no way to prove that one way or another so I cannot trust that my data can't be leaked through them.

                    Thirdly, when viewing adult content, I don't want there to be any association between my real identity and the adult content whatsoever, even through a third party, and I don't want there to be anything that uniquely identifies me.

                    Finally, I object to the (re)demonization of all things sexual in our societies. We seem to be backsliding into puritanism under the guise of protecting the children, while we're doing nothing to protect them from real actually harmful online things that are damaging the younger generations beyond repair.

                    I have a Gen Z stepson, and all the ways in which he is fucked up by the online world (no attention span, permanent online-ness, no real world friends, always seeking instant gratification, unrealistic expectations about life, an overly materialistic worldview, plenty of manosphere bullshit, ... ) have precious little to do with viewing porn.

                    • W

                      You're using the default port though, are you not? If the source port were not 1194, a port associated with OpenVPN, would Wireshark still identify this as OpenVPN traffic?

                      natenate60@lemmy.world
                      #332

                      Wireshark can't but there are other methods, such as checking for the known OpenVPN protocol opcodes in the headers:

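
As an added example (not the poster's capture, nor code from OpenVPN or any filtering product), the Python below decodes what the two posts above describe: the header fields an OpenVPN UDP packet exposes to anyone on the wire without a key, why the listening port plays no part in that, and the false positive a bare opcode check produces on a constructed DNS query. It assumes the default control channel without --tls-auth/--tls-crypt; all packets are constructed by hand.

```python
"""Decode the cleartext framing of OpenVPN-over-UDP packets.

Added example, not code from the thread or from OpenVPN. It reads only bytes
that OpenVPN sends in the clear; no key material is involved. Samples are
constructed and assume no --tls-auth/--tls-crypt (which add HMAC/replay fields).
"""
import struct

# Opcode is the upper 5 bits of the first byte, key id the lower 3 bits.
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}


def parse_openvpn_udp(payload: bytes):
    """Return the cleartext header fields of one UDP payload, or None.

    Ports are never looked at: the framing alone identifies the protocol,
    which is why moving the server off 1194 does not hide it.
    """
    if not payload:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode not in OPCODES:
        return None
    info = {"opcode": OPCODES[opcode], "key_id": key_id}
    if opcode == 9:  # P_DATA_V2: 3-byte peer id, then data-channel ciphertext
        if len(payload) < 4:
            return None
        info["peer_id"] = int.from_bytes(payload[1:4], "big")
        info["encrypted_len"] = len(payload) - 4
        return info
    if opcode == 6:  # P_DATA_V1: ciphertext follows the opcode byte directly
        info["encrypted_len"] = len(payload) - 1
        return info
    # Control channel: session id, ACK array, remote session id (only when
    # ACKs are present), packet id (not for P_ACK), then TLS handshake bytes.
    try:
        pos = 1
        sid, ack_len = struct.unpack_from(">8sB", payload, pos)
        pos += 9
        acks = struct.unpack_from(f">{ack_len}I", payload, pos)
        pos += 4 * ack_len
        info.update(session_id=sid.hex(), acks=list(acks))
        if ack_len:
            info["remote_session_id"] = struct.unpack_from(">8s", payload, pos)[0].hex()
            pos += 8
        if opcode != 5:
            info["packet_id"] = struct.unpack_from(">I", payload, pos)[0]
            pos += 4
    except struct.error:  # truncated: not a well-formed control packet
        return None
    info["encrypted_len"] = len(payload) - pos
    return info


def looks_like_openvpn_handshake(client_pkt: bytes, server_pkt: bytes) -> bool:
    """Stateful check on the first packet pair of a flow.

    A lone first byte matches 10 of 32 opcode values, so a one-packet test has
    a high false-positive rate. The opening exchange is specific: the client's
    HARD_RESET_CLIENT_V2 has no ACKs and packet id 0; the server's
    HARD_RESET_SERVER_V2 ACKs id 0 and echoes the client's session id.
    """
    c, s = parse_openvpn_udp(client_pkt), parse_openvpn_udp(server_pkt)
    if c is None or s is None:
        return False
    return (c["opcode"] == "P_CONTROL_HARD_RESET_CLIENT_V2"
            and c.get("acks") == [] and c.get("packet_id") == 0
            and s["opcode"] == "P_CONTROL_HARD_RESET_SERVER_V2"
            and 0 in s.get("acks", [])
            and s.get("remote_session_id") == c["session_id"])


# Constructed sample packets (not captured traffic).
CLIENT_HARD_RESET = bytes.fromhex("38 0102030405060708 00 00000000")
SERVER_HARD_RESET = bytes.fromhex(
    "40 a1a2a3a4a5a6a7a8 01 00000000 0102030405060708 00000000")
DATA_PACKET = bytes.fromhex("48 000001") + bytes(16)  # peer id 1, 16 ciphertext bytes
# A plain DNS query for example.com: its first byte 0x12 decodes to opcode 2,
# so the one-packet check "matches" it, while the handshake check rejects it.
DNS_QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
```
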
                      • A

                        Deep packet inspection already happens on encrypted traffic (Fortigate Firewall) so it's eminently possible for filtering software to do the same.

                        glog78@digitalcourage.social
                        #333

                        @arc99 please inform yourself about end-to-end encryption and decryption.
                        All I say is you haven't understood what is happening on this firewall and what this firewall can do and what the firewall can't do.

                        • S

                          Individual customer VPN providers get banned, corporate VPN providers not banned. It's quite simple really.

                          Or are you expecting the average Joe to spin up his own VPN server?

                          S
                          #334

                          And how do you expect that to work on a technical level?

                          • glog78@digitalcourage.social

                            @arc99 please inform yourself about end-to-end encryption and decryption.
                            All I say is you haven't understood what is happening on this firewall and what this firewall can do and what the firewall can't do.

                            A
                            #335

                            I'm intimately aware of what it can and cannot do. And it can intercept and man-in-the-middle any HTTPS traffic.

                            • A

                              I'm intimately aware of what it can and cannot do. And it can intercept and man-in-the-middle any HTTPS traffic.

                              glog78@digitalcourage.social
                              #336

                              @arc99 but end-to-end encryption is not by default HTTPS traffic 😉 SSH / VPN are protocols (end-to-end encryption, decryption) and this firewall can't deep inspect them, while this protocol can easily tunnel other tunnels.

                              • glog78@digitalcourage.social

                                @arc99 but end-to-end encryption is not by default HTTPS traffic 😉 SSH / VPN are protocols (end-to-end encryption, decryption) and this firewall can't deep inspect them, while this protocol can easily tunnel other tunnels.

                                A
                                #337

                                I really do not know what you are saying. I have just told you that Fortigate Firewall can and does do deep packet inspection on HTTPS connections. It does so by man in the middle proxying. If one filter / proxy can do it then any other could too. There would be ways for kids to circumvent this, e.g. via VPN, but that is no different than with age verification.

                                • A

                                  I really do not know what you are saying. I have just told you that Fortigate Firewall can and does do deep packet inspection on HTTPS connections. It does so by man in the middle proxying. If one filter / proxy can do it then any other could too. There would be ways for kids to circumvent this, e.g. via VPN, but that is no different than with age verification.

                                  glog78@digitalcourage.social
                                  #338

                                  @arc99

                                  I said (picture) your deep inspection falls short against real end-to-end. You said your firewall can break end-to-end ... nope, they can't and never will, and you exactly said this in your last post too. (Sidenote -> I can GPG a text and post it publicly even with HTTPS .. for 99% it will be gibberish and only the person who has the right key material will be able to read it) ... so using deep packet inspection to identify something you want to protect kids from is just a lie ...

                                  • glog78@digitalcourage.social

                                    @arc99

                                    I said (picture) your deep inspection falls short against real end-to-end. You said your firewall can break end-to-end ... nope, they can't and never will, and you exactly said this in your last post too. (Sidenote -> I can GPG a text and post it publicly even with HTTPS .. for 99% it will be gibberish and only the person who has the right key material will be able to read it) ... so using deep packet inspection to identify something you want to protect kids from is just a lie ...

                                    A
                                    #339

                                    I honestly do not know what you are saying. Deep packet inspection through a firewall that does mitm interception demonstrably happens. It is not up for debate.

                                    • A

                                      I honestly do not know what you are saying. Deep packet inspection through a firewall that does mitm interception demonstrably happens. It is not up for debate.

                                      glog78@digitalcourage.social
                                      #340

                                      @arc99 you still don't understand end-to-end encryption. Yes, man-in-the-middle decryption can be done. First, for this to happen you need to accept the certificates of the firewall (which in terms of a home PC you can't force anyone to do). Second, even if you can decrypt the HTTPS packets, you can still put an additional layer on top which only you and the receiver have the keys to.

                                      To give you an example, you can easily write down a base64 encoded binary blob in any text field on a website. If this binary blob has been encrypted before, no one will be able to tell what is inside.

                                      So breaking HTTPS is useless if someone really wants to hide information. So no, your deep packet inspection is totally useless. The only thing you know is that someone put strange stuff in a text on a website.

                                      • I

                                        No. They could put it into a review and quietly shitcan this. It's not particularly popular. They just want to say they're protecting kids.

                                        They're spineless and Keir is an authoritarian.

                                        U
                                        #341

                                        "Oh, I see. You want to help paedophiles do you? Why do you hate children then, hey? Of course keef comes out to help the Jimmy Savile brigade again."

                                        Congratulations, you just lost the media narrative and now all but one paper is going to write about how all the things that hurt every child in the UK is your fault, for the next 3 years. The whole system is compromised and they're passengers, only a little more engaged than we are.

                                        • U

                                          "Oh, I see. You want to help paedophiles do you? Why do you hate children then, hey? Of course keef comes out to help the Jimmy Savile brigade again."

                                          Congratulations, you just lost the media narrative and now all but one paper is going to write about how all the things that hurt every child in the UK is your fault, for the next 3 years. The whole system is compromised and they're passengers, only a little more engaged than we are.

                                          I
                                          #342

                                          Not really the narrative. Reform opposes it and Tories likely will. Only Lib Dems will complain and media ignore them anyway.

                                          Our media are bad, but not that tabloid.
