CIO Pakistan: The Insecurity Blanket

A look at how the PTA's VPN ban impacts businesses, and what smarter ways there are to "crack down".


Rabia Garib/Talha Ghafoor September 07, 2011

PTA Bans VPNs. Every website has the report so go ahead and read the details there.

We are, however, a little more interested in exactly what the VPN ban does, how it impacts the “legit” businesses and whether there are smarter ways to have a “crackdown”, since a blanket ban really is so 1990s.

A Little Lesson in Technology

Search for “PTA Bans” and you’ll come up with a more than unhealthy list of instances where blocks and bans have been imposed by the Pakistan Telecom Authority on ISPs. While the reasons are debatable, the track record is less than impressive. While proxies and other workarounds always make most URLs accessible eventually, is there really a load on the overall bandwidth pipe that is shared by the few million users?

According to the article on CIO.com:
Some commentators have taken this as a blanket ban on VPNs, but it is more likely aimed at proxy services that allow encrypted connections to be set up in a way that hides the IP address of the two ends of a link. These can fairly straightforwardly be blocked using domain filtering at ISP level although such an action is indiscriminate.

Informal VPNs – those between two or more PCs – can’t easily be detected let alone blocked without somehow looking for the ports opened by specific programs, an almost needle-in-a-haystack job. The packets themselves offer no clues as they are encrypted. There are also encrypted services such as Skype that use local PCs as supernodes and can’t be blocked at ISP level.

The Profiles


There are a number of different kinds of profiles that use some method of encryption for transaction of information:

  • Internet: This is when one user interacts with a service online, kind of a business-to-consumer interaction. It could be your Gmail account or any site where you may have some kind of authentication. These use SSL connections and usually go through an ‘https’ connection. This constitutes pretty much all of us.

  • Intranets: This is where one branch connects with a head office – it could be a bank or an ISP or mobile service outlet, any office which engages in ‘intra-office’ communication or transaction with its main network through an IPsec tunnel. These branches are usually ‘always on’ connections.

  • Extranets: When there is a business-to-business transaction that needs to take place through a VPN. Telecom companies or banks may have a direct line into NADRA, where the pipe that connects the telecom operator to NADRA for verification of identity runs through a secure tunnel. Or perhaps a telco needs to be connected to a bank to enable a mobile banking transaction. These are examples of how businesses connect to each other via VPNs.

  • Consumer Connections: Individuals, remote workers who may need to connect to the organization via a secure connection.


For at least three of the four profiles of VPN users, it is relatively simple to justify why a virtual private network is needed. It is this last profile that is going to be tricky since the remote user can dial into a VPN from any location and there isn’t a fixed IP or location for this to happen.

Is there a better way to do this?

Blanket bans are ineffective and inefficient. By forcing each user to justify why they need to have access to their VPN, the PTA is doing nothing more than creating another hoop for each profile user (above) to jump through.

There is no way any authority is going to be able to monitor the traffic passing through any gateway, nor is there an efficient and economical way to store all the data passing through. So that is out.

Perhaps rather than asking each user to justify their utility of a VPN, it might make better sense to have each ISP apply a loose monitoring system to help red flag and identify who might be abusing the system.

Even this, however, should not take place without a legal order in place allowing ISPs to snoop traffic. Once identified, the PTA (or the legal authority) should be able to physically meet with the ‘suspected individual’ and gain access to a VPN key. This is how access can be gained into the VPN traffic of one specific user with his/her consent.

Businesses, however, may not be open to sharing their encryption keys because they are using encrypted communication as per business requirements or to share corporate secrets. The PTA may be able to compel individuals to share their VPN keys; however, businesses may not necessarily comply.

Legal coverage is extremely critical here because of the owner privacy issue.

Practically speaking, every node that conducts an information handshake online has an identity attached to it. Since you cannot legally purchase any connection without an NIC, which connects the user to the activity conducted from a specific IP, it is very possible for the PTA to red flag a specific user and profile him or her.

But the problem appears to be a little more unclear than most people would be comfortable with.

For starters, it is unclear who exactly this ‘VPN Blanket Ban’ is protecting or soliciting. The language of the notice given out by ISPs seems characteristically vague.

If it is a counter-terrorism step, it just doesn’t seem to be very well thought out. Besides, there are countless other measures which must be taken alongside for a notice like this to actually be effective. Until the PTA or requisite authority thinks this through a bit more, there is always going to be a way to circumvent the ban.

Talha Ghafoor is an Information Security Consultant and Editor at CSO Pakistan; Rabia Garib is the Editor-in-Chief of CIO Pakistan.

This post was originally published on the CIO Pakistan website here.

COMMENTS (2)

Qazi | 12 years ago

VPN is not used by criminals as much as for legitimate use. Even if PTA gets the means to block VPN traffic, that will be a disaster for businesses and Pakistan will lose a lot of revenue from individuals as well as companies doing business with Pakistan.

Having everyone register the IP address which he will be accessing securely is absurd and will create havoc. The idea in itself is damaging for business.

Anthony Mitchell | 12 years ago

China and Russia abandoned their efforts to restrict encryption over ten years back. Both countries are more technically sophisticated and their governments have far greater resources to devote to controlling the Internet than PTA.

Contractually, businesses in Pakistan are often required to use VPNs and other forms of encryption. Client contracts would have to be terminated if encryption were outlawed. Many consumer applications automatically default to some form of encryption.

More immediate threats are from breached machines and from groups of them organized into botnets, some within the country itself, and which stand ready to attack government facilities and essential infrastructure. Fortunately, machines at risk can be easily identified and taken offline or patched. There would be widespread support for doing so, since breached machines are now being used as spam relays or to attack individual, corporate and university targets.

This is a good time to attack the need for encryption, which is in response to domestic snooping and spamming. PTA could play a positive role in initiating prosecutions of such snoopers, spammers and scammers, many of whom prey on the most defenseless members of society.
