CIO Pakistan: The Insecurity Blanket
A look at how the PTA's VPN ban impacts businesses, and what smarter ways there are to "crackdown".
PTA Bans VPNs. Every website has the report, so go ahead and read the details there.
We are, however, a little more interested in exactly what the VPN ban does, how it impacts the “legit” businesses, and whether there were some smarter ways to have a “crackdown”, since a blanket ban really is so 1990s.
A Little Lesson in Technology
Search for “PTA Bans” and you’ll come up with a more than unhealthy list of instances where blocks and bans have been imposed by the Pakistan Telecom Authority on ISPs. While the reasons are debatable, the track record is less than impressive. Proxies and other workarounds always make most URLs accessible eventually, so is there really any relief for the overall bandwidth pipe that is shared by the few million users?
According to the article on CIO.com:
Some commentators have taken this as a blanket ban on VPNs, but it is more likely aimed at proxy services that allow encrypted connections to be set up in a way that hides the IP address of the two ends of a link. These can fairly straightforwardly be blocked using domain filtering at ISP level although such an action is indiscriminate.
Informal VPNs – those between two or more PCs – can’t easily be detected let alone blocked without somehow looking for the ports opened by specific programs, an almost needle-in-a-haystack job. The packets themselves offer no clues as they are encrypted. There are also encrypted services such as Skype that use local PCs as supernodes and can’t be blocked at ISP level.
The Profiles
There are a number of different kinds of profiles that use some method of encryption for transaction of information:
- Internet: This is when one user interacts with a service online, a kind of business-to-consumer interaction. It could be your Gmail account or any site where you may have some kind of authentication. These use SSL connections and usually go through an ‘https’ connection. This constitutes pretty much all of us.
- Intranets: This is where one branch connects with a head office – it could be a bank, an ISP or a mobile service outlet, any office which engages in ‘intra-office’ communication or transactions with its main network through an IPsec tunnel. These branches are usually ‘always on’ connections.
- Extranets: When there is a business-to-business transaction that needs to take place through a VPN. Telecom companies or banks, for example, have a direct line into NADRA: the pipe that connects the telecom operator to NADRA for verification of identity runs through a secure tunnel. Or perhaps a telco needs to be connected to a bank to enable a mobile banking transaction. These are examples of how businesses connect to each other via VPNs.
- Consumer Connections: Individuals and remote workers who may need to connect to their organization via a secure connection.
For at least three of the four profiles of VPN users, it is relatively simple to justify why a virtual private network is needed. It is this last profile that is going to be tricky since the remote user can dial into a VPN from any location and there isn’t a fixed IP or location for this to happen.
Is there a better way to do this?
Blanket bans are ineffective and inefficient. By forcing each user to justify why they need to have access to their VPN, the PTA is doing nothing more than creating another hoop for each profile user (above) to jump through.
There is no way any authority is going to be able to monitor the traffic passing through any gateway, nor is there an efficient and economical way to store all the data passing through. So that is out.
Perhaps rather than asking each user to justify their use of a VPN, it might make better sense to have each ISP apply a loose monitoring system to help red-flag and identify who might be abusing the system.
Even this, however, should not take place without a legal order in place allowing ISPs to snoop on traffic. Once a user is identified, the PTA (or the legal authority) should be able to physically meet with the ‘suspected individual’ and gain access to a VPN key. This is how access can be gained to the VPN traffic of one specific user, with his or her consent.
Businesses, however, may not be open to sharing their encryption keys because they are using encrypted communication as per business requirements or to protect corporate secrets. The PTA may be able to compel individuals to share their VPN keys, but businesses may not necessarily comply.
Legal coverage is extremely critical here because of the privacy issue for the owner.
Practically speaking, every node that conducts an information handshake online has an identity attached to it. Since you cannot legally purchase any connection without a NIC (national identity card), which connects the user to the activity conducted from a specific IP, it is very possible for the PTA to red-flag a specific user and profile him or her.
But the problem appears to be a little more unclear than most people would be comfortable with.
For starters, it is unclear who exactly this ‘VPN Blanket Ban’ is protecting or soliciting. The language of the notice given out by ISPs seems characteristically vague.
If it is a counter-terrorism step, it just doesn’t seem to be very well thought out. Besides, there are countless other measures which must be taken alongside for a notice like this to actually be effective. Until the PTA or requisite authority thinks this through a bit more, there is always going to be a way to circumvent the ban.
Talha Ghafoor is an Information Security Consultant and Editor at CSO Pakistan; Rabia Garib is the Editor-in-Chief of CIO Pakistan.
This post was originally published on the CIO Pakistan website here.