• BearOfaTime@lemm.ee
    125 up, 3 down · 9 months ago

    Hahahahaha

    Unintended consequences - what are they going to do once 90% of connections are encrypted, including use of VPNs and encrypted DNS?

    This is what they’re promoting.

    Host your own encrypted DNS on a VPS in a non-compliant location, use a VPN to connect to it.

    So many ways these idiots are cutting their own throats.

    Also, let’s list the companies rather than say “Movie Industry”. Or let that be a link to a Wiki article listing all the companies and their holdings.

    Fuck em all at this point. I go to maybe 2 movies a year, at most. And I’m cutting subscription services, down to 2 at this point.

    • khorovodoved@lemm.ee
      41 up, 1 down · 9 months ago

      As a guy from Russia, I must admit that VPNs are not a big problem for censors. They can be easily blocked, including self-hosted ones, by protocol detection. And DNS would not do much with IP and ClientHello-based blocks. And most users are not tech-savvy enough to constantly switch to new protocols as old ones get blocked.

      • conciselyverbose@sh.itjust.works
        48 up, 8 down · 9 months ago

        You have no rights in Russia.

        VPNs can’t be categorically banned in the US without major first amendment issues. It’s not a huge technical issue, but unless the courts just throw out the Constitution (a risk that we’re seeing too much of, but still a meaningful bar to cross), there are huge legal barriers to doing so.

        Your government doesn’t need to care about legal barriers because you have a dictator who can act unilaterally.

        • RedFox@infosec.pub
          29 up, 1 down · 9 months ago

          We are just a little behind trying to elect our new dictator…

          But just for a day…

          /S 🙄

        • khorovodoved@lemm.ee
          8 up, 1 down · 9 months ago

          VPNs are not categorically banned in Russia either. Just 95% of them. A categorical ban is not actually required here. The government can just create a licensing procedure and license only those VPNs which follow “rules”. I do not see how this is different from ISP bans.

          • conciselyverbose@sh.itjust.works
            4 up, 1 down · 9 months ago

            Entirely unconstitutional restriction of speech.

            The government can shut down specific illegal acts, such as sharing other people’s intellectual property. They can’t ban tools or protocols, or do things that are functionally bans. There’s plenty of precedent of the government trying to restrict encryption and being shut down. Removing the ability to communicate securely is a first amendment violation.

            • khorovodoved@lemm.ee
              3 up · 9 months ago

              By the same logic they should not be able to force ISPs to ban sites, but here we are. If they can enforce bans with ISPs, why can’t they do the same with VPN providers?

              • conciselyverbose@sh.itjust.works
                1 up · 9 months ago

                They may or may not be able to require ISPs to block specific sites. Piracy isn’t protected speech. It’s going to be a moot point because it’s not something that can actually get passed.

                They cannot require ISPs to block VPNs. General tools for/access to the internet are protected speech. They could require VPNs that have physical servers in the US to block exits to specific sites (if the first part is valid), but that doesn’t do anything when it’s trivial to have exit nodes elsewhere and structure your service/corporate structure so the exit nodes are not subject to US jurisdiction.

      • Syn_Attck@lemmy.today
        5 up · 9 months ago

        CBaaS

        Censorship Bypass as a Service, where your new updates are your [unique user ID].com

        Let us manage your bypass for you! Payable in crypto or cash.

        • khorovodoved@lemm.ee
          2 up · 9 months ago

          HTTPS does not actually make a difference here. You can still detect VPN usage by the unencrypted ClientHello, encryption-inside-encryption, active probing, obscure libraries that the VPN protocol depends on, etc.

          • rottingleaf@lemmy.zip
            1 up, 3 down · 9 months ago

            WTF? How are you going to look inside HTTPS?

            Or is the word “encapsulation” (misspelled it first) unfamiliar to you in the network context? Maybe shouldn’t argue then?

            > obscure libraries that the VPN protocol depends on

            What? Are you an LLM bot? Answer honestly.

            • khorovodoved@lemm.ee
              2 up · 9 months ago

              First, please be a little bit more patient, and no, I am not an LLM.

              All HTTPS traffic is HTTPS-encapsulated by definition. And you can look inside HTTPS just fine. The problem is that most of the data is TLS-encrypted. However, there is a so-called “ClientHello” that is not encrypted and can be used to identify the resource you are trying to reach.

              And if you are going to HTTPS-encapsulate it again (like some VPN and proxy protocols do), the data will have TLS encryption on top of TLS encryption, which can be identified as well.

              And about libraries: the VPN protocol OpenConnect, for example, uses the library GnuTLS (which almost no one else uses) instead of the more common OpenSSL. So in China it is blocked using DPI by this “marker”.

              • rottingleaf@lemmy.zip
                1 up · 9 months ago

                > However, there is a so-called “ClientHello” that is not encrypted and can be used to identify the resource you are trying to reach.

                Yes, so how is it going to inform you that this is a VPN server and not anything else? You put your little website with kitties and family photos behind nginx on a hosting somewhere, and some resource there, like /oldphotos, you proxy to a VPN server, with basic auth before that maybe.

                > And about libraries: the VPN protocol OpenConnect, for example, uses the library GnuTLS (which almost no one else uses) instead of the more common OpenSSL. So in China it is blocked using DPI by this “marker”.

                Ah. You meant fingerprinting of clients.

                Banning everything using GnuTLS (which, eh, is not only used by OpenConnect) is kinda similar to whitelists.

                Both applicable to situations like China or something Middle-Eastern, but not most of Europe or Northern America.

                • khorovodoved@lemm.ee
                  2 up · 9 months ago

                  It is going to show the censor that you are trying to reach different banned websites (and, probably, Google, Facebook, etc.), all hosted on your server. Your beautiful website is all fine, but in the ClientHello there is still Google.

                  It is not necessarily fingerprinting of clients; you can fingerprint the server as well. GnuTLS for this particular purpose is used only by OpenConnect and that is just an example. This tactic is very effective in China and Russia and collateral damage is insignificant.

                  And various western anti-censorship organizations wrote articles that such methods are not possible in Russia as well, but here we are. China’s yesterday is Russia’s today, America’s tomorrow and Europe’s next week. Here it all started in the exact same manner, by requiring ISPs to block pirate websites. And between this and blocking whatever you want for the sake of National Security (for example, against Russian hackers) is not such a long road as you think it is.

                  • rottingleaf@lemmy.zip
                    1 up · 9 months ago

                    > It is going to show the censor that you are trying to reach different banned websites (and, probably, Google, Facebook, etc.), all hosted on your server. Your beautiful website is all fine, but in the ClientHello there is still Google.

                    WTF? No, in the ClientHello there is www.mysite.com. I’m talking about encapsulating traffic in an encrypted tunnel. We are assuming that FSB can’t decipher your TLS traffic.

                    The beautiful website I’ve imagined for a situation where some DPI robot will, say, visit it to check that there really is a website there. Or where you have to show that it’s a real website to get into a whitelist. Or something like that.

                    I don’t get it, you seem to be interested in the subject, but say weird things.

                    You also seem to be mixing up such entities as VPNs, proxies and encapsulation.

                    > GnuTLS for this particular purpose is used only by OpenConnect and that is just an example.

                    I’ve definitely seen more things using it even for similar purposes. Can’t remember anything specific, but I suppose a search in pkgsrc will yield something.

                    > This tactic is very effective in China and Russia and collateral damage is insignificant.

                    BTW, I’m using VPNs in Russia from time to time. Something doesn’t work, something does.

                    > And various western anti-censorship organizations wrote articles that such methods are not possible in Russia as well,

                    I’m describing a specific kind of encapsulation. What you can do to guess that it’s a VPN is to analyze the amounts of data transmitted. That’d just require sending garbage from time to time. I think I’ve even seen a ready piece of software to make such tunnels.