By Azdhan
At the moment, it’s almost impossible to use advanced machine learning algorithms to detect and block VPN traffic for widespread use because it’s too expensive. Most technology is based on patterns and regular expressions.
What does VPN traffic look like to detect? Detection can be based on specific signatures or constant byte patterns. For example, with WireGuard, it’s very easy to implement this regular expression because WireGuard is a well-known protocol, and there are predictable bytes that are constant. However, there are more advanced patterns, and there are engineers, such as those in Roskomnadzor in Russia, who are trying to implement new patterns that allow them to detect more advanced VPN protocols.
Note: Roskomnadzor is The Federal Service for Supervision of Communications, Information Technology and Mass Media. This government body responsible for monitoring, controlling, and censoring mass media
But new patterns are also being developed, such as patterns of network usage. For example, when using a VPN, you send traffic through a VPN application, trying to send all packets to a single destination. This can also be considered a pattern.
How does Russia censor the internet? In Russia, we have a government structure called Roskomnadzor, for example, that controls things like blocking DPI and so on. They basically install devices called the TMCT inside the ISP. These devices are responsible for handling DPI.
Note: TMCT refers to Technical Means of Countering Threats, where the network operators are required to share the routing information to the regulator, Roskomnadzor.
They analyze HTTP, HTTPS requests, and responses, as well as DNS requests, and they’re able to check what is going through that device. If there is any other protocol, it’s easy to see what protocol you’re using and even what content is being transmitted. That is very concerning, I would say, for sure.
So, the main thing is to be able to avoid recognition by those devices. There should be different headers, different patterns, and so on.
On Honeypots: I think it’s a really important one because we believe that honeypots are serious threats, especially when it comes to user trust. Yes, there is an issue with honeypots, particularly in heavily censored regions. And that’s why our app is open source.
So, you can verify its code and ensure that there is no hidden surveillance mechanism. I would recommend choosing open-source VPN solutions. Otherwise, it’s all about trust, and it seems hard to trust due to the presence of honeypots nowadays.
Well, I meant not the protocol being open source, because there are a bunch of different protocols. What I meant is that the app itself, the code of the app, should be open-sourced. So it should be posted, for example, on GitHub, where you can actually build the app. You can download the repository and build the app yourself to see how it works. You can check its code from top to bottom, and you can even take the code, throw it into ChatGPT, for example, and ask, “Are there any honeypots? Is there anything hidden that I should know about?” And it will tell you no. In our case, for example, there should also be no collected logs, and so on. In my opinion, that is also important.
On measures to protect the infrastructure: There are many measures in place to protect our infrastructure and some of our metrics. It’s private technology, how we defend our backend, and how we manage these things. But overall, you can read our audit reports and check how we approach security. All data is available. It’s almost impossible to explain everything in 30 minutes. The audit took about one month to detect our vulnerabilities, and we regularly fix all vulnerabilities. The audit was made by 7A security.
On VPN Censorship in India: Yes, we read about certain directives in India, and as far as I know, the requirements are to collect and store user data and logs, which we believe is completely unacceptable. It definitely contradicts the purpose of a VPN. We have no plans, for example, to register or host infrastructure in this case because of these demands. We refuse to compromise on user privacy and security because that is the cornerstone of our principles.
Since we do not collect any user data, information, logs, or traffic, we would refuse to comply with such requirements. It’s not good to collect all that information. So, we would continue to develop new solutions to avoid censorship. If an app is blocked in certain stores, there are ways to work around that, like changing regions. There are things you can do to access the apps you need.
On Government demands for user data: We would refuse because, as I mentioned earlier, we would refuse to collect data. So, they would have to send requests to Google, and the app would eventually become inaccessible from India. In that case, we would recommend the same methods to download the app as we do in Russia and other countries by changing regions in the App Store or Google Store. There are other platforms where you can download the app, such as GitHub, APKPure, or Uptodown. Additionally, there is more we are working on.
Well, it’s inevitable, you know; you have to make peace with it. What other options are there? It’s either you agree to these demands and stay, but in doing so, you’ll lose all the trust that users have placed in you over time. That’s not going to work because it’s all about trust, all about reputation, and we are not going to do that. So yes, if they remove it, that’s fine. There are other options to download and distribute the app. If they ban it on those platforms as well, then yes, we will work on it and upload it elsewhere.
On ISP’s blocking IP addresses without government order: Oh, they do, of course; it’s a pretty common thing. But, for example, when we talk about WireGuard, the original protocol no longer works in most parts of Russia at all. And as we mentioned earlier, that’s why we created AmneziaWG, an enhanced version of WireGuard. And yes, obviously, technologies will continue to develop, which is why we have an incoming second iteration. Essentially, all of this with the protocol is a race to see who will do it first, right? But yes, it’s a pretty common thing. We’ve sort of gotten used to it, not going to lie, but we have to stay ahead.
On governments regulating self-hosted VPNs? That’s a tricky question. Well, I would say that there are options, for example, where a VPN protocol can mimic normal traffic, such as HTTPS. XRay VLESS does that, and I would consider that as an option to explore.
I think the problem of criminalization is not the VPN protocols being detected, because XRay VLESS and AmneziaWG are undetectable, like a regular VPN tunnel. The most important risk is detecting VPN applications on devices.
For example, in Turkmenistan, there are very strong laws that prohibit the use of VPNs, and users try to hide how they use VPN applications. If the police check your mobile phone and find a VPN application, you can be charged in Turkmenistan. So, that’s the most important issue.
For example, in Russia, when you’re using bank apps and so on, they actually check the processes on the phone to see if you’re using a VPN. If they detect it, they will ask you to turn it off, saying, “Please don’t use VPN.” I would say that is not a good sign for the future. So, we will, I would say, have to mimic the app to something else as well.
On advice to using VPNs in high risk areas: Well, I would suggest maybe using two phones. Don’t use a fingerprint to unlock your phone, so the government authorities won’t be able to unlock it with your finger, and don’t use Face ID either, as that is not safe.
There are also options on Android phones, for example, where you can hide apps. In most cases, police officers aren’t very tech-savvy, so they’re not likely to dig deeply into your phone. You can try hiding the apps you’re using, putting a password on them, or changing the icon, changing the name, and so on. There are options available to help you stay safe.
On challenges to VPN providers from governments: It’s a constant technological battle to see who will do it first. The one who does it first is often followed by others catching up, and switching places is just part of the process. The government blocks first, creates something new, and we catch up. Or we get ahead by creating something truly innovative and undetectable, such as the protocol we already have. Now, for example, the government is trying to catch up, but so far, it’s difficult for them to do so. We are ready for it, and everyone should be ready for it, both now and in the future.
First and foremost, it should be completely transparent to users. That’s the key. Ideally, it should be open source. Open-source VPNs will evolve towards complete decentralization and increased flexibility because, as I mentioned, it’s a battle. You have to either catch up or stay ahead. What I mean by this is that you can’t hold your infrastructure in one place; you can’t store payment data, for example, in one location because it can be blocked at any time. Protocols, of course, should be capable of rapid adaptation to censorship, as this will become critical.
The threats are increasing, with the sophistication of DPI growing, and on top of that, AI is being incorporated. This will make metadata analysis by governments more widespread. While it’s still an expensive process, as I mentioned earlier, it will become cheaper over time.
Advice before using VPNs: I would advise that there should be full transparency from the VPN service providers, because otherwise, you cannot trust it, especially due to honeypots. That’s a critical issue. If it doesn’t have open code, you cannot know what’s actually going on. So, I would advise being careful, researching the matter, and being really cautious.
It is most important for users to stay updated on what is happening in the field of VPN blockages by governments and the overall situation in various countries. Understanding what’s going on in different regions is crucial. Stay informed about censorship and related matters. Reading sources like Medianama is a good way to stay updated.
Summary: Indian government staunchly defends its rules for VPN providers
Who Is In Charge Of Regulating VPNs In India?
IFF Questions VPN Apps Ban in India Over Security Risks