The goal of the Pakistani government seems to be the complete obliteration of all private communications. But the only way to do that is by banning all communication.
With the ban on VPNs, steganographic[1] techniques that make encrypted traffic look like regular traffic will become more and more common. The troubling thing is the fact that these techniques are somewhat hungry for bandwidth.
I disagree with the spirit of this comment.
You don't need to ban all communication, to remove privacy in practice.
Crypto is currently usable in practice. Its a bit hard for many users, but its doable, especially with modern VPN implementations.
If any encrypted tunnel is allowed, you can put all your traffic through it, and no one knows whether you are surfing banned websites, or working on the corporate VPN.
And you can be pretty confident your modern crypto implementation isn't going to be broken.
But steganography isn't really usable, in practice.
If nothing else, the government can do traffic analysis, and see suspiciously large traffic volumes going to a small collection of servers (which are accepting the steg'd communication, and proxying your requests, presumably).
And even if the traffic looks like normal HTTP, with images in it, that's simply not good enough to use, in a regime where the secret police can arrest you if they suspect you are trying to hide your traffic content. And they will be able to find users, because eventually the servers accepting steg'd traffic, which the population are using, will become known.
So, while I think it'd be very hard to remove the ability to send small amounts of text data, from the Internet, I think it'd be possible to make private communication unworkable, in practice, for most people.
I don't see how this would be worked around, without building a massive distributed network of computers that all accepted and routed steg'd communication; something like if every webserver would accept, and onion-route, incoming steg'd traffic.
That doesn't exist, so I think their initiative will work, if they push it enough; hopefully rules like this remain isolated to relatively repressive regimes, and not gain widespread adoption; the widespread commercial use of encrypted communications is probably the best defence against global crypto bans.
You are right that, as steganography isn't really usable right now, you don't need to ban all communication to remove privacy in practice right now. But as governments adopt privacy-removing measures, the people will react devising privacy-enabling measures, and undetectable steganography might be possible in the future.
Let us remember that normal HTTP traffic follows a power-law, with relatively few sites getting the majority of the traffic, so there might be a way, if many of the high-traffic sites on the internet collaborate, of making "covert" traffic look just like "innocent" traffic.
that's simply not good enough to use, in a regime where the secret police can arrest you if they suspect you are trying to hide your traffic content
Even if we accept the premise of undetectable steganography, which is not possible by any possible means today, the arrests will continue to happen. However, I hope they will tend to happen less, as the large number of false-positive arrests would certainly cause high commotion in the general population.
* So, while I think it'd be very hard to remove the ability to send small amounts of text data, from the Internet, I think it'd be possible to make private communication unworkable, in practice, for most people.*
You are correct. Under the current situation, it'll be hard to make all your communication private under the restrictions imposed by, for instance, the Pakistani government, but dissidents don't need all communication to be private, and small amounts of text data might be all that's needed.
If you use steganography with plaintext, you're relying on security by obscurity. Governments aren't going to tell you when they've cracked your secret.
If you're encrypting your steganographic messages, you're increasing the entropy of the plaintext message you're concealing it in.
If you use steganography with plaintext, you're relying on security by obscurity.
No. It is perfectly possible to have steganographic keys, in the same way that you have cryptographic keys.
Trivial example: If the key is 7, the hidden message can be extracted by combining the least significant bits of every 7th pixel of an image. (Incidentally, that hidden message could also be, and indeed probably should also be, encrypted.)
For an example that's only slightly more complex but might actually be useful, replace "7" with a seeded CSPRNG.
you're increasing the entropy of the plaintext message you're concealing it in.
Yes. But you should still be able to conceal a low-bitrate secret message inside a high-entropy covertext/envelope/whatever-you-call-it without a significant chance of being detected.
Trivial example: With a good algorithm and a stick full of 1MB JPEGs, it shouldn't be possible for an attacker to determine which files contain a concealed (140-byte) tweet and which don't.
Solution: don't use it with plain text, but with compressed files such as photos and movies which have high entropy by virtue of their compression (if it is effective, that is).
I believe that blake8086 was referring to the content of the hidden message when he said plain text. He is asserting that if you hide 'hidden message here' in something, you are using security by obscurity, but if you try to hide ENC('hidden message here', 'secret key goes here') you are going to make the detection of the presence of your secret message easier.
I argued against the latter point: if you hide the encrypted message in something which is normally compressed such as JPEG or DivX, the encrypted message blends in with the rest of the data because compressed data has high entropy (the better the compression, the higher the entropy). I don't get your point about security by obscurity, that's pretty much the whole point of steganography I would suppose. Security by obscurity is mostly a slogan to criticize not publishing algorithms etc.
You need to quantify "blends in". If I [an attacker] plot a distribution of the entropy in all your files, and some of them are outliers, even by a small amount, I can focus all my analysis on those files.
What I know is that, as https is so easy to use, there are plans to make it serve covert traffic. So you would make a request to https://www.friendlyproxy.com with an extra header somewhat like What-I-Want: http://www.bannedsite.com and have "friendlyproxy.com" serve you the document you originally wanted.
I forgot the name of the project, though. I believe it was from an American university
Besides, with this new wave of government carrying MITM attacks, I don't know how useful this techniques will be.
I wrote something like this to circumvent our filtering proxy at work. I didn't open it up to the public because I was worried about being responsible for their traffic, though.
Psh, you can still spread messages person to person, you know, in REAL LIFE. It's sad how we're all tied to the Internet and try to make it the first and foremost way in which we communicate.
Most governments only go to controlling online activity after controlling real-life activity. I don't know about Pakistan specifically, but typically the domestic "security" organizations are rather adept at tracking down groups who organize in meatspace.
Why do the cops win? A network of instant communication. If you can't communicate quickly, or at least as fast as your enemies, in many cases you might as well not communicate at all. There are benefits of sneakernets but they don't win on their own.
In Iran, in the days we had protests, they dropped all encrypted connections as well. That makes internet simply unusable. I hope this would never come to Iran, although I believe it will. Soon.
What about the possibility of encrypted traffic that doesn't look encrypted? Perhaps "Liking" public Facebook status updates such that the first letter of each status liked, in chronological order, is the datastream.
To do this, wouldn't they have to effectively block SSL and SSH connections as well? SSL is used in OpenVPN and some Cisco implementations. And we all know that you can tunnel any port over ssh.
Or is the plan that the punishment for stepping outside the lines be enough to keep people from experimenting with these technologies?
Yes, I think they would need to block those as well in order to be effective.
Frankly I don't see how they could possibly get away with it. Businesses of any size can't run without encrypted channels. Proceeding with this seems sure way to smother any economic development and relegate the country to third-world backwater status for the foreseeable future. And is any world leader crazy enough to do that besides Kim Jong-il?
> Businesses of any size can't run without encrypted channels.
Sure they can - they did before the internet. (No, the postal mail is not secure.)
> Proceeding with this seems sure way to smother any economic development and relegate the country to third-world backwater status for the foreseeable future. And is any world leader crazy enough to do that besides Kim Jong-il?
Pretty much every "world leader" in the last 100 years (if not longer) has shown that s\he is willing to give up some economic development in return for control and other benefits. (They arguably give up more than they think that they're giving up, but that's a separate issue.) Disagree? Name three exceptions.
Besides, the effect on economic development in the short term will be almost unnoticable.
My wording was ambiguous, I should have said of any significant size.
Anyway, "some economic benefit" is the understatement of the year. A multinational simply can not do business without secure communications. History is irrelevant; Wells Fargo wrote out every transaction on a slip of paper and manually reconciled it every night 50 years ago, but to do so today would be utterly impossible. In todays global economy, countries need to be able to do business with foreign companies or they will be a backwater plain and simple. China certainly makes some of the tradeoffs you are talking about, but do they outright ban secure communications? Of course not, because that would be suicidal.
>Sure they can - they did before the internet. (No, the postal mail is not secure.)
It's several orders of magnitude more secure than plain http.
>Besides, the effect on economic development in the short term will be almost unnoticable.
India has to be chock full of nationalistic script kiddies and legitimate hackers who will have a field day wrecking Pakistan's online economy if they actually try to implement this plan.
As well they should. It's one thing to use your leet skillz on some bigco with the vague self-important notion that the man is oppressing the peepz, but how often do they get to go up against real, genuine Bad with a big b.
Hmm, that would mean no Gmail for anyone in Pakistan. Any service that uses SSL for logins would also become unusable if SSL was banned.
I don't see any mention of a wholesale ban on encryption, only the use of encryption for privacy purposes. So, port 443 might still be open. It's still pretty easy to distinguish between HTTPS traffic and VPN traffic, though.
> Authority prohibited usage of all such mechanisms including encrypted virtual private networks (EVPNs) which conceal communication to the extent that prohibits monitoring.
They sure can't monitor your email if you're using SSL, so I'd wager that yes, if you have gmail and live in Pakistan, now would be a great time to back it all up.
They could proxy the SSL connections and still let people log in while monitoring the traffic. Of course, your browser will complain if they rewrap it in SSL unless they get a cert like Iran did.
They don't need to do what Iran did. What Iran did was get a cert that was automatically trusted by nearly every web browser in the world because the issuer was a trusted CA by default. You only need a trusted cert if you don't want users to get a warning. Iran was trying to be sneaky. Pakistan is up front about wanting to monitor traffic. They can use any cert they want. They could use a self signed cert to proxy SSL. Sure, the browser will complain that it's not a trusted cert, but the government is already saying they are going to monitor everything. If users add the cert to the "trusted" list they won't get the warning anymore.
They're doing this under the pre-text of monitoring all internet usage so that they can 'search traffic for terrorist communication'.
At my university, students are required to browse through an authenticated proxy (which we have to sign in to using our university IDs), which logs our browsing history. This is done so that they can comply with the PTA's requirement that an ISP should be able to provide browsing history of all users for the last 45 days upon request.
Never mind that it's trivial to get around that proxy, all it actually does is mess up most stuff like Windows updates, gaming, etc.
SSL works in most ISP's in Pakistan, though anti-state and very bad for the children websites like the Rolling Stones are blocked. Nice, Pakistani friendly sites like redtube or child porn remain unblocked of course.
VPN's work too, so far. I'm on one right now. As to why - the filtration system the government is using is so brain dead - there is basically one Juniper router and a couple of Cisco routers (last time I looked) - through which the entire country's traffic is routed.
Using a VPN makes web browsing much faster, with no annoying "waiting" moments - which I presume is the routers locking up under massive load.
The day VPN's are blocked is going to be a sad day indeed. I am going to explore for alternatives to VPN's. Way back in the days of super slow dial up I used these services which would take a link and email the page or entire site to you depending on the command you sent, in a zip file.
Besides censorship, another reason is the local telephone monopoly, PTCL is trying to shut off all voice gateways into Pakistan, which are causing it to lose money and are hard to tap into as they are routed over VPN's to a local gateway connected to a bunch of landlines or cellphones which connects the local call.
Though of course they could just tap into the local last mile...
If Pakistani government can easily spy on the communications of their citizens, so can other organizations. Israel, India, Iran, to name a few of them.
This does nothing to stop people who are intent on communicating privately (SSL, SSH, public key encrypted messages, etc.) and everything to hamper internet progress in Pakistan.
Why would a tech company even consider spreading/outsourcing to Pakistan after this?
For the same reason that they spread, for example, to China? If they think there is money to be made, you can't underestimate the concessions that a company will make to the local government.
Apple obviously uses VPN in its non-Cupertino locations, presumably too with its production lines in China. I know that China allows the use of VPN for businesses with a legitimate need. Even though Pakistan was never an ideal location for doing business anyway, they've essentially banned any technical business from conducting operations in Pakistan.
More red tape, exactly what businesses need! <sarcasm>
Even multinationals don't enjoy having to spend extra resources to keep track of such arbitrary requirements. Will they need to register only the IP of their VPN gateways, or also the client IPs? Will they need to specify the type of software they use? What are the chances that they'll also be asked for certificates, so that spooks can snoop anyway?
If I have a website running on servers in Jamaica, selling paper planes, and I use SSL because it's the right thing to do, will Pakistani customers be able to buy anything from me? Obviously I haven't registered with the Pakistani government, chances are that I don't even know what Pakistan is!
This is unbelievable.
(On the other hand, it's a wet dream for the likes of RIAA...)
I am not sure this is that much more disturbing than the British Government even thinking about restricting the use of social media apps during times of civil disobedience. And this is extremely disturbing.
How can any global company now do business in Pakistan? Surely there is some kind of back door in there.
OpenVPN sessions look like SSL traffic to the eavesdropper. So there's a good reason to use OpenVPN in Pakistan. They'll have to ban SSL at the state level as well.
I'm not sure how banning VPN's is going to stop the terrorists. Don't they use cellphones to coordinate their strikes? You would have to stop the internet and all forms of communication to slow them down, and then still you wouldn't slow them down much. We gotta get "Right to bear encryption" next to "Right to bear arms" in the constitution/bill of rights.
With the ban on VPNs, steganographic[1] techniques that make encrypted traffic look like regular traffic will become more and more common. The troubling thing is the fact that these techniques are somewhat hungry for bandwidth.
[1] http://en.wikipedia.org/wiki/Steganography