To America's Tech Companies: May You ALL Be Astroided
The Market Ticker - Commentary on The Capital Markets
2017-07-07 22:19 by Karl Denninger
in Technology

Yes, all of you.

I wish for an asteroid to impact all your campuses and every last one of your executive's homes.  I will pray for it this evening and every day forward until it happens.

I've pointed out many of the stupid, allegedly "independent" decisions of American tech companies in the past, many of which look intentional.  But the current set of not-funny things I've found of late is so far beyond the pale of reason that it can only be characterized as intentional on a collusive basis.

Let me start with Micro****you Windows.

It includes a VPN client.  There's a problem with it -- by default it proposes 3DES as the encryption for the key exchange.  3DES hasn't been secure in a very long time.  What's equally bad is that it also proposes a payload (ESP) encryption that is not secure.  Let me point out that our government uses this client for allegedly-secure things, which means the defaults must be overridable or every single DOD-related machine on the so-called "secure" network would be a bad joke.

As it turns out it can be overridden -- here's how.  I've known about this for quite a while but I'm now pissed-off enough to make sure you know about it too.  So if you are actually using Windows VPN client go fix that right damn now.

But, it gets better: if you have a Windows Phone (and probably a tablet too) you can't fix it.  Why not?  Because to actually fix it for VPNs you have to be able to modify the routing, and Windows 10 changed the default without notice so that the default route is not on the secure network.  Windows Phone has no way to get into that screen at all -- it doesn't exist.  On Windows 10 it does, in the adapter properties (which are difficult to find, but there).  So now you know -- Microsoft intentionally crippled VPN support on Windows 10 to make your data insecure on purpose: they changed this default, and unless you catch and fix it much of your data won't route down the VPN at all.

Specifically, you have to go into the Control Panel, click "Network and Sharing Center", then select "Change adapter settings" (left side).  You will see your VPN in that list as a "WAN Miniport".  Right-click it, choose Properties, then the Networking tab, then Internet Protocol Version 4, then Advanced.  There, under IP settings, you will find that the "Use default gateway on remote network" box is not checked.  Check that box!
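As an added check (not code from the original post), the following Python script audits every VPN entry in the Windows RAS phonebook (rasphone.pbk) for the setting behind that checkbox, so you can find every connection that is still split-tunnelling instead of clicking through each one.  Assumptions: the phonebook key IpPrioritizeRemote=1 is what the "Use default gateway on remote network" box writes, Type=2 marks a VPN entry, the default per-user phonebook path is the one below, and the sample phonebook is constructed.

```python
"""Audit the Windows RAS phonebook (rasphone.pbk) for VPN entries that do not
send all traffic through the tunnel.  Added example, not code from the post.
Assumptions: IpPrioritizeRemote=1 is the phonebook field behind "Use default
gateway on remote network", Type=2 marks a VPN entry, and the default
per-user phonebook path is the one below."""
from __future__ import annotations

import configparser
import os
from pathlib import Path

DEFAULT_PBK = (Path(os.environ.get("APPDATA", ".")) / "Microsoft" / "Network"
               / "Connections" / "Pbk" / "rasphone.pbk")

# Constructed sample phonebook in the INI-style layout Windows uses.  One IKEv2
# entry has the box unchecked (split tunnel), one has it checked, and a dial-up
# entry is present to show that non-VPN entries are ignored.
SAMPLE_PBK = """\
[Office IKEv2]
Encoding=1
PBVersion=1
Type=2
AutoLogon=0
IpPrioritizeRemote=0
IpInterfaceMetric=0
MEDIA=rastapi
Port=VPN2-0
Device=WAN Miniport (IKEv2)

[Home IKEv2]
Encoding=1
PBVersion=1
Type=2
IpPrioritizeRemote=1
MEDIA=rastapi
Port=VPN2-1
Device=WAN Miniport (IKEv2)

[Legacy Dialup]
Type=1
IpPrioritizeRemote=0
Device=Standard Modem
"""


def parse_pbk(text: str) -> dict[str, dict[str, str]]:
    """Each connection is an INI section; keys may repeat, so parse leniently."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def split_tunnel_entries(text: str) -> list[str]:
    """Names of VPN entries whose default route will NOT go through the tunnel."""
    flagged = []
    for name, keys in parse_pbk(text).items():
        if keys.get("Type") != "2":           # only VPN entries matter here
            continue
        if keys.get("IpPrioritizeRemote", "0") != "1":
            flagged.append(name)
    return flagged


def load_pbk(path: Path = DEFAULT_PBK) -> str:
    """Read a phonebook, honouring a UTF-16 BOM if Windows wrote one."""
    raw = path.read_bytes()
    encoding = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return raw.decode(encoding, errors="replace")


if __name__ == "__main__":
    text = load_pbk() if DEFAULT_PBK.exists() else SAMPLE_PBK
    for entry in split_tunnel_entries(text):
        print(f"{entry}: 'Use default gateway on remote network' is unchecked")
```

Run it on a Windows box and every name it prints is a VPN profile that will leave most of your traffic on the local link.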


Let me make this clear: If you don't catch this yourself all Windows 10 machines have no secure transport actually operating even though they appear to have it working and yes, fixing it is that far hidden down in the options pages.

That path is not available on a Windows Phone.  The good news is that Windows 10 (including Windows Phone) will apparently honor some rather baroque proprietary DHCP options (no, not the standard default-gateway announcement that all DHCP servers send down!), but the odds of the stock-standard DHCP server built into basically every VPN gateway ever made having that particular Micro****you option in it are zero.  In other words, for the big corporate or government guys they did in fact put in a way for it to autoconfigure when their "road warriors" connect, but for everyone else you're ****ed unless you know about this and manually fix it.  The only good news is that once you fix it the settings stay fixed -- at least so far they have in my experience (since Win10 first showed up).

I'm just getting started, however -- Redmond is just the first place I wish for an asteroid to impact.

The second is Google.

Android is deliberately coded so that all hotspot or tethered connections will not route down an active VPN.  In fact if you try it what you'll probably find is that nothing works at all while your VPN is up because the DNS servers are all hosed.  But even if you get around that you'll find it doesn't matter -- the traffic is going down the non-VPN'd link.

There is no way around this without root and no, BlackBerry did not fix it in their phones.  So **** you BlackBerry, you just went on my **** list and you're staying there until you force those **********s at Google to either stop this **** or stop selling allegedly-secure phones entirely.

Why is this important?  We'll get to that in a minute, but understand this -- you can use the StrongSwan app on Android to set up an extremely secure VPN that even the NSA probably cannot break.  However, you can't then tether a device off that phone and have it protected as well because Google decided to route tethered data down the non-VPN interface and you can't change that.  Of course that's not obvious either which means you will probably think you're secure when you're not.

May Google and everyone who works there be hit by an asteroid: In my opinion this is an intentional and malicious decision as it forbids you from protecting tethered devices with a very solid and secure VPN with no known work-around.

Now we get to the cherry on top of the above horse****.  Windows, as noted above, has a built-in VPN client and if you know what you're doing you can make it reasonably secure (it's definitely not "out of the box".)  But the latest outrage, which belongs to Comcast, Cocks, the various mobile carriers and others, is what data network folks are doing inside their networks.

They are dropping fragmented packets.

Let me explain why this matters.  When you have a VPN during the setup process you must exchange certificates if you wish to use said VPN in a secure manner.  Passwords are never sufficiently secure simply because they're tiny and almost-always insufficiently random.  Certificates are very secure if properly generated; they are nearly impossible to break.  The problem is that a certificate will not fit in a single packet with the other data that has to be there to set the connection up.  This means a fragmented UDP packet -- at least a couple of them -- must pass for the connection to come up.

Block fragments and you block secure VPNs such as IKEv2, unless the client knows to ask for IKE fragmentation on the initial connection.  Oh, by the way, IKEv2 is not only secure; it is capable of IP hopping and renegotiates keying automatically, which not only makes it even more secure but means the tunnel can stay nailed up while you move around and your address changes (e.g. on a phone that is actually moving).  Once the VPN is up the protocol handles all of this internally and there's no problem, but during the negotiation it doesn't know what it needs to do because it hasn't set up the connection yet.

Guess whose IKEv2 client can't handle that and doesn't ask?  Windows, again -- and by the way, this very same limitation has been there since Windows 7.  Microscrewyou has not seen fit to update its gateway software since 2009; it is now almost eight years later and IKEv2 fragmentation is still not supported on Windows.  At all.

The effect of this outrage, if you have a Windows machine, is that if any ISP or device in the path between you and your VPN server drops fragments, the connection won't come up at all.

On Android I can work around this because the StrongSwan client can have the server's certificate loaded locally and then be told not to ask for it, and the client knows how to do fragmentation.  The former requires you to trust that the server's key has not been compromised, since it bypasses revocation and signature (by the Certificate Authority) checks, but it also avoids the need to send the massive packets during setup and thus the problem doesn't occur.  But see above for why this can't protect your other machines -- Google intentionally prevented you from protecting them behind your active VPN!

Since Windows won't similarly negotiate a connection without getting the machine certificate from the server (it always asks, and if it doesn't get it the client throws up; it refuses to look in the local certificate store), any ISP that blocks fragments also blocks all secure connections from said Windows machines, with no work-around.

Congratulations America.  By sitting on your ass and not giving a **** about privacy and data security for two decades, along with allowing Zuckerpig and the rest to data mine you to oblivion the marketers and everyone else in the Internet and device business have gotten together and slowly strangled the ability to actually secure your data.  They are of course doing this so they can sell your data which they collect without your knowledge or consent.

You can bet their communication channels have workarounds for some or all of this.

Yours do not.

Welcome to the Hell that you built with your heads buried in your damn smartphones.

Now let me tell you how you get around this, because I've figured out a way.  It's somewhat of a pain in the ass but it works.

1. On your Android phone download PDANet.  Pay June Networks their one-time license fee.  It's worth the money.  Download their desktop software plug-in for your Windows machine.

2. Get a USB cable for your Android phone.  Set up StrongSwan on said Android phone and get it working to your VPN.  Start said VPN and connect it with a nice, strong and secure link.

3. Use PDANet to tether via USB.

Now your tethering routes down the VPN you have set up on the phone.  **** you Google, **** you Microsoft, and **** you all the ISPs and others who are dropping fragmented packets.

I win, you lose.  The only thing lost by doing this is network browsing, if you have an internal network of Windows machines, because of how addressing works in this configuration; you can still mount resources by name, you just can't register with the WINS server, so network browse doesn't operate.

Comments
Beango
Is it technically possible to fully load a native, arm-supported bsd or linux distribution on an Android? You know where I'm going with this -- you may not be able to load apps from the appstore per se, but it would be secure as f**k if you had complete control over the source code.
Tickerguy
Sure, but then you wind up with what amounts to a BlackBerry 10 device.

Worse, there are callbacks out of the RIL (radio code) you won't be able to get source or decent documentation on without working with Qualcomm, and of course they'll ask for (demand) a NDA...

----------
Winding it down.
Supertruckertom (USA)
Did we just get to see the written version of your War Face?

Has anyone else ever exposed these vulnerabilities?

----------
Preparing to go Hunting.
Elonsaves
Hold the phone. What's wrong with BlackBerry 10? My passport silver delivers more data than I need to know, can know, or should know. And its "wow!" factor is a nice conversation starter. Was thinking about buying another because the battery life on this one is starting to suck.
Idiom (New Zealand)
This is the **** the NSA and FCC should be ****ting on companies for, but they have their loyalties exactly backwards.
Maurevel (Canada)
How much time elapsed between
"What a beautiful morning. I'll set up my VPN then I'll have coffee" and the ticker? Has to be over a day.
Asimov (East Tennessee)
I wonder what level of arm twisting was required for them to make these decisions.

I can't imagine they would choose to screw their customers like this of their own volition.

----------
It's justifiably immoral to deal morally with an immoral entity.

Festina lente.
Tickerguy
Quote:
Has anyone else ever exposed these vulnerabilities?

The Win10 issues, yes. The others, I don't recall reading anything about them anywhere else.
Quote:
Hold the phone. What's wrong with BlackBerry 10?

It also doesn't route tethered data down the VPN and never has. It's been an issue forever with their phones. The combination of the other problems would screw you hard.
Quote:
How much time elapsed between
"What a beautiful morning. I'll set up my VPN then I'll have coffee" and the ticker? Has to be over a day.

The VPN here has been working for a very long time; the latest "**** you" came with the frag issue, which has been slowly spreading like a virus over the last few years, and finally has gotten to the point where it basically forced me to do something about it lest the VPN be worthless.

----------
Winding it down.
Mekantor (Houston, TX)
how do the various commercial vpns deal with the fragmented packet issue?
Tickerguy
Well now Mekantor, that's the problem you see. There's no way around this for any actually-secure VPN (that is, one that runs IKEv2.) You either have the ability to get at least a couple of fragmented packets between you and they for initial setup or you don't.

IKEv2, once initial setup is complete, deals with fragmented packets internally and without problems by evading it in the protocol itself. The problem lies with initial setup -- your end must authenticate the server's certificate and to do that it has to be sent TO YOU. It's that ONE exchange that blows you up if the other end can't declare its ability to handle IKE fragmentation.

Even if I go to an ECDSA certificate (which incidentally Windows doesn't handle AT ALL; Micro****you's client won't recognize them), which is much smaller, the initial exchange is just big enough to run into fragmentation problems (about 1700 bytes.)

This JUST started becoming a big enough issue on a consistent basis for me to get pissed off about it. There have always been the odd places where fragmentation screwed you, but they were infrequent enough to not really **** me off much. This is now spreading like a virus and I have to wonder if "somebody" has started harassing "some other people" -- that is, it's not an accident.

IKEv2 can be told to start up with frags enabled IF the other end can handle it. Guess which client can't? Yep -- Windows. It has NEVER been able to during negotiation; here's what happens:

Jul 8 09:28:05 IpGw charon: 15[NET] received packet: from 172.56.21.232[28747] to 68.1.57.197[500] (624 bytes)
Jul 8 09:28:05 IpGw charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 8 09:28:05 IpGw charon: 15[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 8 09:28:05 IpGw charon: 15[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul 8 09:28:05 IpGw charon: 15[IKE] received Vid-Initial-Contact vendor ID
Jul 8 09:28:05 IpGw charon: 15[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul 8 09:28:05 IpGw charon: 15[IKE] 172.56.21.232 is initiating an IKE_SA
Jul 8 09:28:05 IpGw charon: 15[IKE] remote host is behind NAT
Jul 8 09:28:05 IpGw charon: 15[IKE] sending cert request for "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA, E=Cuda Systems LLC CA"
Jul 8 09:28:05 IpGw charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 8 09:28:05 IpGw charon: 15[NET] sending packet: from 68.1.57.197[500] to 172.56.21.232[28747] (465 bytes)
Jul 8 09:28:05 IpGw charon: 15[NET] received packet: from 172.56.21.232[19399] to 68.1.57.197[4500] (1436 bytes)
Jul 8 09:28:05 IpGw charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 8 09:28:05 IpGw charon: 15[IKE] received cert request for "C=US, ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA, E=Cuda Systems LLC CA"
Jul 8 09:28:05 IpGw charon: 15[IKE] received 56 cert requests for an unknown ca
Jul 8 09:28:05 IpGw charon: 15[CFG] looking for peer configs matching 68.1.57.197[%any]...172.56.21.232[192.168.43.165]
Jul 8 09:28:05 IpGw charon: 15[CFG] selected peer config 'WinUserCert'
Jul 8 09:28:05 IpGw charon: 15[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 8 09:28:05 IpGw charon: 15[IKE] peer supports MOBIKE
Jul 8 09:28:05 IpGw charon: 15[IKE] authentication of 'C=US, ST=Florida, O=Cuda Systems LLC, CN=genesis.denninger.net' (myself) with RSA signature successful
Jul 8 09:28:05 IpGw charon: 15[IKE] sending end entity cert "C=US, ST=Florida, O=Cuda Systems LLC, CN=genesis.denninger.net"
Jul 8 09:28:05 IpGw charon: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 8 09:28:05 IpGw charon: 15[NET] sending packet: from 68.1.57.197[4500] to 172.56.21.232[19399] (1868 bytes)

That's where you get ****ed.

The problem is that the initial packet is MISSING this flag, which the Android StrongSwan client does support:

Jul 8 09:30:25 IpGw charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]

So yeah, this is going to become an ever-larger problem over time. There are people who run TCP-based VPNs which would be (mostly) immune to this but they're nowhere near as secure as an IKEv2-based one and what's FAR worse is that in a mobile environment TCP-based systems do not handle IP hopping at all.

The way people "recommend" getting around it is to use L2TP or similar and a password. But that's MUCH less secure than a machine certificate... which I'm sure certain entities like a LOT.

----------
Winding it down.
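As an added example (not the post's or strongSwan's own code), serving both the fragment discussion in the article and the log excerpt above: a Python checker that reads strongSwan charon log lines, records whether each peer's IKE_SA_INIT request carried N(FRAG_SUP), and flags peers that were then sent an IKE message too large to fit in one IP packet, which is exactly the connection that dies behind a fragment-dropping ISP.  The log lines are constructed in the format the post shows (documentation-range addresses), and the path MTU and header-overhead figures are assumptions.

```python
"""Spot IKEv2 peers in a strongSwan (charon) log that never announced IKE
fragmentation support and were then sent a message too large to survive a
path that drops IP fragments.  Added example, not code from the post; the log
lines below are constructed in the format the post shows, and the MTU and
header sizes are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumptions: Ethernet path MTU, IPv4 header (20) + UDP header (8) + the 4-byte
# NAT-T non-ESP marker used on port 4500.  An IKE message longer than
# PATH_MTU - HEADER_OVERHEAD can only leave the box as IP fragments.
PATH_MTU = 1500
HEADER_OVERHEAD = 20 + 8 + 4

# charon prefixes every line with "<thread>[<subsystem>]".
LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[\w+\] (?P<msg>.*)$")
RECV_RE = re.compile(r"received packet: from (?P<peer>[\d.]+)\[\d+\]")
SEND_RE = re.compile(
    r"sending packet: from [\d.]+\[\d+\] to (?P<peer>[\d.]+)\[\d+\] \((?P<size>\d+) bytes\)")
INIT_RE = re.compile(r"parsed IKE_SA_INIT request \d+ \[(?P<payloads>[^\]]*)\]")

# Constructed log: a Windows-style initiator (thread 15) with no N(FRAG_SUP),
# then a strongSwan-style initiator (thread 11) that announces it.
LOG = """\
Jul 8 09:28:05 gw charon: 15[NET] received packet: from 198.51.100.7[28747] to 192.0.2.1[500] (624 bytes)
Jul 8 09:28:05 gw charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 8 09:28:05 gw charon: 15[IKE] 198.51.100.7 is initiating an IKE_SA
Jul 8 09:28:05 gw charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 8 09:28:05 gw charon: 15[NET] sending packet: from 192.0.2.1[500] to 198.51.100.7[28747] (465 bytes)
Jul 8 09:28:05 gw charon: 15[NET] received packet: from 198.51.100.7[19399] to 192.0.2.1[4500] (1436 bytes)
Jul 8 09:28:05 gw charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]
Jul 8 09:28:05 gw charon: 15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 8 09:28:05 gw charon: 15[NET] sending packet: from 192.0.2.1[4500] to 198.51.100.7[19399] (1868 bytes)
Jul 8 09:30:25 gw charon: 11[NET] received packet: from 203.0.113.9[500] to 192.0.2.1[500] (732 bytes)
Jul 8 09:30:25 gw charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 8 09:30:25 gw charon: 11[NET] sending packet: from 192.0.2.1[500] to 203.0.113.9[500] (480 bytes)
Jul 8 09:30:25 gw charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH ]
Jul 8 09:30:25 gw charon: 11[NET] sending packet: from 192.0.2.1[4500] to 203.0.113.9[4500] (1236 bytes)
Jul 8 09:30:25 gw charon: 11[NET] sending packet: from 192.0.2.1[4500] to 203.0.113.9[4500] (684 bytes)
"""


@dataclass
class PeerReport:
    frag_sup: bool | None = None            # None: no IKE_SA_INIT request seen
    sent_sizes: list[int] = field(default_factory=list)

    @property
    def largest_send(self) -> int:
        return max(self.sent_sizes, default=0)

    def oversized(self, path_mtu: int = PATH_MTU) -> list[int]:
        return [s for s in self.sent_sizes if s + HEADER_OVERHEAD > path_mtu]

    def at_risk(self, path_mtu: int = PATH_MTU) -> bool:
        # Fragmentation was never negotiated, yet a reply only fits as IP fragments.
        return not self.frag_sup and bool(self.oversized(path_mtu))


def analyze(log_text: str) -> dict[str, PeerReport]:
    peers: dict[str, PeerReport] = {}
    # "parsed ..." lines carry no address, so remember which peer each worker
    # thread last sent to or received from.
    thread_peer: dict[str, str] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        if recv := RECV_RE.search(msg):
            thread_peer[thread] = recv.group("peer")
            peers.setdefault(recv.group("peer"), PeerReport())
        elif send := SEND_RE.search(msg):
            thread_peer[thread] = send.group("peer")
            report = peers.setdefault(send.group("peer"), PeerReport())
            report.sent_sizes.append(int(send.group("size")))
        elif init := INIT_RE.search(msg):
            peer = thread_peer.get(thread)
            if peer is not None:
                peers[peer].frag_sup = "N(FRAG_SUP)" in init.group("payloads")
    return peers


def at_risk_peers(log_text: str, path_mtu: int = PATH_MTU) -> list[str]:
    """Peers likely to fail behind a fragment-dropping ISP."""
    return [peer for peer, r in analyze(log_text).items() if r.at_risk(path_mtu)]


if __name__ == "__main__":
    for peer, r in analyze(LOG).items():
        print(f"{peer}: FRAG_SUP={r.frag_sup} largest reply={r.largest_send} "
              f"at_risk={r.at_risk()}")
```

Pointing it at a real charon log (e.g. a `grep charon` of the gateway's syslog) turns "the Windows box never connects" into a list of which clients never offered FRAG_SUP and how big the reply they choked on was.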

Nolaguy (New Orleans)
Regarding Comcast and their dropping of fragmented packets:

Is it possible that this is related to IPv6?

It's been a long time, but I think in IPv6, only the source can fragment - while devices/routers along the path MTU cannot, so those packets are dropped by a downstream device. (there's an ICMP "too big" response message that is supposed to be sent, but who knows if Comcast has that enabled...)

Perhaps Comcast is rolling out more IPv6 and this is why it's happening more often?

Not defending Comcast - I hate those ****ers...
Tickerguy
Quote:
Is it possible that this is related to IPv6?

Highly unlikely.

IPv6, if anything, handles this better than v4 did, assuming competent admins, and both Comcast and Cox have been handling v6 on their "core" (and consumer) networks for a number of years.

There are people who are "utterly convinced" that letting frags through is an inherently evil thing (they don't carry port numbers, so stateful firewalls can't differentiate) but IMHO that's horse**** since without the first packet (which does carry the port number and thus IS subject to said filters) the frag has nowhere to reassemble to.

----------
Winding it down.

Jmckenney (Melbourne Florida)
I am running Open VPN on my Ubuntu desktop, which requires a password and a certificate. I use a VOIP landline, but I notice Apple offers an Open VPN app for iPhone and iPad:

https://itunes.apple.com/us/app/openvpn-....

From what I've read, Open VPN is widely considered secure - would you concur? Also, should I consider using a VPN provider in Switzerland rather than the USA?
Tickerguy
OpenVPN has good and bad points. The bad is that it (can) use TCP to set up, which means it cannot hop addresses seamlessly, and in addition it can (in some cases) use SSLv3, which is known insecure. On Windows it also requires elevated privileges to start it because it can't modify routing without elevated privileges, which is a severe security risk (one that might be ok for an individual, but is definitely not in any sort of "real" environment.) Finally, there are key management issues as well, especially if you try to set it up to run as a service.

OpenVPN can also be materially less-efficient, especially under congestion.

Is it better than L2TP? Yeah, but the point is that there is an EXTREMELY secure option, IPSEC/IKEv2, which OUGHT to work absent what certainly appears to be deliberate interference. It's integrated into the system and uses Windows' internal key management, which (when hardware assistance is available and used appropriately) is reasonably secure. It also doesn't require elevated privileges to start or use.

----------
Winding it down.

Amaugie
After reading this I am thinking of signing up for nordvpn. I don't know anything about this stuff but am looking to have a secure connection. Can you share your opinion on nordvpn or is there a vpn service you trust?
Tickerguy
I have no knowledge of nordvpn.

----------
Winding it down.
Amaugie
It gets good reviews on pcmag...maybe I'll try it out. I will have some stumbling through things to make it work I'm sure. Thanks for sharing this info.
Tickerguy
Note, by the way, that many people have severely-distorted views on what a VPN actually does for you. It serves two (and really only two!) purposes:

1. When on an OPEN, unencrypted WiFi network, everything you do on that network is trivially visible to anyone within RF range of your device. Most "sensitive" things these days are running over HTTPS (e.g. your bank, your email, etc) but exactly what web pages you go to and any unencrypted content is trivially able to be picked off by anyone who can "hear" your computer. A VPN stops this instantly by encrypting ALL traffic in and out of your machine.

2. When not at wherever the server is it allows you to have a secure connection to resources on that network exactly as if you were there. This means you can access files, printers and other devices as if you were sitting in your home or office when you're physically not. It is absolutely necessary that any such tunnel be secure or you just opened up a vulnerability to attack that would not have otherwise existed at all! Note that this benefit does NOT come from any of the public VPN providers -- only from one YOU run yourself.

3. There is a SMALL additional privacy argument with regard to big telco carriers, in that many of them DO collect data and DO sell it. Using a VPN may provide SOME limited protection in this regard, but the key word here is "limited." Your location is known to them all the time and there's nothing you can do about that if your device is on and has cellular connectivity, as is the data PATTERN of use even if not the content, so the utility there is nowhere near what people believe.

There are many people who think a VPN somehow "obscures" who you are or where you go on the net from the perspective of the other end. Nope. It's worthless for that purpose and in addition there is material overhead in terms of performance loss involved in using one. You can attempt to "mask" your location using one (appearing to be somewhere else physically) but anyone with half a brain knows it's a "public" VPN cloud or server infrastructure and the VPN does nothing to mask your cookies and other identifying information from being sent. Once you connect JUST ONE TIME without it to a given resource and that same identity is used you are instantly correlated back even if you use the VPN in the future.

The "general" use case for most people is #1. For those who have infrastructure (e.g. file storage, etc at their home or office) they wish to access "on the road" it's #1 and #2.

But never, ever believe that these implementations actually "hide" who you are. They do NOT without extreme OpSec measures that are almost impossible to maintain successfully and if you do so half-assed you're waving a red flag in front of a bull in terms of all the various people who look for such things and might conclude you're "of interest".

----------
Winding it down.

Amaugie
So if I pay for a public VPN service to use on my home computer, laptop, and my cell phone (dtek60 at your recommendation and I do love the phone) hoping for extra privacy there is no benefit? It is only beneficial in any way if I am using public wifi? (which I don't.) Would it be worth getting for my android phone when just using my tmobile connection? I don't usually connect to public wifi on my cell phone either; only if I have no T-Mobile service which happens in rural areas. I was just hoping to get extra security/privacy when using my home computer, laptop and phone.
Amaugie
So the point of this post is for people who run their own VPN? Sorry, like I said I don't know anything about this stuff, I just care about privacy. I know that everything a person does online can be seen by people who really want to find out; was just hoping to stop some level of snooping I guess.
Tickerguy
Correct, for the most part.

There is very little value in using a VPN if all you are doing is surfing the web through a nominally-encrypted connection (or one on a wire) of any sort, unless you are intentionally trying to appear to be where you're not (e.g. to get around some sort of geographic content restriction -- and that's likely to eventually fail too as the folks who care know where the VPN providers are!)

----------
Winding it down.
Mtdm (NH)
Quote:
Highly unlikely. IPv6, if anything, handles this better than v4 did, assuming competent admins, and both Comcast and Cox have been handling v6 on their "core" (and consumer) networks for a number of years.


Well, I've mentioned this before on the forums here: lots of the carriers drop all v6 packets with extension headers. See RFC7872, for example.

It's bull**** that they do it.

But they do it.

And the argument they make (understandably in one sense, but still outrageous) is that v6 is so flexible (or poorly/broadly specified/defined if you prefer) - especially with EH - that leaving arbitrary EH in there is a security risk to their network.

Is that the primary root cause here? I'm not saying it is, and I have no doubt that there are other moves afoot to block people from communicating privately, and we can argue the toss on whether that is for the direct interests of the carriers, the interests of the content providers, or the interests of the government.

But the v6 situation is a disaster also, unless (as you mention with OpenVPN) you like tunneling everything over some other protocol, pretending it's ssh or TLS or whatever.

I haven't had the time or energy to figure out the specific whys and wherefores, but I second your experience with seeing raw VPN negotiations get blocked more and more nowadays, and I've just taken to wrapping everything in TLS. As you say, doesn't give you the same roaming capability, but at least it works. For now.

Tickerguy
Well thus far the StrongSwan people are ahead of it... if you have a reasonably modern client.

Blocking pass thru tho as Google does with Android is utterly inexcusable AND clearly intentional.

Thus my desire that both they and Micro****face be hit by asteroids.

----------
Winding it down.
Asimov (East Tennessee)
I guess the question I have is are they doing it by choice so that they can profit from the information they can gather, or are they doing it due to threats from the PTB? The former and I'm more than a bit pissed off, the latter and I'm more than a bit pissed - but at a different group of people.

I guess it's irrelevant in the end, though.

----------
It's justifiably immoral to deal morally with an immoral entity.

Festina lente.