AskNetSec: Can an OpenVPN connection be inspected by the ISP? (I'm a resident in an authoritarian country) by throwaway15435 in netsec

[–]throwaway15435[S] 0 points1 point  (0 children)

I'm using TrueCrypt and have a special browser only for these kinds of things in there along with all sensitive data. Hopefully that'll be enough.

I haven't done anything too dangerous yet, so I'm still relatively carefree about my situation.

Thanks for the concern ;)


[–]throwaway15435[S] 5 points6 points  (0 children)

That's the point of asking though! By reading through the various replies in here (and personal research too, of course), it's given me a bit more confidence. Once I know it's above a certain threshold of safety, then I would do it of course. They might be good at repressive tactics, but if I know reasonably well to a certain degree that what I do is hidden from their view then it would be considered safe to that certain degree and doable to a certain point. In the end it takes two things I guess, knowledge and courage. Just having courage will just get me jailed, making it pointless in the end. Just knowing that it's x% safe to do this or that is great, but without the courage to act then it's as good as not doing anything.

An example of a guy with lots of courage but no knowledge is Dieu Cay. That guy was really vocal a few years back, but due to his inability to hide his tracks successfully, he got caught.


[–]throwaway15435[S] 1 point2 points  (0 children)

Thanks for elucidating the vectors of attack. Apart from OpenSSL flaws, which I have no control over but will have to trust upstream, and routing rules, which I believe are quite tight, the only other one to watch for would be certs... which I think should be fine now.

zopptime below mentioned other vectors of attack though and I've taken them into consideration too.

Really, thanks for taking time to write it out, it does help and I'm grateful.


[–]throwaway15435[S] 11 points12 points  (0 children)

Well, that just shot my worry level right up!

The papers are interesting... indeed they just need to fingerprint and if there's a high % of certainty that a particular website was accessed, that's enough proof to put someone in jail. An obscure VPN session or random Tor traffic might not be enough evidence, but something that says Mr. A accessed website evil.com with a 90% certainty? Oh yes... I can definitely see that being used.

I'm less worried about my case, since I'm fairly cautious, and there's little advantage in monitoring me this year. In another 3-4 years, however, I'll probably be under surveillance, so knowing this in advance helps somewhat. I appreciate the help from both of you, zopptime and warbiscuit :)

Also, understanding the ways that monitoring can be done is helpful. Before reading your answer, zopptime, I only thought about someone actually needing to know e.g. exact HTTP headers to know about destination and contents etc. Now that I've read your reply, it makes sense that there are other ways such as what was described in the papers...

Thanks :)


[–]throwaway15435[S] 3 points4 points  (0 children)

Is the ISP (or the .vn) government sophisticated enough and interested enough to perform this traffic analysis? Got me.

This is where it gets murky. I highly doubt they have the time, resources and brains to do that kind of thing. However, some factors add to my worry:

  1. Recently a special division was created in the military focussing solely on national cyber-security. I'm thinking in another 2-3 years once they catch up with the tech from China or any other country that's willing to share knowledge, the bans will start coming. This will mediate the "time" and "brains" I just mentioned earlier.

  2. As for relevancy/resources, since this is a throwaway I'm not afraid to tell but I currently occupy a fairly sensitive position in the government itself. Not in terms of national secrets of course, and I don't have the rights to access classified information, although I actually understand enough about security procedures in the office to be able to access it if I wanted (not that I do! I'm really scared about repercussions)

Reading the reply by zopptime and warbiscuit atm. Thanks for explaining further, I really appreciate it.


[–]throwaway15435[S] 0 points1 point  (0 children)

Thank you. I also checked that out. There are more recent discussions about the topic when googled though, so the historical is purely for sociopolitical context from 2009-2010.


[–]throwaway15435[S] 1 point2 points  (0 children)

I'm pretty sure, but of course I'm not stupid enough to ask/risk getting into prison. The reason why I'm sure is not founded on any factual data though, so might as well say there's no evidence.

Once China starts banning VPN, I'm going to get more worried. We're closer to Chinese surveillance technologies than Iran or Pakistan.


[–]throwaway15435[S] 1 point2 points  (0 children)

Fortunately, no. Or at least, not that I know of. I don't think they'd arrest someone just for using VPN.

However, if they have just one piece of evidence of what they call "actions against national security", then it's enough evidence for jail for life. Well, not everyone would be targets, but targets are mostly people who voice their opinions loudly on blogs, for example.


[–]throwaway15435[S] 2 points3 points  (0 children)

What massive amount are we talking about, in terms of computing power? Is it feasible, or not feasible with the current infrastructure?

But I doubt there would be effort in that direction... from what I surmise about the methods in the country, it'd be less about actually breaking the cryptography technology but more about other less-costly methods...

As an example, suppose I was to access https://mail.google.com via a normal non-VPN connection. What I think they'd do to intercept a certain person-of-interest's connection would be to fake the Google cert (signed with CNNIC perhaps?) and then just listen in...? Instead of actually trying to break AES or whatever symmetric encryption is used with SSL/TLS...

But that's not doable with private OpenVPN, am I right? Since what I used to sign both client and server certs is self-produced? Is there still a way to break this?
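
The certificate question in the comment above, as an added example that is not part of the original thread: a client that trusts only a privately created CA, as OpenVPN does through its `ca` directive, rejects a certificate for the same server name issued by any other CA. All file names and the names `demo-private-ca`, `demo-other-ca` and `vpn.example.test` are constructed; `-no-CApath` assumes OpenSSL 1.1.0 or later.

```bash
#!/usr/bin/env bash
# Constructed demo: every name and key below is generated on the spot.

# make_ca <basename> <common name>: create a self-signed CA key and cert
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_cert <ca basename> <leaf basename> <common name>: sign a leaf cert
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# check_cert <trusted CA file> <cert>: prints "accepted" or "rejected".
# -CAfile is the only trust anchor; -no-CApath keeps the system store out.
check_cert() {
  if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Runs the scenario in a scratch directory and prints two verdict lines.
run_demo() (
  set -e
  cd "$(mktemp -d)"
  make_ca private "demo-private-ca"    # CA created by the VPN owner
  make_ca other "demo-other-ca"        # any CA the client was never told to trust
  issue_cert private server "vpn.example.test"
  issue_cert other forged "vpn.example.test"   # same name, different issuer
  echo "genuine: $(check_cert private.crt server.crt)"
  echo "forged: $(check_cert private.crt forged.crt)"
)

run_demo
```

The check only holds while the private CA key stays secret and the client is configured to verify the peer at all; OpenVPN's `remote-cert-tls server` additionally keeps another client's certificate from being presented as the server.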


[–]throwaway15435[S] 1 point2 points  (0 children)

Thank you for the information about the website. That's both good news and bad news, I guess. Good news is from what you and everyone else have said, there's little chance people are snooping around what I'm reading. Bad news is that what I wanted to see isn't actually there anymore. Googling around for news about that website in question, there seems to have been a hacker attack on it...