Following the publication of a recent article about Public Wi-Fi and the use of Virtual Private Networks (VPNs), I have received questions about what is reasonable and what is not reasonable with websites attempting to block the use of VPNs. A recurring concern was specifically the blocking of VPN access through an unencrypted public Wi-Fi network.
VPNs are an excellent security measure, but because of the way in which VPNs can be used to circumvent geographic restrictions on content, a number of websites are contractually required to take extra measures to ensure that restrictions are enforced. The problem is that because key entertainment sites such as the BBC, Netflix and Amazon Prime use VPN blocking, and these sites are very popular, many VPN users who stream movies and television programs will be asked to deactivate their VPN.
Blocking access through a VPN is relatively easy as the services require IP addresses in order to function and websites can be configured to block traffic to these IP addresses or redirect traffic to a page asking for the VPN to be disabled. There are also other means such as blocking specific network ports. What makes it difficult is that new VPN services are created with different IP addresses and as these are identified, they are added to a block list.
The use of a VPN also prevents content filtering because the network traffic is encrypted. In the case of a public Wi-Fi, the service provider would struggle to stop for example the use of peer to peer file sharing to download illegal content, access to pornography in public, or access to extremist materials online. The reality is that because of how VPNs are being used, anti VPN countermeasures are gradually being introduced.
Unfortunately, because of the way in which VPNs can be used to perform unlawful activities, many countries have either banned the use of VPNs or are currently attempting to do so.
Consider how people become conditioned to do things in a certain way and that potentially harmful activity becomes normal, with consequences that are never fully appreciated. As more websites and services ask for VPNs to be disabled in order to access the content, the more people will get used to the idea that disabling a VPN is the normal thing to do. Consequently, it becomes less effective as a security measure. This behavioural change has already taken place in other areas:
- Advert blocking components in browsers are another example. Many sites now perform checks to determine if adverts have been blocked. If they have, visitors are redirected to a page instructing them to deactivate the advert blocker in order to view the content. Again, the more this happens, and the more frequently these instructions are followed, the less effective advert blocking is. With many adverts containing malware, the risks of exposure increase.
- Terms and conditions – most of the time terms and conditions are so complex and long-winded that nobody has the time to read them or even care what they include. People have got used to the idea that terms and conditions are accepted by just ticking a box to say they have read them and agree to the terms.
- Cookie notifications – the way in which cookie notifications have been implemented is extremely annoying and interrupts the users’ experience of websites. The inevitable outcome is that people will just click OK to accept cookies just to get rid of the banner or popup that is preventing them from reading the content.
What would you think if you visited a website and was redirected to a page that told you that the site has detected that you have ‘ABC XYZ Antivirus’ installed and the site requires you to disable it before content will be displayed? I would expect people would be sensible enough to leave the site and not follow the instructions.
Thank you for your feedback. Some of the content in articles published here is inspired by feedback and readers’ questions. Please keep the questions coming!
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.