Saturday, 28 August 2010

TRA to ban VPNs in Oman


This is a re-blog of the original article written by Riyadh Al Balushi (aka @blue_chi) here.

Essentially, The Regulatory Authority (TRA) have decided that too many people are circumventing the filtering system imposed on net users here via Virtual Private Networks. If you read Arabic, here is the draft proposal being tabled by TRA for banning all VPNs in the Sultanate.

According to Riyadh's translation, those found privately using a VPN will be fined RO 500, and those found commercially using a VPN will be fined RO 1000.

Now this is a double-edged sword, because many companies here use VPNs to conduct their business. In fact, as a business, you must pay an absolute fortune for a leased line here - the only way to get a static IP with Omantel (Omantel conveniently decided that ADSL connections could not have static IPs, even though all it would take is a few clicks of a mouse - Nawras offer static IPs on their connections for a reasonable RO 50 a month). To give you an idea, an 8MB ADSL (and 0.5mb up) residential line is RO 99 a month. A 1MB leased line (that's full duplex, up and down) is RO 1,725 a month (after RO 400 setup fee) (this falls to RO 1,294 a month if you commit to 3 years usage). You read that correctly - to get a Fixed IP (which is required by many corporate networks' architecture) you need to spend between US$3,364 and $4,485 a month! And that is only for a 1MB connection - you can look at Omantel's rates here. Alternatively, you could go to Nawras and get a Fixed IP on a 16MB down and 2MB up connection for a rather frugal RO 369 ($959) a month. It's a wonder why Omantel continues to refuse to offer static IPs on its Business ADSL packages. Stupidity does come to mind.

So now then, the rest of us. Many people have been using VPNs to circumvent the restriction policies in effect. Some people use VPNs to get their Skype working, others use them to look at porn, others to access region-specific websites (such as the BBC's iPlayer), and still more people use VPNs to access educational institutions. Some people just don't want their browsing to be monitored and so choose to encrypt it. OpenVPN is the software of choice for these people (it's the de facto standard because it's available for free, you just need to connect to a host machine - which is where companies charge). Omantel have blocked the standard ports that OpenVPN uses, thus knocking out a large swath of VPN users in one swipe. Nawras have throttled these ports, to a point where a stable VoIP connection cannot be achieved, but browsing can still continue.

It seems that this move by TRA is more about stopping people from using VoIP than protecting the moral fibre of internet users here in the Sultanate.

The point of this argument is this: Where do you draw the line? To ban VPNs because people are using them to enable their VoIP connections, that's one thing, but to ban VPNs because people are encrypting their traffic and big brother is not happy (which is the reason being spouted at the moment) is just a slippery slope. What happens when I want to do online banking, or access email, or visit any website which is SSL encrypted (that's https:// as opposed to http://) - following that line of thought from TRA, they will want to stop ALL of that because it's encrypted traffic.

I find this just another example of how draconian the policy makers at TRA really are, and I wonder what will happen next? The filtering hardware and software already imposed on us by TRA slows our internet traffic down significantly, and those people that game online (PC or console) will tell you the same thing - finding other players that they can play with without a significant lag (delay) is proving to be harder and harder these days.

The fine, if you are caught, is significant - RO 500 for personal users, and RO 1000 for commercial users of VPNs. That's a large chunk of change. TRA will grant licenses for educational institutions and businesses, but you may not apply for a VPN license if you are a private user. There is no word on pricing from the TRA, nor is there any word on how long it will take to get a license granted, or how they will apply those licenses to the ISPs' filtering processes. Smart money says it'll be done via a whitelist of IPs - except that won't work for Omantel ADSL business customers, or Nawras Business customers that do not have static IPs. There's a lot left to the imagination here.

There are a number of methods that can be employed to detect whether someone is using a VPN. The most obvious one is simply to block the common ports that are used by popular VPN providers, which has already been done. After that it gets technical, and essentially what can be done is to look for a profile in the pattern of internet traffic coming from your account. For example, if all the traffic coming from your account is being funnelled through one port, then that's an easy guess that you are using a VPN. It gets very technical very quickly and thus over my head, but suffice to say - YES, it is entirely possible to detect when people are using VPNs.
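The two detection approaches described above (a port list, then a per-account traffic profile) can be sketched as follows. This is an added example, not code from the original post or from any ISP; the account names, addresses, byte counts and thresholds are constructed assumptions, and 1194 is OpenVPN's default port.

```python
from collections import defaultdict

# OpenVPN's default port; a real port list would hold more entries.
KNOWN_VPN_PORTS = {1194}

# Constructed flow records: (account, remote_ip, remote_port, bytes).
SAMPLE_FLOWS = [
    ("acct-a", "198.51.100.7", 1194, 900_000),
    ("acct-a", "203.0.113.5", 53, 2_000),
    ("acct-b", "198.51.100.9", 443, 750_000),   # one heavy HTTPS session
    ("acct-b", "203.0.113.5", 53, 1_500),
    ("acct-c", "192.0.2.10", 443, 300_000),     # ordinary mixed browsing
    ("acct-c", "192.0.2.44", 80, 250_000),
    ("acct-c", "192.0.2.81", 443, 200_000),
    ("acct-c", "203.0.113.5", 53, 3_000),
]

def profile_accounts(flows, share_threshold=0.9, min_bytes=100_000):
    """Return, per account, the dominant endpoint, its byte share and any flags."""
    per_endpoint = defaultdict(lambda: defaultdict(int))
    for account, ip, port, nbytes in flows:
        per_endpoint[account][(ip, port)] += nbytes

    report = {}
    for account, endpoints in per_endpoint.items():
        total = sum(endpoints.values())
        top_endpoint, top_bytes = max(endpoints.items(), key=lambda kv: kv[1])
        share = top_bytes / total
        reasons = []
        # Method 1: any traffic to a port on the list.
        if any(port in KNOWN_VPN_PORTS for (_, port) in endpoints):
            reasons.append("known-vpn-port")
        # Method 2: nearly all bytes funnelled to one remote endpoint.
        if total >= min_bytes and share >= share_threshold:
            reasons.append("single-endpoint-concentration")
        report[account] = {
            "top": top_endpoint,
            "share": round(share, 3),
            "reasons": reasons,
        }
    return report

if __name__ == "__main__":
    for account, finding in profile_accounts(SAMPLE_FLOWS).items():
        print(account, finding)
```

Note that acct-b is flagged on concentration alone: a single long HTTPS session to one host produces the same profile as a tunnel, so this heuristic cannot separate the two without further evidence.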

One does have to ask the question - when does internet access here become so limited, that it's just not worth the already high prices charged for access?

le fin.
