Netflix's VPN ban may result in stronger security for VPN customers
Despite very vocal critics, Netflix will not give in to the demands of overseas VPN users that want access to the US catalogue of shows says Paul Bischoff.
Paul Bischoff, technology expert, Comparitech
Netflix CEO Reed Hastings has stated the number of people who once connected to Netflix via VPN to access a larger catalogue of shows is negligible. Netflix started blocking VPN connections earlier this year shortly after its global rollout in order to enforce geographic content licencing restrictions.
While Netflix sees overseas VPN users as insignificant, the reverse is not so true. VPN providers depend on these geo-block evading Netflix users as a core segment of customers. Losing them could be disastrous for the dozens of VPN providers on the market, which are racing for new ways to evade Netflix's firewall.
And Netflix isn't the only streaming entertainment company taking a stand against VPNs. Hulu, BBC iPlayer, and others are weeding out VPN users.
Ideally, everyone would use a VPN simply to protect their privacy, but we all know that's just wishful thinking. VPN providers need to be able to unblock streaming services like these in order to attract and retain customers. To do so, they'll have to start adapting with more connection options and improved security.
How Netflix blocks VPNs
Netflix can block VPN users by employing two main methods. The first is simply identifying and blocking the shared IP addresses used by most providers. Dozens, hundreds, and even thousands of people can use a single IP address. Shared IPs are both cost effective for VPN providers and add a layer of anonymity, making it difficult to trace individual users of a VPN service.
However, all Netflix has to do is identify one VPN user in order to block everyone using that IP. Those IPs are often within a specific range and supplied by a handful of hosting services, like Choopah and Amazon. That makes it easy for Netflix to block large swathes of users in one fell swoop. Netflix can also compare billing addresses and other personal info with the IP location of the user.
The other way to identify and block a VPN connection is to use deep packet inspection. While there's no way for Netflix to decrypt a VPN connection, it can figure out the protocol and algorithm used to encrypt it in the first place. If Netflix can determine with a degree of certainty that a connection is using OpenVPN, for example, then it will block that IP. This is the same tactic used by censorship regimes in countries such as China to find and exterminate VPNs.
Netflix is actively blocking VPN connections, but we've been able to spoof our location and bypass the firewall using another means as a workaround to Netflix' VPN ban: Smart DNS. Also known as a DNS proxy, Smart DNS is often sold as a standalone service or a bonus feature with VPNs. Like a VPN, a smart DNS proxy obscures the original IP address and acts as an intermediary between the client and the service.
Smart DNS proxies don't encrypt traffic, so there's nothing for deep packet inspection to inspect. It looks like normal traffic. Using IronSocket's Smart DNS service, we accessed the full US catalogue on Netflix from out of country.
We expect to see many more VPN providers add smart DNS proxies in the near future, but it's only a temporary solution. Once Netflix adds a measure to detect a proxy, it's all too simple for them to block connections from it. Netflix only needs to take notice that a connection is coming from a data centre IP instead of a residence.
Because Smart DNS lacks encryption, it shouldn't be used for purposes that require security.
Dedicated IPs and IPv6
To get around these two issues, VPN providers need to make a few changes. The first is to offer static, dedicated IP addresses to users in addition to shared IPs. A dedicated IP means one user per IP address. They are usually static, meaning they don't change often. Netflix has a much more difficult time pinpointing dedicated IPs, and VPN providers that offer them, like TorGuard, have proven successful in evading the block.
Shared IPs are still more secure from a privacy standpoint, so users should be given both options and told that dedicated IPs are primarily for evading VPN blocks.
The other issue with dedicated IPs is that they are expensive and in short supply. To overcome this barrier, it's time VPN providers started investing in securing IPv6. They have been reluctant to adopt IPv6 up to this point due to security concerns: IPv6 has a tendency toward DNS leaks.
Instead of protecting customers against these leaks, most VPN providers have simply forced users onto the older IPv4. IPv4 has just over four billion unique IP addresses, which are running out fast due to the internet of things and more internet-enabled devices in general. IPv6 has 340 undecillion (I bet you didn't even know that was a number) addresses, so assigning dedicated IPs shouldn't be a problem if providers take the time to properly secure it.
IPv6 will allow everyone to use a dedicated IP when the situation permits it, but it doesn't protect against deep packet inspection. For this, VPN users need an extra layer of encryption that hides the VPN protocol and encryption algorithm used.
There are a handful of readily available methods for doing this, though few are simple enough in their current form for a novice to take advantage of. SSH tunnels, SSL tunnels, and obfuscation proxies all wrap the already-encrypted VPN traffic in a second layer, making it impossible for Netflix or anyone else to ascertain whether a VPN is being used.
Each of these three methods can be used with OpenVPN, which has become the gold standard of encryptions used by most third-party premium VPN apps. I have personally found success in using Obfsproxy, an obfuscation proxy tool adopted by Tor, to bypass Netflix and HBO Now firewalls. I did so using a homemade VPN on an Amazon Linux EC2 server combined with OpenVPN. In theory, it should work to protect VPNs against China's Great Firewall as well.
SSH and SSL tunnelling ought to work equally well, but all these methods have some drawbacks that VPN providers will need to address. First and foremost is speed. VPN connections are usually a bit slower due to the time it takes to encrypt traffic. These obfuscation methods will slow down transfers even more, which could result in lower quality streams and long buffer times on slower devices and connections. They are also more prone to disconnections.
The other problem is usability. Ideally a tutorial shouldn't be required for the average person to set up a VPN app. At the moment, however, very few VPN providers offer obfuscation tools like these, and even those aren't all that simple to set up. AirVPN, NordVPN, and TorGuard are the only ones I know of. Obfuscation tools that work on mobile are even more rare.
Opportunity in adversity
Implementing these changes is far from impossible, and I expect their implementation to be expedited so long as Netflix remains persistent in threatening the profits of VPN providers. On the whole, I think Netflix's policy could benefit the VPN industry, forcing it to innovate and add more value for customers. Not only will they be able to circumvent VPN bans, users will benefit from unidentifiable web traffic and a safe browsing experience over IPv6. Those in censorship-heavy nations such as China and Syria won't have to worry about their VPNs being shut down or snooped on. VPN providers should view Reed Hastings' decision as an opportunity, not an obstacle.
Contributed by Paul Bischoff, technology expert, Comparitech