stories

Russia’s censorship agency has threatened to block OpenVPN. At worst, that move could interfere with systems from banking to cell service.

Source: Meduza

Roskomnadzor, Russia’s federal censorship agency, wrote to the owners of 10 VPN services in late March to request compliance with the agency’s blacklist of websites that are blocked on Russian territory. Roskomnadzor threatened to block services that refused within the second half of May, and most of the VPN companies involved have already said they will not work with the agency. One of the companies on Roskomnadzor’s list is OpenVPN Inc., which has both its own paid VPN service and a VPN protocol that companies all over the world use to enable encrypted connections among devices. Meduza has learned that blocking that protocol might lead to broader disruptions in third-party services, somewhat like the agency’s efforts to block the messaging service Telegram in 2018. If Russian censors enforce their VPN blockage plan to the letter, areas from the banking system to the cellular service industry could experience unexpected technical issues.


OpenVPN produces technologies that are highly popular around the world

OpenVPN Inc. is an American company that produces VPN services, which allow users to use the Internet anonymously. The company’s offerings include the paid VPN service Private Tunnel and a VPN protocol that shares its name with the corporation itself. The company’s free open-source program, also called OpenVPN, allows users to create their own VPN using the company’s protocol. The accessibility of OpenVPN’s products has made it one of the most popular VPN protocols in the world. Stanislav Shakirov, the technical director of the open communications organization Roskomsvoboda, estimates that up to 90 percent of free VPN services may use the protocol. Precise public statistics on the matter are unavailable.

OpenVPN is also widely used to construct internal networks for corporations, banks, and cellular operators, said Mikhail Kimarev, the acting director of the Internet Protection Society. “People use OpenVPN because using it is very simple and convenient, but you don’t have to pay for it,” he explained.

It’s not clear what exactly Roskomnadzor plans to block, but in the worst-case scenario, its actions could affect the OpenVPN protocol

In late March, after Russian intelligence services asked Roskomnadzor to contact the owners of 10 VPN services to demand that they comply with the agency’s list of blocked websites. OpenVPN was on that list, but Roskomnadzor did not specify which of the company’s products it had in mind. However, Russia’s federal statute on information includes “programs for electronic computing devices” in its definition of mechanisms for circumventing orders to block content. That means orders to block websites could affect OpenVPN products that use the company’s VPN protocol. When Meduza asked Roskomnadzor press secretary Vadim Ampelonsky to specify which products the agency is threatening to block, he said he was “not yet prepared to answer that question.”

“They have 30 days to comply [with the registry]. It will be appropriate for us to discuss what we will do if they do not follow our demands when that period of time expires,” Ampelonsky added.

OpenVPN Inc. founder and CEO Francis Dinha also spoke with Meduza. He emphasized that he also doesn’t know to what exactly Roskomnadzor’s blockage threat refers. However, he does not believe that the agency plans to block OpenVPN’s protocol. The company’s representatives declined to describe the specific demands Roskomnadzor made of OpenVPN.

OpenVPN employees say they will not work with Roskomnadzor in any case, even under threat of being blocked

OpenVPN founder Francis Dinha said that, in theory, Roskomnadzor can attempt to block both the company’s VPN service and its protocol on Russian territory. However, he added, the company does not intend to work with the agency, and it plans to use all possible technological means to circumvent any blockages if the Russian government takes that path. Dinha did not say how exactly the company hopes to resist Roskomnadzor, and OpenVPN employees were uncertain that they would manage to circumvent any forthcoming censorship efforts.

Dinha emphasized that Roskomnadzor’s demands not only include limits on freedom of information that the company finds unacceptable; the demands may also be technically impossible to meet. For example, Dinha explained that the VPN service does not have servers in Russia, making it impossible to separate one group of users from the rest and block a certain group of sites just for them. “We do not plan to sort our users and discriminate against a certain group of them,” he said.

The OpenVPN CEO also noted that the company would not work with Roskomnadzor even if the agency’s demands were realistic. “We understand that we may not bring about a chance in their position by refusing to submit, but we hope that, in conjunction with other services, we will at least slow down the spread of this kind of authoritarianism. We can’t just stand to the side or turn away. It’s possible that in the end, the world will realize that nothing good will come of limiting freedom of speech and information. […] We will work in Russia for as long as we can. But if they block us, then that’s just how it’s going to be,” Dinha said.

It is theoretically possible to block VPN services and protocols, but those measures would be circumventable

To this day, Roskomnadzor has never officially attempted to block any data transfer protocols. It has only used the term “block” to refer to limiting access to concrete web addresses. However, in August of 2018, Reuters reported that the agency was testing systems capable of blocking Telegram’s protocol, MTProto.

Roskomsvoboda technical director Stanislav Shakirov said that OpenVPN’s protocol could be blocked using Deep Packet Inspection (DPI) systems, which allow providers to separate packets specific to a given app or site from other packets during traffic analysis. DPI systems were tested for the purpose of blocking Telegram, but companies could nonetheless circumvent such an attack by masking VPN traffic as ordinary traffic, a strategy many VPN services already use. Shakirov said VPNs have applied that strategy in China, where the national government has struggled against VPN use for many years.

Other VPN services that appeared on Roskomnadzor’s list expressed similar points of view. Ben Van Pelt, the CEO of TorGuard (which has also refused to collaborate with Roskomnadzor), told Meduza that the company has extensive experience working with systemic content filtration in China and knew how to act in Russia’s case thanks to that experience. When requests to the company’s Moscow and St. Petersburg servers were turned off, TorGuard’s team added servers from neighboring countries within a few hours to prevent a drop in the service’s connection speed. The company also has its own mechanisms to resist DPI thanks to its work in China. “For us, all of this is business as usual,” Van Pelt said.

Of the 10 services Roskomnadzor contacted in March, only Kaspersky Lab’s Kaspersky Secure Connection service has agreed so far to work with the agency (Roskomnadzor claims that three others are in negotiations). Kaspersky Lab explained that its services will continue to comply with any of the agency’s demands “that do not affect the central purpose of the application — providing confidentiality and security from data seizures in cases such as payments made through open Wi-Fi networks in cafes, airports, or hotels.” The company’s press service declined to answer additional questions from Meduza.

Roskomnadzor will not be able to suppress the VPN market, but it may be able to spark a repeat of its censorship of Telegram

Several VPN services from Roskomnadzor’s list immediately told Meduza that regulators will not be able to suppress the market for anonymous Internet access: most companies will not collaborate with the agency, and the popularity of their services in Russia will only continue to grow. Some companies noted that their Russian user base had already grown since Roskomnadzor’s announcement.

“Right now, the portion of Russian users who use VPNs is around 3 percent. Before the attempts to block Telegram, it was substantially smaller, and if Roskomnadzor continues to block these services, that percentage could rise at some point to Chinese levels — something like 25 percent,” Stanislav Shakirov said.

Shakirov also noted that even if Roskomnadzor begins blocking VPN services, most users will not be affected because those services are capable of circumventing blocking mechanisms. However, blocking the OpenVPN protocol in Russia could cause temporary problems for other companies that use the protocol in their paid services. However, those problems would likely be solved quickly because nearly all VPN providers use several protocols simultaneously. “I think that in the worst case, we’ll see the same thing that happened with Telegram. [Roskomnadzor] would start blocking OpenVPN, causing minimal damage, but on the way, it would damage a whole lot else. In the meantime, OpenVPN would continue to work,” Shakirov predicted.

Vasiliy Ivanov, the CEO of the Ukrainian company Keep Solid, agreed with Shakirov’s assessment of OpenVPN’s importance. Ivanov’s company is also on Roskomnadzor’s list. He said, “Things could happen in such a way that a lot of international businesses will lose their Web connection, which would affect those companies negatively and force them to spend more resources on recovering their capacity. That said, if the ends justify the means, and we can see what the means are, then I’m afraid even to imagine what the ends were initially,” he said.

Pavel Merzlikin

Translation by Hilah Kohen