Security Specifications and Initiatives

Throughout the internet community, there are many groups working on resolving a variety of security related issues online.    The activities cover all aspects of internet security and networking in general from authentication, firewalls, one time passwords, public key infrastructure, transport layer security and much more.

Many of the most important security protocols, initiatives and specifications being developed can be researched at the following groups.

TCSEC (Trusted Computer System Evaluation Criteria)

These are requirements for secure products as defined by the US National Security Agency. They are important standards which many US and global companies use in establishing baselines for their computer and network infrastructure. You will often hear these standards referred to as the ‘Orange book’.

CAPI (Crypto API)

CAPI is an application programming interface developed by Microsoft which makes it much easier for developers to create applications which incorporate both encryption and digital signatures.

CDSA (Common Data Security Architecture) 

CDSA is a security reference standard primarily designed to help develop applications which take advantage of other software security mechanisms. Although not initially widely used, CDSA has since been accepted by the Open Group for evaluation, and technical companies such as IBM, Netscape and Intel have aided in developing the standard further. It is important for a disparate communication medium such as the internet to have open and inter-operable standards for applications and software. The standard also includes an expansion platform for future developments and improvements in security elements and architecture.

GSS-API – (Generic Security Services API)

The GSS-API is a higher level interface that gives applications and software access to security technologies. For example it can act as a gateway into private and public key infrastructure and technologies.

This list is of course, a long way from being complete and because of the fast paced development of security technologies it’s very likely to change greatly.   It should be remembered that although there is an obvious requirement for security at the server level,   securing applications and software on the client is also important.   Client side security is often more of a challenge due to different platforms and a lack of standards – configuration settings on every computer are likely to be different.

Many people now take security and privacy extremely seriously, especially now that so much of our lives involves online activities. Using encryption and some sort of IP cloaker to provide anonymity is extremely common. Most of these security services are provided by third parties through specialised software. Again, incorporating these into some sort of common security standard is a sensible option yet somewhat difficult to achieve.

Further Reading: Netflix VPN Problem, Haber Press, 2015

Certificate Based Client Authentication

One of the most important features of SSL is its ability to authenticate based on SSL certificates. Often people fail to understand that this certificate based authentication can only be used when SSL is functioning; it is not accessible in other situations. Take the more common case on the web of insecure HTTP exchanges: here SSL certificate based authentication is not available. The only option is to control access by using basic username and password authentication. This represents possibly the biggest security issue on the internet today, because this exchange also takes place in clear text!

Another common misconception concerns the SSL sessions themselves. SSL sessions are established between two endpoints. The session may go through an SSL tunnel, which is effectively a forward proxy server. However, secure reverse proxying is not SSL tunnelling; it’s probably better described as HTTPS proxying, although this is not a commonly used term. In this case the proxy acts as the endpoint of one SSL session with the client, and forwards the request to the origin server over a second SSL session.

The two sessions are distinct, except of course that they will both be present in the cache and memory of the proxy server. An important consequence of this is that the client certificate based authentication credentials are not relayed to the origin server. The SSL session between the client and the reverse proxy server authenticates the client to the proxy server. However the SSL session between the origin server and the proxy authenticates the server itself. The certificate presented to the origin server is the reverse proxy’s certificate, and the origin server has no knowledge of the client and its certificate.

To summarise, what is lost is the ability to authenticate the client to the origin server through the reverse proxy server.

In situations where client certificate based authentication and access control are required, the role would have to be performed by the reverse proxy server. In other words the access control function has been delegated to the proxy server. Currently there is no protocol available for transferring access control data from the origin server to the reverse proxy server. However there are situations in advanced networks where the access control lists can be stored in an LDAP server, for example in Windows Active Directory domains. This enables all unverified connections to be controlled, e.g. blocking BBC VPN connections, including outbound client requests to the media servers.

The reverse proxy could be described in this situation as operating as a web server.  Indeed the authentication required by the reverse proxy is actually web server authentication not proxy server authentication.    Thus crucially the challenge status code is HTTP 401 and not 407.  This is a crucial difference and a simple way to identify the exact authentication methods which are taking place on a network if you’re troubleshooting.
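The 401/407 distinction described above can be checked mechanically when troubleshooting. This is an added example, not code from the original article; the sample responses are constructed, and the function and dictionary names are illustrative.

```python
# Added example: decide who is asking for credentials from the status code
# and the challenge header that must accompany it.

# status -> (challenge header, header the client replies with, who is asking)
CHALLENGES = {
    401: ("www-authenticate", "Authorization", "web server or reverse proxy"),
    407: ("proxy-authenticate", "Proxy-Authorization", "forward proxy"),
}

# Constructed sample responses (not captured traffic).
SAMPLES = {
    "reverse_proxy": (
        b"HTTP/1.1 401 Unauthorized\r\n"
        b'WWW-Authenticate: Basic realm="intranet"\r\n'
        b"Content-Length: 0\r\n\r\n"
    ),
    "forward_proxy": (
        b"HTTP/1.1 407 Proxy Authentication Required\r\n"
        b'Proxy-Authenticate: Basic realm="gateway"\r\n'
        b"Content-Length: 0\r\n\r\n"
    ),
    # A 407 that carries the wrong challenge header: clients cannot answer it.
    "misconfigured": (
        b"HTTP/1.1 407 Proxy Authentication Required\r\n"
        b'WWW-Authenticate: Basic realm="intranet"\r\n'
        b"Content-Length: 0\r\n\r\n"
    ),
    "no_challenge": b"HTTP/1.1 200 OK\r\n\r\n",
}


def parse_head(raw: bytes):
    """Return (status code, {lower-cased header name: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def classify_challenge(raw: bytes) -> dict:
    """Describe the authentication challenge in a raw HTTP response."""
    status, headers = parse_head(raw)
    if status not in CHALLENGES:
        return {"status": status, "challenger": None, "reply_header": None,
                "schemes": [], "consistent": True}
    challenge_header, reply_header, challenger = CHALLENGES[status]
    values = headers.get(challenge_header, [])
    # The first token of each challenge line is the scheme (Basic, Digest, ...).
    schemes = [v.split(None, 1)[0] for v in values if v]
    return {"status": status, "challenger": challenger,
            "reply_header": reply_header, "schemes": schemes,
            "consistent": bool(schemes)}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_challenge(raw))
```

A response marked inconsistent has the status code of one kind of challenge but not the header that belongs to it, which usually points at a proxy or server misconfiguration.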

 

Buy US Proxy with Transparent Proxying

When we are discussing the technological characteristics of proxies there’s one term which you will see used very often – ‘transparent’.    It can actually be used in two distinct ways when it comes to proxies.  The first is to refer to a definition which implies transparent proxying ensures that any user will see no difference to the original request whether it goes direct to the server or through a proxy.   In an ideal world pretty much all legitimate proxies would be considered ‘transparent’.

Proxies are however significantly more advanced than in the early years when this original definition was created. The term ‘transparent proxying’ now has much more meaning. The extended definition means that transparent proxying ensures that the client software is not aware of the existence of the proxy server in the communication stream. This is unusual because the client was usually configured to use a proxy, perhaps by the internet settings in its browser configuration. Software would then make a decision in its requests and perhaps distinguish between proxy and direct requests.

When transparent proxying, in its modern context, is used, it is the router rather than the client that is programmed to redirect the request through the proxy. This means that the proxy can actually be used to intercept and control all HTTP requests that are targeted by outbound connections. The request can even be parsed or perhaps even filtered and redirected. This control allows the network to configure access control rules on all outbound requests. A company network could use these to ensure unsuitable requests are not being made from a corporate network, e.g. to illegal web sites.

This level of transparent proxying leaves the client completely unaware of the existence of an intermediate proxy server. There are some caveats though and the proxy can be detected in certain circumstances. For example there is little point in buying a USA proxy if the server only supports HTTP/1.1, because the protocol makes no allowance for transparency in proxying information.

One of the main issues and indeed worries is that allowing completely transparent proxying might cause other issues, particularly in the client side applications. For example one of the fundamentals of using proxies in a corporate network is to reduce traffic by caching locally. This could cause all sorts of problems if the behaviour of the proxy cache affects communication between the destination server and the client application.

Further Reading – http://www.changeipaddress.net/us-ip-address-for-netflix/

Remote Login Methods

The ability to remotely login to a machine that’s miles away from you is perhaps one of the internet’s most popular applications.  It might not seem so, but being able to access a remote host without a hard wire connection has transformed many areas of IT particularly in support and development.   Obviously you need an account on the host that you are trying to login to, but actually using the machine as if you are at the console is extremely useful in many situations.

Two of the most famous applications for remote login access when using a TCP/IP based network (e.g. the internet) are Telnet and Rlogin. The most famous, and probably used by every IT support technician over the age of 25, is Telnet, installed as standard in almost every TCP/IP implementation. It seems relatively simple but this actually hides some great functionality, not least the ability to Telnet from one operating system to another. It’s incredibly useful to be able to sit at a Microsoft Windows machine with multiple command interfaces open in separate windows to Unix and Linux machines at the same time.

Remember these terminal windows are actually like physically sitting at the remote host’s console. This is completely different from just using a web session or using something like an Italian to stream RAI player abroad. Each individual character that you type is entered into the remote host; there’s no streaming, no relaying or filtering. Obviously there are some restrictions about running a terminal window on a completely different system. However Telnet performs an option negotiation phase between the client and server to ensure that only services which are supported at both ends are available.
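The option negotiation phase can be seen directly in the byte stream. The following added example (not from the original article) separates Telnet negotiation commands from terminal data and builds the client's accept or refuse replies; the sample greeting and the sets of supported options are constructed for illustration.

```python
# Added example: Telnet option negotiation as it appears on the wire.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
ECHO, SGA, TTYPE, LINEMODE = 1, 3, 24, 34   # standard option numbers

# Constructed server greeting: four option requests, then the login prompt.
SERVER_GREETING = bytes([IAC, DO, TTYPE, IAC, WILL, ECHO,
                         IAC, WILL, SGA, IAC, DO, LINEMODE]) + b"login: "


def split_stream(data: bytes):
    """Return ([(verb, option), ...], terminal_data) for one direction."""
    commands, text = [], bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                          # truncated command
        cmd = data[i + 1]
        if cmd == IAC:                     # IAC IAC is an escaped 0xFF data byte
            text.append(IAC)
            i += 2
        elif cmd in VERBS:
            if i + 2 >= len(data):
                break
            commands.append((VERBS[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:                    # subnegotiation: IAC SB <opt> ... IAC SE
            j = i + 3
            while j + 1 < len(data) and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1
            if j + 1 >= len(data):
                break                      # unterminated subnegotiation
            commands.append(("SB", data[i + 2]))
            i = j + 2
        else:
            i += 2                         # other two-byte commands (NOP, GA, ...)
    return commands, bytes(text)


def build_replies(commands, local_ok, remote_ok) -> bytes:
    """Agree only to options this end supports; refuse everything else."""
    out = bytearray()
    for verb, opt in commands:
        if verb == "DO":                   # peer asks us to enable an option
            out += bytes([IAC, WILL if opt in local_ok else WONT, opt])
        elif verb == "WILL":               # peer offers to enable an option
            out += bytes([IAC, DO if opt in remote_ok else DONT, opt])
    return bytes(out)


if __name__ == "__main__":
    cmds, prompt = split_stream(SERVER_GREETING)
    replies = build_replies(cmds, local_ok={TTYPE}, remote_ok={ECHO, SGA})
    print(cmds, prompt, list(replies))
    # Everything that is not negotiation is terminal data in clear text,
    # including whatever the user types at the prompt (constructed value).
    print(split_stream(replies + b"demo-user\r\n")[1])
```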

The other famous remote login application is called Rlogin which was developed from Berkeley Unix.   This application was initially only available on Unix Systems however it has been ported to most other operating systems now and you can Rlogin between Windows and Linux.  Both of these applications use the Client/Server configuration – the client is the system where the initial connection is established to the remote server which is the target.

Nowadays, the more popular of the two applications, Telnet, has become much more sophisticated. Over the years lots of functionality has been added to Telnet whereas Rlogin remains quite simple and unmodified. However it should be noted that although Rlogin lacks features, it is a simple and stable remote access application.

The author – John Herrington has worked in IT for over thirty years in a variety of roles from support to latterly Network manager at a large bank.   He now works for himself and runs one of the largest paid VPN services on the West Coast of America. He obviously works remotely a lot of the time but will rarely use Telnet as it’s too insecure!

Tracking VPN and Proxy Users

There are similar challenges for network administrators in corporate networks and those running firewalls for authoritarian regimes about the use of proxies and VPN services.  The issue is that not only do they allow individuals the freedom to conduct their internet activity without being tracked, a VPN will also prevent most aspects of logging taking place too.

If you imagine a company network it means that an individual could potentially conduct all sorts of behaviour from a company computer whilst sitting in a corporate office whilst at work.   They could be downloading films, streaming Netflix or something perhaps much more sinister even.  Obviously this is potentially a risk to both the network infrastructure and also potentially to the company’s reputation.

So how do you block the use of VPNs and proxies?  For a corporate network there are actually many more options, and the simplest is probably to stop any sort of VPN and proxy being used in the first place.   You can lock down the advanced settings in a web browser quite simply, for example the Internet Explorer Administration Kit (IEAK) allows you to configure and deploy an IE package which cannot be modified onto every client in your organisation.  This stops proxies being used manually and VPN clients can be blocked by ensuring that  standard users have no administrative access to their desktops.

It is certainly easier to block any installation than to try to track the use of VPNs, particularly some of the most sophisticated ones. For example, although you could potentially monitor logs in firewalls and routers for specific IP addresses which look like VPNs, some services allow you to switch to a range of IP addresses.

As you can see, if a service’s address is rotated then identifying the VPN by its IP address is much more difficult. However blocking installation of the highlighted service Identity Cloaker can also be difficult as it has a mobile version which can be run directly from a USB disk.

You can see that proxies are fairly irrelevant today as they can be easily blocked, also most content filters can detect their use too.   Significantly their use has now dropped globally for additional reasons mainly that they are mostly detected by websites which operate regional restrictions.   It is the more sophisticated Virtual private networks which are the difficulty, particularly those equipped with various VPN hider technologies and advanced encryption.

Does BBC Block VPN Programs from iPlayer

For years people have used VPNs for all sorts of reasons, but their origin lay quite simply in the security they provided. International companies will normally insist that their employees use VPN services when remotely connecting back to their servers using the internet. It makes sense, otherwise important information and credentials would be trusted to the owners of coffee shop wifi or the administrator of your local Premier Lodge or hotel chain.

The concept is simple, create an encrypted tunnel which ensures that all the data which normally is passed in clear text instead is encrypted and unreadable.  Of course, this security means that as well as being safe from computer criminals and identity thieves – it’s also secure from intelligence services and state controlled snoopers too.  It should come as no surprise that anyone who opposes free speech generally hates VPNs and the protection that they give.

So when we hear stories about different organisations and companies, from Netflix to the Chinese Government, trying to block VPNs, what are they doing? Well it depends; obviously the situation that leads to thousands of BBC iPlayer VPN not working is going to be slightly different to the Chinese throwing billions at the great firewall of China. However the general techniques are basically the same as a small company would use to achieve the same thing.

One of the most common options is to block the ports used by these services. Most VPN tunnelling protocols operate on standard ports, e.g. PPTP or L2TP. They need to establish these connections to transfer and receive data; without them the service won’t function. Other methods include identifying and blocking specific IP addresses or ranges which are being used by VPN services. It is these two methods that are mostly used by the big media companies like Hulu and the BBC.
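For a network administrator, the two methods above (standard tunnelling ports and listed address ranges) translate into a simple pass over firewall logs. This is an added example, not from the original article: the log format, the sample lines and the listed range (a documentation range used as a placeholder) are constructed, and the port numbers are the standard PPTP and L2TP assignments.

```python
# Added example: flag outbound connections that match standard VPN ports
# or an administrator-maintained list of address ranges.
import ipaddress
import re

VPN_PORTS = {("tcp", 1723): "PPTP control channel", ("udp", 1701): "L2TP"}

# Hypothetical list of ranges to watch; 198.51.100.0/24 is a placeholder.
LISTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed firewall log lines.
LOG = """\
2024-05-01T09:00:01Z ALLOW src=10.0.0.21 dst=203.0.113.7 proto=tcp dport=443
2024-05-01T09:00:04Z ALLOW src=10.0.0.35 dst=203.0.113.50 proto=tcp dport=1723
2024-05-01T09:00:09Z ALLOW src=10.0.0.35 dst=203.0.113.50 proto=udp dport=1701
2024-05-01T09:01:12Z ALLOW src=10.0.0.48 dst=198.51.100.23 proto=tcp dport=443
2024-05-01T09:02:30Z DENY src=10.0.0.48 dst=198.51.100.99 proto=udp dport=53
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Return the fields we need, or None if the line cannot be parsed."""
    fields = dict(FIELD.findall(line))
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "proto": fields["proto"].lower(),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def triage(log_text: str):
    """Return (findings, skipped); a finding is (src, dst, [reasons])."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        reasons = []
        label = VPN_PORTS.get((rec["proto"], rec["dport"]))
        if label:
            reasons.append("port: " + label)
        for net in LISTED_RANGES:
            if rec["dst"] in net:
                reasons.append("range: %s" % net)
        if reasons:
            findings.append((str(rec["src"]), str(rec["dst"]), reasons))
    return findings, skipped


def hosts_to_review(findings):
    """Group the reasons by internal source address."""
    hosts = {}
    for src, _dst, reasons in findings:
        hosts.setdefault(src, set()).update(reasons)
    return hosts


if __name__ == "__main__":
    found, skipped = triage(LOG)
    for src, reasons in sorted(hosts_to_review(found).items()):
        print(src, sorted(reasons))
    print("unparsed lines:", skipped)
```

The first log line (port 443 to an unlisted address) is not flagged, which is the limit of both methods: they only catch services that stay on standard ports or known addresses.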

Many Rumors – Does BBC Block VPN ?

In reality this does actually happen but not by any sophisticated method. Many companies providing VPN services have been blocked but largely because of their own issues. Using BBC logos and overloading servers are two of the main reasons they have been blocked. It’s not the BBC iPlayer detecting VPN services, it’s seeing thousands of individuals using the same IP address accessing the service which is the problem.

In many instances this is very likely to happen, there was a report that NordVPN was blocked by BBC iPlayer for example.  This was largely true simply because they are the largest legitimate VPN provider with millions of users.  Don’t worry though Nord have allocated specific IP addresses now specifically for access so it works ok as long as you use those.  Nord VPN is very good value and you can get some great deals at the moment too if you want to watch the BBC abroad.

Just make sure you use the BBC enabled VPN servers.

If you don’t mind spending a little more and want something even more secure then a program called Identity Cloaker doesn’t have as many users and has optimized its UK servers for accessing the BBC. I’ve used it without problems for ten years now and it certainly smashes the rumours that BBC iPlayer is not working through VPN programs.

The reality is that although many VPN services have been blocked it’s not actually that easy to achieve unless the company is careless or greedy.  Normally it’s just a numbers game but even then if IP addresses are rotated carefully there shouldn’t be an issue.  The BBC doesn’t have the time and budget to technically spot and block VPN services in any other way other than mentioned above.

These methods can be time consuming though, and it’s possible to switch address, and some services allow you to configure alternative ports too. The Chinese Government as you would expect have gone one step forward and use more sophisticated techniques like deep packet inspection. This involves looking at the data itself to identify if a VPN is being used to transport it. For example if you are unable to read any data because none of it’s in clear text then there is the likelihood that it is being encrypted. Of course, there are other methods which encrypt data like SSL so you need to be careful that you don’t block other traffic; it’s a risk that the Chinese would probably be happy to take however.
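The "none of it is in clear text" test, and the SSL false positive the paragraph warns about, can be illustrated with a small payload classifier. This is an added example, not from the original article: the thresholds are assumptions, and the payloads are constructed (hash-derived bytes stand in for ciphertext).

```python
# Added example: judge whether a payload looks like clear text or like
# encrypted data, and whether encrypted-looking data carries TLS framing.
import hashlib
import math
from collections import Counter

MIN_SAMPLE = 1024          # assumed: below this the entropy estimate is unreliable
ENTROPY_THRESHOLD = 7.5    # assumed: bits per byte, 8.0 is the maximum


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def looks_like_tls_record(data: bytes) -> bool:
    """Check the 5-byte TLS record header: type, version, length."""
    if len(data) < 5:
        return False
    length = int.from_bytes(data[3:5], "big")
    return (data[0] in (20, 21, 22, 23)      # record content types
            and data[1] == 3 and data[2] in (1, 2, 3)
            and 5 + length <= len(data))


def inspect_payload(data: bytes):
    """Return (verdict, entropy in bits per byte)."""
    entropy = shannon_entropy(data)
    if printable_ratio(data) >= 0.9:
        verdict = "clear text"
    elif len(data) < MIN_SAMPLE:
        verdict = "too short to judge"
    elif entropy < ENTROPY_THRESHOLD:
        verdict = "binary, not encrypted-looking"
    elif looks_like_tls_record(data):
        verdict = "encrypted, TLS framing"
    else:
        verdict = "encrypted or compressed, unrecognised framing"
    return verdict, round(entropy, 2)


def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (constructed test data)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed payloads.
CLEAR = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n" * 20
TUNNEL = pseudo_random_bytes(4096, b"tunnel")
TLS_RECORD = bytes([23, 3, 3]) + (4096).to_bytes(2, "big") + pseudo_random_bytes(4096, b"tls")

if __name__ == "__main__":
    for name, payload in (("clear", CLEAR), ("tunnel", TUNNEL), ("tls", TLS_RECORD)):
        print(name, inspect_payload(payload))
```

Entropy alone gives the same answer for the tunnel payload and the TLS record; only the framing check separates them, which is why blocking on "unreadable data" by itself also blocks ordinary HTTPS.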

Even these methods are not foolproof and VPN companies can scramble things like the meta data to make identifying the use of a VPN even harder. It is worthwhile noting that many people in China still use VPNs routinely, and so if the huge resources available to the Chinese State can’t block their use, there’s little likelihood that our BBC VPN workaround is going to stop working in the foreseeable future as long as we choose the right company to use.

 

BBC News Proxy Streaming from Outside the UK

The BBC haven’t always streamed the BBC News over the internet; in fact it was noticeably missing from the initial releases of the BBC iPlayer for a few years. There are a few other programmes which were omitted, for example there was always a delay put on Match of the Day presumably for contractual reasons. However now that the BBC has its own dedicated 24 hour News channel, it’s great news to see that it’s simultaneously broadcast live online on their web site.

Using a bbc news proxy

You can see the tab illustrated which leads to the live TV streaming section including the BBC News channel.   However many people outside the UK will have problems finding this link as it simply doesn’t exist on the version you get outside the UK.  It’s called the ‘International version’ and anyone not in the UK will be redirected to this site.   The site is good but it’s missing all the TV stations and the BBC iPlayer functionality, even if you go there directly you’ll get blocked whenever you try and play anything.

A BBC News Proxy in Action

Yet fear not, millions (and that’s not an exaggeration) watch the BBC News and all UK TV channels from all over the world.  When you appreciate the amount of programmes available on the BBC iPlayer and ITV Hub for example you’ll realise why people make the effort.  For many of us online access to the BBC iPlayer is way more valuable than a cable subscription which can cost a small fortune.

For those of us feeling a little bit stranded in mainland Europe after the disappointment over Brexit it genuinely feels like a lifeline.  Access to proper journalism is only appreciated when you have relied on social media for a while.

Like this post for example found on Facebook !

Got me worried, I can tell you !  Can you guess which European country I’m trying to access the BBC News from.  Anyway it apparently is slightly misleading and it wasn’t due to UK passport holders being segregated into different queues.  It was apparently a training exercise for customs staff at  the airport that caused the problems.

It was actually mentioned on the BBC show – Newsnight which I watch every evening 1030 GMT via the live streaming function on the BBC site.   You can even stream the last few episodes from the iPlayer link too – BBC Newsnight on iPlayer

UK Proxy BBC  – the News and All the British TV Channels

Ironically Brexit would have actually made accessing the BBC online content for free a little bit more difficult. The EU’s digital marketplace initiatives were forcing them to make the BBC accessible across Europe for all license fee holders. This would have been great for legitimate viewers but would have probably involved an authentication process for everyone.

Anyway that’s unlikely to happen now and you can still watch the BBC by routing your connection through a proxy server based in the UK. To be more specific it’s really a VPN which is harder to detect, but functions in almost the same way. Don’t be worried about lots of rumours that the BBC is blocking all VPN programs; that’s not entirely true. Many have been blocked but the secure ones like Identity Cloaker still work perfectly.

Here’s a quick video entitled – BBC News Streaming over the Internet which you can also watch below:

As you can see the trick is to hide your location before you connect to the website. By logging on to a server physically located in the UK, you can access any of the BBC without issue simply because it will see the server’s UK address and not your real one. It has the added bonus of adding a layer of security and privacy to your internet connection too. This is because the connection between your computer and the VPN server is entirely encrypted which means both your identity is private but also all credentials you pass through the VPN are safe too.

It should be added that all the media companies try and block access to their sites through intermediary servers like proxies and VPNs. However there are still several companies whose servers work perfectly well for accessing the BBC from anywhere in the world.

Further Reading about changing your IP address to a UK one  – http://www.changeipaddress.net/change-ip-address-to-united-kingdom/

Using a Proxy to Watch the BBC Iplayer in 2020

You’d never hear the word ‘proxy’ outside of an IT department a few years ago, but now everyone uses them. This post is specifically how to use a proxy to watch the BBC iPlayer application in the USA. Now firstly a quick introduction to the problem, the internet is not open or unrestricted in fact it’s more segmented than ever before. One of the reasons, is a technology called ‘region locking’ or ‘geo-targeting’ which have very similar meanings.

Using a Proxy to Watch the BBC

These technologies are basically designed to ensure that certain websites are only accessible from specific physical locations. It sounds crazy, but it’s true – where you are based physically has a huge impact on what you can access online. I’m not talking about the stupid filtering that paranoid governments do either, these restrictions are deployed by the web sites themselves. Mostly it’s to do with money, profit or copyright laws but they affect a huge proportion of the world’s best web sites.

I would certainly put the BBC and its application BBC iPlayer as one of the best web sites on the internet. You get access to all the BBC broadcasts live, something like six or seven 24 hour TV channels plus all the radio channels. You can also watch stuff for about six weeks after using the BBC iPlayer, all quality programmes with not an advert to be seen. Unfortunately it’s only accessible in the UK; if you try and access from the USA you’ll get blocked.

Which is where our friend the proxy comes in, a server that sits between you and the web site you visit basically hiding your real location. The trick is to use a proxy server that sits in the country you need access to, which for the BBC is of course the United Kingdom.

So here we go – How to watch the BBC iPlayer USA simply by using a proxy server.

As you can see this is on a computer, the software demonstrated is called Identity Cloaker and actively hides your true location when you visit any website. In this instance, the BBC sees the UK proxy server and assumes that is your location and as such everything works, you can even watch the BBC News.

Now a few years ago pretty much any proxy server would work, even the free ones you could find online. However this has now changed and there are a few things you should bear in mind when looking for a way to watch the BBC iPlayer in the USA.

Speed – it’s everything when streaming video, otherwise whatever you’re watching will buffer all the time.
Discretion – don’t sign up to a proxy/vpn service which openly advertises bypassing the BBC blocks and has its logos all over the site. They will get blocked or closed down.
Security – last year the BBC started actively blocking these connections from proxies. They need to be securely configured so as not to be detected.
Other Countries – If you want to access websites and TV stations in other countries, you’ll need access to proxies in those countries too.

Identity Cloaker is our recommendation because of its speed and security, plus it’s very reasonably priced. Try the 10 day trial first to make sure it works well for you. Although the core program is software to run on your computer/laptop you can also connect through from a tablet or smartphone by creating the connection manually. It’s easy to do and there’s a guide here.

How to use a US IP Proxy Server

There used to be a time when configuring and using a US IP proxy server was only for the technologically advanced. However times have changed and now millions of people with limited technical knowledge use IP proxies every day for many mundane situations.

One of the most common uses for an IP proxy is to access content that is restricted by region locking. For instance if you try and access any of the mainstream US media sites like ABC, NBC or Hulu from outside the USA then you’ll find that the majority of the site is inaccessible. The same goes for lots of other media sites across the world – all inaccessible outside their domestic market.

It kind of makes a mockery of the global communication medium that we call the internet. It certainly wasn’t designed to restrict and block access based on your physical location however that is how it has turned out. Which is why for a US citizen travelling or living abroad a US IP proxy server is so useful.

Using a US IP Proxy Server

The fact is that most of these websites determine your location by looking at your IP address and where it’s registered to. This will of course determine your physical location, however if you connect through a proxy server then the IP address of the server will be revealed and not your own. Therefore someone on holiday in Europe who connected to the internet through a US IP proxy server would appear to be in the US. Here’s a quick video which demonstrates this in action:

As you can see in the demonstration, the software is used to connect to a network of different proxies. In this particular example a US proxy is selected in order to access the film and movie site Hulu. Without using the proxy then the site won’t be accessible as the content is only licensed for US based users. However you can see that there are many different countries available in the software which can be used to watch or access web sites in other countries.

Connecting through a Canadian proxy would give you access to all the Canadian websites, using a French proxy would give you a French IP address and the ability to watch sites like M6 Replay.

As you can see from the video there is no real technical knowledge required as it’s all taken care of by the software. There are a whole host of these programs available now which you can install easily and then change your IP address to whichever you need. It is worth remembering though that when your connection is routed through a specific country then your browsing will be tailored to that country.

Someone connected through a US IP proxy will for example get the US version of Google complete with US related search results. It is obviously not a major issue but it can be confusing if you forget!

How to Switch Your IP Address to Another Country

Many of us now use VPNs and proxy servers routinely to hide our real IP addresses. The reasons are many, however for most of us it’s either to bypass the thousands of region locks which exist online or simply to hide our real location and identity. Investing in a VPN solution is usually a wise move, providing protection for when you’re online either at home or using an insecure wifi connection in a cafe or hotel for example. When you connect through a VPN or proxy your real IP address is hidden and the website you visit has no way of logging your location.

The problem is that for region locking uses, having a single additional IP address is rarely enough. The problem is that all these regional filters are based on different locations, so you often require addresses based in a variety of countries and being able to change address quickly is essential. Here’s a quick demonstration of some software called Identity Cloaker which facilitates this:

You can see that the software that controls the connection sits in the task bar and you can enable the VPN or switch it to use another server whenever you like. So for example if you were trying to watch the BBC you’d need a UK IP proxy but to watch ABC or CNN live streams you’d need a US proxy and IP address. All you need to do is open the control panel and switch to the appropriate country.

A few of the biggest VPN providers now provide multiple servers across different countries so you can switch like this. It makes sense to use one of these rather than the companies who charge additional for each country you sign up for. Using these companies you’ll find information on how to change IP address quickly as the subscription covers all their servers. Most of the sites cover countries like USA, Canada, UK, France and Germany whereas for other countries you might need to search around.

This is Not a Fake IP Address

Remember although you’re using software like this to hide your real address in order to access resources or maintain anonymity there’s nothing fake about the address.  It’s the only feasible way to change IP address online, by routing through an intermediate server. The address you present is entirely real and functional, which is essential if it’s going to allow you to communicate via TCP/IP.

Which is one of the problems with trying to find a free IP address changer – the fact is that real hardware and bandwidth are required.  These incur costs which have to be paid for in some ways, unless you find some unusually rich and benevolent individual (clue they don’t exist in the world of online proxies!).  Even free ones are expensive, and if you need something special like a sneaker proxy these cost even more to support and run.

For many just being able to hide my IP is enough, but if you’re trying to access geo-locked content or websites then that’s not actually enough.  In these circumstances you need the proxies to have an IP address in that specific country.   This generally means that the hardware must be physically located in that country too.

One of the difficult countries to get a proxy or VPN in is Australia, simply because the internet costs tend to be much higher there and it’s expensive to include Australian servers in their infrastructure. There are a few around though, but remember to watch BBC iPlayer in Australia you need a UK proxy not an Australian one. Although anyone based in Australia would be advised to use a local proxy when they’re not trying to bypass region locks simply because of the speed.

There is another reason why you should regularly rotate and change your IP address and that’s to keep the fact that you’re using a secure connection private. If you don’t switch addresses and just use a static video proxy, any ISP logs will show the use of a proxy as all requests will be routed through the one specific IP address. Switching this address periodically makes it much more difficult to detect.