NordVPN Says Its New Protocol Can Circumvent VPN Blockers

NordVPN has introduced NordWhisper, a new protocol designed to bypass VPN blocks in restrictive countries like Russia and India by making VPN traffic appear like regular internet activity. Gizmodo reports: NordVPN claims to have found a way to make traffic from its service look normal, though admits that it may not always work perfectly. It also says the NordWhisper protocol may introduce more latency. The protocol is rolling out first to users on Windows, Linux, and Android. Support for other platforms will come in the future.

Re:

[Anonymous Coward]

Oklahoma has entered the chat. https://www.oklahoman.com/stor... [oklahoman.com]

Re:

[Mr. Dollar Ton]

What are you talking about, you can't even visit Holland anymore. They renamed it to the Netherlands.

Just use a ToR client

[gweihir]

Seriously.

Re:

[poofmeisterp]

Seriously.

I thought ToR was already thrown to the dog poop heap because FBI/etc had hacked it and found ways to track and target anything they wanted. Did I miss some big news that makes that impossible? I don't pay attention to the "news", so yeah. Need to "call a friend." lol

Re:

[gweihir]

You fell for propaganda. There was one documented, targeted, high-effort attack by the FBI. That, incidentally, did a traffic-analysis attack that had been known for decades. Details matter. VPN operators get NSLs all the time, so many that the cases do not even get reported on anymore.

Re:

[poofmeisterp]

Thank you, kind sir!

How does it work

[alvinrod]

I'm curious as to how this works and while I don't think they've done anything like this, I recently had thought about harnessing LLMs to churn out something that hides messages that look like crap AI output while hiding some other message within that. Essentially the idea would be to fool blockers by using an LMM to generate utterly banal crap that looks like Facebook posts about uncle Steve's bowel cancer diagnosis and hide the useful bits in there in some way. Instead of trying to use encryption the LMM utilizes steganography to disguise the real traffic within something that otherwise looks innocuous and travels as plaintext to avoid suspicion. The obvious downside is that this requires transmitting a lot of data that's useless, but it's probably impossible for conventional algorithms to detect and would even fool humans who would brush it off.

Re:

[Narcocide]

I've been fairly sure this has already been happening for over a decade now.

Re: How does it work

[sectokia]

Thatâ(TM)s not the problem, all content is always in TLS regardless of vpn. The problem is when you use a vpn, you are very obvious to government/isp, as you are only talking to one end point and not making multiple tcp connections and dns lookups like a normal user would. So the idea is to use many ips as the end point with many tcp connects and disconnects and have lots of secure dns look ups. so anyone listening sees a bunch of random stuff that looks like normal encrypted user behaviour

Re:

[ls671]

Yeah, it's easy to hide when you don't send all traffic through the VPN. You can play with your routing tables to only route forbidden sites through the VPN.

Re:

[MachineShedFred]

Don't even have to play with route tables. Just fire up a docker container with your illicit service in it, and have the docker container use the VPN. Everything else even from the same host goes out direct - no routing knowledge required.

Re: How does it work

[tlhIngan]

Most likely they just reinvented the SSLVPN.

Basically your connection goes over TCP port 443 and for the most part looks like regular HTTPS traffic, which in general is allowed everywhere.

Commercial VPNs all have an SSLVPN mode because you never know how restrictive a firewall can be, but almost all allow HTTPS traffic. Even with a proxy. The only danger might come into proxies that use their own keys, but that's easily worked around by encrypting the contents before connecting to the proxy.

The real problem is on bad connections, TCP over TCP basically will kill your connection as the outer TCP will do retransmissions as well as the inner TCP. And any bad connection means dropped packets, or high jitter and latency.

It's basically a last resort kind of VPN.

Re:

[MachineShedFred]

It's still a problem for the VPN operator though, because if they have 300 people all tunneling their Netflix region-locked traffic over HTTPS through the same endpoint, Netflix still sees a shitload of weird traffic coming from that one endpoint and can identify it as a VPN host.

They would need to do something like SSLVPN as well as spread the outbound traffic among many endpoints so that it looks like singular users, or a few users on a shared network (such as airport free wifi, etc.). And as they are of

Re:How does it work

[ls671]

I'm curious as to how this works

I am curious too. I only see 2 ways for a country to block their citizen to access VPNs:

1) Block known IPs
2) Deep packet inspection

1 and 2 could be combined to be able to find IPs to block while not having to deep packet inspect all the country traffic. Partial packet inspection to find new IPs to block could give good results. The country could also target given users for packet inspection to hypothetically get better result.

1) is easy to do for the country and all NordVPN has to do is get a bunch of IPs or strike deals with third parties to proxy their traffic. Bonus points if the IPs they use change constantly. Heck, they could even use their own customers IPs to proxy other customers traffic!

2) is more expensive to do on a large scale for the country and hard to do for all the country's traffic. But yeah, NordVPN could have come up with something to somehow masquerade the traffic I guess.

As a side note, I remember a military vpn link where they would saturate the bandwidth to full capacity all the time so eve-droppers couldn't notice any change when something is happening and more is transmitted. They'd just send gibberish over the link when there was nothing or little to transmit. I played with the concept and it is quite easy to implement actually with tc on linux. Just have a process saturating the bandwidth and tc simply drops that process traffic when real traffic needs to be sent over the VPN.

Now if they could make a stable release

[databasecowgirl]

Unfortunately, the UI is still dragging its knuckles and connections drops or will log you out without warning for no apparent reason.

At least you can lock the connection so you aren't exposed if the connection fails. Probably. But the feedback on the UI is so unreliable, I would not trust it.

When you try to fix it, there's no feedback to indicate the app isn't frozen. You just have to wait until it eventually responds. Or not. And if after a minute or two you click reconnect again, it might. It might also eventually connect and then reconnect a few times to teach you a lesson. And just for good measure, once you're back to work, it might switch you to another country just for grins.

On the macUI, you get five recent connections saved for easy access. On windows, only three. Kind of a short sighted slight.

Worse, the login process is totally banjo requiring interaction with your browser which also requires disabling the network lock and then giving it permission to relaunch the app despite it having to already be running in order to login. And even having given permission, it will usually fail, requiring the user to enter a doom loop of failed log ins that obviating any good such a protocol might provide.

One might conclude NordVPN doesn't put any effort into testing. Not a good strategy for a company selling security.

Re:

[MachineShedFred]

I have no idea what the hell you're talking about. I've used NordVPN for years to defeat geo-locking for streaming video and it's been rock solid. Used primarily on Android and Linux. And they use a mix of standard protocols in addition to their proprietary stuff like what this article is talking about, so you don't need to use their "UI" at all.

If you have a problem with their "UI" don't fucking use it, and just use any WireGuard or OpenVPN client. Sheesh.