Over the weekend I gave myself the task of setting up Glype. Glype is an interesting PHP script that allows one to create a simple web proxy on any Apache web server.
The purpose of this, primarily for myself, is to be able to reach this proxy on my server from a web environment (such as schools or public computers) that is heavily censored or firewalled.
Because everybody knows that the internet just isn’t worth using with all of the “good” sites blocked by overzealous network administrators and politically motivated school administrators.
In my quest to set up the aforementioned HTTP proxy server I figured I would peruse the project’s website for some of their frequently asked questions, guides and other tidbits of information. No problem, right?
Ironically, the Glype project’s website wantonly blocks all proxies and VPNs thanks to the ridiculous “security theater” that is called Blocked.
All of them! Entire IP ranges! Entire ASNs! Have they lost their mind?
This is thanks to what I am awarding the title of most incompetent website protection software: so-called “Blocked.com”. I am very displeased with the sloppy way this software does its thing. Becoming the judge, jury and executioner simply because a potential visitor MAY be from a bad IP neighborhood.
If someone wanted to be as ridiculously paranoid as them, they would have been better off creating an iptables rule to do the same thing for free.
Granted, I understand that internet spam is a big problem. That’s no understatement. Providers like OVH and the millions of spam robots crawling the web are definitely an issue. I get plenty of these across my web properties every day.
My spat with Blocked comes from how they conduct their blocking. Instead of intelligently trying to detect suspicious behavior, patterns or user agent strings that may be reflective of spam (or other shenanigans such as forged packet headers or shady reverse DNS entries), like competitors such as Cloudflare (which provides a really good benefit to security without screwing over honest end users), they just block entire networks.
This is akin to denying kids the right to an education just because they’re from a certain neighborhood! What? My lousy /32 IP allocation ain’t good enough?
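The difference between the two approaches can be shown on a handful of requests. The following is an added example, not code from Blocked, Cloudflare or this post; the IP addresses (documentation ranges), the blocklist, the user-agent markers and the score thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample traffic: (client_ip, user_agent, path, status).
REQUESTS = (
    # One person browsing through a self-hosted VPN in a data-center range.
    [("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0", p, 200)
     for p in ("/", "/faq", "/download")]
    # A bot on a residential range hammering the login form.
    + [("198.51.100.23", "python-requests/2.31", "/login", 401)] * 30
)

# Assumed blocklist: an entire hosting provider's range (constructed).
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BAD_UA_MARKERS = ("python-requests", "curl", "scrapy")  # assumed markers


def blocked_by_network(ip):
    """Blanket approach: reject anything inside a listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def behaviour_scores(requests):
    """Behavioural approach: score each client on what it actually did."""
    stats = defaultdict(lambda: {"n": 0, "fail": 0, "bad_ua": False})
    for ip, ua, path, status in requests:
        s = stats[ip]
        s["n"] += 1
        s["fail"] += path == "/login" and status == 401
        s["bad_ua"] |= any(m in ua.lower() for m in BAD_UA_MARKERS)
    scores = {}
    for ip, s in stats.items():
        score = 2 if s["fail"] >= 10 else 0   # repeated failed logins
        score += 1 if s["bad_ua"] else 0      # automation user agent
        score += 1 if s["n"] >= 20 else 0     # high request volume
        scores[ip] = score
    return scores


def compare(requests, threshold=2):
    """Return both verdicts per client so the mismatches are visible."""
    return {ip: {"network_block": blocked_by_network(ip),
                 "behaviour_block": score >= threshold}
            for ip, score in behaviour_scores(requests).items()}


if __name__ == "__main__":
    for ip, verdict in compare(REQUESTS).items():
        print(ip, verdict)
```

On this sample the range block rejects the well-behaved VPN user and lets the login-hammering bot through, while the behaviour score does the opposite.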
I am incensed by this because I run my own private VPN server. My self-hosted OpenVPN and L2TP/IPSec virtual servers allow me to avoid Comcast’s (and others’) deep packet inspection, traffic shaping and other sources of trouble. Internet providers have been known to use deep packet inspection technology to screw with competing services (I’m looking at you, Verizon!) and build personalized advertising profiles of users to sell to marketing companies. For example, instead of seeing me accessing Netflix, Google, etc., they will only see AES-256 encrypted UDP packets. It also gives me the bonus of tunneling the upstream bandwidth provider’s IPv6 connectivity (which Comcast has shamefully still failed to deploy to my southern New Jersey home).
This is a major benefit to me, as it allows me to take full control over the security and privacy of my internet connectivity. Consequently, all Internet traffic exiting my devices will terminate at the VPN server, so to the “outside world” my devices have an IP address that comes back to my server provider’s data center.
It’s not like it’s OVH or one of the providers, notoriously bad at handling abuse, that infest the web with spam and brute force login attempts. The company I use has no history of this sort and enforces their abuse policies excellently. I’m not sending out suspicious user agents or any other activity indicative of spam, and this is not a publicly accessible VPN service (just me!).
And it’s not like this IP of mine is being used as a Tor exit node or other potential source of abuse.
But when I visit any website “protected” by this software, here’s what I’m greeted with:
I refuse to not use my VPN due to those aforementioned privacy concerns. Many people make use of virtual private servers thanks to the proliferation of technologies such as Xen, OpenVZ and KVM, with VPN servers being one of their most useful applications. This company is simply blocking entire blocks of IP address ranges and providers to provide the illusion of security to its customers.
As a website owner and a website visitor, I am extremely disappointed in Blocked. Discriminating against IP addresses that have had no history of spam is only hurting the entire internet community.