Paywall still imposes access limits
Maybe I don't understand how a VPN works but a news site, with a paywall, limited my access. I did not get a VPN for this reason, to get around paywalls, but, when the paywall limitation popped up, it made me wonder how they would know me since I am running PIA. I admit I am ignorant of what a VPN does and does not do, so could someone please explain this to me? Thank you.
Comments
Believe it or not, one of the detection methods involves one of the most simple things - time zone. The IP connection of the VPN is in the time zone of the gateway country connected to; however, when you access a site via browser, that site can get the system time zone your computer is set to. If your system time zone differs from the VPN IP time zone then it's a clue that your connection is a VPN (or proxy) connection.
Another thing that's a giveaway for a VPN connection (based on OpenVPN) is the MTU/MSS ratio - OpenVPN has a somewhat unique MTU/MSS ratio signature depending on the type of connection (UDP or TCP), the packet block size, the compression, and the encryption type - all of which are detectable, so a profile match can be detected against a database of known OpenVPN based connection MTU/MSS ratio values. For example, a profile of an OpenVPN based connection (PIA in this case) using UDP, lzo compression, and SHA1 based encryption, which are the default settings for the PIA client when installed (a profile of: OpenVPN UDP bs128 SHA1 lzo), gives an MTU of 1392 and data packet block size of 128 to any site you connect to - it's a simple matter from there to look at the MTU and block size and see if there is any decryption being used and that produces a profile which screams a 99.9% chance that the connection is an OpenVPN based VPN connection.
Basically: for a VPN connection using OpenVPN the system leaves the MTU setting unchanged so the MTU appears as the standard 1500 on the system end, but the size of MSS within the data packet is changed. The MSS value reduces the MTU value seen at the end point. By comparing the packet size within the data packet to a database of known/standard MTU/MSS ratio values for OpenVPN the use of a VPN can be detected.
The MTU/MSS ratio alone, although also unique to OpenVPN based connections, could be for any number of reasons, that's true, but the MSS and block size is unique to OpenVPN because it happens based upon the compression and encryption. For example, while on VPN take a look at this link > http://ipleak.com/full-report/ < then scroll down and look under the 'Proxy / VPN Detection' section and in that section look at the 'Network Link' item - you see the "OpenVPN" there (using our example profile it would say OpenVPN UDP bs128 SHA1 lzo). Even if the MTU/MSS alone was detected but not matched to a profile, the time zone would give you away too as a first hint clue to apply other detection method decisions. Then there is the matter of the VPN IP address; using this alone it's a simple matter to match it to a database containing known VPN IP ranges or to known VPN data center providers. Then there is the matter of the ISP detection from the IP as another first hint "let's look further" thing where databases of known non-VPN legitimate ISP services in a region are compared to an incoming connection IP - if the IP and DNS do not resolve to one of these known ISP service providers it's also a red flag that a VPN or other "anonymous" type of tool is being used to mask the true IP address. Yet another first hint clue thing is IP and DNS lookups via ARIN or one of the other regional authorities for IP addresses; if the IP or DNS lookup comes back as 'no record' (or similar) it's a pretty sure bet it's a VPN (or proxy) connection.
Then there is the thing of shared IP collection databases - various online services are starting to work together. How it works is if an IP address is detected as a VPN connection then the IP range for that IP address is put in the collection database so that all IP addresses in that range will also be blocked, then the databases are shared with other services online which block VPNs and before long all of a VPN service's IP addresses are blocked, for example, to Netflix. Sometimes the detection systems make mistakes and someone using a VPN will slip through, so the person that slips through thinks they were not detected but in reality they were probably detected but the system was not up to the task at the moment (could have been real busy or being updated or something else) of blocking the connection at the time, so the person posts in a forum they were using Netflix or some other thing on the VPN connection then others try it too. Let's not forget that PIA is a shared IP system and that makes it very easy to block whole ranges of IP addresses, so the person posts they were able to use Netflix (or whatever) on VPN and others try it then suddenly the system is blocking them and everyone with an IP in that range. The common thing you see in forums about this is "try another gateway to get another IP address" or similar thing, which is probably the worst advice to give because it just invites people to try other gateways which give other IP ranges the blocking system can put in the database to block.
Then there are 'deep packet' inspection systems which detect VPN connections just fine, and it's simple too. Basically (without going into too much detail, but to give the general flow of things) the site (or even your ISP) redirects you, without you knowing it, to a "test" URL in their domain and if they cannot read your destination traffic exchange they know you are encrypted, most likely via a VPN connection, then they simply compare the MTU/MSS ratio against what is normal and they got you, then you end up blocked and the IP range goes in the database for the overall mass detection. Then of course there are obvious things screwed up sometimes, for example, DNS leaks which are a sure bet it's a VPN connection.
The point being that there are different methods that can be used to detect a VPN connection, and a lot of sites use a combination. The profile method is relatively new (and makes mistakes sometimes but it's over 85% accurate) but is gaining support and deployment for use along with other methods. The time zone thing is a first hint type of thing; if the time zone is different between the system and the VPN IP connection then it says "look further" - PIA does not include an "auto adjusting of a time zone" type of thing to make the VPN IP connection match the system time zone, but it might not be worth it with newer detection methods coming online anyway.
While mentioning the subject of 'anonymous' in context with VPN use, something that has got to be realized is that a VPN does not, and is not intended to, make you 'anonymous'. The 'anonymous' part is completely the individual's responsibility; the term is misapplied to, and by, VPN service providers. Although a VPN service may have numerous or different features/attributes/usefulness, people often confuse the numerous or different features/attributes/usefulness with remaining 'anonymous' and lump them together as allowing them to be 'anonymous', and that is simply not true. A person, no matter what the numerous or different features/attributes/usefulness a VPN service provides for them, is only as 'anonymous' on the internet as they choose to remain. For (simple basic) example, a person using a VPN connection buys something online and has it shipped to their home address, well guess what - that person has just compromised their claimed (because they use a VPN) 'anonymous' nature on the internet. The truth of the matter is that a VPN service is intended to do one thing and one thing only and that is protect your traffic from prying eyes - that's it, period, and it is not intended to make you 'anonymous'.
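The signals described in the comment above (time zone mismatch as a first hint, the MSS-derived MTU profile, and a shared list of VPN ranges), combined into one server-side check as an added example that is not part of the original post. The record fields, verdict labels, sample connections and the listed range are assumptions made for illustration; only the 1392 / "OpenVPN UDP bs128 SHA1 lzo" profile comes from the post.

```python
import ipaddress

# MTU -> link profile. 1392 is the value the post quotes for PIA's default
# OpenVPN settings; 1500 (Ethernet) and 1492 (PPPoE) are standard link MTUs.
MTU_PROFILES = {1500: "Ethernet", 1492: "PPPoE", 1392: "OpenVPN UDP bs128 SHA1 lzo"}
# Constructed stand-in for a shared VPN-range database
# (203.0.113.0/24 is a documentation network, not a real provider).
KNOWN_VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def mtu_from_mss(mss, ipv6=False):
    """MTU implied by the MSS option of a TCP SYN: MSS excludes the IP and
    TCP headers, 20 + 20 bytes on IPv4 and 40 + 20 bytes on IPv6."""
    return mss + (60 if ipv6 else 40)

def assess(conn):
    """Return (verdict, reasons) for one connection record (hypothetical dict)."""
    addr = ipaddress.ip_address(conn["ip"])
    reasons = []
    # First hint: browser time zone differs from where the IP geolocates.
    if conn["browser_utc_offset_min"] != conn["geoip_utc_offset_min"]:
        reasons.append("timezone-mismatch")
    # Profile match: MSS-derived MTU equals a known tunnel signature.
    profile = MTU_PROFILES.get(mtu_from_mss(conn["syn_mss"], addr.version == 6))
    if profile and profile.startswith("OpenVPN"):
        reasons.append("mtu-profile: " + profile)
    # Reputation: source address sits inside a listed VPN range.
    if any(addr in net for net in KNOWN_VPN_RANGES):
        reasons.append("known-vpn-range")
    # A time zone mismatch alone only means "look further" (a traveller's
    # laptop produces the same signal); a profile or range hit is stronger.
    if not reasons:
        return "no-signal", reasons
    if reasons == ["timezone-mismatch"]:
        return "look-further", reasons
    return "likely-vpn", reasons

# Constructed sample connections (offsets are minutes east of UTC).
SAMPLES = [
    {"ip": "203.0.113.25", "syn_mss": 1352,
     "browser_utc_offset_min": -300, "geoip_utc_offset_min": 60},
    {"ip": "198.51.100.7", "syn_mss": 1460,
     "browser_utc_offset_min": -300, "geoip_utc_offset_min": -300},
    {"ip": "198.51.100.8", "syn_mss": 1460,
     "browser_utc_offset_min": 60, "geoip_utc_offset_min": -300},
]

for sample in SAMPLES:
    print(sample["ip"], *assess(sample))
```

In a browser, `Date.prototype.getTimezoneOffset()` reports minutes west of UTC, so its sign has to be flipped before it is compared with a geolocation offset expressed as minutes east.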