How Netflix is blocking VPNs
South African entrepreneur Steven Cohen, who provides access to a range of international streaming services through his company Future TV, has provided insight into the way he believes Netflix is going about cracking down on the tools people use to circumvent geographical restrictions.
Netflix announced in January that it would begin cracking down on virtual private networking (VPN) services and other tools that people around the world have used to access the US version of the video-on-demand streaming service.
Now Steven Cohen, a South African entrepreneur, who provides access to a range of international streaming services through his company Future TV, has provided insight into the way he believes Netflix is going about the crackdown.
Netflix’s move to prevent international users from accessing versions of its service outside the territories in which they live came just days after the company announced it was launching in most markets around the world, including South Africa.
However, the South African Netflix catalogue is significantly smaller than what’s available to US viewers, prompting many users to vow to continue subscribing to the US version.
Netflix vice-president of content delivery architecture David Fullagar warned in a post on the company’s website in January that “in coming weeks, those using proxies and unblockers will only be able to access the service in the country where they currently are”.
VPN services typically mask a user’s Internet protocol (IP) address, allowing them to “fool” services like Netflix, Hulu and others into thinking they’re located in a different territory to where they actually are.
“Some members use proxies or ‘unblockers’ to access titles available outside their territory. To address this, we employ the same or similar measures other firms do. This technology continues to evolve and we are evolving with it. That means in coming weeks, those using proxies and unblockers will only be able to access the service in the country where they currently are. We are confident this change won’t impact members not using proxies,” he said.
Cohen said he has investigated in detail how Netflix is going about imposing the geo-blocking to stop unauthorised access.
Netflix, he said, has “tagged” some users randomly, preventing them from accessing services beyond their home market. It appears that all new accounts are being tagged by default, he added.
The company’s old security measure was easy to circumvent and needed only three URLs (Web addresses) to be masqueraded to an international server to tell Netflix where the client was located. “This was also easy because the video being streamed wasn’t geo-checked,” Cohen said.
On some devices, Netflix also conducted a geo-check via Google and OpenDNS, which was quite simple to get around by masquerading the IP addresses for those services.
User accounts that haven’t been tagged yet can still access international content on devices by the old method. But the new method of geo-blocking for a tagged account works in a different and more aggressive manner, he said.
“When a user’s account is tagged, Netflix first does a geo-check via their ordinary checkpoint, netflix.com. This tells Netflix where the user is accessing it from and is still simple to masquerade and users can still view what content is available in the region of the IP address.
“The next step is where it gets tricky. Netflix has different content delivery network (CDN) points for content. If a client requests, for example, House of Cards or Orange is the New Black, which are not available on Netflix South Africa, it goes to the CDN and does a geo-check on the video.
“If it detects that the IP address is different from the original netflix.com IP address, it will throw up an error message that you are using a proxy.”
It gets more complex. Netflix also conducts a check to see if the IP address is a hosting server address. Many VPN services and hosting servers have been “tagged” by Netflix and will give the user a proxy error message as well, Cohen said.
If the video is available in a user’s region, but the user is accessing another Netflix catalogue, it will let the video play.
Three main issues
There are three issues that unblocking services are grapping with, he said.
Firstly, Netflix is detecting hosting providers’ IP addresses around the world and tagging them as hosting services.
Secondly, the entire video is streamed via the hosting server, which will mean slower content delivery and high bandwidth costs for VPNs and proxy providers. In the past, the video did not need to be streamed through the VPNs.
Lastly, on some devices Netflix is using IP requests instead of domain name system requests for CDN traffic, so users may find that Netflix US works on some devices but not on others.
“Netflix has become a worldwide brand thanks to the help of proxies and VPNs that gave users around the world a taste of what it is,” Cohen said. “Now that Netflix is available worldwide and its brand is well known, it is stopping these services because of a ‘border control’ stance, and keeping the content providers happy. Yet Netflix is charging South Africans the same price in US dollars to access 740 titles compared to the US catalogue of 5 960 titles, which is a bit unfair.”
Cohen said that although Future TV does not offer an unblocking service to the public, he has successfully been able to circumvent the new blocks from Netflix. — © 2016 NewsCentral Media