[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] Tor -> VPN Clarification



Hi, 

Here are a couple of typical use scenarios for both setups. 

PC => Tor => VPN => Internet :
Gives the traditional advantages of a VPN to a Tor routed connection. Meaning that the connection from Tor Exit Node to outside is encrypted so it adds confidentiality to anonymity. 
Also, this configuration allows you to obfuscate the fact that you use Tor for the server you are connecting to, e.g. You can appear to be in a country of your choice. 

But then, the Tor provided anonymity is now at stakes with how close this VPN connection is associated to you. A great benefit of Tor (change circuit every 10mn) is being ripped out of the equation, because every connection can now be associated to possibly a single VPN server. This alone greatly depletes your anonymous status, because activities-correlating (I don't remember how this type of matching is usually called) makes you stand out from the rest of thousands of Tor user. 
But moreover, this already threatening amount of info was obtained solely from the best-case hypothesis where the absolute minimum share of info has leaked from the singled-out VPN server. Any additional information that the VPN server has about you will add up to the pile, even if it's not - yet - personally identifying. Any payment leaves a trail, be it only a bitcoin adress, but also every bit of info leaked by each single device which has used this VPN account, (browser metadata for example is a big one, timezone and even (accidental or malicious) clock (a)synchronisation, language packed installed, etc, ...) 

It really comes as a trade-off between anonymity and confidentiality. 



VPN => Tor :
Obfuscate your use of Tor to your ISP or anyone able to monitor your host's Internet traffic. 
Can prove very useful, let's say if you're connecting through a foreign hotel's Internet, a VPN draws much less attention than Tor because it is very common for workers to connect to their employees network this way. Then it all depends on 1) how much your VPN connection look like a regular business one and 2) how far your adversary will go in investigating the "issue". Deep packet inspection for example can look like the absolute spy master tech but most of the technologies devices that are actually being sold and used just stop at protocol matching. "if it quacks like a duck...". So mostly beware of the IP-associated location of your VPN server. 


This is a very interesting topic to focus on. The attempt at combining other technologies to supplement Tor's inherent weaknesses is an exciting subject as much as a tricky one. 
It is crucial to be aware of the many aspects of how and why does Tor actually provide anonymity so as not to break any vital part of the process. 

Le 30 janvier 2015 11:05:46 CET, Squeak <squeak@riseup.net> a écrit :
>Hello,
>
>Relative newbie here, and I was wondering if someone could help me with
>something please. I keep seeing people describing connections to the
>Tor
>and is VPN connections in the following two ways:
>
>Tor -> VPN
>VPN -> Tor
>
>So if I fire up Tunnelblick, connect to my VPN provider and then open
>TBB which of the above does this describe?  And also, is there a
>recommended way of connecting these two technologies?
>
>Another thing I've noticed is in the Tunnelblick client that there is
>an
>option to connect to a Socks5 proxy, this suggests to me that I can
>send
>the VPN connection through the Tor network.  But I am confused as to
>why
>one would want to do this, and what the benefits/disadvantages might
>be?
>
>Really appreciate any help you guys could give me!
>
>Squeak
>
>
>
>------------------------------------------------------------------------
>
>-- 
>tor-talk mailing list - tor-talk@lists.torproject.org
>To unsubscribe or change other settings go to
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk