
Re: [tor-talk] Tor plus VPN (was re: Hi all!)



On 01/22/12 at 06:46 AM, Christopher J. Walters wrote:

 > Actually, I know little about VPN. I was asking, in the hope that
 > I could learn more - and also it was suggested (I'm not sure where)
 > that using a VPN with Tor was better than either alone. Maybe it
 > would help if someone explained VPN - its good and bad points.

 Generally, virtual private networks (VPNs) are just that. You can think of VPN connections (aka tunnels) as virtual ethernet cables. Organizations typically use VPNs for LAN connectivity among locations, and with remote staff. There are three main protocols: 1) PPTP (outdated, simple, insecure); 2) IPsec (current, complicated, secure); and 3) OpenVPN (current, arguably less complicated, secure).

 In this context, however, we are using "VPN" in a more restricted way, to mean VPN "anonymity" services. That is, we mean VPN connections to remote Internet gateways, rather than to remote LANs.

 Regarding Tor, you must trust the design, the validity of the security assumptions that it's based on, and the software implementation. To the extent that you don't understand any of that, you must trust the developers. If you trust Tor itself, you don't need to trust the other participants (or vice versa). But you have no way, as a user, to really know how anonymous you are.

 Regarding VPN services, you must trust the operators, as well as their designs, assumptions and implementations. Some VPN services are basically just VPN-connected proxy servers. They know who you are, and they know where you've been. Other VPN providers may claim to increase anonymity in various ways. They may claim to route connections through multiple, geographically widespread servers and routers ("multi-hop VPNs"). They may claim to mix traffic on links and exit nodes that are shared with associated organizations ("multiplexing and crowding"). They may claim to require joint authentication, by mutually anonymous administrators, for access to, and configuration of, shared resources.

 However, everything can be logged, by every device that's involved (servers, routers, switches, etc). VPN providers may claim that they don't keep logs, that their designs make it difficult or impossible to keep logs, and so on. You can nest multiple VPN services, using providers who seem unlikely to collude and cooperate with your government. You can pay anonymously. But again, you have no way, as a user, to really know how anonymous you are.

 As a user, for both Tor and VPNs, it comes down to trust. Tor is arguably more likely to be more anonymous. Accessing Tor through VPNs can't hurt. Routing VPNs through Tor may be appropriate under some circumstances. But doing that will create shared history for each VPN that you use in that way. You obviously don't want to use the same VPN service on both sides of Tor.

 If you're interested in learning more, there are many informative threads on Wilders Security Forums.