[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor plus VPN (was re: Hi all!)

On 1/22/2012 10:01 AM, Martin Hubbard wrote:
> On 01/22/12 at 06:46 AM, Christopher J. Walters wrote:

Thank you for your reply.

> Generally, virtual private networks (VPNs) are just that. You can think of
> VPN connections (aka tunnels) as virtual ethernet cables. Organizations
> typically use VPNs for LAN connectivity among locations, and with remote
> staff. There are three main protocols: 1) PPTP (outdated, simple, insecure);
> 2) IPsec (current, complicated, secure); and 3) OpenVPN (current, arguably
> less complicated, secure).
> In this context, however, we are using "VPN" in a more restricted way, to
> mean VPN "anonymnity" services. That is, we mean VPN connections to remote
> Internet gateways, rather than to remote LANs.
> Regarding Tor, you must trust the design, the validity of the security
> assumptions that it's based on, and the software implementation. To the
> extent that you don't understand any of that, you must trust the developers.
> If you trust Tor itself, you don't need to trust the other participants (or
> vice versa). But you have no way, as a user, to really know how anonymous
> you are.

I understand the security assumptions that Tor is based upon, and believe them
to be more sound than using proxy servers (even with nesting).  As for the
implementation, I am a programmer, and Tor is open source so I COULD look at
the implementation by downloading the source code and going through it (a very
time consuming process).

> Regarding VPN services, you must trust the operators, as well as their
> designs, assumptions and implementations. Some VPN services are basically
> just VPN-connected proxy servers. They know who you are, and they know where
> you've been. Other VPN providers may claim to increase anonymity in various
> ways. They may claim to route connections through multiple, geographically
> widespread servers and routers ("multi-hop VPNs"). They may claim to mix
> traffic on links and exit nodes that are shared with associated
> organizations ("multiplexing and crowding"). They may claim to require joint
> authentication, by mutually anonymous administrators, for access to, and
> configuration of, shared resources.
> However, everything can be logged, by every device that's involved (servers,
> routers, switches, etc). VPN providers may claim that they don't keep logs,
> that their designs make it difficult or impossible to keep logs, and so on.
> You can nest multiple VPN services, using providers who seem unlikely to
> collude and cooperate with your government. You can pay anonymously. But
> again, you have no way, as a user, to really know how anonymous you are.

So, in essence VPNs in this context, are just another form of proxy server (or
another way to access one).  I agree, there is no way to even know if you are
anonymous - after all, I am sure that some VPNs are run by governments (not
that they'd tell you that).

> As a user, for both Tor and VPNs, it comes down to trust. Tor is arguably
> more likely to be more anonymous. Accessing Tor through VPNs can't hurt.
> Routing VPNs through Tor may be appropriate under some circumstances. But
> doing that will create shared history for each VPN that you use in that way.
> You obviously don't want to use the same VPN service on both sides of Tor.

Doesn't everything come down to trust, in the end?  Everything going through
the Internet is logged, and unless encrypted, world-readable.  Often, it is
logged, even then in unencrypted form, on the other side.

What I get from this discussion is that, with anything that makes you
anonymous, you can't be sure of the level (I couldn't even if I did go through
the Tor source code, since I have no way of knowing if every Tor node my
traffic passes through is using *that* source code).  It is a matter of trust,
best practices, and the integrity of the system you're using.

> If you're interested in learning more, there are many informative threads on
> Wilders Security Forums. 

I will probably check them out.

> tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx 
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

avast! Antivirus: Outbound message clean.
Virus Database (VPS): 120122-0, 01/22/2012
Tested on: 1/22/2012 10:47:57 AM
avast! - copyright (c) 1988-2012 AVAST Software.

tor-talk mailing list