Re: [tor-talk] Tor to VPN to Internet = Bad. Why?

On 04/25/2012 04:06 PM, Low-Key² wrote:
> Recently, I'd come across some chatter that suggested that connecting to a VPN via TOR was not a good idea and, rather, the better idea was to connect to a VPN that then used Tor.  I've not found any articles on the net that really discuss this issue.  My concern stems from more of a curiosity due to an encrypted private web proxy I used to run for foreign activists.  While the proxy would have appeared entirely benign to anyone in their regime, a number used Tor to connect to it. My larger question is, if there is a security concern for using Tor to connect to a VPN which then connects to the internet, would the same concerns apply to people who use Tor to connect to an encrypted web proxy?  Thanks in advance for any replies.

I think the main issue is that the user needs to authenticate to the VPN, so no
matter where they came from via Tor, they are identifiable. That is true even if
the credentials are shared; in that case it's known that the individual
connecting via the VPN must be from a small group.

On the other hand, if your goal is to hide location instead of identity from the
VPN, connecting via Tor _might_ do the trick. I'm saying _might_, since some
data inside the protocols transmitted over the VPN could contain your real IP or
other identifying information (depends on the protocol(s) used inside the VPN).

In the case of the encrypted proxy the attacker might know that it's some group
of people you gave access credentials to. So it depends on what the attacker can
learn - e.g. the attacker will retrieve your name from whois and might attempt
to find out from your communication which individuals belong to that group or
attempt to compromise the proxy and view logs.

