[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor browser and VPN or web proxy

On 09/29/2018 09:29 AM, panoramix.druida wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> El sábado, 29 de septiembre de 2018 11:58, J B <jb.1234abcd@xxxxxxxxx> escribió:
>> Hi,
>> Could you please explain in what sequence the two should be activated and
>> why
>> (which setup is secure) ?
>> TB -- VPN or web proxy
>> or
>> VPN or web proxy -- TB
> I am playing with QubeOS and I try Tor -> VPN (with Bitmask) and I found this useful for not having captchas everywhere as it does happend with Tor alone. I try this thanks to this talk: https://www.youtube.com/watch?v=f4U8YbXKwog

True. But this is the most dangerous way to combine Tor and VPNs.

If you connect first through a VPN (yours or a commercial service) and
then to Tor, the VPN becomes like your ISP. It encrypts and obscures
your traffic. So your ISP can't easily tell that you connect with Tor,
or what you otherwise connect with directly.

But your VPN provider _does_ know all that. Also, some argue that VPN
services are more likely malicious than ISPs, and so potentially
compromise your Tor use. But others (including Mirimir) argue that ISPs
are more readily compromised by local adversaries, so using VPN services
increases security and privacy for Tor use.

Also, if you connect to Tor through a VPN, entry guards can't easily
know your ISP-assigned IP address. So malicious entry guards (or those
who had compromised them) would need to get that information from your
VPN provider. That would have provided some protection against CMU's
relay-early exploit, which pwned many .onion services and users.

However, connecting first to Tor, and then through Tor circuits to a
VPN, is _far_ more dangerous. Bottom line, you throw away all of the
anonymity that Tor can provide. That's because your VPN provider may
know who you are. Perhaps because you paid them in some traceable way.
Or perhaps because you accidentally connected directly, and not through
Tor, revealing your ISP-assigned IP address to them.

However, if you're careful, you can use VPNs through Tor to 1) avoid
Tor-specific CAPTCHAs, 2) route UDP traffic, and 3) use online services
that generally don't work well with Tor alone.

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to