
Re: [tor-talk] Tor browser and VPN or web proxy



On 09/29/2018 08:35 PM, Paul Syverson wrote:
> On Sat, Sep 29, 2018 at 04:28:46PM -0700, Mirimir wrote:
>> On 09/29/2018 09:29 AM, panoramix.druida wrote:
>>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Saturday, September 29, 2018 11:58, J B <jb.1234abcd@xxxxxxxxx> wrote:
>>>
>>>> Hi,
>>>> Could you please explain in what sequence the two should be activated and
>>>> why
>>>> (which setup is secure) ?
>>>> TB -- VPN or web proxy
>>>> or
>>>> VPN or web proxy -- TB
>>>
>>> I am playing with Qubes OS and I tried Tor -> VPN (with Bitmask), and I found this useful for not having captchas everywhere, as happens with Tor alone. I tried this thanks to this talk: https://www.youtube.com/watch?v=f4U8YbXKwog
>>
>> True. But this is the most dangerous way to combine Tor and VPNs.
>>
>> If you connect first through a VPN (yours or a commercial service) and
>> then to Tor, the VPN becomes like your ISP. It encrypts and obscures
>> your traffic. So your ISP can't easily tell that you connect with Tor,
>> or what you otherwise connect with directly.
>>
>> But your VPN provider _does_ know all that. Also, some argue that VPN
>> services are more likely malicious than ISPs, and so potentially
>> compromise your Tor use. But others (including Mirimir) argue that ISPs
>> are more readily compromised by local adversaries, so using VPN services
>> increases security and privacy for Tor use.
>>
>> Also, if you connect to Tor through a VPN, entry guards can't easily
>> know your ISP-assigned IP address. So malicious entry guards (or those
>> who had compromised them) would need to get that information from your
>> VPN provider. That would have provided some protection against CMU's
>> relay-early exploit, which pwned many .onion services and users.
>>
>> However, connecting first to Tor, and then through Tor circuits to a
>> VPN, is _far_ more dangerous. Bottom line, you throw away all of the
>> anonymity that Tor can provide. That's because your VPN provider may
>> know who you are. Perhaps because you paid them in some traceable way.
>> Or perhaps because you accidentally connected directly, and not through
>> Tor, revealing your ISP-assigned IP address to them.
> 
> While that is all roughly on-average correct, it depends entirely on your
> adversary and intended activity. (You might not be average.)  If, as
> one example, you need to connect to a corporate VPN and you don't
> want a local adversary (such as the ISP) to know your affiliation with
> that corporation, then this is the order to do things.
> 
> aloha,
> Paul

Right. Didn't think of that. And yes, that _is_ a safe use case. Because
you don't need/want to be anonymous to that corporation. Or for anything
you do through that VPN connection.

Even so, for that you might as well use a VPN service, instead of Tor.
Because performance will be much better. Unless it's important to hide
corporate affiliation from more than just local adversaries.

>> However, if you're careful, you can use VPNs through Tor to 1) avoid
>> Tor-specific CAPTCHAs, 2) route UDP traffic, and 3) use online services
>> that generally don't work well with Tor alone.
>>
>> <SNIP>
>> -- 
>> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>