x-post from iama - "We are darknet solutions we build and host darknet - says connecting to vpn before tor is not the same as tor before vpn

http://www.reddit.com/r/IAmA/comments/2ii1il/we_are_darknet_solutions_we_build_host_darknet/

This was a post he made and it made me think.

////////////////////////////// Security researcher here. Just going to expand on what you mentioned about VPNs to make sure people do this correctly. A VPN provides privacy and Tor provides anonymity. Privacy protects the data you're transmitting, anonymity protects you and your identity. The point of using a VPN and Tor together is to strengthen privacy when you're using Tor on the regular internet. In order to browse the regular internet through tor you use one of a very limited number of "exit nodes" which will route your Tor traffic to and from the internet. Once the exit node processes your traffic it is no longer made private by the systems Tor has built in. So when you "Tor" to the regular internet your data is no longer private unless you're using SSL/TLS or some other end to end encryption e.g. said VPN. You connect to the VPN and have a private tunnel through which your data continues to be encrypted. The exit node strips off the Tor encryption and gets more encrypted data bound for your VPN provider. The idea is that the VPN provider is more trustworthy than the volunteer run and guaranteed to be surveilled exit nodes. If you're going to combine a VPN and Tor together, you must make sure you connect to Tor first and then the VPN. Otherwise the VPN is just a connection between you and the "entrance" of the Tor network. This defeats the purpose and your traffic will be sniffed, saved, and logged by an intelligence agency that resides in the same country as the exit node. tl;dr: Tor to VPN is OK but VPN to Tor is BAD. Also pay for your VPN in tumbled (essentially laundered) Bitcoins. All the Russian based "untrackable" exchange providers are monitored by the FSB (direct descendant of the KGB) and probably the NSA anyway. ////////////////////////////

Can anyone back this up or clarify?

It kind of defeats the purpose for me. I got a VPN because I didn't want my ISP seeing I use Tor. But if you connect to Tor before the VPN they will see this, and vice versa your traffic will not be encrypted or something.

What do you guys think?


Comments


[10 Points] krustykainer:

I say no way.

1) How do you force your VPN to run through Tor safely?

2) Your VPN client software (PPTP, OpenVPN etc) can and will leak local route and IP details of your REAL endpoint to the other end of the VPN - bad!

VPNs are only useful for hiding the fact that you're running Tor from your ISP or for protecting traffic where you don't care if somebody knows who you're talking to but do care if somebody knows WHAT you're saying.

Not sure if this guy means well or not but it's bad advice as a whole. Yes exit nodes can sniff your traffic, this is true which is why browsing to anything other than SSL protected sites is more risky through Tor from a privacy perspective.


[3 Points] AcaciaBlue:

This sounds stupid. If you Tor->VPN it just delays the problem as there is still the SAME un-encrypted data hitting the VPN before the tor exit point. If you VPN->Tor then at least your ISP does not put you on the big brown list of "probably guilty" pedophiles and drug dealers who use Tor (at least I hope). And as long as you stick to onion sites only there is nothing for the outside world to spy on anyway.


[3 Points] irakneekly:

Just trying to learn but... Can you do Free VPN to Tor to Paid for and trusted VPN? Then you are hiding Tor but in a sense connecting to the real VPN after Tor. I would appreciate any info as I am pretty fascinated by this.


[3 Points] hilbert89:

x-posting my answer:

VPN to Tor is BAD.

That's not exactly the words I would use. For browsing the internet, Tor to VPN clearly provides better anonymity and privacy, but VPN to Tor still provides at least as much anonymity and privacy as Tor alone. A VPN in front of Tor would provide no additional privacy, but it would provide anonymity, both in the form of disguising your use of Tor from your ISP and by offering some protection against tagging attacks and traffic correlation attacks from Tor nodes (which are the major known vulnerability of Tor).

And if you are visiting an .onion site, like in the context of this post, Tor to VPN isn't even possible, so VPN to Tor is reasonable if you don't trust Tor alone.

tl;dr: Tor to VPN is great for clearnet browsing but is neither possible nor needed for browsing .onion websites. For that case, VPN to Tor is a great alternative and not bad at all.


[3 Points] darknetsolutions:

That comment is actually by /u/secunda, not us.

Permalink: https://www.reddit.com/r/IAmA/comments/2ii1il/we_are_darknet_solutions_we_build_host_darknet/cl2pe5g

We stated to connect to the VPN first, and then to TOR. Among other things, this prevents your ISP from detecting you are using TOR.

But, the reverse is also possible and has its own benefits.


[2 Points] DuCruu:

Isn't this what we already know?

VPN > Tor ensures that your ISP can't see that you're running Tor. You'll still be running through the same exit nodes but there are many exit nodes and it's a slim chance and it would still lead back to the IP of the VPN, no?

Tor > VPN means your ISP could see you're using Tor (which isn't a problem apparently if you use the big cable providers ex comcast) but the info you relay out the Tor exit nodes is encrypted through your VPN.

Personally when orders are being made, public wifi is used and Tor > VPN makes most sense. For browsing VPN > Tor makes more sense.


[1 Points] balgarath:

Why not both?

The obvious answer:

VPN -> Tor -> Same VPN -> Interwebz ;)


[0 Points] twigburst:

If you use VPN to tor couldn't they just sniff all your traffic and possibly steal your bitcoins alert LE?