VPN's Decrease Anonymity

I've seen a lot of users recommending the use of a VPN, however I haven't seen the evidence to support they actually increase operational security. There are 2 main points, a VPN doesn't necessarily hide the fact that you use tor and that using a VPN increases your attack surface.

1) VPN's will not hide the fact that you're using tor from your ISP [1]. VPN/SSH fingerprinting has been around for a while now, if you need to hide your tor usage you should be using a bridge and obfsproxy.

2) VPN's increase your attack surface. Firstly, you have to trust that the vpn provider is honest, that every employee who could steal sensitive data is honest, and that the provider and employees are competent enough to run a secure business.

In the Snowden leaks he brought forth evidence that nations were likely compromising VPN companies. Here is an excerpt from an NBC article[2]:

When p0ke clicked on the link, however, JTRIG was able to pull up the IP address of the VPN (virtual private network) the hacktivist was using. The VPN was supposed to protect his identity, but GCHQ either hacked into the network, asked the VPN for the hacker's personal information, or asked law enforcement in the host nation to request the information.

A representative of the VPN told NBC News the company had not provided GCHQ with the hacker's information, but indicated that in past instances it has cooperated with local law enforcement.

The NSA runs a program codenamed Bullrun that is dedicated to thwarting internet encryption, there are much better security researchers than myself who have speculated on what the capabilities may be but it is certain that Five Eyes has succesfully defeated encryption via hardware backdoors and software exploitation.

Via Wikipedia[3]:

According to a Bullrun briefing document, the agency had successfully infiltrated both the Secure Sockets Layer as well as virtual private network (VPN). The New York Times reported that: "But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government's nuclear department and another's Internet service by cracking the virtual private networks that protected them. By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300."

Yeah, its worded a little funny at the beginning, but it shows that the agencies have had success in the past and will continue to expand their efforts. As a regular user you probably don't have to worry about this except for parallel investigation. However, anyone who operates a darknet market or provides services on/to a dnm should definitely be worried about Five Eyes spying.

In conclusion, VPN's are a risk with no reward. If you care about your anonymity then tunneling tor through a VPN is not the answer. Professional security researchers agree[4].

Sources:

[1] https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN#VPNSSHFingerprinting

[2] http://www.nbcnews.com/news/investigations/war-anonymous-british-spies-attacked-hackers-snowden-docs-show-n21361

[3] https://en.wikipedia.org/wiki/Bullrun_%28decryption_program%29

[4| PDF] https://grugq.github.io/presentations/Keynote_The_Grugq_-_OPSEC_for_Russians.pdf

[4| VID] http://www.youtube.com/watch?v=9XaYdCdwiWU

[>] For more reading on anonymity:

[*] http://freehaven.net/anonbib/topic.html#Anonymous_20communication

[*] https://grugq.github.io/

[*] https://www.torproject.org/docs/pluggable-transports.html.en


Comments


[4 Points] Bbmcisrightyoufools:

There's also the possibly of your VPN being a honeypot ala Cumbajohnny


[4 Points] jfovendas:

OP, youre an idiot.

1) VPN's will not hide the fact that you're using tor from your ISP [1]. VPN/SSH fingerprinting has been around for a while now, if you need to hide your tor usage you should be using a bridge and obfsproxy.

Bridges can be enumerated which defeats the point of using them. VPNs hide the fact you are using Tor, if your worried about profiling packetflows then run bittorrent alongside it.

2) VPN's increase your attack surface. Firstly, you have to trust that the vpn provider is honest, that every employee who could steal sensitive data is honest, and that the provider and employees are competent enough to run a secure business.

You have to trust your guard node completely if you dont run one. At least VPns offer a last line of defense.

The NSA runs a program codenamed Bullrun that is dedicated to thwarting internet encryption,

Bullrun was the heartbleed bug and the port-forwarding bug that deanon'd vpns, maybe they have a few more tricks up their sleeves but security is an ongoing thing. This is besides the point, you adversary isnt the NSA its the FBI/DEA.

there are much better security researchers than myself

Of course there are because you are not a security researcher.


[2 Points] Hank_Vendor:

I've never understood it.

I mean, is tor not just a series of free vpns? Why go to the trouble of using tor and then place a vpn provider who knows your real identity in between the two? Makes no sense to me.

But then it also makes no sense to me that people are using their own wifi in the first place. I mean a phone as a usb dongle or a mobile broadband dongle thing seem like much better options to me.

You can take the wifi card out of your laptop so it doesn't know what other wifi networks its near too. That seems like a good place to start off so it acts in a sense as your failsafe in case your other measure get compromised without your knowledge.


[1 Points] Anti-Hero_AU:

Excellent resource.

Now, lets see who can refute this?

/u/fastStack what are your thoughts regarding the Cryptostorm Private Network, and have you test-driven it yet (or poked around)? Just another VPN to you, or?


[1 Points] stiktalk:

thanks for the post, i was considering getting a vpn as a consumer.

good information <3


[1 Points] honestlyhardworking:

thx for the post boss


[-1 Points] 0p9000:

is this FUD from Gov.? Sure they increase your anonymity, but only if the server doesnt keep any logs and if they are NOT in an western country. what they wanna do versus encryption without quantum computers? Who ever didnt bought from day 1 a vpn-service from an offshore location, stay away from internet crime? but youre just drug users, please stop to care.