Silk Road forums
Discussion => Security => Topic started by: ikalihi812 on March 05, 2012, 11:40 pm
-
How about if we use LogMeIN software or an alternative to use another person's PC in conjunction with TOR to access SR?
Even if the IP address used with SR is tracked via some unknown means, it won't lead directly to your own PC.
TeamViewer is a great free option
-
Using a vpn is something that only a fed would suggest.
-
Says who? And how would you know that genius?
-
I'm not sure why it's the case, but there are dozens of threads in here that all say the same thing, don't use a VPN in conjuction with TOR for SR purposes. Haven't seen a single thread supporting the idea so maybe just search around in here and you'll arrive at the same conclusion.
-
Wow great answer, I will definitely read old threads to see what's up.
-
Likely to do with th fact that the VPN operator can see your IP address.
-
https://lists.torproject.org/pipermail/tor-talk/2012-January/022913.html
pay special attention to anything said by Arma he is the lead Tor dev
Hi, I am not new to Tor, though it has been a while since I've used it. I
notice that there are many changes since I used it last. I have some some
questions to get me up to speed with the newest release.
I hope you don't mind my asking these questions, since my attention span is
about that of a gnat since I have an extreme toothache. Otherwise I would
probably read all the docs.
1. Is there a preferred browser and OS to maximize security?
2. What is the best way to use a VPN with Tor to increase anonymity?
3. Is there now a way to use Tor to send anonymous email? (All but government
controlled remailers were shut down).
I can use Windows 7 64 bit + any GNU/Linux or Posix OS that supports multibit
builds.
I'd like to get back into using Tor (I stopped because the TorButton was ...
unreliable for anonymity).
Any recommended reading, if not direct answers? Think of me as a newbie who's
not really a newbie - that is, I've used Tor and just want to be brought up to
speed on the most secure way to use the new version.
Chris
> Hi,
Hi!
> I am not new to Tor, though it has been a while since I've used it. I
> notice that there are many changes since I used it last. I have some some
> questions to get me up to speed with the newest release.
[snip]
> 1. Is there a preferred browser and OS to maximize security?
The Tor Browser Bundle (TBB) is what you need:
https://www.torproject.org/download/download-easy.html.en
Just extract and run.
> 2. What is the best way to use a VPN with Tor to increase anonymity?
I'll leave this for someone else ...
> 3. Is there now a way to use Tor to send anonymous email? (All but government
> controlled remailers were shut down).
Depends on how you define anonymous. As you point out the remailer
networks are pretty much dead.
You can sign up to Tor Mail and FastMail via Tor, and then access both
either through a web interface or via IMAP (Claws Mail works well as a
lightweight IMAP client, and seems to play nicely with Tor). FastMail
requires a pre-existing email address for its free account, but 10
Minute Mail (or Tor Mail) can help you there.
http://tormail.net/ , http://jhiwjjlqpyawmpjx.onion/
https://fastmail.fm/
http://10minutemail.com/10MinuteMail/index.html
Search the archives for some discussions about Tor Mail ... not
everyone is happy with it. (I am!)
> I can use Windows 7 64 bit + any GNU/Linux or Posix OS that supports multibit
> builds.
There are Tor Browser Bundles for Windows, Linux, and OS X.
> I'd like to get back into using Tor (I stopped because the TorButton was ...
> unreliable for anonymity).
Torbutton has been through some changes, and comes in the TBB. As the
web page says: "Users should be using Tor Browser Bundle, not
installing Torbutton themselves":
https://www.torproject.org/torbutton/
Mike may have more to say, but the design doco should cover everything:
https://www.torproject.org/torbutton/en/design/index.html.en
> Any recommended reading, if not direct answers? Think of me as a newbie who's
> not really a newbie - that is, I've used Tor and just want to be brought up to
> speed on the most secure way to use the new version.
Keep reading this list!
-C
> 2. What is the best way to use a VPN with Tor to increase anonymity?
Others have already made a few statements about Tor plus VPN.
You can do you -> VPN -> Tor, or you -> Tor -> VPN maybe even you -> VPN
-> Tor -> VPN?
And you can stop using Tor as a (socks) proxy and start using Tor as a
transparent proxy.
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
you -> your own VPN server -> Tor
https://trac.torproject.org/projects/tor/wiki/doc/TorVPN
in this case a simple Tor-Gateway could be more easy
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX
If you like further information you could tell a bit more why you want to
use Tor plus VPN.
On 1/22/2012 05:51 AM, proper at tormail.net wrote:
>> 2. What is the best way to use a VPN with Tor to increase anonymity?
>
> Others have already made a few statements about Tor plus VPN.
>
> You can do you -> VPN -> Tor, or you -> Tor -> VPN maybe even you -> VPN
> -> Tor -> VPN?
>
> And you can stop using Tor as a (socks) proxy and start using Tor as a
> transparent proxy.
> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
>
> you -> your own VPN server -> Tor
> https://trac.torproject.org/projects/tor/wiki/doc/TorVPN
>
> in this case a simple Tor-Gateway could be more easy
> https://trac.torproject.org/projects/tor/wiki/doc/TorBOX
>
> If you like further information you could tell a bit more why you want to
> use Tor plus VPN.
Actually, I know little about VPN. I was asking, in the hope that I could
learn more - and also it was suggested (I'm not sure where) that using a VPN
with Tor was better than either alone. Maybe it would help if someone
explained VPN - its good and bad points.
So the replies I've received are what I was looking for, mostly. I just want
to be anonymous when browsing the web - if Tor alone can accomplish that, I
will be satisfied. Too many companies track everything you do on the Internet
(including ISPs), then sell that information.
Chris
On 01/21/12 at 03:44 PM, Christopher J. Walters wrote:
> 2. What is the best way to use a VPN with Tor to increase anonymity?
You're not going to get better anonymity by using VPNs with Tor. Anonymity is what Tor does very well, far better than any commercial VPN arrangement. With VPNs, there are potentially always logs that lead back to you. You can make the trails hard to follow, by nesting VPNs from multiple providers and paying anonymously, but you can't eliminate them.
You can use VPNs with Tor in two ways. You can route Tor through VPN services. That prevents your ISP etc from seeing that you're using Tor. Generally, VPNs are more popular than Tor, so you won't stand out as much. Once the VPN client has connected, the VPN tunnel will be the machine's default Internet connection, and the Tor Browser Bundle will route through it.
You can also route VPN services through Tor. That hides and secures your Internet activity from Tor exit nodes. Although you are exposed to VPN exit nodes, you at least get to choose them. If you're using VPNs in this way, you'll want to pay for them anonymously (cash in the mail, Liberty Reserve, well-laundered Bitcoin, etc). However, you can't readily do this without using virtual machines. And you'll need to use TCP mode for the VPNs (to route through Tor). In our experience, establishing VPN connections through Tor is chancy, and requires much tweaking.
arma \/
On Sun, Jan 22, 2012 at 06:06:47AM +0100, Martin Hubbard wrote:
> On 01/21/12 at 03:44 PM, Christopher J. Walters wrote:
>
> > 2. What is the best way to use a VPN with Tor to increase anonymity?
>
> You're not going to get better anonymity by using VPNs with
>Tor. Anonymity is what Tor does very well, far better than any commercial
>VPN arrangement. With VPNs, there are potentially always logs that lead
>back to you. You can make the trails hard to follow, by nesting VPNs from
>multiple providers and paying anonymously, but you can't eliminate them.
>
> You can use VPNs with Tor in two ways. You can route Tor through
>VPN services. That prevents your ISP etc from seeing that you're using
>Tor.
Another advantage here is that it prevents Tor from seeing who you are
behind the VPN. So if somebody does manage to break Tor and learn the IP
address your traffic is coming from, but your VPN was actually following
through on their promises (they won't watch, they won't remember, and
they will somehow magically make it so nobody else is watching either),
then you'll be better off.
> Generally, VPNs are more popular than Tor, so you won't stand out
>as much. Once the VPN client has connected, the VPN tunnel will be the
>machine's default Internet connection, and the Tor Browser Bundle will
>route through it.
> You can also route VPN services through Tor. That hides and secures
>your Internet activity from Tor exit nodes. Although you are exposed to
>VPN exit nodes, you at least get to choose them. If you're using VPNs
>in this way, you'll want to pay for them anonymously (cash in the mail,
>Liberty Reserve, well-laundered Bitcoin, etc). However, you can't readily
>do this without using virtual machines. And you'll need to use TCP mode
>for the VPNs (to route through Tor). In our experience, establishing
>VPN connections through Tor is chancy, and requires much tweaking.
Even if you pay for them anonymously, you're making a bottleneck where
all your traffic goes -- the VPN can build a profile of everything you
do, and over time that will probably be really dangerous.
In short, I think "You -> VPN provider -> Tor network" can be a fine idea,
assuming your VPN provider's network is in fact sufficiently safer than
your own network; but "You -> Tor network -> VPN provider" is generally
a really poor plan.
--Roger
> Another advantage here is that it prevents Tor from seeing who you are
> behind the VPN. So if somebody does manage to break Tor and learn the IP
> address your traffic is coming from, but your VPN was actually following
> through on their promises (they won't watch, they won't remember, and
> they will somehow magically make it so nobody else is watching either),
> then you'll be better off.
>
> Even if you pay for them anonymously, you're making a bottleneck where
> all your traffic goes -- the VPN can build a profile of everything you
> do, and over time that will probably be really dangerous.
>
> In short, I think "You -> VPN provider -> Tor network" can be a fine idea,
> assuming your VPN provider's network is in fact sufficiently safer than
> your own network; but "You -> Tor network -> VPN provider" is generally
> a really poor plan.
>
> --Roger
>
With your permission, parts of this could be used in the torproject.org
wiki. Mailing list discussion would be linked. I am going to create a new
article related to Tor plus VPN.
Can you agree with that?
On Sun, Jan 22, 2012 at 10:57:38AM -0000, proper at tormail.net wrote:
> With your permission, parts of this could be used in the torproject.org
> wiki. Mailing list discussion would be linked. I am going to create a new
> article related to Tor plus VPN.
>
> Can you agree with that?
Sure, please do.
--Roger
On 01/21/12 at 11:26 PM, Roger Dingledine wrote:
> Even if you pay for them anonymously, you're making a bottleneck
> where all your traffic goes -- the VPN can build a profile of
> everything you do, and over time that will probably be really
> dangerous.
That is a very good point. On the other hand, such profiling can be advantageous in fleshing out an identity.
On 01/22/12 at 06:46 AM, Christopher J. Walters wrote:
> Actually, I know little about VPN. I was asking, in the hope that
> I could learn more - and also it was suggested (I'm not sure where)
> that using a VPN with Tor was better than either alone. Maybe it
> would help if someone explained VPN - its good and bad points.
Generally, virtual private networks (VPNs) are just that. You can think of VPN connections (aka tunnels) as virtual ethernet cables. Organizations typically use VPNs for LAN connectivity among locations, and with remote staff. There are three main protocols: 1) PPTP (outdated, simple, insecure); 2) IPsec (current, complicated, secure); and 3) OpenVPN (current, arguably less complicated, secure).
In this context, however, we are using "VPN" in a more restricted way, to mean VPN "anonymnity" services. That is, we mean VPN connections to remote Internet gateways, rather than to remote LANs.
Regarding Tor, you must trust the design, the validity of the security assumptions that it's based on, and the software implementation. To the extent that you don't understand any of that, you must trust the developers. If you trust Tor itself, you don't need to trust the other participants (or vice versa). But you have no way, as a user, to really know how anonymous you are.
Regarding VPN services, you must trust the operators, as well as their designs, assumptions and implementations. Some VPN services are basically just VPN-connected proxy servers. They know who you are, and they know where you've been. Other VPN providers may claim to increase anonymity in various ways. They may claim to route connections through multiple, geographically widespread servers and routers ("multi-hop VPNs"). They may claim to mix traffic on links and exit nodes that are shared with associated organizations ("multiplexing and crowding"). They may claim to require joint authentication, by mutually anonymous administrators, for access to, and configuration of, shared resources.
However, everything can be logged, by every device that's involved (servers, routers, switches, etc). VPN providers may claim that they don't keep logs, that their designs make it difficult or impossible to keep logs, and so on. You can nest multiple VPN services, using providers who seem unlikely to collude and cooperate with your government. You can pay anonymously. But again, you have no way, as a user, to really know how anonymous you are.
As a user, for both Tor and VPNs, it comes down to trust. Tor is arguably more likely to be more anonymous. Accessing Tor through VPNs can't hurt. Routing VPNs through Tor may be appropriate under some circumstances. But doing that will create shared history for each VPN that you use in that way. You obviously don't want to use the same VPN service on both sides of Tor.
If you're interested in learning more, there are many informative threads on Wilders Security Forums.
Thank you for your reply.
> Generally, virtual private networks (VPNs) are just that. You can think of
> VPN connections (aka tunnels) as virtual ethernet cables. Organizations
> typically use VPNs for LAN connectivity among locations, and with remote
> staff. There are three main protocols: 1) PPTP (outdated, simple, insecure);
> 2) IPsec (current, complicated, secure); and 3) OpenVPN (current, arguably
> less complicated, secure).
>
> In this context, however, we are using "VPN" in a more restricted way, to
> mean VPN "anonymnity" services. That is, we mean VPN connections to remote
> Internet gateways, rather than to remote LANs.
>
> Regarding Tor, you must trust the design, the validity of the security
> assumptions that it's based on, and the software implementation. To the
> extent that you don't understand any of that, you must trust the developers.
> If you trust Tor itself, you don't need to trust the other participants (or
> vice versa). But you have no way, as a user, to really know how anonymous
> you are.
I understand the security assumptions that Tor is based upon, and believe them
to be more sound than using proxy servers (even with nesting). As for the
implementation, I am a programmer, and Tor is open source so I COULD look at
the implementation by downloading the source code and going through it (a very
time consuming process).
> Regarding VPN services, you must trust the operators, as well as their
> designs, assumptions and implementations. Some VPN services are basically
> just VPN-connected proxy servers. They know who you are, and they know where
> you've been. Other VPN providers may claim to increase anonymity in various
> ways. They may claim to route connections through multiple, geographically
> widespread servers and routers ("multi-hop VPNs"). They may claim to mix
> traffic on links and exit nodes that are shared with associated
> organizations ("multiplexing and crowding"). They may claim to require joint
> authentication, by mutually anonymous administrators, for access to, and
> configuration of, shared resources.
>
> However, everything can be logged, by every device that's involved (servers,
> routers, switches, etc). VPN providers may claim that they don't keep logs,
> that their designs make it difficult or impossible to keep logs, and so on.
> You can nest multiple VPN services, using providers who seem unlikely to
> collude and cooperate with your government. You can pay anonymously. But
> again, you have no way, as a user, to really know how anonymous you are.
So, in essence VPNs in this context, are just another form of proxy server (or
another way to access one). I agree, there is no way to even know if you are
anonymous - after all, I am sure that some VPNs are run by governments (not
that they'd tell you that).
> As a user, for both Tor and VPNs, it comes down to trust. Tor is arguably
> more likely to be more anonymous. Accessing Tor through VPNs can't hurt.
> Routing VPNs through Tor may be appropriate under some circumstances. But
> doing that will create shared history for each VPN that you use in that way.
> You obviously don't want to use the same VPN service on both sides of Tor.
Doesn't everything come down to trust, in the end? Everything going through
the Internet is logged, and unless encrypted, world-readable. Often, it is
logged, even then in unencrypted form, on the other side.
What I get from this discussion is that, with anything that makes you
anonymous, you can't be sure of the level (I couldn't even if I did go through
the Tor source code, since I have no way of knowing if every Tor node my
traffic passes through is using *that* source code). It is a matter of trust,
best practices, and the integrity of the system you're using.
> If you're interested in learning more, there are many informative threads on
> Wilders Security Forums.
I will probably check them out.
If anyone SUGGESTS a specific VPN to you, they are probably a fed. If anyone suggests you should use a VPN instead of Tor they are probably a fed.
-
LMFAO so basically Arma just supported my idea! hahaha! cool!
"In short, I think "You -> VPN provider -> Tor network" can be a fine idea,"
-
Well he at least didn't say it is horrible :P.
-
If possible I want to set up something like this: You--> TeamViewer PC --> TOR PC --> TeamViewer PC --> TOR PC --> Silk Road