[tor-talk] Tor to VPN to Internet = Bad. Why?

AK akarmn at gmail.com
Wed Apr 25 20:10:40 UTC 2012


I think in some cases where Tor is blocked, connecting to a VPN through Tor
may be useful. The problem of course is signing up for the VPN anonymously,
but this can be achieved with Bitcoin, to an arbitrarily high level of
security, although at present it's still kind of inconvenient to achieve a
level of mixing that would be just as anonymous as Tor.

On Wed, Apr 25, 2012 at 12:27 PM, Ondrej Mikle <ondrej.mikle at gmail.com> wrote:

> On 04/25/2012 04:06 PM, Low-Key² wrote:
> > Recently, I'd come across some chatter that suggested that connecting to
> > a VPN via TOR was not a good idea and, rather, the better idea was to
> > connect to a VPN that then used Tor.  I've not found any articles on the
> > net that really discuss this issue.  My concern stems from more of a
> > curiosity due to an encrypted private web proxy I used to run for foreign
> > activists.  While the proxy would have appeared entirely benign to anyone
> > in their regime, a number used Tor to connect to it. My larger question is,
> > if there is a security concern for using Tor to connect to a VPN which then
> > connects to the internet, would the same concerns apply to people who use
> > Tor to connect to an encrypted web proxy?  Thanks in advance for any
> > replies.
>
> I think the main issue is that the user needs to authenticate to the VPN,
> so no matter where they came from via Tor, they are identifiable. That is
> true even if the credentials are shared; in that case it's known that the
> individual connecting via the VPN must be from a small group.
>
> On the other hand, if your goal is to hide location instead of identity
> from the VPN, connecting via Tor _might_ do the trick. I'm saying _might_,
> since some data inside the protocols transmitted over the VPN could contain
> your real IP or other identifying information (depends on the protocol(s)
> used inside the VPN).
>
> In the case of the encrypted proxy the attacker might know that it's some
> group of people you gave access credentials to. So it depends on what the
> attacker can learn - e.g. the attacker will retrieve your name from whois
> and might attempt to find out from your communication which individuals
> belong to that group or attempt to compromise the proxy and view logs.
>
> Ondrej
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
