[tor-talk] Tor browser and VPN or web proxy

Paul Syverson paul.syverson at nrl.navy.mil
Sun Sep 30 03:35:28 UTC 2018


On Sat, Sep 29, 2018 at 04:28:46PM -0700, Mirimir wrote:
> On 09/29/2018 09:29 AM, panoramix.druida wrote:
> > 
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Saturday, September 29, 2018 11:58, J B <jb.1234abcd at gmail.com> wrote:
> > 
> >> Hi,
> >> Could you please explain in what sequence the two should be activated and
> >> why
> >> (which setup is secure) ?
> >> TB -- VPN or web proxy
> >> or
> >> VPN or web proxy -- TB
> > 
> > I am playing with Qubes OS and I tried Tor -> VPN (with Bitmask), and I found this useful for not having captchas everywhere, as happens with Tor alone. I tried this thanks to this talk: https://www.youtube.com/watch?v=f4U8YbXKwog
> 
> True. But this is the most dangerous way to combine Tor and VPNs.
> 
> If you connect first through a VPN (yours or a commercial service) and
> then to Tor, the VPN becomes like your ISP. It encrypts and obscures
> your traffic. So your ISP can't easily tell that you connect with Tor,
> or what you otherwise connect with directly.
> 
> But your VPN provider _does_ know all that. Also, some argue that VPN
> services are more likely malicious than ISPs, and so potentially
> compromise your Tor use. But others (including Mirimir) argue that ISPs
> are more readily compromised by local adversaries, so using VPN services
> increases security and privacy for Tor use.
> 
> Also, if you connect to Tor through a VPN, entry guards can't easily
> know your ISP-assigned IP address. So malicious entry guards (or those
> who had compromised them) would need to get that information from your
> VPN provider. That would have provided some protection against CMU's
> relay-early exploit, which pwned many .onion services and users.
> 
> However, connecting first to Tor, and then through Tor circuits to a
> VPN, is _far_ more dangerous. Bottom line, you throw away all of the
> anonymity that Tor can provide. That's because your VPN provider may
> know who you are. Perhaps because you paid them in some traceable way.
> Or perhaps because you accidentally connected directly, and not through
> Tor, revealing your ISP-assigned IP address to them.

While that is all roughly on-average correct, it depends entirely on your
adversary and intended activity. (You might not be average.)  If, as
one example, you need to connect to a corporate VPN and you don't
want a local adversary (such as the ISP) to know your affiliation with
that corporation, then this is the order to do things.

aloha,
Paul


> 
> However, if you're careful, you can use VPNs through Tor to 1) avoid
> Tor-specific CAPTCHAs, 2) route UDP traffic, and 3) use online services
> that generally don't work well with Tor alone.
> 
> <SNIP>