What happens if you use a VPN in conjunction with TOR? Plus a few basic queries.

Discussion in 'privacy technology' started by ccoates, Sep 1, 2010.

Thread Status:
Not open for further replies.
  1. ccoates
    ccoates Registered Member

    Apologies if this comes up a lot. It's difficult to search for topics related to both because they're such short search terms. I did try searching via the use of Google's "site:" option and went through every page without stumbling upon the topic, but maybe it's too obvious to have been discussed.

    Firstly, is there a point to combining the use of a VPN with the use of TOR? I realize they do different things, but it seems like if a VPN encrypts traffic, and then TOR anonymizes it, you'd avoid the problems of plaintext in the exit nodes.

    If you do use a VPN service, and then run TOR in a browser, how exactly do the two work together?

    Does the VPN service encrypt your data, then send it through the TOR nodes, which eventually emerges encrypted?

    In this case, does the VPN know what you're accessing via TOR, or simply that you're using TOR? Is the TOR traffic encrypted between the TOR network and the client on your PC?

    Is there something obvious that I'm missing because the entire subject is new to me?

    I am trying to learn about different security and privacy setups for a number of reasons. I am planning on traveling long-term in the future, and some of the countries I will find myself passing through have oppressive internet and privacy legislation that I'd rather not run afoul of.

    Another is that I use an unsecured, shared internet connection in my building. Recently I was delivered one of those notices for illegally sharing a television show (I am not sharing said show, illegally or otherwise.) Would the use of a VPN insulate me from future exposure to such things, or am I collectively liable/vulnerable because someone on the same connection is filesharing?

    I've also seen things like JanusVM and XB Browser mentioned, which claim to use both VPN and TOR technologies. Does this mean they use them in tandem, or do they use one or the other? As in, if you're a free user, XB Browser uses TOR, and if you pay up, it uses the VPN instead?

    How does the use of JanusVM differ from running a separate OS instance in Virtualbox that you create yourself?

    I know that's a lot of stuff. Any help is appreciated.
  2. katio
    katio Guest

    This thread might be of some relevance:
    http://www.wilderssecurity.com/showthread.php?t=275888

    No, they are more similar than you think. Both only "hide" your true IP, and use encryption -internally- to do so but they do NOT encrypt data between your destination and the VPN/exit node. This means both exit nodes and VPN provider can eavesdrop on all data that passes through them unless the communication is otherwise secured (e.g. through TLS).

    You could use tor on your PC and then go to the VPN, if you aren't traceable through the money transfers you still wouldn't achieve much: exit nodes don't know who you are already. All you do is move the risk of eavesdropping to someone more liable than random tor servers.
    I can't really think of a secure way to do it the other way round. You'd need a remote server under your control that isn't traceable back to you which runs tor and you connect through VPN to it. I don't see any legal way to do that, i.e. you'd probably be a cracker/black hat and have some zombie computers at your disposal...

    Regarding your shared connection: VPN won't change anything. Get out of that deal if you can, if not I'd seek some legal advice just to be on the safe side.

    From what I know about JanusVM it's literally a black box so I wouldn't trust it on principle alone. Your own setup based on open source software and virtualisation is more secure (if you know what you are doing/RTFM), more flexible and cheaper.
    XB is basically a VPN of some sorts, that means the basic issue is: do you trust your provider.
    Tor is different, you don't have to trust any corporation not to have a hidden agenda, backdoors (well, by design they don't need one, they can see everything already) or some deals with the gov. However you have to trust the developers and those who review the code that there's no back door or NSA approved vulnerability of some sorts. Re exit nodes the trust issue is solved quickly: Simply assume every exit node is logged and monitored...
    Last edited by a moderator: Sep 1, 2010
  3. katio
    katio Guest

    Right, disregard what I said about having to be a cracker ;) It works both ways. Didn't really think it through, sorry.
    But you don't really improve your security that way either, exit nodes can read ALL unencrypted traffic and if tor is vulnerable they'd get back to the VPN and via subpoena, server logs and/or money trail finally back to you.
  4. ccoates
    ccoates Registered Member

    I think I'm beginning to understand. But if you're dealing with sensitive data, identifying data, or login/password data, then TOR still exposes you, even if you use a VPN. Using them in conjunction simply provides you with:

    a) Protection from your ISP.
    b) Protection from your VPN.

    But in the process it still:

    c) Exposes your data in the final node.

    So the process resembles this:

    Me --> TOR encrypts data --> VPN software encrypts data, then it passes through the tunnel, then is decrypted on the other side by the VPN's servers, hiding your traffic from your ISP --> Encrypted TOR data passes through the first node --> Encrypted TOR data passes through the relay node --> TOR data is decrypted as it passes through the exit node --> Internet.

    I had somehow gotten the impression that the VPN protection would cover you all the way through the process, somehow magically decrypting your data on the other end of the TOR network.

    In this case, if you have sensitive data, like let's say an online social profile with content that can identify you, logins/passwords to things like forums which normally don't use HTTPS, or documents with data that is sensitive or can identify you, then TOR is still not ideal for your use.

    Followup question: what if you disable TOR when you login to something that isn't running HTTPS, for example Wilders Security Forums, then re-enable it after you've logged in. Can the TOR exit node sniff out your login/password after the fact, or will it simply be able to see what you're viewing or posting? Does the act of disabling TOR temporarily run too high a risk of exposing your anonymity and defeat the purpose of using TOR to begin with?

    So it seems the combination is really only useful if you don't trust your ISP, and you don't trust your VPN provider, and you consider the possibility of exposing your data to a random user's exit node less risky than trusting your VPN provider alone.

    In either case, if you're in a truly hostile country with restrictive internet laws, won't the use of either service, or both, raise red flags? They can still tell you're using TOR or a VPN, right? Is that where something like Haystack comes into the picture?
    Last edited: Sep 2, 2010
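
The chain described in the post above (Tor client on the PC, tunnelled through a VPN), as an added example that is not part of the original thread: a toy model with no real cryptography that records what each party on the path can see, with and without end-to-end TLS. The class, function and host names are hypothetical, and the sample login string in the demo is constructed.

```python
from dataclasses import dataclass

@dataclass
class Layer:
    """One encryption layer: only key_holder can open it and read inner."""
    key_holder: str   # party able to remove this layer
    next_hop: str     # where the key holder forwards the contents
    inner: object     # another Layer, or the application payload (str)

def build(payload, dest, use_tls):
    """Wrap a payload the way the Tor client, then the VPN client, would."""
    # End-to-end TLS (if the site offers it) is the innermost layer.
    app = Layer(dest, dest, payload) if use_tls else payload
    onion = Layer("exit", dest, app)         # three Tor layers, built from
    onion = Layer("middle", "exit", onion)   # the exit inwards so the entry
    onion = Layer("entry", "middle", onion)  # node's layer ends up outermost
    return Layer("vpn", "entry", onion)      # VPN tunnel wraps everything

def trace(packet, client="client"):
    """Follow the packet hop by hop and record what each observer sees."""
    # The ISP sits between client and VPN server: it sees only the tunnel.
    seen = {"isp": {"src": client, "dst": "vpn", "payload": None}}
    prev, node = client, "vpn"
    while isinstance(packet, Layer) and packet.key_holder == node:
        inner = packet.inner
        readable = inner if isinstance(inner, str) else None
        seen[node] = {"src": prev, "dst": packet.next_hop, "payload": readable}
        prev, node, packet = node, packet.next_hop, inner
    # Without TLS the plaintext simply arrives at the destination.
    seen.setdefault(node, {"src": prev, "dst": node, "payload": packet})
    return seen

if __name__ == "__main__":
    sample = "user=alice&pass=hunter2"       # constructed sample login
    for tls in (False, True):
        print("TLS" if tls else "no TLS")
        for who, view in trace(build(sample, "forum.example", tls)).items():
            print(f"  {who:14} {view}")
```

In both runs the VPN sees the client talking to a Tor entry node and nothing else, and the entry node sees the VPN's address rather than the client's. Only the TLS layer changes what the exit node can read.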
  5. LockBox
    LockBox Registered Member

    Just remember - Tor is for anonymity, not privacy. Your information is all there for the exit node to read - but without a clue as to where it came from. You have solid anonymity.

    If you want privacy of information you're sending, use text encryption with your recipient having the (hopefully solid and secure) password. You then have anonymity and privacy.
  6. ccoates
    ccoates Registered Member

    That is what I was asking. If you turn off TOR before you log in, and then re-activate it after you log in, is your login data ever exposed afterwards? Via browser data, cookies, or whatever.

    But it seems like TOR is great for anonymous web browsing, but not for any activity whatsoever that may expose private data, even if you're using https (since implementations of that seem hard to verify), including email, social networking, or anything that involves a financial transaction.

    Thanks for all the information, I think I understand the process a lot more than when I started. Although Onioncat still confuses me. But it seems like it'd be great to transfer data between two known users, but not for undirected traffic (like reading your Gmail).
  7. katio
    katio Guest

    The protocol isn't the problem. Good PKI is hard, Web of Trust is nice but isn't what I'd call "enduser-proof". So far no one has brought up a better model than we have now.

    Since you mention Java and stuff: it's not only a data security but also an anonymity issue; they are known to ignore the tor proxy and reveal your true IP. Firewalling the complete OS in a VM, for example, mitigates this problem if you must use Flash and Java.