Question on VPN

Hello people, if there is any possibilities where VPN service provider act as man in the middle (putting the trust factor aside)? Thanks.

 

It strikes me on the basis of common sense alone that using a VPN (no matter how it's structured or advertised) is not unlike dropping your car off at the garage for repairs for a couple of days while the mechanic ( a guy you happen not to know for sh*t) goes through your glove, checks under your seats and rifles through your trunk - and then calls the cops if he even sniffs pot or sees baby talcum powder anywhere on or in the car - at least US, Canadian, Australian or European VPNs, or any other country we have mutual enforcement treaties with for that matter.

 

I agree with Jamie1980. VPN providers see all your traffic. You can encrypt anything that you want private, but they still see where you're going. You can use Tor to hide that, but they at least see that you're using Tor.

Using VPNs does hide all of that from your ISP. So you want to pick VPNs that you "trust" more than your ISP. As Jamie1980 suggested, you want to pick one in a country that doesn't readily cooperate with yours. We know that using HMA didn't work out for recursion, a LulzSec member from the US. However, HMA might have protected Egyptian dissidents (or so HMA has claimed).

Combining VPNs (via nesting) from multiple poorly-cooperating countries is better. You can add Tor to the mix if you like. While perfect Internet anonymity is an illusion, workable anonymity is possible for most of us.

 

Those are? I don't see Iran or Venezuela offering VPN services

 

Maybe you haven't looked hard enough

But seriously, I didn't say "non-cooperating". Panama and Russia don't cooperate as readily with the US as the UK does. And it's no accident that Countermail operates in Sweden, rather than in Germany. Or consider BolehVPN. How long would their torrent focus fly in Australia?

 

I know you have mentioned using a VPN, running Tor through that, and then connecting to another VPN from there. Which sounds pretty amazing. Wouldn't that be perfect anonymity? I mean, if that last VPN has never seen your real connection, and it only sees Tor, how could it be traced?

And what if you are running a VPN and then run Tor through that and connect to a hidden Tor service (or whatever it's called)? That never leaves the Tor network, right? So could it be traced? I would think that would be pretty darned anonymous.

Actually, wouldn't a Tor hidden service be 100% anonymous as long as you didn't give out any personal info? No exit node, right?

 

@caspian

If you're combining VPNs and Tor, you'll be very hard to trace. But everything on the Internet has a public IP address, and everything can be traced, given enough traffic data.

Of course, gathering and analysing so much data would be very difficult and expensive, so only high-value targets of TLAs need worry. Far more likely is de-anonymization through spearphishing. That's how Anonymous outed some users of the Tor hidden service "Hidden Wiki".

 

Thanks for the response guys.

I've found my answer over @ http://serverfault.com/questions/214043/vpn-man-in-the-middle-when-connecting-to-a-https-service

 

@lonneytunes

We did lose sight of your question about MITM attacks

As you got from Server Fault, encrypted (SSL, SSH, etc) traffic is no more vulnerable to VPN providers than it is to ISPs. In either case, MITM attacks would require the target server's encryption key.

 

Is spear phishing talking people into giving up personal information?Like gaining someone's trust so they five you a username or email address?

I'll have to look up hidden wiki again. I thought that was just a list of services in the Tor network. I found a list a few weeks ago poking around. I did see some illegal stuff but I also saw quite a bit of stuff that just looked really normal. Nothing out of the ordinary. Message boards, blogs etc...

 

@caspian

Spearphishing is phishing that's targeted on specific individuals, and that looks like something that they'd normally get (such as an email from a coworker). Anonymous' #OpDarknet wasn't that focused. They posted an "emergency Tor update" on one of the CP-related pages that was actually malware. It "phoned home" when targets weren't using Tor. See -http://pastebin.com/hquN9kg5-.

 

Thanks mirimir

[me]<->[vpn server]<--(proxy spoofed ssl cetr)-->[proxy]<--(website ssl cert)-->[website]
If there is some "mechanism" to verify the website CA cert (e.g some 3rd party), probably it will provide better authenticity right?

 

That looks pretty clever. Was this the Tor Browser Bundle or just Firefox configured with Tor? Because the tor button in TBB wouldn't be connected to the internet while TBB is closed right? And Tor is automatically started when TBB is opened, as far as I know. So how could tor button phone home with a true IP unless it was tor button installed in regular firefox that was being used without tor?

 

@caspian

The malware didn't do anything to Tor. It waited until Tor wasn't connected, and then queried a Metasploit site, which logged IP address and whatever it could find (as with the old decloak.net site). I don't know (or remember) specifics about how it evaded protections in TBB. When Tor isn't connected, your computer must have normal Internet access to find Tor entry nodes. Unless everything but safe Tor nodes is blocked in your hosts file, I don't see what would stop the Metasploit query.

 

Didn't they also fake a signed Verisign certificate? I believe that could be how they got them.

 

lols emergency tor update, thats gold xD

 

Indeed. This was after the DDoS attacks on The Hidden Wiki etc had started. And a (totally unrelated) Tor update was expected. So it was plausible, I guess. But downloading a "Tor update" from The Hidden Wiki, while it was being DDoSed and aggressively defaced, was just plain stupid.

Still, I wonder how many have recently downloaded Java patches from third-party sites.

 

There is more to it than that. They had help from Mozzila in #OpDarkNet. Someone on the inside eh Couldn't of happened to a nicer bunch of people I think.