Use of a VPS so its provider cannot see site being browsed

Discussion in 'privacy technology' started by Ulysses_, Feb 9, 2015.

  1. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    A fully-featured browser is used in a VPS. The video/graphics output is shown on my local PC.

    Is there anything that can be done to make it extremely difficult for the provider of the VPS to see the output graphics of the browser?

    Is there anything that can be done to make it extremely difficult for the provider of the VPS to see the IP and domain name of the site too, that the browser is browsing?
     
  2. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    The host operating system can always see everything on the guest (VPS). If you are worried about privacy, I would go with a privacy-oriented VPS provider, unseen.is comes to mind. It all boils down to trust, same as with VPNs.
     
  3. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
This is certainly a challenge, but not everybody offering VPSs is technical enough to see what is going on inside in such depth. How can any privacy breaking by them be made harder?
     
    Last edited: Feb 9, 2015
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    Using strong end-to-end encryption (such as TLS for websites and email transmission, and GnuPG for email content encryption) limits what your VPN provider can see. They can see what sites you visit, but not any of the content. But they can see traffic patterns, reflecting the sizes of various components and their timing and transmission speed. For email, they can see message headers (sender and recipient addresses, subject, datetime, routing history, and so on) but not content.

    End-to-end encryption is the only solution. Ideally, both content and metadata ought to be encrypted. But that's problematic, because some of the metadata is necessary for message delivery. That's the key challenge that many startups are addressing for secure email and email-like services.
     
  5. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
I was asking about a VPS provider, not a VPN provider. If you were a VPS provider, how would you find out what part of https://www.youtube.com I am browsing with Firefox, inside the VPS?

What if Firefox is rebuilt to send its output graphics straight to my PC, without any frame buffer in the VPS, and do it with TLS encryption?
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    I'm getting confused. A VPS is a computer which is running in a remote network. When it browses, its traffic can be seen in clear on the network that machine is on. There is no privacy whatsoever. Of course, you can do what you would do on a local client, which is to use the whole gamut of VPN, Tor etc.

    Yes, you can make the client-to-VPS connection secure, with care (e.g. with VNC or RDC). It's not exactly transmitting the graphics of the remote system though.

    What are you really trying to achieve here?
     
  7. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    104
Like krustytheclown2 said, the hosting company can see whatever you do in your VPS. It doesn't matter how hard you encrypt or hide your traffic going outside, they always have access to your VPS itself. It's just a file on the hosting company's server that they can, and do, copy/backup/snapshot if they need to. The best you can do is to not keep any logs or stuff in your VPS that you don't want an outside party to see.

Also, with a VPS, in the worst case, there are always three outside parties that the client/user has to trust.
Two outside parties if using VPN/Tor/Proxy/whatever to hide your traffic from the ISP:

Client ---> ISP ---> VPS (you! your own VPS here running SSH, OpenVPN, whatever...) ----> VPS Reseller ---> Actual VPS provider company (the one that owns the data center & network)

    And in the best case:

Client ---> ISP ---> VPS (you! your own VPS here running SSH, OpenVPN, whatever...) ---> Actual VPS provider company (the one that owns the data center & network)

That's two outside parties that the client has to trust, and only one outside party (the actual VPS provider) if using VPN/Tor/Proxy/whatever to hide from the ISP.


A little off-topic:
    http://www.wipeyourdata.com/other-d...rthvpn-user-arrested-after-police-finds-logs/

In that example, even though the VPN provider did not log anything, the data center where the VPN provider was hosting its stuff did log it. Again, a case of trust, which was betrayed by the hosting company.


The only setup that comes even close to 100% privacy/anonymity would be to have your very own server that only you have physical access to. And even in this case the setup is only as private as the weakest link in the network traffic.

But because the physical hosting option is not always possible (you don't want to host in your living room, or can't travel to some country to set up a server there, or hosting your own stuff is too expensive because of the enterprise-grade Internet connection and/or electricity), the next best thing is a VPS.
     
  8. Kiebler

    Kiebler Registered Member

    Joined:
    Feb 3, 2015
    Posts:
    15
    ^@Stefan Froberg


Even though EarthVPN states that they do not keep logs and that it is possible that the datacenter did, how did the datacenter match the IP address of the user to that of the VPN IP address used if EarthVPN DID NOT keep logs? IMHO, it sounds like they were caught in a lie.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    The datacenter can see both incoming and outgoing traffic on the VPN server. So traffic correlation is trivial. VPN servers don't do any mixing. Neither does Tor.
     
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
A single hop makes it somewhat easy to correlate IF a powerful adversary wants to monitor you over time. This monitoring would happen outside of the tunnel but overlooking the datacenter. It takes an adversary with "connections" and clout. You need not worry about the movie industry doing such a thing. Obviously, varying your route and especially adding relays increases the task for them exponentially. Most articles I read use words like "catastrophic" for routes with 5 or more hops, regarding their monitoring. That could be 2 VPNs and then Tor = 5 relays, with your connection circuit changing every ten minutes.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    My goto is four chained VPNs, in diverse jurisdictions, plus Tor :)
     
  12. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    104
    Wow! :eek: That can't be fast??


    Speaking of VPS, I have been checking some new ones and found ViralVPS (http://www.viralvps.com).
    They seem to be registered in India.
    Quite a nice uplink (10 Gbps!) and prices are bearable if adding that 40% lifetime discount.

    Asked them what they allow and here's the following:
    - OpenVPN allowed
    - Public Proxies allowed only if they are password protected
    - Tor not allowed, at all (even Tor bridge!) :(

    Then there is LunarVPS (http://lunarvps.com).
    Also registered in India. Uplink 1 Gbps and not bad hardware specs.
    And they allow all, OpenVPN,Proxies & Tor. :)

Does anybody here have experience with these two VPS providers?
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    Well, with Tor on the end, the VPNs don't hurt that much. Latency can get >500 msec, but you get used to it after a while ;)
     
  14. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    104
    Jeeez.... You must have quite a connection mirimir. :)

I'm connecting through my crappy 3G modem and I'm lucky if latencies stay below 500 without any encryption...
With one VPN tunnel it's still surfable. Hate to think what a few more VPNs plus Tor would do to my horrible connection :D

    Note to self: Get 4G modem. First thing in the morning.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    Yes, I do have a fast, low-latency connection :)

    Still, it takes considerable trial and error to get usable four-VPN chains. Only some combinations of VPN providers and servers work well. Also, perhaps counterintuitively, adding a VPN to a nested chain can actually increase bandwidth (and also increase latency, of course). But for obvious reasons, I'll not go into specifics ;)
     
    Last edited: Feb 10, 2015
  16. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    104
    Heh, I understand that ;)

    But can you at least reveal how much you pay per month for that kind of setup?

So that I know if I should do the same or just rent a few more cheap VPSs from three more countries and set up OpenVPN on each of them.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    Four decent VPN services cost about 50-60 USD per month. But I typically have several accounts at any given time, for testing and alternate branches.
    Doing that, you'll be the only user, so the route would be trivial to trace.
     
  18. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    This is why the best quality VPNs have at least some of their servers in-house, so they can know for certain that they're not logging. But in this case, can the underlying ISP that's providing their bandwidth see and correlate the incoming and outgoing connections as easily?
     
  19. Justintime123

    Justintime123 Registered Member

    Joined:
    Jun 15, 2013
    Posts:
    95
According to comments made by Steve Gibson on his show, don't expect anonymity on Tor.

    Tor: Not so Anonymous
    https://www.grc.com/sn/sn-493.htm

And it turns out that the Achilles' heel of Tor is that the Internet was never designed for anonymity. It wasn't. Back seven years ago, I was looking through some of that transcript from back then, and I talked about how an IP address isn't a person's name, but it's easily mappable to an endpoint on the Internet because the Internet was designed, back when it was first created, only with the assurance that an existing Internet address could put a packet on the Internet, and it would eventually get to the other Internet address, where the packet contained both the source IP and a destination IP. That was all it was supposed to do...

    ...So these guys asked the question, could we use NetFlow, something sort of as fuzzy instead of as focused, could we or how could we use NetFlow to deanonymize Tor traffic? Sort of as an academic exercise. What they had to do in order to pull this off is deliberately interfere with the traffic coming from a server back to the user. Now, that's a powerful technique. And we're going to come back to that in a broader context also, and look at just exactly how powerful that is. But it's powerful enough that, by delaying or dropping or blocking bursts of traffic from the server, NetFlow built into routers, as fuzzy as it is, is enough. And so that's what they were saying, where they sort of came up with this broad, 81% of Tor users. I'm less impressed with that.
     
  20. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
If the traffic is a visit to an HTTPS site like PayPal*, PayPal content cannot be seen in the clear. Rogue VPS providers/hosts can see the fact that you are using PayPal but not the content.

They can also look at the logs and caches, but these do not show what you are doing with PayPal, only the fact that you are going to PayPal.

An eavesdropper can also see the traffic from the VPS to your PC, containing graphics primitives with the output of Firefox. That traffic can go through your own VPN, but before it is tunneled it is available in the clear in RAM. Not trivial to reconstruct PayPal content from such graphics in RAM, but it is possible.

An eavesdropper can also see the frame buffer where the graphics are held in the VPS RAM, if one is used, which is easier. So what is wanted is some sort of remote control software that:

    1. does not keep a frame buffer in ram.

    2. sends the graphics to my PC in a format that is too hard to understand, and encrypted.

* not that anyone in their right mind would do their shopping with PayPal on a VPS, it is just an example
     
    Last edited: Feb 11, 2015
  21. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    104
Hmmm... For 50 USD I could maybe get twelve VPSs, if lucky. Then I could set them to chain like you did or make the OpenVPN client pick one randomly.

Can't argue with that. It is easier to trace if you have only a single connection coming from some IP instead of several thousand from the same IP (or IPs). Hell, maybe I have to start selling subscriptions to my server :D

But I'm really sceptical of all these "no logs" claims of commercial VPN providers.
Even if they really did not log anything initially, they could start doing that at any time and install a packet sniffer (http://thehackernews.com/2013/09/vpn-provider-proxysh-sniffed-traffic-of.html)

And not all those providers own their equipment; they are just renting their stuff from a "landlord".

So it really boils down to this: with a commercial VPN provider, you have one extra outside party (or several, if using multiple VPN providers) to add to that chain of trust.
But if you are your own VPN provider, that factor is eliminated.

But neither solution is truly untraceable on its own.
     
  22. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
Ah, the good old "it's only metadata" argument. If I go to the trouble of using this stuff in a privacy context, I'd think it not worth the bother if all my metadata's exposed. And you can use HTTPS from your own client. If there's only one connection to your VPS, that gives you nothing.

    It isn't only the VPS providers (or their hosters either). Anyone who has access to the network and its peering will be able to have a gander.

    And then, do you really trust the image that your VPS provider gives you? How do you know the image running has the integrity you expected?

    @Stefan Froberg - I think you're talking yourself into becoming a VPN provider on all your VPSs! Trick is then to get people to trust you, right?!
     
  23. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
What if you write and download your own system checker binary that calculates a checksum for all system files and compares this with the same checksum on your PC, where you've got the same distro?
     
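One way to do the comparison this post describes, as an added example that is not from the thread: a SHA-256 manifest of a directory tree, built on the trusted PC and diffed against a manifest built on the VPS. The directory tree and the "tampered" changes in the demo are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_symlink() and p.is_file():   # skip symlinks, dirs, devices
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare(baseline, current):
    """Return (modified, missing, unexpected) file lists relative to the baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    missing = sorted(k for k in baseline if k not in current)
    unexpected = sorted(k for k in current if k not in baseline)
    return modified, missing, unexpected


def demo():
    """Constructed scenario: baseline taken locally, then the 'VPS' copy is altered."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"ls-binary-v1")
        (root / "bin" / "ssh").write_bytes(b"ssh-binary-v1")
        baseline = build_manifest(root)                  # manifest from the trusted PC
        (root / "bin" / "ssh").write_bytes(b"ssh-binary-tampered")  # simulated replacement
        (root / "bin" / "ls").unlink()                   # simulated deletion
        (root / "bin" / "nc").write_bytes(b"extra")      # simulated added file
        current = build_manifest(root)                   # manifest from the VPS
        return compare(baseline, current)


if __name__ == "__main__":
    print(demo())
```

This only verifies the on-disk files of the guest image; as the next reply points out, the hypervisor controls the guest's memory and kernel, so a checker running inside the VPS cannot detect tampering at that level, and the checker binary and baseline manifest should be brought from the trusted PC rather than built on the VPS.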
  24. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
This is where you're mistaken. This would all be true for a VPN, but a VPS is entirely different. A VPS is a virtual machine running on a big server owned by whatever company. If you have a virtual machine running on your home computer, your host operating system can look at whatever is going on in the VM post-decryption, meaning SSL or even a VPN on the VM won't prevent the host from seeing everything. If you have a keylogger on the host, it will capture keystrokes on the VM, without the VM being able to notice. Moreover, absolutely everything on the VPS can be monitored by the host (your provider) without you ever being able to notice. This is how virtualization works.

    x2go tunnels a remote desktop session over SSH and is easy to set up. It'll prevent your ISP (or the VPN provider you're using on your personal computer) from viewing the contents of the remote connection.

    Maybe I shouldn't say this but there are ways to use a random person's computer with remote desktop without them even knowing if you want solid pseudonymity ;) The NSA even does it...
     
    Last edited: Feb 11, 2015
  25. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    104
    Of course. Like with any business. That is, if I truly wanted to become one (don't have a clue how to do billing for example....).

    At the end of the day, no matter what service you use, the only one you can truly trust in cyberworld is you and just you.

Getting a few more VPSs, putting OpenVPN on them and (maybe) mixing the whole soup with Tor gives, if not 100%, then at least acceptable privacy and control for me.
     