On 09/29/2018 08:35 PM, Paul Syverson wrote:
> On Sat, Sep 29, 2018 at 04:28:46PM -0700, Mirimir wrote:
>> On 09/29/2018 09:29 AM, panoramix.druida wrote:
>>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Saturday, September 29, 2018 11:58, J B <jb.1234a...@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>> Could you please explain in what sequence the two should be activated and
>>>> why
>>>> (which setup is secure) ?
>>>> TB -- VPN or web proxy
>>>> or
>>>> VPN or web proxy -- TB
>>>
>>> I am playing with Qubes OS and I tried Tor -> VPN (with Bitmask) and I found
>>> this useful for not having captchas everywhere as does happen with Tor
>>> alone. I tried this thanks to this talk:
>>> https://www.youtube.com/watch?v=f4U8YbXKwog
>>
>> True. But this is the most dangerous way to combine Tor and VPNs.
>>
>> If you connect first through a VPN (yours or a commercial service) and
>> then to Tor, the VPN becomes like your ISP. It encrypts and obscures
>> your traffic. So your ISP can't easily tell that you connect with Tor,
>> or what you otherwise connect with directly.
>>
>> But your VPN provider _does_ know all that. Also, some argue that VPN
>> services are more likely malicious than ISPs, and so potentially
>> compromise your Tor use. But others (including Mirimir) argue that ISPs
>> are more readily compromised by local adversaries, so using VPN services
>> increases security and privacy for Tor use.
>>
>> Also, if you connect to Tor through a VPN, entry guards can't easily
>> know your ISP-assigned IP address. So malicious entry guards (or those
>> who had compromised them) would need to get that information from your
>> VPN provider. That would have provided some protection against CMU's
>> relay-early exploit, which pwned many .onion services and users.
>>
>> However, connecting first to Tor, and then through Tor circuits to a
>> VPN, is _far_ more dangerous. Bottom line, you throw away all of the
>> anonymity that Tor can provide. That's because your VPN provider may
>> know who you are. Perhaps because you paid them in some traceable way.
>> Or perhaps because you accidentally connected directly, and not through
>> Tor, revealing your ISP-assigned IP address to them.
>
> While that is all roughly on-average correct, it depends entirely on your
> adversary and intended activity. (You might not be average.) If, as
> one example, you need to connect to a corporate VPN and you don't
> want a local adversary (such as the ISP) to know your affiliation with
> that corporation, then this is the order to do things.
>
> aloha,
> Paul

Right. Didn't think of that. And yes, that _is_ a safe use case. Because
you don't need/want to be anonymous to that corporation. Or for anything
you do through that VPN connection.

Even so, for that you might as well use a VPN service, instead of Tor.
Because performance will be much better. Unless it's important to hide
corporate affiliation from more than just local adversaries.

>> However, if you're careful, you can use VPNs through Tor to 1) avoid
>> Tor-specific CAPTCHAs, 2) route UDP traffic, and 3) use online services
>> that generally don't work well with Tor alone.
>>
>> <SNIP>

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk