On Sat, Sep 29, 2018 at 04:28:46PM -0700, Mirimir wrote:
> On 09/29/2018 09:29 AM, panoramix.druida wrote:
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Saturday, September 29, 2018 11:58, J B <jb.1234a...@gmail.com>
> > wrote:
> >
> >> Hi,
> >> Could you please explain in what sequence the two should be activated and
> >> why
> >> (which setup is secure) ?
> >> TB -- VPN or web proxy
> >> or
> >> VPN or web proxy -- TB
> >
> > I am playing with Qubes OS and I tried Tor -> VPN (with Bitmask) and I found
> > this useful for not having captchas everywhere as it does happen with Tor
> > alone. I tried this thanks to this talk:
> > https://www.youtube.com/watch?v=f4U8YbXKwog
>
> True. But this is the most dangerous way to combine Tor and VPNs.
>
> If you connect first through a VPN (yours or a commercial service) and
> then to Tor, the VPN becomes like your ISP. It encrypts and obscures
> your traffic. So your ISP can't easily tell that you connect with Tor,
> or what you otherwise connect with directly.
>
> But your VPN provider _does_ know all that. Also, some argue that VPN
> services are more likely malicious than ISPs, and so potentially
> compromise your Tor use. But others (including Mirimir) argue that ISPs
> are more readily compromised by local adversaries, so using VPN services
> increases security and privacy for Tor use.
>
> Also, if you connect to Tor through a VPN, entry guards can't easily
> know your ISP-assigned IP address. So malicious entry guards (or those
> who had compromised them) would need to get that information from your
> VPN provider. That would have provided some protection against CMU's
> relay-early exploit, which pwned many .onion services and users.
>
> However, connecting first to Tor, and then through Tor circuits to a
> VPN, is _far_ more dangerous. Bottom line, you throw away all of the
> anonymity that Tor can provide. That's because your VPN provider may
> know who you are. Perhaps because you paid them in some traceable way.
> Or perhaps because you accidentally connected directly, and not through
> Tor, revealing your ISP-assigned IP address to them.

While that is all roughly on-average correct, it depends entirely on
your adversary and intended activity. (You might not be average.) If,
as one example, you need to connect to a corporate VPN and you don't
want a local adversary (such as the ISP) to know your affiliation with
that corporation, then this is the order to do things.

aloha,
Paul

> However, if you're careful, you can use VPNs through Tor to 1) avoid
> Tor-specific CAPTCHAs, 2) route UDP traffic, and 3) use online services
> that generally don't work well with Tor alone.
>
> <SNIP>
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk