6

I have been reading more about Tor and its risks of personal data leakage to the exit nodes in the chain. This last node can snatch encryption keys or login information of websites I may have accessed.

Then I thought, what if I used an encrypted VPN to access Tor to give me a secure form of anonymity? Security is my main concern, but for example if I'm downloading a car, the Tor anonymity will hide my location while using a VPN can protect me from the very nodes that comprise the Tor chain.

Is it safe and more secure to use a combination of Tor and VPN than just using Tor? What is more secure, routing VPN through Tor or Tor traffic through a VPN tunnel? Is there a more secure way to browse the internet and download content? What is the optimal way to securely surf the web? What is the best way to safely download content? Am I overthinking this?

Anders
user26409
  • By the way: When you have more questions about Tor, there is another stackexchange site [specifically about this topic](https://tor.stackexchange.com/). – Philipp Oct 04 '15 at 09:22
  • Here's a similar question on Tor.SE: https://tor.stackexchange.com/questions/1067/tor-vpn-or-vpn-tor – timuzhti Oct 05 '15 at 05:14
  • [Related answer](http://security.stackexchange.com/questions/72679/differences-between-using-tor-browser-and-vpn/72729#72729) – RoraΖ Oct 05 '15 at 12:40

4 Answers

6

In theory yes, in practice maybe not, but also yes at the same time.

If you were to use a VPN and the Tor network, you remove one of the security layers in the Tor network. Tor uses relays and your path changes every time you use Tor; by using a VPN you would be using the same end point (assuming you went Tor -> VPN).

If you went VPN -> Tor, you would encrypt all of your traffic to your start point (the VPN out interface) and then the Tor network would take over. The issue here comes with the VPN service itself: they could very easily see you are using the Tor network. This would be your weak spot; you want to be under the radar with everything.

To make it secure you would need to buy an anonymous VPN and pay for it in bitcoins after rolling your bitcoins via a tumbler (how you obtain the bitcoins will determine your weak spot in the chain, but the tumbler should fix most of that issue). To also secure the purchase, make the bitcoin transactions and the VPN transaction via Tor.

Then once you have the anonymous VPN you would not want to connect to your VPN from your home address (though anonymous VPNs hold no data so technically you shouldn't be able to be traced from your home address). Then once connected to the VPN you can use the Tor network that way.

To summarise:

Using a VPN creates an issue in itself, as to obtain the VPN you would use personal information, though any extra security would be nice; as you mentioned, the chain is only as strong as its weakest link. The VPN would be the weakest link, with personal information following you back (using a free VPN would end up in records being kept of your activities).

Keeping data private is never the issue; it's keeping the data disassociated from the owner. 01/01/1970 is someone's birthdate, asking someone's birthday can be a security question... sadly I don't know who this birthday belongs to. Following?

forest
TheHidden
4

A security chain is as secure as its weakest link. Even if you chain a VPN with Tor, you still have to send traffic through Tor, so the key snatching you refer to is not solved. The problem you refer to with the exit nodes (connection tapping) may be mitigated using HTTPS websites, since the traffic crossing the exit nodes is the traffic reaching the destination, and if it is encrypted and signed you know you are talking to the right host and not being listened to by other nodes.

As for anonymity, you can chain VPNs with VPNs with Tor and get the maximum indirection but remember that this chaining comes with performance penalties (more nodes crossed and cryptographic algorithms).

forest
BrunoMCBraga
2

Conceptually you can think of Tor as a bunch of VPNs where you can set rules as to how the Tor nodes are chained together to transport your traffic from your computer to the final web site you want to visit. When your browser talks (sends IP packets) to a VPN or Tor, it encrypts those packets. You can think of a normal unencrypted packet as a postcard where anyone passing it along (your ISP or a man-in-the-middle hacker) can read the contents (your queries or web pages you see), while an encrypted packet (including HTTPS packets) is surrounded as though inside an envelope; even though everyone can see the sending and receiving IP addresses, only you and the addressee know the encrypted contents.

Below see what happens to your packets depending on if you use a VPN, Tor, or a combination of the two. I'm not going to complicate the explanation below (much) by how the communication channel is set up; just how your privacy is impacted by using different methods.

When not using Tor, VPN or HTTPS (regular surfing to non-secure HTTP sites):

-Your browser sends non-encrypted, readable-by-everyone packets across the internet. Everyone who passes those packets along can see all information you send, what your IP address is, and what pages you look at.

When not using a VPN or Tor, but only visiting HTTPS web sites:

-Your browser encrypts your packets for the HTTPS site you are visiting

-Your ISP (or any man-in-the-middle) knows what web sites you visit, but doesn't see actual pages or info you send them.

-The web site you visit knows what pages are sent, your IP address (and ISP) and any info you send them

-If the web site places cookies on your computer, they can link all pages on their site that your computer visits.

When using a VPN or only one Tor node:

-Your browser encrypts packets for the web site and then encrypts them again for the VPN/Tor (two envelopes, one inside another).

-Your ISP sees only that all your packets go to the VPN/Tor (they can measure amount of traffic)

-Your VPN/Tor now knows pretty much what your ISP knew pre-VPN; where you surf, but not what (unless using HTTP instead of HTTPS).

-The web site you visit doesn't know your IP address; they see the address of your VPN.

-If the web site places cookies on your computer, they can link all pages on their site that your computer visits, but unless you give them payment or other personal information, they don't know who you are. If cookies are used and you ever give them personal info, they will link it to your cookie which links all pages you visit.

When using two Tor nodes or a VPN and a Tor node:

-Your browser encrypts packets multiple times; The outermost envelope is for the entry/first node, the next inside is for the next node, and so on until the innermost packet which is the HTTPS encryption that the web site opens.

-Your ISP sees only that all your packets go to the VPN/Tor entry node (whatever is first) and can measure traffic.

-The Tor entry node (or VPN, if first) sees your ISP/IP address, knows the next node IP and can measure traffic.

-The Tor exit node (or VPN if last) sees the prior node IP and knows where the web pages you look at are but not contents.

-The web site you visit knows that its pages are sent to your exit node/VPN.

-If the web site places cookies on your computer, they can link all pages on their site that your computer visits, but unless you give them payment or other personal information, they don't know who you are. If cookies are used and you ever give them personal info, they will link it to your cookie which links all pages you visit.

Adding many more nodes:

Adding more nodes or VPNs to any communication link is only important if you think that one or more of the nodes are either compromised or cooperating with each other to leak your information. If both the entry node and exit node in a two node Tor system were run by the same organization, it would have the information as though the two nodes were one Tor node (or like a VPN). Tor works best if the nodes are independent of each other so they can't conspire to add their information together.

My final answer to your question:

As long as you only visit HTTPS web sites, your packet contents are already encrypted (privacy). The exit node (either VPN or last Tor node) can't look into packet contents and see passwords or encryption keys.

Using a VPN or Tor is usually done to obscure which web sites you visit (anonymity) from any one group. How anonymous you are depends on how many Tor or VPN nodes you select have been compromised. If some nodes are compromised but others are not, using more nodes (or VPNs) is more secure if some of those additional nodes are also non-compromised.

Anonymity is accomplished by obscuring the metadata of your packets (sending and final IP locations) from any group. Adding more (non-compromised) nodes tends to obscure your metadata better, since the metadata visible to any node is limited to their part of the link.

As for the difference between a Tor node and a VPN service: VPNs usually give better throughput/performance at the cost of paying them money. If you pay the VPN using a credit card (rather than an anonymous payment like Bitcoin) that will give your personal info to the VPN. Tor nodes are free, usually slower than VPN services, and you don't have a clue as to who is running them.

If you are a non-expert, using either a VPN or Tor alone is easier than trying to get them to work together on your computer.

forest
Mark Ripley
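The nested envelopes described in the answer above, as an added example that is not part of the original answers: each hop opens only its own layer, so the first hop learns the client address, the last hop learns the destination, and only an unencrypted (HTTP) body is readable at the exit. The cipher is a toy stand-in for both the hop encryption and HTTPS, and the hop names, addresses, keys and login body are constructed for illustration.

```python
import hashlib, json

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Illustration only, not real crypto."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(path, keys, dest, payload: bytes) -> bytes:
    """Nest one envelope per hop: innermost for the last hop, outermost for the first."""
    cell = payload
    for hop, nxt in reversed(list(zip(path, path[1:] + [dest]))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = toy_cipher(keys[hop], layer)
    return cell

def relay(client_ip, path, keys, dest, payload: bytes) -> dict:
    """Pass the cell along the path and record what each party gets to see."""
    cell, prev, views = wrap(path, keys, dest, payload), client_ip, {}
    for hop in path:
        layer = json.loads(toy_cipher(keys[hop], cell))  # opens its own envelope only
        cell = bytes.fromhex(layer["data"])
        views[hop] = {"prev": prev, "next": layer["next"], "forwards": cell}
        prev = hop
    views[dest] = {"prev": prev, "receives": cell}
    return views

# Constructed sample values (documentation IP range, made-up names and keys).
CLIENT, DEST = "203.0.113.7", "site.example"
PATH = ["vpn", "tor-entry", "tor-exit"]
KEYS = {hop: hashlib.sha256(hop.encode()).digest() for hop in PATH}
LOGIN = b"POST /login user=alice&password=hunter2"
TLS_KEY = hashlib.sha256(b"browser<->site session").digest()  # stands in for HTTPS

def run(https: bool) -> dict:
    """Send the login body over the path, with or without the HTTPS layer."""
    body = toy_cipher(TLS_KEY, LOGIN) if https else LOGIN
    return relay(CLIENT, PATH, KEYS, DEST, body)

if __name__ == "__main__":
    for https in (False, True):
        views = run(https)
        print("HTTPS" if https else "HTTP")
        for hop in PATH:
            seen = views[hop]
            print(f"  {hop:10} prev={seen['prev']:12} next={seen['next']:13}"
                  f"password readable: {b'hunter2' in seen['forwards']}")
```
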
0

It is more secure than just using your ISP, if you pay anonymously with bitcoin. However, ideally you should be using only public connections at various locations like coffee shops.

Remember a VPN is never going to risk going to jail to protect a $15/month subscriber.

Bear
  • These are all helpful suggestions. This is true about the VPN. Some VPN services advertise that they don't keep logs, and if that is true they shouldn't need to risk anything as they don't retain any information to provide. – user26409 Oct 07 '15 at 00:51