25

Recently I have been getting more and more interested in the security (privacy and anonymity) issues of my online life. Not that I have anything to hide, or that what I do online is so interesting to others, but I just want to know what I can do to remain as safe (and anonymous) as possible.

I feel it is my right as a citizen of a free, democratic, society to be anonymous when I want to be. Not because I want to do anything illegal, but because I feel my privacy is being violated by big companies like google, facebook and even by my own government.

So that is why I have been looking into methods of ensuring my online anonymity (and therefore freedom). The best method I have found so far (as a noob in online anonymity) is a VPN (as opposed to tor, which is too slow for my day to day surfing needs). They offer a multihop VPN, use OpenVPN, aren't terribly expensive, don't log data and provide anonymous methods of payment.

My question is: is a VPN a good method for ensuring my online anonymity? More specifically:

  • How do I know if I can trust them?
  • What are the risks of using a VPN service?
  • Would transferring my online activity to servers abroad mean I am subject to the laws of those other countries, or would I still only be subject to the laws of my own country?
  • Can I relay my (imap and smtp) email traffic through them?
  • Can I use the service combined with Tor and Tails for extra security, or is that not possible (or useful)?

I hope the questions are clear enough, and to be perfectly clear about my intentions: I am not a hacker looking to cover up my tracks or anything. I wouldn't even know how to hack something if the password were written on my forehead: I am just a person concerned with my online freedom, see also: reasons for anonymity

Kindle Q
  • 155
  • 8

5 Answers5

14

I have to say that in my opinion, VPN is very overrated in terms of privacy.

It's meant to tunnel your private data over an insecure medium, so provide confidentiality from your VPN client to your VPN server, and only between these points. The way from your application to your VPN client and the whole way from your VPN server to your wanted destionation does not include that! And it does not mean your destination won't know you're using VPN!

If you're an employee and need to do work in your companies network, fine, thats the purpose of VPN, but otherwise you have to distinguish your enemy:
Do you just want that one website you're visting to not know where you are? Maybe VPN is still ok.
Do you not want your authorities to know that, too? Hell don't even think about using VPN.
Your VPN provider will give out anything, and thats all you wanted to hide. He won't risk his business for you! No, even not if your providers country is different from yours. International "crime"-fighting is more organized than ever. And yes, downloading that one music title you'd never buy for money counts as "crime".


But you asked what you CAN do for privacy. There is something still exploitable to gain what you're seeking. Up to, I'd say 99% safety:

Prepaid mobile internet, it's cheap nowadays, and you can buy the SIM-card, the connector for your computer and the credit with the last anonymous payment method: Cash!
Of course you have to keep some important things in mind as to secure your computer (especially to not disclose information), just use it in crowded places, etc.


But as anything in security, the whole system is just as weak as the weakest member: One login with a real identity, one prepaid credit paid with your card, and you're (theoretically, but don't hope for something better) back to your current situation.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
ordag
  • 1,378
  • 12
  • 8
  • 2
    Oh and _TOR_ is just security through obscurity. It may give you a good feeling, but that's it. – ordag Feb 05 '12 at 15:23
  • 1
    Sucks to be an Australian. They make you show your driver licence/ID to purchase a prepaid SIM card and they record that in a database somewhere. – zuallauz Dec 20 '12 at 22:38
  • A VPN (or a more primitive SSH tunnel) is very useful for evading firewalls - having a server listening for SSH on port 443 will allow you to get services requiring blocked ports past just about any firewall. – TimD Dec 20 '12 at 22:44
  • VPN is overrated in terms of privacy (not a magic like many of us think), but it's still required for real anonimity and safety. Especially, own VPN network, not a server. – Croll Jul 22 '15 at 13:29
  • @ordag How is Tor security through obscurity? No security or anonymity features it provides require the algorithm being secret. It is entirely open source. I'm not sure you understand what _security through obscurity_ means... – forest Apr 01 '18 at 10:26
11

IMHO - very legitimate question.

The way Luzlsec got busted - is through VPN company (HideMyAss) providing police with logs.

" HideMyAss (HMA) keep logs and as a UK company when given a court order to cough up information, they do so. After matching timestamps to IP addresses, in the blink of an eye Luzlsec member ‘Recursion’ became 23-year-old Cody Kretsinger from Phoenix. The FBI had their man."

So - it's important to make sure your VPN company keeps no logs whatsoever. Here's a good post comparing VPN providers that share or don't share posts:

http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/

buntul
  • 321
  • 2
  • 6
  • 1
    hit the nail on the head if your using a VPN, you need to know where the company (and their servers) are located. This is important as data retention laws, and other laws you are probably interested in, vary. the article linked by buntul is a great resource to see what companys offer, and what policys they have in regards to logs/data/etc. – Oscalation Dec 22 '12 at 04:42
8

A VPN can be a very good way of ensuring your online anonymity, and can be a very practical solution as well. However, the best way to protect your online life from others would probably be using the Tor browser bundle. (Free and open source)

Tor is a large network of servers worldwide, which you connect through with encrypted data whenever you want to reach a service. You usually go through three servers or so before the last server sends your request to the site you want to visit.

You can read a lot more about Tor on their website: http://torproject.org

As far as i'm concerned this is THE BEST way to stay private online, though you might for practical reasons still choose to use a VPN. For an example when you use the browser bundle, it's only the traffic of the tor browser that goes through the tor network, where a VPN sends all your traffic through the VPN server. Also with tor you might run into having to type in an quick and easy captcha in order to make a google search because of the heavy traffic some of the tor servers deliver to google, though i don't find that to be too big of a problem.

Edit:
I see that you added some questions about using imap and smtp, and i would just add that you can relay all your traffic through Tor if you know how, but it might be hard work to set up, where as mentioned before, a VPN typically sends all your traffic through the VPN server once you've connected.

As for the pros and cons about using a VPN, the pros are that it's easy, encrypted and quick. The con is that when you use a third party provider, you have to trust in them to not log your data and hand it out to others.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
Kristoffer la Cour
  • 311
  • 1
  • 2
  • 7
  • I have tried TOR, and like it, but for day to day browsing it is just too slow for my needs. That is why i chose to look at vpn services. –  Feb 04 '12 at 16:38
  • 1
    I see your point, and in that case i would go for a VPN as well. But i'm sorry to say that i don't know much specifically about iVPN.net. – Kristoffer la Cour Feb 04 '12 at 16:40
  • If you want to go the VPN Route, consider a few Linux distros. The one I am going to play with is IPCop which supports a few different types of VPN. I have heard they are a pain to use from a friend who recommended a different distro to me (name escapes me). Essentially, most of the Linux distros that can be used as routers would most likely be able to support this functionality. I don't really know if a VPN is the best choice though. It would encrypt data from your client to your server. Server to external would be subject to the same privacy and security issues you have originally. – Jeff Feb 06 '12 at 15:40
5

Privacy and security are just concepts. To deal with them you need a conceptual approach.

Just think about your vulnerabilities: in which situations of life you feel somebody might be trying to collect information from you to take some kind of advantage.

If your answer is "all the time" then you'd better refrain from using any digital system that involves telecommunications.

Otherwise here is my approach: if you live in a developed country

  • chances are that you will have lots of places where you can connect to the Internet, with your own computer or using others' resources
  • you can buy second-hand computers so it will be more difficult to trace you as a owner (mostly if you pay in cash to some person you will met once in a lifetime, to buy a computer advertised in an online forum)
  • you can use prepaid Internet access, as already said in this website
  • use free online resources (email addresses, etc) and do not give your real identity if you do not want to
  • keep handy a bootable USB memory drive with a Linux live distro, or a Boot copy of Windows, this way you should be able to use a computer elsewhere and leave no traces of you using it (other than your fingerprints...)

Any HW/SW you may think of will protect you from some issues, but security is a concept.

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
Alfonso
  • 51
  • 1
  • 2
2

It's easy to set up a multihop VPN using two different (competing) VPN vendors.
First establish a L2TP VPN connection to Vendor 1.
Then establish an OpenVPN connection to Vendor 2.
(A double tunnel.)

Vendor 1 can see your 'real' IP but only sees encrypted exit traffic.
Vendor 2 only sees Vendor 1 IP and then the unecrypted exit traffic.

Virtually impossible to trace back to 'real' IP unless both Vendors are compromised.
(Note: Some VPNs refuse connections from other VPNs. Most do allow these connections.)

It's a cool setup. Simple and easy to use. Works great.
Just FYI.

Mr. Smith
  • 21
  • 1
  • Presumably in this case both the VPN connections would be linked to a user account that could be traced back to you? So in unless you can create a VPN account completely anonymously Vendor 2 would be able to trace your traffic back to you. – Ben Dec 12 '17 at 11:00