1

If I switch VPN on, then use Tor browser, can the VPN provider still see what is passing through Tor?

I am thinking it can't, right? Because the Tor browser encrypts the data into the Onion layer before it sends to the first node?

forest
  • 65,613
  • 20
  • 208
  • 262
John
  • 197
  • 3
  • 9
  • 1
    They can see it, just not understand it... because it's encrypted. – Mark Buffalo Apr 23 '16 at 16:01
  • 1
    The VPN provider knows you are using Tor but cannot see your data because it is encrypted. However, the provider knows your IP address. More info at https://security.stackexchange.com/q/101809/53367 – Daniel Apr 23 '16 at 16:02

2 Answers2

1

Between your Tor client and the guard node, the communications are encrypted with three layers of AES128. The first layer is a key shared between you and the guard node. The second layer is a key shared between you and the middle node. The third layer is a key shared between you and the exit node. Each layer provides 2128 possible combinations of keys. Simple math dictates that 2128×3 equals 2131, so the three layers total up to the equivalent of 2131 possible keys.*

Assuming you are using Tor browser correctly so you are not leaking DNS, the VPN will only be able to see your IP, the IP of the guard node you are connecting to, and the encrypted communications between you and the guard. In order to break them, it would have to either brute force at most 2131 keys (on average half, or 2130 keys), or break the algorithm used to exchanged keys safely, called curve25519. This would require either a major breakthrough in mathematics, or a breakthrough in cryptoanalytic quantum computers. Neither seem likely to appear in the near future, and if they are, they are the kind of things which will be used by FVEY (NSA, GCHQ, etc), not by petty commercial VPN providers who want to snoop on your data.

To answer your literal question: no, the VPN cannot see your data. It only sees encrypted data between you and your guard node.

However, you should be aware that, while Tor is very secure, there are theoretical attacks against it which an actor between you and the guard node, or the guard node itself could pull off. Most of these are termed traffic analysis attacks, because, while they don't involve decrypting the data directly, they involve finding loopholes that end up discovering what the data is without actually finding the encryption key. Tor does have many defenses which makes this more difficult, far too many to name exhaustively, such as padding data into chunks of exactly 514 bytes (previously 512 bytes). However they are not perfect. It is very unlikely that your VPN will be able to pull any of these off, as they often require additional attacks against the entire Tor network.

* There's also a separate TLS connection between each node, which a VPN provider would also have to break.

forest
  • 65,613
  • 20
  • 208
  • 262
0

It depends on how you're using Tor. If you're using the 'Tor browser bundle' then you're probably fine in most cases. If you aren't using the browser bundle though, there's a chance that your DNS requests are going to be sent over the VPN, thus the VPN would know which domains you're visiting.

Another unlikely scenario would be if the VPN happened to host Tor exit nodes. If they controlled the exit node you use, they could use timing correlation to determine what you're looking at.

In the past there's been some risk with javascript de-anonymizing people, or people using certain protocols which may leak your identity.

In any case, using Tor isn't foolproof. It's good, but not without known issues.

Daisetsu
  • 5,120
  • 1
  • 15
  • 24
  • 1
    The Tor Project hates when people call it TOR. It hasn't been an acronym since... Actually it never has. The first paper when it was introduced to the world had it named "Tor". – forest Apr 24 '16 at 04:06
  • When it first came out everyone was calling it 'the onion router', even if that wasn't it's official name. Heck, I till sometimes refer to wireshark as Ethereal. Well, looks like you're right on this one. I'll keep that in mind next time I mention it. Thanks :). – Daisetsu Apr 24 '16 at 04:14
  • Normally I have nothing against calling things by older names, since it's just semantics, but now days it's only the least educated sensationalist media and dangerous "guides" (*cough* DeepDotWeb *cough*) that calls it TOR, so Tor Project has an even better reason for distancing themselves. Seeing what some of these media sites say is cringe-worthy. Once I even say one call it ToR! – forest Apr 24 '16 at 04:29
  • Hi, yer i am using the Tor Browser Bundle, Thanks. But on a side note i am also trying to figure out situation like running Tor -> VPN like through AirVPN service. Also if i route Zap, or Kali through TOR.... – John Apr 24 '16 at 08:09