2

So let's assume the following:
1. A host machine running a clean BSD-based OS that has no backdoors, malware, spyware or other potentially de-anonymizing harmful software.
2. One home internet connection from an ISP that keeps a close eye on potential Tor usage. The connection is being shared by a couple other devices and people.
3. One solid VPN provider that resides in a non 14 eyes jurisdiction, doesn't have a record of collaborating with intelligence agencies, offers stable servers in a multitude of locations, employs a zero-logs policy running everything from RAM memory and doesn't even ask for account names or emails.
Payment was done through bitcoin.
There's no DNS leakage
Internet is blocked in case of connection failure
Traffic monitoring shows that every packet is indeed being routed by the VPN
4. A standard whonix setup(gateway, workstation) running as virtual machines on the host using VirtualBox
5. A list of 1000 socks5 proxies which may or may not have their activity monitored and logged by a potentially hostile 3rd party which will be used at browser-level to access a website

So we have the following schema
Machine -> Home connection/Personal IP -> VPN IP -> Tor -> Firefox ESR with a Socks5 Proxy-> Website

These are my questions:
1. Is there any way in which the ISP can know that we are on Tor and/or using Whonix.
2. Could 'website' ever find out what the originating IP address really was?
3. Is there any way to correlate what happens at the 'website' level with the originating IP address/connection
4. Would using a public internet connection instead make a big difference in the anonymity of the setup?

forest
  • 65,613
  • 20
  • 208
  • 262
  • Wow, now that's some solid anonymity, you got the VPN tunnel, the SOCKS5 Daisy chain, the DNS leak, the TOR network relay... what about the canvas browser fingerprinting on the website? I read that FF added that but for the TOR browser to apply, but it wasn't a default in FF ESR, or persistent cookies (not the deletable by browser - I know it's a clean BSD, but eventually you can be fingerprinted)? – Azteca Dec 05 '17 at 20:24
  • I'll answer in more detail later (the tl;dr is that a lot of your assumptions are incorrect or even dangerous for your implied threat model). To quickly answer one of your questions though, yes your ISP can know you were using Tor because Tor sends things in padded "cells" of 514 bytes in length. This is visible even through a VPN. – forest Dec 07 '17 at 09:32
  • VPN > TOR = all your TOR activity gets logged by the VPN. You're screwed. =) – Mark Buffalo Dec 11 '17 at 07:50
  • @MarkBuffalo How would a VPN log Tor activity? Tor traffic is encrypted. – forest Jun 15 '19 at 08:53
  • @forest Your VPN could log which IP addresses you connect to. It doesn’t always need to know the content of the data, just the metadata. In spite of that, many of the VPN providers are actually honeypots/owned by a single Chinese company. You still have to communicate through the VPN to get to TOR. If your home IP is the only IP in the neighborhood connected to a VPN at a specific time, and at a specific time your VPN IP connects to TOR, and someone can see those traffic hops (hint: five eyes), they’ll be able to figure out where you are visiting, and potentially what you’re doing on the site. – Mark Buffalo Jun 15 '19 at 15:41
  • Continued from above: Also, the VPN account may be registered to your home address/contain PII, so when you log in to the VPN and start a connection, a honeypot knows you connected to X IP address at Y time, and it makes it much easier to correlate who you are. Doesn’t necessarily need a list of the websites you visited, but IP addresses you communicated with. Even if you use bitcoins to purchase a a VPN, if you left any trails on that bitcoin wallet that could lead to you, you’re not as anonymous as you think you are. – Mark Buffalo Jun 15 '19 at 15:48
  • @MarkBuffalo All that the VPN would know, barring collusion with a global passive adversary, is that you are connecting to the Tor network. They would only see your connection to a guard, and Tor does not, by default, intend to hide the fact that you are using Tor from your ISP (or a VPN). Although if you want, you can use an obfuscated bridge which _does_ hide that fact. – forest Jun 16 '19 at 00:46
  • @forest https://en.wikipedia.org/wiki/UKUSA_Agreement This should help. – Mark Buffalo Jun 16 '19 at 00:52
  • @MarkBuffalo I'm not sure how that's relevant. I understand how FVEY and SSEUR operate. – forest Jun 16 '19 at 00:54
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/94962/discussion-between-forest-and-mark-buffalo). – forest Jun 16 '19 at 00:54

1 Answers1

10

First, some comments

I'll be frank here. A lot of your setup is poorly thought out or outright dangerous. For example, using a proxy after Tor (it's not TOR) can greatly decrease anonymity as you now have a centralized exit point (even with the use of rotating proxies). This is exacerbated by using a VPN, since now rather than having a protective chain of relays, you have two points, both controlled by individual entities, which can collaborate to fully deanonymize you. But let's look past that for now. Some comments about the assumptions...

  1. One home internet connection from an ISP that keeps a close eye on potential TOR usage. The connection is being shared by a couple other devices and people.

Being shared by multiple people is irrelevant, as TCP/IP fingerprinting is able to distinguish multiple devices coming from a single IP. If you need to reduce the chance of an ISP knowing you are using Tor, you may have to use pluggable transports with a bridge. These are designed to obfuscate the Tor protocol in various ways, though the use of a bridge is only intended if you are being blocked. It is not always sufficient for simply avoiding membership attribution.

  1. One solid VPN provider that resides in a non 14 eyes jurisdiction, doesn't have a record of collaborating with intelligence agencies, offers stable servers in a multitude of locations, employs a zero-logs policy running everything from RAM memory and doesn't even ask for account names or emails.

A VPN being in a non-SSEUR (14-eyes) jurisdiction can actually make anonymity worse, as now rather than going through small ISPs in a "bad place", you are going through the border of a "bad place", complete with all their IXP taps. This can be bad enough that some circuits that go through many topographically distant countries can even lead to complete deanonymization. Furthermore, even if the VPN claims to provide zero logs, their ISP and DC certainly does log, it would be unheard of not to. See this answer which provides an example. I strongly recommend you read it.

Payment was done through bitcoin.

I'm sure you're already aware of this, but bitcoins aren't anonymous. Ensure payment was done with initially anonymously obtained bitcoins.

  1. A standard whonix setup(gateway, workstation) running as virtual machines on the host using VirtualBox

VirtualBox is rather insecure, as are most hypervisors. It can be especially vulnerable to leaking graphics information when hardware acceleration for graphics is used. Whonix is best used with physical hardware isolation, so a simple 0day in the hypervisor will not bring down your whole anonymity system. Using hardware isolation will reduce the attack surface to that of the networking protocols, Tor control port, and SOCKS protocol.

  1. A list of 1000 socks5 proxies which may or may not have their activity monitored and logged by a potentially hostile 3rd party which will be used at browser-level to access a website

This is dangerous, far more dangerous than using plain Tor exit nodes. Chances are a large number, if not all, of these proxies are managed by a single entity. This makes it far more dangerous than Tor, where each exit tends to be operated by a different entity.

Furthermore, there is the risk of the proxies being too close to your guard or VPN topographically (or even on the same subnet!). Tor ensures that none of the three relays in any given circuit are too close, but this guarantee breaks down as soon as you use "extra" proxies. If your VPN or guard and one of the proxies is part of the same DC, it can completely deanonymize you. This goes against "anonymity 101 common sense", but is quite true. There's zero chance that there will be no extensive monitoring between the border of your country and your "safe, non-SSEUR country", but there is a non-zero chance that there will be no monitoring at the junction between two small ISPs in the same country.

In the case of you -> vpn -> node1 -> node2 -> node3 -> proxy -> website, The three nodes are guaranteed not to be too close, topographically. There is no way for Tor to guarantee that vpn and proxy are not right next to each other, blowing your anonymity. This is the same reason using Tor over Tor is a horrible idea.

You may want to read Measuring and mitigating AS-level adversaries against Tor, which explains this phenomenon.

Machine -> Home connection/Personal IP -> VPN IP -> TOR -> Firefox ESR with a Socks5 Proxy-> Website

You should absolutely not be using plain Firefox ESR, even with "privacy" extensions. You should only ever use Tor Browser, or you will be subject to completely accurate fingerprinting (for example, through audiocontext fingerprinting). There are more than a dozen extremely important features which Tor Browser provides which are lacking on Firefox ESR and cannot be implemented in addons, requiring patches to the source code as well (like Tor Browser's reduced timing granularity of javascript.now()). Tor Browser is far more than just Firefox and a few addons.

To answer your questions, though...

  1. Is there any way in which the ISP can know that we are on TOR and/or using Whoenix.

Yes, it can know you are using Tor. A VPN typically uses UDP or TCP for communication, and there is no padding. Tor on the other hand uses its own protocol, where data is sent in groups of cells of 514 bytes each (previously 512). This means that your ISP will see VPN traffic going through in bursts of 514 bytes, indicating use of Tor. There is likely also a way to determine that you are using Whonix with a high likelihood of Whonix makes any unique connection attempts at startup (such as update checks) that could be detected through a type of passive fingerprinting called website fingerprinting.

  1. Could 'website' ever find out what the originating IP address really was?

Potentially, if it was coordinating with an entity that could see both your proxies and your VPN. Other than that, no, not with your first assumption in place, assuming it also extends to 0days and not just backdoors.

  1. Is there any way to correlate what happens at the 'website' level with the originating IP address/connection

See previous answer. This question is basically the same as your second one.

  1. Would using a public internet connection instead make a big difference in the anonymity of the setup?

That depends on many factors. A public internet connection may have more fine-grained logging. It may be subject to attacks on the WiFi protocol. Unlike a hardwired home connection, a public wireless connection allows countless others in close range to determine your unique hardware (MAC address randomization is not enough), and potentially mount website fingerprinting attacks.

Recommendations

Rather than just criticizing this setup, I think some recommendations are in order.

  • Use Whonix with physical isolation, or Tails.
  • Use stock Tor Browser with the security slider set to high, without any other changes.
  • Install open source firmware on your router such as OpenWrt.
  • Do not use anything extra like a VPN or proxy.
  • Ensure all your software is up to date, and keep track of disclosed vulnerabilities.
  • Avoid WiFi because of fingerprinting attacks from a local adversary and insecure WiFi chips.
  • And as always, be mindful of your OPSEC.
Glorfindel
  • 2,263
  • 6
  • 19
  • 30
forest
  • 65,613
  • 20
  • 208
  • 262
  • What about using a Tor bridge, instead of the initial VPN? – Michael Hampton Jun 16 '19 at 03:07
  • @MichaelHampton You can use an obfuscated bridge if you want to hide the fact that you are using Tor from an automated firewall, but it's not necessarily the best choice for anonymity. There are a lot of bridges so chances are, you'd be one of the few people, or the only person, using it at any given time. Compare this with a guard, where many people are using it at once. If I use a bridge and tell you which bridge I use, you can probably guess that any traffic going through it is mine. If I use a guard and tell you which guard I use, I could be one of hundreds of people using it. – forest Jun 16 '19 at 03:08
  • Sorry, I was not clear. The OP was using a VPN to try to prevent his ISP from learning he is using Tor. – Michael Hampton Jun 16 '19 at 03:10
  • @MichaelHampton Ah. Yes an obfuscated bridge (e.g. using obfs4) attempts to hide the fact that the connection is going into the Tor network. A VPN would not help for reasons I mentioned in my answer (514-byte cell padding). A bridge can break this pattern and appear like non-Tor traffic. It can't necessarily defend against manual analysis of the traffic from ISP network engineers though, so it's only really useful for getting around automated censorship such as that performed by China's GFW. – forest Jun 16 '19 at 03:11