4

Goal 1: access certain "anonymous" sites that you don't want to provide your real identity, IP or location to.

Goal 2: access "regular" sites that do require or have your real identity, such as your bank or Facebook.

All sites use end-to-end encryption over HTTPS, so packet sniffing isn't an issue.

Let's say you're using a VPN that you trust to not keep logs, and is located in a jurisdiction outside of the Five Eyes. Unless you use split tunneling, all your traffic will go through the VPN - both to regular and anonymous sites.

Is it a bad idea to access over the same VPN both sites that know your real identity and those that don't? What kinds of attacks could expose your identity to a) the anonymous sites, b) the attackers?

If one of the "regular" sites is subpoenaed, they can hand over your IP as well as the IP of the VPN(s) you've used to connect to them, but if you trust your VPN provider to not keep logs, this doesn't seem like a problem. If an anonymous site is subpoenaed for all users who've connected from that VPN IP, you have plausible deniability, since the VPN's external IPs are shared.

Sam
  • 111
  • 2
  • 1
    You may want to look at [Could logless VPNs be traced?](https://security.stackexchange.com/questions/175179/could-logless-vpns-be-traced/175186#175186) if your assumption is that a VPN that you "trust not to keep logs" is anonymous. – forest Dec 19 '17 at 10:51
  • Same question almost - [Identity exposure by using same proxy?](https://security.stackexchange.com/questions/145105/identity-exposure-by-using-same-proxy) – Sam Dec 20 '17 at 00:57
  • My worry was time-based. If they see IP address xyz accessing a "bad" site and have sufficient resources, they can look for ALL accesses from xyz at or near that time, including on sites where you use your real information. This wouldn't hold up in court, even for a warrant, but I thought I'd mention it. It's also nice to have a speed increase on sites you visit with your real information – Barry Carter May 14 '22 at 16:40

1 Answers1

1

Is it a bad idea to access over the same VPN both sites that know your real identity and those that don't?

From a hyperparanoid perspective yes. You will likely have the same visible IP for both sites. Whilst usually you would expect other users to be present at the VPN IP it still makes pairing up your requests easier.

What kinds of attacks could expose your identity to a) the anonymous sites, b) the attackers?

Two obvious ones -

  • Browser Fingerprinting. This is surprisingly accurate - https://amiunique.org/
  • Packet matching. I.e. someone with wire access to traffic entering and leaving the VPN can use statistical methods to pair the packet you send into the VPN with the packet leaving the VPN for the remote server (and vice versa).
Hector
  • 10,923
  • 3
  • 41
  • 44
  • 1
    Not even from a "hyperparanoid" perspective. Advertising companies _today_ are using fingerprinting techniques like the one you linked to correlate users across time and websites. – forest Dec 19 '17 at 10:55
  • @forest - Agreed. I was really leaning towards the packet / IP matching side with that one. Browser fingerprinting can be used whether you use the same VPN, no VPN or different ones. – Hector Dec 19 '17 at 11:16
  • Browser fingerprinting would be thwarted by using different browsers and profiles for "anonymous" vs "regular" sites. Bonus points: don't use the browsers full-screen, and use different themes to easily distinguish them visually - e.g. a dark theme for one and a light theme for the other. – Sam Dec 01 '21 at 10:37