Posted by overvalley in Privacy

One vpn explains that you can use port-forwarding between vpn hops to connect a near server, and then forward through their fast network to a remote server. The near connection and "internal" port forward can supposedly give a speed advantage with a simultaneous multi-hop privacy advantage.

Does the port-forward affect layered encryption? Is port-forwarding simply a standard feature of multi-hop connections?

2

Comments


smartypants wrote (edited)

Does the port-forward affect layered encryption?

Hopping adds no real benefit, other than perhaps protecting you from COMPROMISED machines logging raw connections along the way. Most VPN companies, excluding ExpressVPN, have been in the news as compromised by nation states, even NORD VPN last year.

HTTPS protocol, by design, prevents man in the middle, and not even VPNs or ISPs know anything about the URL you are using, not even the domain name, just the IP address and the fact that you are requesting a port 443 HTTPS connection.

DNS traffic deduces domain name target, but IP already zeros in target unless using VPNs.

HTTPS is secure, but sadly, once connected to https://ramble.pw or any https site, backdoor exploits added to tor browser, by NSA/CIA, in the form of "ACCIDENTAL CODE SUBMISSIONS" to tor browser used in TAILS, leak your IP to the target. This means...

... that using one or even a chain of VPNS can have the ENDPOINT (https://ramble.pw or ISP of https://ramble.pw) exploit your TAILS tor browser via javascript (typically), or WebRTC (in the past) to LEARN YOUR ACTUAL TRUE IP ADDRESS!!!

This means that the HTTPS encrypted traffic is still secure, end to end, but your IP address can still be logged using VPNs, by the endpoint.

These ways and means show up in federal court cases when FBI is forced to reveal tactics under a judge's order in court trials.

For years the tor browser in TAILS had hidden backdoors, proven if you read the release notes of TAILS. TAILS too? Yup, even the famous https://tails.boum.org/

...had WebRTC enabled by accident (or by mossad on purpose) in past versions of TAILS, and if you read ALL THE CHANGE NOTES OF ALL VERSIONS you will learn I am telling the truth on the one little note they fessed up.

https://medium.com/@blackVPN/critical-windows-exploit-webrtc-can-expose-your-real-location-ip-address-even-when-using-a-vpn-4555d2fd280d

https://www.exploit-db.com/exploits/44403/

https://blog.ipvanish.com/webrtc-security-hole-leaks-real-ip-addresses/

https://thehackernews.com/2015/02/webrtc-leaks-vpn-ip-address.html

https://www.reddit.com/r/VPN/comments/2tva1o/websites_can_now_use_webrtc_to_determine_your/

That is NOT the only weakness in Tor browser, there were other non-WebRTC leaks!!!! Javascript (required for every free speech social site) and (required for Cloudflare) had exploits in summer 2019 that leaked endpoint IP addresses, and even allowed kernel level OS alteration on Mac OS using TAILS!!!!!! Many years of tails exploits prior too.

NO large web browser should EVER be trusted not to divulge IP addresses over VPN

Anyone trusting using TAILS along with its graphical browser is a patsy. The rest are in prison already if they were criminals.

Only use text messaging, not a graphical web browser, when using TAILS, or tor services and VPNs! No fancy web browsers!

Even better, use a "one time visit" concealing gait and face, to a coffee shop.

Remember TOR/TAILS often runs unstoppable javascript using exploits by FBI, such as the infamous recent noscript vulnerability!...

https://www.netsparker.com/blog/web-security/noscript-vulnerability-tor-browser/

Javascript code can cause lots of problems for your anonymity, and even root your machine, as in summer of 2019.

HTML5 fingerprints and indestructible cookies also thwart SOME VPN users too:

https://33bits.wordpress.com/2010/02/18/cookies-supercookies-and-ubercookies-stealing-the-identity-of-web-visitors/

25% of sites fingerprint you using javascript (CloudFlare and others, require javascript to connect)

2020.08 : A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts! https://www.zdnet.com/article/a-quarter-of-the-alexa-top-10k-websites-are-using-browser-fingerprinting-scripts/

In 2021, hundreds of research papers on novel fingerprinting techniques of browsers exist, and even I designed some using html5 graphics, not yet widely known by other researchers and not yet stopped in Google Chrome.

TAILS? Use HiddenVM too

If you must try to connect to a https web site anonymously, use a hidden privacy VM OS and a set of privacy tools, at a public wifi:

https://github.com/aforensics/HiddenVM

https://news.ycombinator.com/item?id=22492343

There are many reasons why you may want to use HiddenVM.

Whonix OS! inside HiddenVM, for TAILS on a USB, for coffeeshops or libraries: ...

I SUGGEST if you do not need OSX or Windows, to install Whonix secure Tor anonymization and TAILS inside your HiddenVM !!!
https://www.whonix.org/

TL;DR: NO CONNECTIONS MADE FROM YOUR HOME ARE SAFE FROM FBI/NSA if using a BROWSER, vs text chat. Hopping does nothing to protect HTTPS more than it already provides.

2
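The post above says an endpoint can learn a VPN user's real address through WebRTC. The defensive counterpart is to check what your own browser would hand out: the ICE candidates from RTCPeerConnection. The following is an added example, not code from the thread or from any project it mentions; it parses candidate strings (the format `onicecandidate` delivers) and flags any public address that is not the VPN egress. The sample candidate lines and the egress address are constructed.

```javascript
// Added example: detect a WebRTC IP leak from ICE candidate strings.
// In a browser you would feed this with pc.onicecandidate = e => e.candidate && lines.push(e.candidate.candidate)
// The SAMPLE lines below are constructed, not captured from a real session.

const PRIVATE_V4 = [
  [/^10\./, "rfc1918"],
  [/^172\.(1[6-9]|2\d|3[01])\./, "rfc1918"],
  [/^192\.168\./, "rfc1918"],
  [/^169\.254\./, "link-local"],
  [/^127\./, "loopback"],
];

// Classify a candidate address so only genuinely routable ones are reported.
function addressClass(addr) {
  if (addr.endsWith(".local")) return "mdns";          // obfuscated host candidate, no IP exposed
  if (addr.includes(":")) {                            // IPv6
    const a = addr.toLowerCase();
    if (a === "::1") return "loopback";
    if (a.startsWith("fe80:")) return "link-local";
    if (/^f[cd]/.test(a)) return "ula";                // fc00::/7 unique local
    return "public";
  }
  for (const [re, cls] of PRIVATE_V4) if (re.test(addr)) return cls;
  return "public";
}

// Parse one candidate line (RFC 5245 grammar): foundation component transport
// priority connection-address port "typ" candidate-type [raddr rport ...]
function parseCandidate(line) {
  const t = line.replace(/^a=/, "").split(" ");
  const typIdx = t.indexOf("typ");
  if (t.length < 8 || typIdx < 0) return null;
  return { address: t[4], port: Number(t[5]), type: t[typIdx + 1] };
}

// Public candidate addresses other than the VPN egress are leaks: a srflx
// candidate means STUN reached the internet outside the tunnel, a host
// candidate means a real interface address was handed straight to the page.
function findLeaks(lines, vpnEgressIp) {
  const leaks = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (addressClass(c.address) === "public" && c.address !== vpnEgressIp) {
      leaks.push({ ...c, reason: `${c.type} candidate exposes ${c.address}` });
    }
  }
  return leaks;
}

const SAMPLE = [ // constructed: one mDNS host, one srflx via the VPN, one leaking host
  "candidate:1 1 udp 2122260223 a1b2c3d4-0000-4000-8000-000000000001.local 54321 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.20 rport 54321 generation 0",
  "candidate:3 1 udp 2122194687 198.51.100.7 61000 typ host generation 0",
];
```

With the constructed egress 203.0.113.45, only the third line is reported; a healthy VPN setup with mDNS candidates enabled should report nothing.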

overvalley OP wrote

This analysis is good for my edification. I'm reading some of the sources and will have some related questions later on.

1

div1337 wrote

"No fancy web browsers"

What about lynx?

1

smartypants wrote (edited)

I kind of meant not to run any browser, or if so, avoid javascript. But... Lynx?

For safety, Lynx doesn't support Javascript, but many web sites, including dark net ones, idiotically require javascript.

Links...?

Lynx and elinks do not support JavaScript, but Links does: sudo apt-get install links, then to compile Links with JavaScript support, use the configure option --enable-javascript ... etc

https://softwarerecs.stackexchange.com/questions/11678/text-based-browser-that-runs-javascript

I would avoid the javascript entirely if possible, or use a remote proxy doing all the javascript and rerendering back through tor to your location

1

RAMBLE1 wrote

Link of that vpn?

Port-forward is for p2p apps to connect. Does not affect encryption.

1

overvalley OP wrote

There's an example and description at Mullvad for the two-hop connection: http://xcln5hkbriyklr6n.onion/en/help/wireguard-and-mullvad-vpn/ [Forgive the onion link, but search "wireguard-and-mullvad-vpn" for clearnet]

"Each WireGuard server is connected to all the other WireGuard servers through WireGuard tunnels."

The user gets confirmation that their target website sees the IP of the second node, but what does the ISP see? Aren't they routing to the first node (at least physically), and is it masked as the second node? Does the tunnel between nodes become redundant as the user connection tunnels through the entry node to the exit node?

Nodes/servers
Is it wrong to use "nodes" in this scenario?

1