
quandyalaterreux wrote

1

spc50 wrote

Thanks for the share.

I am reading and trying to get my head around what is posed there.

This--> "...If you connect to a VPN over Tor, this traffic separation goes away completely..."

People go connecting to their VPN via Tor? That's not ahh bright.

Normally: Computer ---> REMOTE VPN ---> TOR

No single tunnel there like claimed. Sure VPN is, but it's a drop-in replacement in essence for your local gateway. Normal pedestrian leakage of IP and you get the VPN IP instead of your actual IP. More advanced leaking, well, nothing is saving you.

Then there is this ---> there's the matter of trust to consider again. Alice must be sure her VPN provider is worthy of the trust she will be placing in it. She must have paid her VPN provider in a way that can't be traced back to her. She must be sure that the VPN provider doesn't keep traffic or connection logs. She has to trust herself to never mess up and connect to her VPN without Tor. And for this VPN to be of any benefit at all, she must convince herself that her adversary can't somehow work with the VPN provider, compromise the VPN provider, or work with/compromise ISPs and ASes near the VPN provider.

This is why you need a real provider for VPN that is exercising maximum transparency and who answers the tough questions. A compatible philosophy they live by is most important. But they have to implement things, not just lip service.

Same argument made for trust thy VPN provider NOT --- can be 100% extended to your ISP and its upstreams. This is why crypto matters and everything should be encapsulated in something, ideally multiple wrappers.

Peel back a layer of this and there is another layer - if your protection is working effectively.

For VPN to work in this mix you need a provider that doesn't want to intimately know its customers.

  • Zero knowledge of customers.
  • Anonymous payments (prepaid cards, cash, privacy coins, barter).
  • No name or info required to maintain account. No logs on the servers.
  • Forced DNS that is scoured clean of fluff and abuse 3rd party noise.
  • Something better than a warrant canary - how about full posting of all abuse@provider inbound emails automatically?

That's a decent start.

You will see that around here soon as a thing. Cause the VPN industry is a marketing scam most of it. Gets exploited and they toss more into ad buys and placement spots. Fake privacy niche is a real tragedy.

2