On 01/22/12 at 06:46 AM, Christopher J. Walters wrote:
> Actually, I know little about VPN. I was asking, in the hope that
> I could learn more - and also it was suggested (I'm not sure where)
> that using a VPN with Tor was better than either alone. Maybe it
> would help if someone explained VPN - its good and bad points.

Generally, virtual private networks (VPNs) are just that. You can think of VPN
connections (aka tunnels) as virtual ethernet cables. Organizations typically
use VPNs for LAN connectivity among locations, and with remote staff. There are
three main protocols: 1) PPTP (outdated, simple, insecure); 2) IPsec (current,
complicated, secure); and 3) OpenVPN (current, arguably less complicated,
secure).

In this context, however, we are using "VPN" in a more restricted way, to mean
VPN "anonymity" services. That is, we mean VPN connections to remote Internet
gateways, rather than to remote LANs.

Regarding Tor, you must trust the design, the validity of the security
assumptions that it's based on, and the software implementation. To the extent
that you don't understand any of that, you must trust the developers. If you
trust Tor itself, you don't need to trust the other participants (or vice
versa). But you have no way, as a user, to really know how anonymous you are.

Regarding VPN services, you must trust the operators, as well as their
designs, assumptions and implementations. Some VPN services are basically just
VPN-connected proxy servers. They know who you are, and they know where you've
been. Other VPN providers may claim to increase anonymity in various ways. They
may claim to route connections through multiple, geographically widespread
servers and routers ("multi-hop VPNs"). They may claim to mix traffic on links
and exit nodes that are shared with associated organizations ("multiplexing and
crowding"). They may claim to require joint authentication, by mutually
anonymous administrators, for access to, and configuration of, shared resources.
However, everything can be logged, by every device that's involved (servers,
routers, switches, etc). VPN providers may claim that they don't keep logs,
that their designs make it difficult or impossible to keep logs, and so on. You
can nest multiple VPN services, using providers who seem unlikely to collude
and cooperate with your government. You can pay anonymously. But again, you
have no way, as a user, to really know how anonymous you are.

As a user, for both Tor and VPNs, it comes down to trust. Tor is arguably more
likely to be more anonymous. Accessing Tor through VPNs can't hurt. Routing
VPNs through Tor may be appropriate under some circumstances. But doing that
will create shared history for each VPN that you use in that way. You obviously
don't want to use the same VPN service on both sides of Tor.

If you're interested in learning more, there are many informative threads on
Wilders Security Forums.
_______________________________________________
tor-talk mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk