Given that the Harvard student lost his anonymity simply by using Tor on the Harvard WiFi network, do you think there would have been worthwhile anonymizing value had he simply added VPN on top of Tor?
That is, after anonymizing his browser fingerprint, instead of going directly to freeware Tor, one adds an additional layer of freeware VPN?
The presumed advantage is that the local WiFi network couldn't have "seen" the Tor connection
The disadvantage presumably would be that both VPN and Tor slow things down; but they guy was only sending email.
QUESTION: Does freeware VPN add any additional anonymizing value to Tor?
I haven't used Tor myself but have used VPN's in the past. Essentially, your ISP will know that you made a connection to the VPN, but from that point on they know nothing. Once connected to the VPN, you are anonymous and once you connect to Tor, your activity becomes anonymous to the provider of the VPN.
OK. I stand corrected that Tor is for anonymity, not for encryption. So, is this correction correct yet?
----> === not encrypted
++++> === encrypted
Normal un-encrypted connection: Home PC---->ISP---->Internet---->Destination (The destination can see the IP address of the home PC.) (The ISP can see the IP address of the destination.)
The standard TOR scenario: Home PC---->ISP---->Internet---->Tor1/Tor2/Tor3--->Destination (The destination can *not* see the IP address of the home PC.) (The ISP can *not* see the IP address of the destination.)
I think this is the "personal VPN" scenario: Home PC++++>ISP++++>Internet++++>VPN Server---->Destination (The destination can *not* see the IP address of the home PC.) (The ISP can *not* see the IP address of the destination.)
I think this is the encryption adding personal VPN to Tor: Home PC++++>ISP++++>Internet++++>VPN++++>Tor1/Tor2/Tor3--->Destination (The destination can *not* see the IP address of the home PC.) (The ISP can *not* see the IP address of the destination.)
I've been studying this, and I think if we add https, then we have the best of all worlds...
A. The "personal VPN services" tunnel protects you from the PC to the VPN server in the middle of the Internet.
B. I think the Tor then protects you (differently) from the VPN to the 3rd Tor node.
C. And, HTTPS will protect you on the final hop from the third Tor node to the final destination.
It seems, if I understand this yet, that without HTTPS, the final hop is unprotected. Without Tor, everything out of the VPN server is unprotected. And, without VPN, the information is protected from the PC to the first Tor node, but, not the fact that you're using Tor.
With all three (VPN + Tor + HTTPS), I would think the traffic is protected from everyone except the final destination, which does the final unencryption - but it only knows that you came from tor node 3.
Yeah I think you got it. Lot's of free videos on line to explain this in parts. The parts they likely leave out are the common sense things no one wants to say or write for fear of "teaching" a basic "hacking" concept. That concept is, how do I hide myself as much as possible.
In my humble opinion the big problem is the target and the foot print we leave behind.
The target has something you want. And if it is available to public then it has to be accessible in some way. And thus someone can start with the target. They watch the target or act like a target and wait for you to come to them. Once you establish a connection to them the question becomes how hard will it be for the target you yourself connected to to backtrace your connection. TOR is helpful here. It slices it up into stages and none of these stages are aware of all of the stages. So a backtrace loses the trial of your presence.
But like the video explains, I hope, that a script somewhere might ask you to do something else for the sake of gaining your presence information. I mention Google because it is so easy to see this from the Google point of view. If you log into your Google account, you just made your presence known to Google and anyone else who is snooping Google, like the NSA.
It really depends on how clean you want to make yourself. If you have a cookie for example for ZDNET, and you happen to browse their site, you give them a whole history of you via the cookie they've left behind for all those visits of yours. And now you've added the presence of your now not so anonymous connection.
Perhaps a simple way to think about this is imagine you find a way to completely travel, physically, as someone else. So the world thinks you're home, in bed, asleep. In fact you are on a 747 to Russia. You get there and the first thing you do is pay for lunch with your credit card, and sign a digital signature screen. You've just told the world where you are. Had you paid with cash you'd still be anonymous assuming of course no one who knows you has seen you.
The network is the same way. You may find it easy to hide going from New York to Russia as a digital presence but what you do when you get there might expose who you are just like the above.
Maybe you wish to download something and you don't want to be you while you commit the act of downloading it. You hide yourself well and download whatever it is. Once you get it, you break your connection and become you again. You launch whatever it is and inside there is a Trojan that starts to monitor your presence online. Form that moment on everything you think you're doing anonymously has been recorded.
Maybe someone grabs your machine. How much can they reconstruct from it? As the saying goes, don't bury the bones in your own backyard. Plenty of companies have realized, often years later, that their own servers are in fact hosting stolen data for someone anonymous who'd rather not be caught with the stolen data on their own host. This is how it was found that Adobe was hacked. Someone suddenly realized they had all of Adobe's source code on their server. Oops.