Clarify Tor's weaknesses with respect to observability

Edit 11/29: I ended up publishing a video response to Mental Outlaw basically covering the stuff in this post.


Thanks for sharing! It’s very close to being a good video :slight_smile:

I’ll respond to every point he makes here for future reference, I might make a response video to him since I’m already writing on the subject anyways.

1:08 - He says that Tor doesn’t recommend the use of Tor with a VPN.

  • In reality (and as his screenshot shows), Tor does acknowledge that a VPN can be used with Tor without compromising privacy. As stated earlier in this thread, Tor also acknowledges the benefits of using a VPN to stand out less on your network.

  • Tor makes the suggestion to only use Tor because it simplifies their advice and makes the network easy to use. This still doesn’t change the fact that using a VPN with Tor provides additional protections which Tor inherently cannot, so it doesn’t stop us from covering the real benefits of VPN+Tor.

    In the real world there is virtually 0 harm to using a VPN+Tor (as I will cover below), and there are plenty of real benefits. Even if all those benefits are negated for whatever reason, you’ll virtually never be worse off with a VPN+Tor configuration like we are suggesting; at worst you’ll merely be “back to square 1” and still benefiting from the other protections that Tor provides.

2:42 - Minor nitpick, but he claims Tor changes your whole relay every 10 minutes, which isn’t true now that entry guards exist to protect against the very threat he’s describing here.

3:11 - He brings up threat modeling :smile: and then he immediately tells people that there are only two valid threat models :sob:

  • He says that the only people who need to hide Tor usage from their ISP are:

    1. People doing crime
    2. People protesting their government (unfortunately he never brings this up in the video again, but I’ll cover some of my thoughts on it at the end of this post)
    3. People in countries which block Tor (I know this is three even though he said two)
  • I believe that it’s fair to say there are plenty of other, real-world situations where you would want to hide your Tor activity from your ISP or network administrator which are not government-related at all.

    Consider the fact that Harvard network administrators were able to deanonymize a Tor user with very trivial traffic analysis. In this case, yes, it was government/law-enforcement related, but this demonstrates the threat a network administrator can pose in any scenario. If Harvard can do it for the FBI, they (and anyone else!) can also do it for whatever reason they’d like.

    • Imagine a whistleblower connecting to Tor on their employer’s network to post something about the company they work for, for example. A lot of online literature about Tor tends to suggest that merely connecting to Tor makes you completely anonymous, but of course this isn’t the case in reality. The fact that your Tor use is observable by your local network poses a real risk to many people.

People in countries which block Tor

3:44 - Here he covers folks in countries like Iran/China which block network connections.

  • :white_check_mark: This is true, and is the reason I state in my draft that…

    This is not censorship circumvention advice, because if Tor is blocked entirely by your ISP, your VPN likely is as well. Rather, this recommendation aims to make your traffic blend in better with commonplace VPN user traffic, and provide you with some level of plausible deniability by obscuring the fact that you’re connecting to Tor from your ISP.

4:08 - He conflates the idea of blocking bridges and identifying bridges here.

  • Bridges are fairly decent at circumventing censorship, because they are unpublished and make efforts to obfuscate the fact that they are indeed Tor bridges. However, these are only transient protections because Tor bridges are virtually always eventually identified and blocked.

    • This fact is very bad for people who want to hide past Tor usage from their ISP, which is almost certainly logging basic metadata like IP addresses and connection times indefinitely:

      Consider this scenario: You connect to Tor via a bridge, and your ISP doesn’t detect it because they are not doing sophisticated analysis of your traffic, so things are working as intended. 4 months go by, and the IP of your bridge has been made public (as they almost inevitably are). Your ISP wants to identify Tor users 4 months ago, and with their limited logging they can see that you connected to an IP address which was later revealed to be a Tor bridge. You have virtually no excuse to be making such a connection, so the ISP can say with very high confidence that you were a Tor user at that time.

      Scenario 2: You connect to Tor via a VPN, and this works fine. 4 months later your ISP again wants to identify Tor users 4 months ago. Their logs almost certainly can identify your traffic 4 months ago, but all they would likely be able to see is that you connected to a VPN’s IP address. Because your ISP almost certainly is not capturing all packet-level data and storing it forever, they have no way of determining what you connected to with that VPN after the fact, and you have plausible deniability :white_check_mark:

    • Therefore, bridges are only good at circumventing censorship in the moment, but not at hiding Tor usage in historical network analysis (and also obviously not in situations where a firewall is doing deep packet inspection, as he mentions in the video and I address above).

For the next minute he goes further into why a VPN won’t bypass censorship in the same way bridges can, and we agree on those facts.

However, I will point out that at the same time there are also plenty of real-world network censors who do block Tor and don’t block VPNs, so a circumstance where a VPN is a valid censorship circumvention technique is hardly inconceivable. I would still suggest that people try to use a VPN to bypass censorship, and explore other options if that isn’t feasible on their specific network.

People doing crime

5:25 - Here he covers folks who are likely to be targeted by law enforcement. We can agree that opsec failures are much more likely to be the reason criminals get caught rather than network analysis. Not much to say here…

6:57 - Then he says that using a VPN to connect to Tor will make you stand out more, and this is where the argument falls apart a bit:

7:08 - He claims that entities like Interpol are Global Passive Adversaries; he doesn’t use that term, but he describes them as if they are. This is maybe a common misconception but is very untrue and borders on conspiratorial thinking:

  • A “Global Passive Adversary” (GPA) is an entity which can monitor the network traffic of every Tor node, every VPN, and every ISP.

    • He falsely states that organizations like Interpol are examples of GPAs, despite there being no evidence to suggest this is the case. Merely having global jurisdiction doesn’t imply that your organization has on-demand global access to every ISP. An investigative agency would have to coordinate with every single ISP on the chain separately, and there are plenty of situations where that would be an impossible task.

    • The reality is that a GPA almost certainly does not exist in this form, but if it does…

7:18 - …so given all of that he makes the point that if a GPA sees traffic between a VPN and Tor, that traffic will be extra suspicious.

  • In a situation where a GPA exists, Tor does not protect you, Tor+VPN does not protect you, you are not protected, and we state as much in the guide:

    Powerful adversaries with the capability to passively watch all network traffic around the globe (“Global Passive Adversaries”) are not something that Tor protects you against (and using Tor with a VPN doesn’t change this fact).

  • Let’s assume a GPA doesn’t exist though, and they’re doing this investigation after the fact. The ability for a law enforcement agent to determine that a VPN user connected to Tor hinges on either your VPN collecting logs or the law enforcement agency already monitoring traffic from that VPN.

    1. In the first case (best-case), this is avoided by virtue of the fact that your VPN provider isn’t collecting logs. Maybe a shady VPN provider will be collecting logs secretly, but I am reasonably confident that the VPN providers we recommend are not, and the entire point of using them in the first place is that you trust them to not log more than you trust your ISP to not log.

      However, for the sake of the argument let’s pretend your VPN provider is secretly logging. Then it becomes the same situation as the second case, see below:

    2. In the second case (worst-case), this means that said law enforcement agent knows you are connecting to Tor. However, they could just as likely do this to your regular ISP too! This merely means you’re back to square one, and they know you connected to Tor but not what you connected to (because Tor obfuscates this information, of course). So, worst-case scenario you’re in the same place as you were without using a VPN, you’re not worse off than if you had just connected to Tor.

9:36 - He claims you will stick out like a sore thumb because you’re connecting to Tor via a VPN, and most Tor users connect directly to Tor.

  • Again however, this hinges on a—frankly absurd—idea that they can tell that you’re connecting to Tor via that VPN because they’ve broken the encrypted tunnel and can read your traffic. This is an unrealistic scenario he’s posed, but there are a few semi-realistic (not really) scenarios where an observer on your ISP could tell that you’re connecting to Tor via a VPN:

    1. Website Traffic Fingerprinting is perhaps the most realistic way to detect Tor usage inside a VPN, but this is not to say that it’s realistic at all!

      • Tor Project themselves don’t believe that website traffic fingerprinting is realistic in real-world scenarios: A Critique of Website Traffic Fingerprinting Attacks | The Tor Project
      • If you are still super concerned about this for some reason, you could use a VPN in addition to a pluggable transport (bridge) to obfuscate your traffic’s fingerprint further. This is potentially valid advice and something I will consider adding to the article I’m drafting.
    2. Your VPN tells law enforcement that you’re connecting to Tor. We just addressed this scenario above; it’s both unlikely and not going to provide much information to law enforcement, because they still need to take the additional step of determining what your Tor traffic actually was.

      • It’s potentially a valid argument that if this happens, it will make your traffic potentially more valuable to decrypt and therefore law enforcement might spend additional resources on decrypting your Tor traffic after they determined that you made the initial connection through a VPN. I don’t agree this is a realistic concern for two reasons:

        1. Many people connect to Tor via a VPN already for various reasons, I don’t think you will stand out more from other Tor users even if you do use a VPN in addition to Tor, as he posits.
        2. Even if they do put extra effort into decrypting your traffic, this is still a very challenging task to complete. There’s no evidence to suggest that determining what you connected to via Tor with traffic analysis during investigations like this is even possible, so in our worst-case scenario, investigators are still posed with a virtually impossible task anyways.
  • Secondly, you know what else makes you stick out like a glow stick? Connecting to Tor!

    This is actually the entire point of my suggested changes in the first place:

    As we’ve alluded to already, Tor is also easily identifiable on the network. Unlike an actual VPN provider, using Tor will make you stick out as a person likely attempting to evade authorities. In a perfect world, Tor would be seen by authorities as a tool with many uses (like how VPNs are viewed), but in reality the perception of Tor is still far less legitimate than the perception of commercial VPNs, so using a real VPN provides you with plausible deniability, e.g. “I was just using it to watch Netflix,” etc.

    The overall advice I’m intending to give here is to provide additional privacy protections from your ISP when connecting to Tor, with the understanding that most people trust their VPN more than their ISP.

    Therefore the potential risks of your VPN knowing you’re connecting to Tor are irrelevant in the first place anyways, because we have already established that the risks of your ISP knowing you’re connecting to Tor are almost certainly higher.

10:27 - Anyways, his overall recommendation is to use Tor to blend in with other Tor users on your ISP, which is certainly a nice thought.

  • As I said before, if we all lived in a perfect ideal world this could be good advice, but this suggestion ignores the reality that Tor use simply is not common or non-suspicious in the first place, and Tor traffic is flagged by nearly every firewall or logging device that your ISP might use.

    This is why my suggested advice is much more limited:

    If you live in a free country, are accessing mundane content via Tor, aren’t worried about your ISP or local network administrators having the knowledge that you’re using Tor, and want to help de-stigmatize Tor usage, you can likely connect to Tor directly via standard means like Tor Browser without worry.

  • It’s a shame that he brought up threat modeling once in the video and then ended the whole thing with a black-and-white “don’t do this” recommendation.


Response to YouTube comments

I’ll also respond to some of his confused commenters:

I see some YouTube commenters claim that using a VPN with Tor makes you stand out more because you’re sending your network traffic through 4 hops.

  • This doesn’t make sense because of how Tor is designed, and you can figure this out with 5 seconds of thinking about it. If you could stand out on the Tor network based on what your network looks like before the entry node, that would obviously defeat the point of Tor in the first place, because you could be fingerprintable based on ISP configuration. Using a VPN before Tor should not increase your fingerprintability to either the destination or to Tor relays.

I also see people make claims along the lines of “your VPN acts like a permanent guard node.” This doesn’t make sense, because you still have an actual guard node protecting your ingress into the Tor network.

  • By this logic, your ISP would be acting as a “permanent guard node” too, which obviously is not a real issue. Your VPN replaces your ISP, not any Tor nodes.
  • The reality is that whatever happens before your Tor entry node cannot be detected and fingerprinted by observers on the Tor network or at your destination. I addressed this earlier too, but I just want to reiterate that as long as your last three connections are through the Tor network, you’re not losing any benefits of the Tor network.

Luckily I also saw a decent number of comments explaining why his video is not the greatest advice too.


Regarding protestors & criminals

I was disappointed he didn’t go into protestors and other dissidents much; I think it is probably the most obvious example of when using a VPN with Tor does make sense.

In situations like that you’re likely dealing with surveillance states who don’t censor traffic. This is also the situation where VPN usage among the general population will likely be very high for a variety of reasons, and will arouse much less suspicion from network monitors.

Again, in other situations with actual censorship of VPNs and Tor, that isn’t what this recommendation is geared towards anyways.

The other thing I want to add is that the reason it may appear that I/we are defending criminals with this advice is twofold:

  1. It’s newsworthy when criminals fail at privacy, and court cases are well-documented, so there are simply more real-world examples to point to when explaining privacy failures. This does not mean that criminals are the only people who need stronger privacy protections; it’s just that when the average person’s privacy protections are broken the impact isn’t necessarily shared with the rest of the world. It does not mean that the impact in non-criminal real-world situations doesn’t exist.
  2. What’s lawful in one country is criminal in another, and there are a lot of gray areas where it is almost certainly morally acceptable and even encouraged to break some laws in especially repressive countries, so the knowledge on how to do so is still fairly important.

So basically, despite all this theoretical talk about “evading law enforcement,” this advice isn’t intended for actual criminals to evade law enforcement. The reader is intended to take these examples and find out ways they might also apply to their regular, everyday life :slight_smile:

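As an added illustration (not part of the original post) of the two ISP-log scenarios described above, the Python below models an ISP that keeps only connection metadata and later matches it against a bridge list that was published months after the connections happened. All subscribers, addresses (RFC 5737 documentation ranges) and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FlowRecord:
    """One line of minimal ISP metadata: who connected to which IP, and when."""
    when: datetime
    subscriber: str
    dst_ip: str


# Constructed log, retained indefinitely as the post assumes (no payloads kept).
ISP_LOG = [
    FlowRecord(datetime(2023, 7, 1, 20, 15), "subscriber-A", "203.0.113.10"),  # scenario 1: bridge, direct
    FlowRecord(datetime(2023, 7, 1, 20, 16), "subscriber-B", "198.51.100.5"),  # scenario 2: VPN, Tor inside
    FlowRecord(datetime(2023, 7, 2, 9, 0), "subscriber-C", "192.0.2.80"),      # ordinary website
]

# Constructed bridge list: the date each bridge IP became publicly known/blocked.
BRIDGE_PUBLISHED = {"203.0.113.10": datetime(2023, 11, 3)}
# Constructed address of a commercial VPN endpoint.
VPN_ADDRESSES = {"198.51.100.5"}


def classify(record, investigation_time,
             bridge_published=BRIDGE_PUBLISHED, vpn_addresses=VPN_ADDRESSES):
    """What the ISP can conclude about one flow when it looks back at investigation_time."""
    published = bridge_published.get(record.dst_ip)
    if published is not None and published <= investigation_time:
        # The connection predates the bridge becoming known; the match is retroactive.
        return "tor-bridge"
    if record.dst_ip in vpn_addresses:
        # Tunnel contents were never retained, so what was reached via the VPN is unknown.
        return "vpn-only"
    return "unclassified"


def retrospective_sweep(log, investigation_time, **kw):
    """Map each subscriber to the strongest conclusion the metadata supports."""
    rank = {"unclassified": 0, "vpn-only": 1, "tor-bridge": 2}
    result = {}
    for rec in log:
        label = classify(rec, investigation_time, **kw)
        if rank[label] > rank[result.setdefault(rec.subscriber, "unclassified")]:
            result[rec.subscriber] = label
    return result


if __name__ == "__main__":
    print(retrospective_sweep(ISP_LOG, datetime(2023, 8, 1)))   # before the bridge is public: nobody flagged
    print(retrospective_sweep(ISP_LOG, datetime(2023, 11, 15)))  # afterwards: A flagged, B still only "vpn-only"
```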