In what circumstances would using Tor over VPN be more harmful to your anonymity than using Tor over ISP?

The /r/TorwithVPN sticky says:

The vast majority of the time, using a VPN in addition to Tor isn’t going to provide you any real benefit. Sometimes, it can even be harmful to your anonymity.

How can using Tor over VPN be more harmful to your anonymity than using Tor over your ISP?

I assume of course that you are only using HTTPS and .onion sites. Nobody uses HTTP anymore.

Your ISP openly admits to logging, selling data, and cooperating with law enforcement, sometimes without a warrant. Your VPN provider at least claims not to do these things.

But even if they were incompetent or lying, I don’t see any way your anonymity would be worse off compared to using your ISP. Even if the NSA outright owned and operated your VPN provider, I still don’t see how this hurts your anonymity compared to just using your ISP.

To me, I think it is fair to say that using a VPN probably won’t help your anonymity, but at the very least there is no situation in which it can hurt your anonymity, granted that you are using HTTPS/.onion.

When using a VPN you use an account. All your traffic from different locations, networks and IP addresses will be tied to the same account for the VPN provider. Guard nodes however have no additional information about you than the IP address.

I think it is unlikely for the adversary to infiltrate the Tor network, which is relatively hard and will never be completely successful as there will always be good guard and exit nodes as well, while not infiltrating the VPN service, which is a lot easier and very promising, as VPNs are a single point of failure and will allow surveilling regular users of the VPN that do not use Tor as well.

A VPN can increase the attack surface, as a malicious guard node in combination with malicious exit nodes of the same attacker can profile the user’s activity tied to the VPN’s IP address, reducing the anonymity to pseudonymity. If the attack is targeted they can then specifically target the VPN. Additionally, the VPN has the same attack surface as the guard node without the VPN, so that in the end additional attack surface gets introduced.

In my opinion it’s up to you how you want to protect yourself. If you’re that concerned about hiding your tor usage from your ISP you probably shouldn’t be using your home wifi to access tor. This is the number one concern of mine: why should you put your full trust in these technologies? Idc what methods you use to protect yourself, a vpn, bridge, tor, or even a combination of all 3. Never put your full trust in anything. Always prepare for everything to fail you. Assume your adversaries already know your real location, and make sure that location is nearly impossible to link back to your real identity.

User->ISP->VPN->Tor is at best a net zero gain for anonymity, User->ISP->Tor->VPN is detrimental to anonymity.

I don’t know what people are hoping to gain by using a vpn with Tor, at best it doesn’t help, at worst it undoes all the work the Tor network just did. We talked about this 4 days ago and the best I can gather is people are trying to conceal the fact they’re using Tor. Why concealing that is important is anyone’s guess, I think the worry is using Tor is going to get people thrown in prison?

If you want to use a VPN with Tor, make sure it isn’t tied to an account (ie. you don’t need to authenticate to use it) and it has many concurrent users on it.

When using a VPN you use an account. All your traffic from different locations, networks and IP addresses will be tied to the same account for the VPN provider. Guard nodes however have no additional information about you than the IP address.

Once they get your real IP address, it is game over. Your anonymity is gone. In the event of a correlation attack, by using a VPN at least the government needs to hack your VPN or somehow correlate your VPN’s packets to the Tor exit node’s packets. By not using a VPN, you give them your real IP address.

You have a point about 1 account being associated to multiple IP addresses. Perhaps it would be wise to use a single account for 1 IP address (as opposed to say sharing the same account with your family members who live outside the home).

think it is unlikely for the adversary to infiltrate the Tor network…while not infiltrating the VPN service
A VPN can increase the attack surface, as a malicious guard node in combination with malicious exit nodes of the same attacker can profile the user’s activity tied to the VPN’s IP address, reducing the anonymity to pseudonymity

But why has your anonymity decreased by using the VPN?

If they own the tor exit nodes and entry nodes, they will get your real IP address, regardless of whether or not you use a VPN.

If they own the tor entry/exit nodes and also own the VPN, they still get your real IP address.

If they happen to own only the tor entry/exit nodes but do not own your VPN, then they do not get your real IP address.

I don’t see how the use of the VPN provides any more harm to your anonymity.

you probably shouldn’t be using your home wifi to access tor

I suppose there are other concerns with using a library/coffee shop too. I believe the owner of silk road was raided at a public library. If I recall correctly they literally just took the laptop out of his hand while he was logged in.

User->ISP->VPN->Tor is at best a net zero gain for anonymity

Why do you say at best? I think it is fair to say that there is absolutely no way for a VPN to provide any damage here.

I don’t know what people are hoping to gain by using a vpn with Tor

Here are two reasons:

  1. You live in a country where Tor is legal, but regardless you don’t want your ISP and therefore your government to know you use Tor, as it is a major red flag with a huge stigma. You don’t want to use a tor bridge because these are supposed to only be used by people living in places where Tor is illegal.

  2. Correlation attacks. If the government owns a sufficient number of entry and exit nodes in the Tor network, they will be able to correlate your real IP. By using a VPN, at the very least you have put a small barrier up. It is even possible that this is potentially a significant barrier, assuming your VPN doesn’t log.

Well in this dystopia it’s a good idea to conceal your tor activity. Especially if you’re doing something illegal. The less attention you draw to yourself the better.

I’m new to this but I thought the point was, you use the VPN, then connect to the Tor network, so that once you hit the exit node, all traffic is encrypted by the VPN. So if the exit node is compromised, the owner can’t sniff that traffic anyway due to it being encrypted.

Is this not how it would work?

When using a VPN the VPN takes the place of the guard node.

Without a VPN the attacker has to observe your traffic entering at the guard node and leaving at the exit node. It does not necessarily have to control the nodes themselves, though that is an obvious option to achieve that, but seeing their network traffic, your network traffic or the destination’s network traffic works as well.

With a VPN the attacker has to observe your traffic at the exit node and at the VPN now. You basically shift trust from the guard node to the VPN. However there are two potential problems with this:

  1. The VPN already has more information on you with your account than the guard which has none. Thereby you concentrate more trust in a single entity. Depending on your situation and threat model this may or may not be an issue.

  2. The guard node does not lose its special position. While the middle and exit node are chosen randomly for every circuit the guard stays the same for a longer period of time. In the case of an attacker correlating your traffic at the guard and multiple exits this allows them to profile your traffic to a single entity tied to your VPN’s IP address. This would reduce your anonymity to pseudonymity and can enable further attacks for example on your VPN provider. Note that just observing your traffic entering and leaving the VPN server can be enough to correlate it. This attack surface is in addition to the regular attack surface of correlation between your entry point (either the guard or the VPN) and the exit which remains when using a VPN.

Yes he used the same public wifi when he was running the silk road. He never thought to hack into wifi and connect from a distance, and keep moving around. There’re obviously concerns with using public wifi especially if they capture your face on camera. I’m not sure if you’ve heard about Clearview AI, but if your face is all over social media you would be found quickly.

For the first part, there’s no real way a VPN would realistically help, if someone has enough control over the internet to break Tor it’s reasonable to assume they’ve done the same with VPNs. If we assume the VPN is safe and Tor is broke, all the VPN can offer is masking your home IP from the attacker. At worst the VPN is a honeypot and somebody is keeping track of every time you use Tor and are building a rap sheet on your activities.

If the government owns a sufficient number of entry and exit nodes

VPNs are not immune to this either, it’s trivial for any group to set up a VPN service and copy paste the no log policy onto their front page. There’s a good chance many VPNs are honeypots. This could reasonably be combated by stacking VPNs, pipe your stuff from one to the next to the next, but you’ve basically just created a lesser Tor network at that point.

you use Tor, as it is a major red flag with a huge stigma

Fair point, but if that’s the case it’s also reasonable to assume VPNs suffer from the same stigma, right? They’re more or less equivalent in the eyes of civilian law enforcement as being ways to circumvent surveillance and dodge the law. Either way, I agree a VPN is the best way to hide your Tor usage from your ISP, assuming you’ve guessed a safe VPN provider.

If a global adversary has the theoretical power to observe your traffic entering the guard node and leaving the exit node, then he will get your IP if you do not use a VPN. It is a 100% guarantee that your IP address will be leaked now. In this event, the adversary has broken tor and you might as well use the normal internet.

All you need to lose the game is for your IP address to be leaked. With your IP address they can now discover your name and address when they force your ISP to hand it over. It doesn’t matter if your VPN has your email address in addition to your IP. And you can use anonymous email and pay with monero.

In the case of an attacker correlating your traffic at the guard and multiple exits this allows them to profile your traffic to a single entity tied to your VPN’s IP address. This would reduce your anonymity to pseudonymity

But this is no different at all to not using a VPN. If you don’t use a VPN, they get your real IP, immediately. If you use a VPN, they have to hack/monitor your VPN.

Using the VPN provides no additional risk to your anonymity.

Without a VPN the attacker has to observe your traffic entering at the guard node and leaving at the exit node. It does not necessarily have to control the nodes themselves, though that is an obvious option to achieve that, but seeing their network traffic, your network traffic or the destination’s network traffic works as well.

This is the specific argument I was referring to in my other post. I have read it multiple times now from multiple people. This argument conflates 1) an unsophisticated actor who can only control Tor nodes with 2) a highly sophisticated actor who has control over most ISPs and can essentially view all packets over the internet.

These two actors are totally different. The first actor is not sophisticated enough to hack/monitor your VPN and correlate it to your exit node. Only the second actor is sophisticated enough to do this. So using a VPN can protect you against the first, but not the second. Tor cannot protect you against the first or the second.

Clearview AI

Holy shit, no I have not heard about this. It is pretty scary.

I wonder if you could create a bunch of profiles with fake names using your picture to try to mess up their algorithm.

if someone has enough control over the internet to break Tor it’s reasonable to assume they’ve done the same with VPNs

I don’t agree with this argument.

To break tor, all you need to do is control a percentage of guard nodes and exit nodes. That’s it. It does not require a high level of sophistication and money.

To break the general internet, you would somehow need control over all the packets being sent all over the world and store them in a database and correlate them all. While I suppose this is possible, it requires an extraordinarily higher level of sophistication than simply buying a hundred servers and configuring them as guard or exit nodes.

So I don’t think it is valid to claim that if an adversary could break tor it implies they are sophisticated enough to hack a VPN provider or monitor packets before and after a VPN provider.

If we assume the VPN is safe and Tor is broke, all the VPN can offer is masking your home IP from the attacker.

All the VPN can offer? Isn’t the entire point of Tor to prevent your IP address from being correlated to a website? If Tor really was broken, and leaks your IP, but your VPN saves you, that would be very excellent news indeed. It would be hard to justify not using a VPN.

At worst the VPN is a honeypot and somebody is keeping track of every time you use Tor and are building a rap sheet on your activities.

I totally agree with you on this. It is definitely possible for the VPN to be a honeypot and they can now correlate your IP to the destination website without having to perform a correlation attack on Tor. Saves them a lot of time.

You could potentially create your own VPN on your own anonymous web server (paid with monero) using open source technologies. But I suppose it is possible the web hosting company is logging packets and now you are back to square one. I need to read more about this approach, I think it sounds promising.

The other thing I like about the private VPN is for the case where you believe the NSA has broken tor by owning a % of the guard/exit nodes, and where NSA has figured out specifically to monitor packets from the top VPN providers, but is not as sophisticated as to have a general monitoring capability of the entire internet. In this model you could protect your IP by hiding behind an anonymous web server (that hopefully doesn’t log packets!).

I think it comes down to, which are you afraid of more, a correlation attack on the tor network, or a honeypot VPN? If you think a tor correlation attack is a realistic scenario, then your IP will maybe be protected if you get lucky and chose a non-honeypot VPN. If you think a tor correlation attack is not realistic, you’re probably better off avoiding VPNs in the event you chose a honeypot.

Fair point, but if that’s the case it’s also reasonable to assume VPNs suffer from the same stigma, right?

I could be wrong, but I am under the impression that many normal people use VPNs, for example for work related tasks, and that government has the same impression that I do. You see the NordVPN advertising on almost every YouTube paid promotion nowadays. I convinced my elderly father to use a VPN because he likes going to coffee shops and using his computer and it’s not safe to use their WIFI otherwise.

If we assume that a VPN is definitely a honeypot, what exactly can they do?

Of course, they can log. But what are they logging? For example they will know that you are accessing Tor. But do they know which websites you are requesting? Also if the honeypot owners also owned some exit nodes they can correlate you and get your IP (but this is no different than owning exit/entry nodes and correlating your IP if you don’t use VPN).

Is there anything else they can log?

Can they do anything more damaging, such as engage in a man in the middle attack and decrypt all of your content?

What about a bridge? There has been talk that it’s a good way to hide tor usage as well.

I think you don’t quite understand that the VPN server inherits the attack surface from the guard node.

If an adversary is able to observe all internet traffic world wide they can just correlate your traffic at the VPN and the exit node.

But this is no different at all to not using a VPN. If you don’t use a VPN, they get your real IP, immediately.

Yes, but this attack surface is in addition to the attack surface you had without a VPN. By using a VPN you shift the attack surface of the guard to the VPN so that you do not reduce the attack surface overall and additionally you still have attack surface at the guard on top of the attack surface you had before that is now shifted to the VPN. Overall you increase your attack surface by now having two persistent hops instead of one.

All you need to lose the game is for your IP address to be leaked. With your IP address they can now discover your name and address when they force your ISP to hand it over.

That is a very specific threat model in which your adversary can and will request your identity from your ISP based on your IP address and your IP address also uniquely identifies you. That is not necessarily the case. IP addresses can be shared by many people in a number of cases like many people being behind the same NAT or using a public network.
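
The disagreement in this thread (the "two persistent hops" argument versus the "two kinds of adversary" objection) can be put into one small threat model. This is an added example, not part of any post above; the parameters `f_guard`, `f_exit` and `p_vpn`, the independence of the three observation events, and the sample values are all assumptions made for illustration.

```python
import random

KEYS = ("real_ip_no_vpn", "real_ip_vpn", "vpn_ip_profile")

def closed_form(f_guard, f_exit, p_vpn, circuits):
    """Exact outcome probabilities for one guard-rotation period.

    f_guard: chance the adversary observes the user's (persistent) guard
    f_exit:  chance the adversary observes the exit of any single circuit
    p_vpn:   chance the adversary observes the user's (persistent) VPN
    """
    any_exit = 1 - (1 - f_exit) ** circuits  # at least one observed exit
    return {
        # No VPN: guard side carries the real IP.
        "real_ip_no_vpn": f_guard * any_exit,
        # With VPN: only the VPN side carries the real IP.
        "real_ip_vpn": p_vpn * any_exit,
        # With VPN, guard observed but VPN not: activity is linked to the
        # VPN's IP (a pseudonym), the extra surface described in the thread.
        "vpn_ip_profile": f_guard * (1 - p_vpn) * any_exit,
    }

def simulate(f_guard, f_exit, p_vpn, circuits, trials=20000, seed=1):
    """Monte Carlo check of closed_form with the same assumptions."""
    rng = random.Random(seed)
    hits = dict.fromkeys(KEYS, 0)
    for _ in range(trials):
        guard_seen = rng.random() < f_guard  # drawn once: guard persists
        vpn_seen = rng.random() < p_vpn      # drawn once: VPN persists
        exit_seen = any(rng.random() < f_exit for _ in range(circuits))
        if not exit_seen:
            continue                         # nothing to correlate against
        if guard_seen:
            hits["real_ip_no_vpn"] += 1
        if vpn_seen:
            hits["real_ip_vpn"] += 1
        elif guard_seen:
            hits["vpn_ip_profile"] += 1
    return {k: v / trials for k, v in hits.items()}

if __name__ == "__main__":
    # Constructed scenarios, not measurements of the real Tor network.
    scenarios = {
        "relay operator only": (0.10, 0.10, 0.00),
        "relay operator + honeypot VPN": (0.10, 0.10, 1.00),
        "network-wide observer": (1.00, 1.00, 1.00),
    }
    for name, (g, e, v) in scenarios.items():
        print(name, closed_form(g, e, v, circuits=10))
```

The real-IP risk with a VPN tracks `p_vpn` instead of `f_guard`, so which setup is worse depends on which of the two the adversary finds easier to observe; `vpn_ip_profile` is the residual pseudonymous linkage that exists only in the VPN setup.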