Isn’t TOR secure enough? Adding a VPN layer is extra security, yes but is it really necessary?
I’m just trying to understand the technicalities of it.
In my theory, TOR is secure as it is, as it is designed already to be even safer than VPNs.
I think the VPN recommendation is just in case you end up following a link to the clearnet = yes? Or for people who are not very tech savvy and might end up opening a link in a regular browser instead of Tor.
Also, some are suggesting to run TOR and do darknet stuff in VirtualBox. Again, I’m trying to understand the practical application where that would be helpful.
Tor over VPN: not recommended, unless you’re in a country where you cannot connect to Tor without a VPN or where bridges are much slower than a VPN.
Tor in virtual machine: Prevents darknet exploits from infecting your host OS, your bare-metal machine. More secure than Tor running on your main PC’s bare metal. Not infallible, since VM penetration exploits are found once in a while and sophisticated malware might try penetration in its infection process, thus also infecting your host machine, so for complete safety, use a separate computer with microphones and webcams removed when not in use.
Another use for a VM is to run Linux desktop / command line apps through Tor with a for-Tor distro like Tails or Whonix; then you won’t have to configure Tor (and split tunnel if you want UDP to work) on your bare-metal OS.
All the popular VPNs log info. They don’t protect against anything other than VERY basic privacy, and possibly avoiding giving out your IP to some trackers.
You also need DNS when you reach your exit. This may be intentionally or unintentionally logged or viewed while on Tor.
Yes, TOR is secure enough. But using a VM, a bridge, or a (trusted and log-free) VPN may further increase security against specific threats. If you need them, you probably already messed up, but you’d be glad they’re there.
If using a normal OS, use a VPN to protect normal traffic. And if you want to use Tor Browser, do Tor Browser over VPN (leave VPN running as usual, then later launch Tor Browser).
In “Tor Browser over VPN” configuration, VPN doesn’t help or hurt Tor Browser, and VPN helps protect all of the non-Tor traffic (from services, cron jobs, other apps) coming out of your system while you’re using Tor browser (and after you stop using Tor browser). Using a VPN and letting the VPN company see some info is better than letting your ISP see the same info, because the ISP knows more about you. So leave the VPN running 24/365, even while you’re using Tor Browser. [PS: I’m talking about running TB in a normal OS; Tails is a different situation.]
That said, neither VPN nor Tor/onion are magic silver bullets that make you safe and anonymous. VPN mainly protects your traffic from other devices on same LAN, from router, and from ISP. Also hides originating IP address from destination web sites. Tor/onion does same, but only for Tor browser traffic; also adds more hops to make it harder to trace back from the destination server to your original IP address, and also mostly forces you into using good browser settings. Both VPN and Tor/onion really protect only the data in motion; if the data content reveals your private info, the destination server gets your private info.
> Isn’t TOR secure enough? Adding a VPN layer is extra security, yes but is it really necessary?

It isn’t necessary. Using a VPN is a bad idea. VPNs are trash and VPN companies are full of shit. They do not give you “an extra layer of security” but they have convinced the public that they do through malicious advertising campaigns.
> I think the VPN recommendation is just in case you end up following a link to the clearnet = yes?

No. Tor works over the regular internet as well. It is REQUIRED to access onion domains.
> Also, some are suggesting to run TOR and do darknet stuff in VirtualBox. Again, I’m trying to understand the practical application where that would be helpful.

VirtualBox is an OK setup. A better one utilizes better isolation. The benefit is that if you get infected through an exploit (i.e., Tor Browser has a vulnerability), the VM will be infected instead of your main OS. To go further they must perform a VM escape (not trivial to dismiss as a possibility!).
Unless you set up a VPS with a stolen credit card (lol) in a country that is outside of the 14 eyes, then no, don’t use a VPN if you’re concerned about any form of logs. If you actually have operational security needs, use Tails OS. The second you connect to the initial relay, your ISP knows you’re using TOR. Start with baby steps, like routing your traffic with DNSSEC, and hosting your own DNS server instead of using the default ISP DNS server, etc.
The reason you would run an OS in a container would be to mitigate exposure to your hardware if you download something on TOR that you shouldn’t have downloaded.
Who recommends you not use a VPN, exactly? The Tor Project? The guys who announce vulnerabilities to the feds before the public, and intentionally leave them unpatched? The problem with if Tor is not safe, is if that Tor is not safe, then you should not take safety advice from them. Tor was not developed to keep NG individuals anonymous, nor is it maintained with that as a goal, and since they ain’t tryna do that, listening to them about how to do that is foolhardy to say the least. Tor Project should be treated like a bad actor; advice they give on staying anonymous should be heavily scrutinized and looked at through a window of, is it possible this is something I would be told if I was being given bad advice.
Use a VPN, bare minimum use one where the company is not based in the US or subject to NSA letters or American warrants. NordVPN is by far the best. Connect to servers in Panama or Romania. Mullvad is good too. Sign up and pay in a way that isn’t linked to you. Don’t ever do personal identity-revealing stuff tied to it, like logging into your Google account or any similar actions.
Tor alone is good enough… for what? For browsing onion sites. Beyond that, if your freedom or life depends on untraceability, fuck no. Use I2P links whenever possible, and don’t count on Tor as anything more than a penetrable layer that when pierced will reveal nothing but encrypted I2P traffic.
This myth of “malicious nodes” is infuriating. A malicious node won’t compromise your privacy on TOR, that’s the entire purpose of TOR. There are multiple nodes and they’d all need to be malicious. This is very, very unlikely.
I use a VPN 24/365 to protect the non-Tor traffic of my system. Then when I want to access an onion site, I launch Tor Browser and thus have Tor over VPN.
Tor Browser is secure by itself. Tor Browser doesn’t need help from a VPN. VPN doesn’t help or hurt the Tor traffic. VPN is there for the non-Tor traffic.