Date: Mon, 2 Feb 2015 09:17:03 +1100
From: Zenaan Harkness <zen@freedbms.net>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Tor -> VPN Clarification

On 2/2/15, Joe Btfsplk <joebtfsplk@gmx.com> wrote:
> On 2/1/2015 4:11 AM, Bill Berry wrote:
>> My take (on his take :) ) was that;
>>
>> a) trusting a VPN for security is a bad idea because no VPN operator is
>> going to go to jail for you (see HideMyAss and Sabu etc)
> More details about the reference to HideMyAss & Sabu, Re: them not going
> to jail for users?
>
> This VPN & Tor (or Tor & VPN) subject - and its discussion here has
> become complex.
> Maybe too complex for all but a handful of folks?
>
> Does Tor Project or sources they recommend ("trust") have more down to
> Earth guides to If, when, where, how - of using VPN & Tor?

I agree that the descriptions / ascii arts are probably not up to
scratch at this point.

Let's create some diagrams so we can talk about scenarios (this is
just a rough crack at it, please modify/ fix as needed):

vpn = virtual private network
vps = virtual private server
www = destination website/ public internet service
tor hs = tor hidden service
tbb = tor browser bundle
| = or

**) vpn then tor:
browser
 -> vpn proxy -> VPN -> tor proxy -> TOR
 -> www | tor hs

where:
 TOR = tor entry -> tor mid -> tor exit

and where:
 VPN = vpn client -> local isp -> vps/vpn isp
        -> vps/ mixnet -> vpn server/ exit node

The vpn client could be ssh, and vpn server sshd.
Alternatively the JAP client and JAP's backend, etc.

If you run an ssh vpn, say on a vps, then your "tor proxy" can run on that vps.

This is not recommended.

Although it gives some privacy against your local isp, you would need
to trust your vps isp (assuming you are running your own vps, for your
ssh based vpn) - not recommended since the vps isp will generally have
full root access to your vps (at least to the disk image/ files).

(The terminology here might need to be improved - tor proxy might not
be the right term?)


**) tor through vpn:
browser
 -> tor proxy -> vpn proxy -> VPN -> TOR
 -> www | tor hs

This is better, since tor is running "on top of" or "through" the vpn.
The vps (or vpn mixnet) can still see that you are accessing the tor
network, but at least your local isp cannot (you get some local
privacy, only seeing you running ssh).

(BTW, why is ssh "visible" at all - surely there is a protocol to set
up an encrypted link, in full privacy? - should be a separate thread
though.)


**) vpn through tor:
browser
 -> vpn proxy -> tor proxy -> TOR
 -> VPN -> www

Here your local isp might know that you're running tor, but not what
you are accessing (a vpn).

The vpn isp/provider will know (if they want to) what website you're
accessing, assuming they know it's your vpn account (or your vps).

So the only way this would be useful for much is if you don't need
much in the way of privacy/ anonymity against your vpn provider (in
which case, why bother), or your vpn is anonymous (ie the talk about
paying for your vpn/vps with bitcoin).

Also in this scenario, any Tor HS access would not get to your vpn at
all (if you're lucky :)

Good luck,
Zenaan
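
The three orderings sketched in the message above can be compared with a toy model of nested tunnels. This is an added example, not part of the original post; the hop names follow the post's diagrams, and the tunnel endpoints (including the first scenario's tor proxy running on the vps) are assumptions made for illustration.

```python
# Added illustration: toy model of nested tunnels, not code from the thread.
# A tunnel (name, start, end) hides its payload from every hop strictly
# between start and end; the hop at `end` strips it and sees the next layer.

TOR = ["tor entry", "tor mid", "tor exit"]

# Constructed scenarios: (path of hops, tunnels as (name, start hop, end hop)).
SCENARIOS = {
    "vpn then tor (tor proxy on the vps)": (
        ["client", "local isp", "vps", *TOR, "www"],
        [("ssh", "client", "vps"), ("tor", "vps", "tor exit")]),
    "tor through vpn": (
        ["client", "local isp", "vpn server", *TOR, "www"],
        [("vpn", "client", "vpn server"), ("tor", "client", "tor exit")]),
    "vpn through tor": (
        ["client", "local isp", *TOR, "vpn server", "www"],
        [("tor", "client", "tor exit"), ("vpn", "client", "vpn server")]),
}

def visible(path, tunnels, hop):
    """Return what `hop` observes: the name of the outermost tunnel that
    covers it, or the cleartext destination if no tunnel covers it."""
    i = path.index(hop)
    covering = []
    for name, start, end in tunnels:
        s, e = path.index(start), path.index(end)
        if s < i < e:
            covering.append((e, name))
    if covering:
        # The layer stripped soonest is the outermost one on the wire.
        return min(covering)[1]
    return "dest:" + path[-1]

def report(scenario):
    """Map every intermediate hop of a scenario to what it can observe."""
    path, tunnels = SCENARIOS[scenario]
    return {hop: visible(path, tunnels, hop) for hop in path[1:-1]}

if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(scenario)
        for hop, seen in report(scenario).items():
            print(f"  {hop:<11} sees {seen}")
```

The model tracks only which layer is visible at each hop; it does not model who can link that traffic to an account or a source address.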

