@NeuronautML@lemmy.ml (20d)

The thing about anonymity that a lot of people don’t get is that there is no such thing as 100% anonymous. A VPN makes it more expensive to track you. Tor makes it more expensive to track you. Good opsec makes it more expensive to track you, but ultimately, if you’ve got a target on your back, there is no way to be 100% anonymous.

The thing you gotta ask yourself is, what is your threat model? Are you hiding from LEO on account of torrents or just want some privacy from corporations? A VPN is fine. Are you buying drugs on the darkweb? Tor is fine. Are you selling drugs on the darkweb? You probably need a more sophisticated masking network mesh. Are you involved in CSAM or run a darkweb market? Nothing you do will help you, you are going to get caught, that is a certainty.

Don’t go wasting your precious brain matter on developing a leak-free network. There is no such thing. If someone wants badly to track you down, with enough money, they will. The best you can do is be a little bit more trouble than it’s worth to spend on you. For some things, like I mentioned before, there is a cutoff point where you’re as anonymous as you’ll ever be. For others, there are basically unlimited resources to track you. Even using Tor, they can get you at your entry node, like has happened before, if no one else in your neighborhood is connected to Tor.

You can use bridges even with VPNs as simple as Calyx or Riseup.

What about the fact that many large VPNs are owned by (the same) ad companies / data mining companies? Despite the technical discussion, aren’t we ultimately placing our trust in the hands of the untrustworthy?

Maybe if you can go through 2 VPN servers?

Like ProtonVPN and their “Secure Core” feature, where the connection first goes to a VPN server in a country with higher privacy protections (like Switzerland, Iceland, etc.), then to any location of your choice. I like to pick US, Canada, or UK, so websites always appear in English.

It’s much harder to unmask a Secure Core connection with Switzerland --> United States, for example.

(Not sponsored, and other providers may also have such a feature)

Or you could just use Tor.

NSA also runs Tor nodes.

Every time you connect to Tor, you are rolling the dice on 3 random nodes.

If you use Tor frequently, you’ll eventually end up with 3 NSA-run nodes. It may take a week, it may take months, but it will eventually happen.

Edit: I use Tor though, I just also run a VPN at the same time, in case I get unlucky and roll 3 NSA nodes.
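An added worked example (not the commenter’s code, not anything from the Tor Project) to put numbers on the “rolling the dice” picture above. It models an adversary controlling a fraction f of bandwidth-weighted relay selection; f is a constructed parameter, not a measurement of any real operator. Two regimes are compared: a fresh entry relay for every circuit (the picture in the comment) and Tor’s actual design, in which a client keeps one entry guard for an extended period (months) rather than re-rolling it per circuit. For end-to-end correlation only the entry and exit matter, so the middle relay is left out of the model.

```python
"""Added example: odds that an adversary running a fraction f of Tor's
(bandwidth-weighted) relays sits at both ends of one of your circuits.
f is a constructed parameter, not a measurement of any real operator."""
import random


def per_circuit(f):
    """Entry and exit both adversary-controlled. The middle hop is irrelevant
    for end-to-end correlation, so this is f*f rather than f**3."""
    return f * f


def p_fresh_guard_each_circuit(f, n_circuits):
    """'Rolling the dice' picture: every circuit picks a new entry, so exposure
    accumulates over n circuits as 1 - (1 - f^2)^n."""
    return 1.0 - (1.0 - per_circuit(f)) ** n_circuits


def p_pinned_guard(f, n_circuits):
    """Tor's guard design: one entry guard is kept for an extended period.
    Within that period the adversary needs the pinned guard (probability f)
    AND at least one adversary exit among the n circuits; if the guard is
    honest, every circuit in the period is safe from this attacker."""
    return f * (1.0 - (1.0 - f) ** n_circuits)


def simulate(f, n_circuits, trials, pinned_guard, seed=0):
    """Monte Carlo check of the two closed forms above.
    Returns the fraction of trials in which at least one circuit had an
    adversary entry and an adversary exit."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        guard_bad = rng.random() < f          # guard chosen at period start
        for _ in range(n_circuits):
            if not pinned_guard:
                guard_bad = rng.random() < f  # re-roll the entry every circuit
            if guard_bad and rng.random() < f:  # exit also adversary-run
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    f, n = 0.10, 100  # constructed: 10% of selection weight, 100 circuits
    print(f"fresh entry per circuit: {p_fresh_guard_each_circuit(f, n):.3f}")
    print(f"pinned guard:            {p_pinned_guard(f, n):.3f}")
    print(f"simulated (pinned):      {simulate(f, n, 10000, True):.3f}")
```

With f = 0.10 and 100 circuits the fresh-entry model gives roughly a 63% chance of at least one fully compromised circuit, while the pinned-guard model caps it near 10%: the guard either is or is not adversary-run for the whole period, which is exactly why Tor pins it.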

Many people run Tor nodes. I also used to run exits until dealing with complaints became onerous, then I ran middle relays for many years. In general one should only pipe encrypted traffic through Tor, if only because of malicious exits which sniff and tamper with your traffic. There are use cases for using Tor together with a VPN tunnel, but these need careful consideration.

@rumba@lemmy.zip (21d)

It takes a lot to coordinate a timing demask. Those VPN nodes are busy. You also need to be monitoring very close to the ingress/egress, which means you’re going to need ISP or data center cooperation.

Doing this to Tor is a little more approachable, because you can run tons of exit nodes* in your own data center. If you throw enough money at the problem, it’s possible to greatly raise the chances of keeping the entire conversation in your own data center.

The thing is, none of this is trivial. And it’s *probably not a good candidate for automation. So you’re really going to have to have pissed in somebody’s wheaties sufficiently to become a target.

If you’re doing anything that’s prison-term illegal, all bets are off that a VPN will sufficiently protect you by itself.


I think you read the news about Germany unmasking somebody who was using an older version of a Tor app. This has been proven to be mostly a user error.

The attacks occurred on an old version of the long-retired application Ricochet that lacked new features The Tor Project has released since to mitigate against the kind of ‘timing’ analysis described in the articles. The most current versions of Ricochet-Refresh have such protections in place.

https://blog.torproject.org/tor-is-still-safe/

The German deanonymization was done in 2021 and only reported now. And the Tor Project did not receive the report from the investigators, only the CCC did.

So we do not know how the deanonymization was done.

Some VPNs allow multi-hopping, similar to Tor. I couldn’t give you an exhaustive list but most popular ones support this. Mullvad and Proton do, for example. There are also strategies to add noise into VPN traffic.

This is not a silver bullet, of course. Tor has similar problems as you describe if an adversary has visibility into enough nodes. As always, this comes down to your threat model.

On the one hand, I find the advertising of VPNs outright dishonest. On the other hand, I would trust any reputable VPN provider much more than I trust my ISP or cell carrier.
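An added worked example (not any commenter’s code and not any provider’s implementation) covering two points raised in this thread: the “timing demask” that needs an observer near both the ingress and the egress of a tunnel, and the idea of adding noise to VPN traffic. The flows are constructed, not captured. The attacker bins byte volume per 10 ms on each side and uses Pearson correlation over a handful of candidate lags to decide which ingress flow produced the egress flow it watched. The constant-rate shaping at the end is an idealised stand-in for cover traffic, not a description of any shipping scheme; latency, jitter, bin width and cell interval are all assumed values.

```python
"""Added example: end-to-end flow correlation and why cover traffic blunts it.
Constructed flows, not real captures. One observer sits at the ingress
(client -> tunnel), one at the egress (tunnel -> destination); each records
(timestamp_seconds, size_bytes) per packet."""
import random
from statistics import mean, pstdev

BIN = 0.01      # seconds per bin (assumed)
WINDOW = 10.0   # seconds of observation (assumed)


def make_bursty_flow(rng, n_bursts):
    """Constructed client-side flow: bursts of packets 10 ms apart at random offsets."""
    pkts = []
    for _ in range(n_bursts):
        t0 = rng.uniform(0, WINDOW - 1)
        for i in range(rng.randint(3, 12)):
            pkts.append((t0 + i * 0.01, rng.choice([60, 120, 1400, 1500])))
    return sorted(pkts)


def observe_egress(rng, flow, latency=0.04, jitter=0.002):
    """Far-side view of the same flow: each packet delayed by latency plus jitter."""
    return sorted((t + latency + rng.uniform(0, jitter), s) for t, s in flow)


def bin_bytes(flow):
    """Bytes per BIN-sized slot over WINDOW; anything outside the window is dropped."""
    bins = [0.0] * (int(WINDOW / BIN) + 1)
    for t, s in flow:
        idx = int(t / BIN)
        if 0 <= idx < len(bins):
            bins[idx] += s
    return bins


def pearson(a, b):
    """Pearson correlation; 0.0 when either series carries no variation at all."""
    sa, sb = pstdev(a), pstdev(b)
    if sa == 0 or sb == 0:
        return 0.0
    ma, mb = mean(a), mean(b)
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / (len(a) * sa * sb)


def correlate(ingress, egress, max_lag_bins=8):
    """Best correlation over small non-negative lags (the egress trails the ingress)."""
    vi, ve = bin_bytes(ingress), bin_bytes(egress)
    return max(pearson(vi[:len(vi) - lag], ve[lag:]) for lag in range(max_lag_bins + 1))


def identify(egress, ingress_flows, max_lag_bins=8):
    """Return (index of best-matching ingress flow, margin over the runner-up).
    A margin of zero means the observer cannot tell the candidates apart."""
    scores = [correlate(f, egress, max_lag_bins) for f in ingress_flows]
    ranked = sorted(range(len(scores)), key=lambda i: -scores[i])
    runner_up = scores[ranked[1]] if len(scores) > 1 else 0.0
    return ranked[0], scores[ranked[0]] - runner_up


def constant_rate(flow, interval=0.05, size=1500):
    """Idealised cover traffic: a fixed-size cell every interval regardless of
    what the application sends, so timing and volume carry no information.
    Stand-in for the 'add noise' idea, not any provider's actual scheme."""
    del flow  # application data deliberately ignored
    return [(k * interval, size) for k in range(int(WINDOW / interval))]


def demo(seed=1, n_flows=4, target=2):
    """Run the attack against raw flows, then against constant-rate shaped flows."""
    rng = random.Random(seed)
    ingress = [make_bursty_flow(rng, rng.randint(2, 4)) for _ in range(n_flows)]
    egress = observe_egress(rng, ingress[target])
    raw_guess, raw_margin = identify(egress, ingress)
    shaped_ingress = [constant_rate(f) for f in ingress]
    shaped_egress = observe_egress(rng, constant_rate(ingress[target]))
    shaped_guess, shaped_margin = identify(shaped_egress, shaped_ingress)
    return {"target": target, "raw_guess": raw_guess, "raw_margin": raw_margin,
            "shaped_guess": shaped_guess, "shaped_margin": shaped_margin}


if __name__ == "__main__":
    print(demo())
```

On the raw flows the correct ingress flow wins with a clear margin even though the observer never sees packet contents; after shaping, every candidate looks identical and the margin collapses to zero. Real cover traffic is not free (bandwidth, battery) and real attackers use better estimators than Pearson on fixed bins, which is why the thread’s “it comes down to your threat model” applies here too.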

masterofn001 (21d)

IVPN is one service that not only supports the use of Tor, but they also invest in the Tor organization and run a lot of nodes.

Their site is also a goldmine of basic to advanced level docs on serious privacy and security (free), including detailed instructions for creating your own anon servers, VPS, etc., and how to use a VPN with Tor properly.

They are quite serious about what they do and how they do it.

I find the advertising of VPNs outright dishonest.

Can you explain? I’m curious

@hersh@literature.cafe (22d)

Sure. I’m referring to the ones that run big ad campaigns, like Nord and Mullvad. They tend to overstate how a VPN can protect you, sometimes in ways that barely make sense. There is no epidemic of criminals stealing personal credit card information over insecure wi-fi, for example. The ads play into ignorance and fear.

That said, yeah, I’d rather be on a VPN when on a public wi-fi network. But I’m not really worried about someone sniffing my encrypted HTTPS traffic (which is pretty much everything nowadays; Firefox by default won’t even load unencrypted web sites).

You mean Nord, Express and Surfshark? I’ve never seen an ad from Mullvad.

Mullvad had a huge ad in Times Square this summer.

@hersh@literature.cafe (21d)

They have a big IRL ad campaign in major US cities. See https://mullvad.net/en/blog/advertising-that-targets-everyone

These ads certainly aren’t the worst, but they’re still a bit misleading. Using a VPN is not going to prevent tracking in general. Your phone apps will still send GPS data to all the same places. Web sites will still use all the same cookies. Facebook is still gonna be Facebook. 🤷

That said, Mullvad does include domain-based ad and tracker blocking with their DNS server (which is free and available to the public, btw), and that’s also optional on the VPN, so it does help to a point.

(Pinging @countrypunk@slrpnk.net to avoid double-replying.)

Mullvad runs big ad campaigns? That’s news to me.

Em Adespoton (22d)

The main defense against VPN timing attacks is to ensure your VPN exit node isn’t somewhere that the same person would have access to as your connecting IP.

That said, if someone runs a website or service where you have a unique login or custom token and they have access to your ISP’s connection logs… a standard VPN will once again give you away. This is why TOR exists.

I generally argue that an exit VPN doesn’t really provide much privacy; the only real services it provides are georelocation and protection against low-effort bulk filtering (e.g., identifying torrenters or bulk metadata collection).

For everything else, either encryption and third party DNS is enough, or the exit VPN isn’t enough to stop targeted surveillance.

But Tor also gives you away if you log in.

Also, if you have a limited-RAM smartphone and your VPN is operating in userspace, then all it takes is for one really large image to grace your smartphone screen for your OS to go into out-of-memory kill mode. What’s it going to kill? The foreground app you’re trying to use, or the background VPN app?

In my experience, the VPN goes down before the browser does. Mounting a swap on your phone is not the worst solution against this, but the UI starts to get really unresponsive.

I’m using Mullvad on a cheap T-Mobile phone and it never shuts down my VPN app, no matter what else is running.

The only time it goes down is if it powers down completely. Then I have to start it manually after the phone powers on.

masterofn001 (22d)

In Settings on my Android, non-root:

Always-on VPN. Block unless active.

@tetris11@lemmy.ml (22d)

If you are who I think you are, we’ve probably had this discussion before. Even with an always-on VPN, if the system runs out of memory it will kill the VPN first before the browser. In a perfect world the traffic would still be routed into a dead tunnel. From what I’ve seen, once the VPN is killed, the tunnel device is gone and the default route snaps back to wlan.

On Android, you can turn on “Block connections without VPN” and all connections are blocked if the VPN gets disconnected. This also makes VPN-based firewalls not work, and if you use “Split Tunnel”, the apps that don’t go through the VPN and connect directly to the internet also stop working.

masterofn001 (22d)

I am not. And I’ve never had this discussion.

Always on vs the additional option of blocking internet until the VPN connects.

The second option is more system level?

Using Shizuku (rish) in Termux, I checked the active links with the VPN on, then force stopped / killed the VPN in the terminal and checked again. The VPN tunnel disappeared but the dummy kill switch tunnels remained. I could not access any network connection.

*The routing table also maintains the dummy kill switch

(oh sorry, but) I’ve heard this argument before. All I can say is that in my experience, when the system is out of memory, it kills some process (e.g. the UI) which upon restarting resets the networking

masterofn001 (21d)

You’ll be happy to know I just force killed:

Android system
Google services framework
Network
System UI
System WiFi Resources
Wi-Fi
Settings
System connectivity resources
Secure UI service

The results are the same

VPN kill switch prevents network access.

*later, when I’m connected to a PC, I’ll try killing/restarting userspace, shell, and user to see if I can get the kill switch to fail. (If I try those now it may kill shizuku which relies on shell - not sure.)

I’ll also see if I can’t force lmk to kill all the memory.

In the output of cmd settings list secure, these may be part of what keeps the system from allowing a connection:

always_on_vpn_lockdown=1
always_on_vpn_lockdown_whitelist=

Yet another argument for root. Then you can exclude the VPN app from OOM. Or even move it into /system.

I understand why this isn’t done (moving such apps to system), since mobile uses an immutable OS concept. But we still need a way to manage such apps appropriately.

Then you can exclude the VPN app from OOM.

I didn’t know about this feature. What’s the config?

OOM_DISABLE on $PID or echo -17 > /proc/$PID/oom_adj

I hope DAITA gets implemented in all VPN services.

youmaynotknow (21d)

And for all devices. Seems it’s only available for Windows. WTF?
