To VPN or NOT?


Status
Not open for further replies.

MichaelRSorg

VPN vs. Tor is interesting. Both encrypt data before it leaves your computer. Simply put:

A VPN provider can see most of what you do online, just as an ISP can when not using a VPN. So trust is shifted. But, you can shop around and try to find a trustworthy VPN provider. Here in the US, thanks to the corruption in our government, most people have no choice when it comes to ISP.

Tor tries to get rid of the need to trust a VPN provider. Like a VPN, Tor sits between you and the ultimate destination of your data. Tor involves three randomly connected computers (out of a pool of thousands): the one you connect to (Tor entry node), a middle one, and the third one (Tor exit node), which does the final decryption and sends your data out to the Internet in the same form it would have been without Tor. The Tor entry node knows who you are (from your IP address) and the Tor exit node knows where your data is really going, but no Tor computer knows both. The downside (other than speed) is that you cannot shop around for a trustworthy Tor exit node. It is reasonable to assume that spy agencies run some of them.
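
An added illustration of the three-hop layering described in the post above; it is not part of any post in this thread and is not Tor's own code. It assumes a toy hash-based stream cipher, pre-shared per-relay keys, and constructed relay names and addresses, and records what each relay can observe while peeling its layer.

```python
import hashlib, json, os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). NOT Tor's real crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, obj):
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, json.dumps(obj).encode())

def unseal(key, blob):
    return json.loads(keystream_xor(key, blob[:16], blob[16:]))

def build_onion(path, keys, destination, payload):
    """Client side: wrap the innermost (exit) layer first, the entry layer last."""
    cell = seal(keys[path[-1]], {"next": destination, "data": payload})
    for i in range(len(path) - 2, -1, -1):
        cell = seal(keys[path[i]], {"next": path[i + 1], "data": cell.hex()})
    return cell

def route(client_ip, path, keys, cell):
    """Each relay peels one layer; record what that relay can observe."""
    seen, prev = {}, client_ip
    for relay in path:
        layer = unseal(keys[relay], cell)
        seen[relay] = {"from": prev, "to": layer["next"]}
        if relay == path[-1]:
            seen[relay]["payload"] = layer["data"]  # exit sees what leaves Tor
        else:
            cell = bytes.fromhex(layer["data"])     # still encrypted for next hop
        prev = relay
    return seen

# Constructed sample circuit and addresses (documentation ranges, not real relays).
PATH = ["entry", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in PATH}  # assumption: keys already agreed
CLIENT, SITE = "203.0.113.7", "example.com:80"

def demo(payload):
    return route(CLIENT, PATH, KEYS, build_onion(PATH, KEYS, SITE, payload))

if __name__ == "__main__":
    for relay, view in demo("GET /setup.exe HTTP/1.1").items():
        print(relay, view)
```

The exit relay's view contains the destination and the payload exactly as it leaves the circuit, so a plain HTTP request is readable there, while a TLS session carried inside the same payload would still be ciphertext to it.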
 

PHolder

Tor *could* work like a VPN, but it relies on you placing too much trust in the exit node. Accordingly, you probably still want to use HTTPS traffic over Tor and be extra cautious and suspicious.

Anyone can operate a Tor exit node... including such undesirable people as Russian or Chinese or North Korean hackers, the NSA (or equivalent TLAs from other countries) or just ne'er-do-well malware-toting hackers. They could theoretically alter your content on exit (to include maliciousness) or they can add content to your inbound download. Say you thought you were downloading a safe .EXE and they replace it (man-in-the-middle style) with something that attacks you.
 

Dave

PHolder said:
> Tor *could* work like a VPN, but it relies on you placing too much trust in the exit node. Accordingly, you probably still want to use HTTPS traffic over Tor and be extra cautious and suspicious.
>
> Anyone can operate a Tor exit node... including such undesirable people as Russian or Chinese or North Korean hackers, the NSA (or equivalent TLAs from other countries) or just ne'er-do-well malware-toting hackers. They could theoretically alter your content on exit (to include maliciousness) or they can add content to your inbound download. Say you thought you were downloading a safe .EXE and they replace it (man-in-the-middle style) with something that attacks you.

True. Though don't most of those big potential bad actors also have control of some trusted root certs?
 

SeanBZA

Thing is, the bad actors tend to provide exit nodes with very high bandwidth, and with heavy-duty processors, so they get preferential treatment as being lower latency, thus tend to become exit nodes, and it is then when they can add the malicious code to the blob and send it up. Easy to see if the unwrapped packet is another shell of the onion, or if it is the final wrapper exposing the inner data. For the malicious site then all they need to do is add in extra scripting, and in addition, if you are a letter agency, you have the ability, due to owning some trust at root certificate level, to simply issue your own self-generated, on-the-fly trusted certificate for the site, and then impersonate the site to the user, and vice versa impersonate the user to the site, sitting in the middle with open decrypted access. Then simply add in the requisite code to get the actual user browser to at least leak information about location, or other things, running as trusted script in the browser. Only not going to work with browsers that have built-in pinned certificates, but in general Tor is not often used with Chrome, so it can have the certificate store quietly poisoned, using the built-in trusted cert stores, of which, as Steve has pointed out before, there are many.

At least using a VPN you are pretty sure that you only have a single hop, and have to trust the VPN provider, though pretty much every one has exit nodes that are known, and which often are targeted by state actors in order to eavesdrop on the traffic, more for the who and to who, and when, which is very much a much better source of intel than the actual content.
 