quote:
But that's why you create a different persona and don't mix your regular persona with your TOR persona. I think the SilkRoad dude got caught because he mixed personas. And I think there was a Firefox vulnerability, but I think using a VM you delete and restore from image after each session would reduce that risk.
I think using TOR is fine in conjunction with other things like good practices and a VPN. But it also comes down to what you are doing with it. Just wanting to be safe at Starbucks? VPN. Wanting to appear to be in a different country? VPN. Wanting to remain private? I think the additional layers of obfuscation that TOR provides are beneficial.
Of course this should only be used for legal purposes where you just want to remain private.
I get what you're saying, and yes, the Silk Road guy got busted because he messed up and basically gave the authorities a piece of information that linked his obfuscated online identity to his real identity. In the OP's case (and based on the 10+ other threads he's started recently), I think he's more concerned with keeping his data secure from eavesdroppers and exploits that might exist when going about his daily life, occasionally using public wifi at a coffee shop or wherever (aka not wanting/willing to maintain a separate online persona and most likely not trying to cover his tracks from shady/illegal activity).
I have concerns with things that I commonly see recommended on threads like this one (mainly, the use of a public VPN service and/or Tor), and I think a lot of it really stems from the general public's lack of understanding of what those technologies are designed to do, including opening up new vulnerabilities and attack vectors that many folks don't consider when they're leaned on as catch-all problem solvers.
Let's start with VPN. At the end of the day, a VPN is nothing more than a tunneling mechanism that encapsulates (and usually encrypts) your traffic between two endpoints. It's great if you want secure access into a network (like your company) that wouldn't ordinarily be available outside a firewall, for example. This is a situation where you would generally trust the entity that set up the VPN tunnel (your company) and also the network in which the endpoint of the VPN resides (your company's network).
Now let's shift over to free or paid public VPN services on the internet. Keep in mind that when you use a VPN, you're passing all of your network traffic through the endpoint on the other side of the tunnel (meaning that, if they wanted to, the operator of the VPN could monitor/log all of your traffic). Now, in reality, that would still be of limited use if all of your sensitive information is passed to its final destination via secure protocols like HTTPS, SSH, etc. However, there's still enough plaintext data passed around during the course of everyday web browsing that most people probably aren't as anonymous as they think if their network traffic is really under a microscope (not limited to but including logging of which sites/services are accessed, even if the payload content of exchanges is encrypted using higher-level protocols). There was a thread started the other day on here about a new free VPN service run by Opera, and then it was quickly mentioned that Opera was now controlled by a Chinese company. Red flags, much?
Now on Tor. Great for two things... keeping your physical location completely private via its system of bouncing encrypted traffic between intermediate nodes before reaching an exit node, and accessing "dark web" sites (not that you'd really want to) where the server itself is running an instance of the Tor client such that it can only be accessed by other Tor nodes. When talking about using Tor in the context of everyday browsing to access non-Tor sites, the only benefit provided is that your location remains anonymous. The use of Tor comes with the same warning as public VPN services, in that you'd better really trust who's running the network. In the case of Tor, anyone can stand up an exit node which serves as the gateway between the encrypted Tor network and the regular internet. Operators of exit nodes are free to monitor traffic (including plaintext traffic to/from end users if secure protocols are not being used). They won't know where I am, but they are certainly free to see me send/receive "Mary had a little lamb" via insecure protocols like regular HTTP. This becomes a problem when that plaintext data might hold sensitive information or, even in the strict case of ciphertext exchanges, patterns of activity that could be used to drive further probing and targeted exploits, not necessarily against the user of the laptop at Starbucks, but against the sites/services that are being accessed.
For an example of that, consider the thought process of a nefarious operator of a Tor exit node (keeping in mind that the barrier to entry on running an exit node is zero). "Hey, someone on Tor is continually logging into secure webmail hosted at mail.xyzlawfirm.com. I can't directly read their mail since everything is being exchanged over HTTPS, but I wonder what's so sensitive about what they're doing and why they feel the need to use Tor. Maybe I'll flag this one and see what exploits I can run against their servers later."
My first question to anyone using Tor or a public VPN service is, "why do you trust the operator of the VPN, and/or any random person off the street who might be running a Tor exit node, to not log and attempt to analyze your traffic?" Beyond that, if you're dead-set on using them, are you disciplined enough to make sure that your applications are all using secure protocols and, beyond that, not inadvertently drawing extra attention to yourself and your network traffic that might end up making you or the services you connect to a more interesting target?
So what do I do personally, given that I travel quite a bit and am forced to use public wifi in airports, hotels, etc.? I run an OpenVPN server on a machine at my house and always connect through it when I'm on the road. I've taken steps to reach a reasonable level of confidence that my home network is secure, so the endpoint of the VPN that I use is considered to be inside of a secure perimeter that's not controlled by any third parties. Traffic to/from the internet then leaves my house via my ISP, which is then beyond my control but at least I'm not advertising to the world (via a Tor exit node, for example) that my data is "special" and deserves a closer look. The guy sitting at Starbucks doing packet captures with Wireshark on his laptop sees AES-256 encrypted VPN packets leaving my laptop heading toward the public IP of my cable modem back home. He's free to use that destination IP to see if anything can be exploited, but again, I control the network back home, have taken measures to ensure that it's secure, and am not reliant on third parties to lock down any obvious non-backbone choke points where all of my data is being funneled.
Now, if you see a van parked outside your house hooked up to your DSL line with alligator clips, I can't help you.