Anonymity risks when hiding Tor from ISP?

AnonymityDoesMatter · May 7, 2021, 6:57am

Hi. Usage of Tor in my area is not recommended, e.g. I know some cases when random Tor users had problems because they were connected to Tor entry node which other people used as exit node for bad activities. So, we really need to hide Tor from ISP. I read the wiki and found out that there’re two ways to try to hide Tor from ISP: obfs4 bridges and private VPN on your own VPS. I use approach
My ISP > VPN > Tor obfs4 bridge > Tor middle node > Tor exit node
Why that way? I’d like my ISP to know only that I’m using VPN and my VPN ISP not to find out I’m using Tor. Why that? Because even obfs4 bridges are not public, they can be easily fetched through bridges torproject page so I guess in my area ISPs know about all IPs associated with Tor.

But I’m afraid is it possible to make time correlation because of ping time enlarge? I wrote about risks in wiki but I didn’t understand about time correlation fingerprinting. Does usage of that approach make user unique for destination website? I need the explanation. Thank you.

TNT_BOM_BOM · May 7, 2021, 7:08am

If you are too much worrying from ISP and your ISP that aggressive they can calculate the time of you visiting x IP address (maybe load as well) and by that they can know you are using the x IP as a gateway to your traffic (whether its VPN,Proxy…etc) and by that they know you are using something.

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Hide_Tor_from_your_Internet_Service_Provider

Patrick · May 7, 2021, 7:23am

If you don’t use the usual $facebook, $instagram, etc. [1] to receive your daily curated fix of mental programming from the endless scrolling wall, you’re already different.

[1] Or whatever localized mainstream sites people use in other areas.

Might be a non-Tor users while posting. Therefore onion link might not work. Clearnet link:

AnonymityDoesMatter · May 7, 2021, 6:56pm

Thank you for good explanation

I don’t sign in social network profiles which are correlated with my real identity through Whonix/Tor. So, I use Whonix only for anonymous activities and don’t mix real and anonymous identities. I don’t use Whonix to sign in to accounts which belong to my real identity.

I don’t know whether ISPs in my area have full list of Tor obfs4 bridges, but I strongly know that it is dangerous to connect to Tor entry node in direct mode, because the same entry node can be used by other people as Tor exit node.

To do this, I think ISP should look for every people and calculate time correlations. I think it is difficult to organize.

Everything I’d like to find out is about fingerprinrting. I know that even using Tor Browser you are not anonymous but pseudonymous because of some unique hardware details such as Canvas image drawing algorithm, but I’d like to be sure that using
ISP > VPN > Tor > Website
doesn’t have any affect on fingerprinting as using regular
ISP > Tor > Website
scheme.

Patrick · May 8, 2021, 4:26am

I doubt that. If you look into research papers, done what universities with limited funding, students, independent researchers accomplished…

Specific example:

https://blog.torproject.org/one-cell-enough-break-tors-anonymity

Research papers:

https://www.freehaven.net/anonbib/

…then just try to imagine multiple full time employees having years of time available to focus on implementing this.

General Tor question. Unrelated to Whonix. Suggested to resolve as per https://www.whonix.org/wiki/Free_Support_Principle.

HulaHoop · May 9, 2021, 2:00am

No. As far as they can tell, you’re just another Tor user.

The use of a VPN before bridge however is quite flimsy and depends on your ISP being totally clueless. If they (ISP/gov) are then Bridge protocols should be enough. If not then they can probably fingerprint the bridge protocol even if encapsulated in the VPN. In the latter you are better off using a better bridge protocol than the one they can recognize which still means the VPN is of little benefit.

AnonymityDoesMatter · May 9, 2021, 5:49pm

Tor in my area is not blocked but I know a lot of cases when people who were connected to Tor in direct mode had serious problems with law because in my area gov doesn’t know and doesn’t want to know how Tor works, they think if a user is connected to Tor entry node which can be used as exit node too, then that man made a crime because some other Tor user used that node as exit for bad activities. So, I don’t want to risk and connect to Tor in direct mode.

In my opinion, ISP/gov might know IPs of all public obfs4 bridges (they can easily set up a bot which fetches IPs of all Tor bridges from torproject site) and using a DPI it is easy to find out that a user uses Tor. I think using VPN before Tor is safer because IP address of your own VPS cannot be associated with Tor.

I don’t encapsulate bridge protocol into VPN. I just use ISP > VPN > obfs4 bridge > Middle node > Exit node approach. So an IP address of obfs4 bridge is only visible to my VPS ISP which is under other country jurisdiction, not by real ISP. And to try to hide the fact I’m using Tor from my VPS ISP too, I use obfs4 bridges.

By the way, can I set up a private (not public) obfs4 bridge on my own VPS and make Tor connection through it? Or connecting to VPN before Tor is better? Thank you.

HulaHoop · May 9, 2021, 11:18pm

Try using Meek instead. The too big to censor status and lack of exit on the same IP should be OK.

Yes you can

Not recommended of little practical benefit.

AnonymityDoesMatter · May 13, 2021, 11:09am

So am I right that meek bridges uses https connection to Microsoft Azure cloud CND servers in order to spoof traffic between ISP and Tor entry node and make it look like an ordinary https traffic to Microsoft services?

Patrick · May 13, 2021, 2:21pm

Can be resolved as per https://www.whonix.org/wiki/Free_Support_Principle.

HulaHoop · May 13, 2021, 3:29pm

Yeah the idea is to make it look like a normal connection to MS. Look up the meek technical docs if you want to know more. Here’s not the place to repeat that.

AnonymityDoesMatter · May 13, 2021, 7:30pm

That what i found in tor blog:

You’re right that using meek means there are more entities who can watch the traffic patterns between you and your first hop. With ordinary bridges it is:
your ISP, all upstream routers, and the bridge itself.
With meek it is:
your ISP, all upstream routers, Amazon/Google, and the bridge itself.
Of course, none of these entities gets to see your plaintext directly—there is still a Tor encryption layer underneath meek’s HTTPS tunnel. But all those entities are in a better position to do timing correlation, for example.

It’s important to understand that Amazon/Google don’t actually get to see what web sites you browse. What they see is a bunch of encrypted HTTPS POST requests, which they forward to a Tor bridge. Amazon/Google knows that your IP address is using Tor; what we’re trying to do is prevent the censor from knowing it.

So, it looks like meek is not so secure as private (non-public) obfs4 bridge or VPN on your own VPS before Tor. Obfs4 or VPN have less chance for time correlation attack.

HulaHoop · May 13, 2021, 11:16pm

Most VPNs do monitor despite what they claim either because they are required by law, are scum bags who want to profile and sell data to advertisers or are compromised by intelligence to uncover what their users are doing (Snowden docs have evidence this is the case). So your equivalence between private obfs4 and VPNs is inaccurate.