User network activity

Hi guys…

I’m using Whonix over a VPN. I would like to know if a third observer can see when I’m using my PC or not only by analyzing my network data exchanges.
I assume the third observer doesn’t have access to my machine of course in any possible way (physical, backdoor, rootkits, bugs etc.), otherwise everything becomes possible.

A network level adversary can see what time you’re connected to your VPN at and when you disconnect. From this, they can determine when you’re using your pc. This can be solved by just leaving your pc on overnight still connected to the VPN. Maybe create a script to make a few random connections so the adversary doesn’t see a major drop in network usage.

1 Like

They aren’t asking how to hide that they’re using Tor/Whonix but if an adversary can see when their pc is in use.

The page “Hide Tor use from the Internet Service Provider” covers that too, implicitly.

Using a VPN or SSH does not provide a strong guarantee of hiding Tor use from the ISP either. [4] VPNs and SSHs are vulnerable to an attack called website traffic fingerprinting. [5]

[4] Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Comparison_of_Tor_and_VPN_services
[5] For a reference for website traffic fingerprinting, see VPN/SSH Fingerprinting (w).

Since adversaries can see which website is being visited even though using a VPN or SSH, even though they don’t know all the traffic in plaintext, it is easy to guess that they can also guess the type of traffic being generated.

I wouldn’t wonder if “user is really using the internet” is easily distinguished from “automated activity”. Users have unique patterns. Automation has too. User patterns change a bit but automated ones are very predictable. This looks more like a whack-a-mole, who takes more effort, who’s more dedicated, and not certainty for the one trying to hide activity than a resilient solution.

1 Like
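
An added sketch (not from the thread or the Whonix project) of the two observations made so far: idle gaps in encrypted-tunnel packet timing reveal usage windows, and a fixed-period cover script closes those gaps but shows near-zero timing variance. The traces, the 600 s idle threshold and all function names are constructed assumptions; only packet timestamps are used, as an on-path observer would see them.

```python
import random
import statistics

IDLE_GAP = 600  # assumed: seconds of silence an observer treats as "idle"

def active_windows(times, idle_gap=IDLE_GAP):
    """Split sorted packet timestamps into (start, end) activity windows."""
    windows, start, prev = [], times[0], times[0]
    for t in times[1:]:
        if t - prev > idle_gap:
            windows.append((start, prev))
            start = t
        prev = t
    windows.append((start, prev))
    return windows

def interval_cv(times):
    """Coefficient of variation of inter-packet gaps (0 = clockwork)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def bursty_session(start, duration, rng, mean_gap=20.0):
    """Constructed stand-in for interactive use: exponentially spaced packets."""
    t, out = float(start), []
    while t < start + duration:
        out.append(t)
        t += rng.expovariate(1.0 / mean_gap)
    return out

def fixed_keepalive(start, end, period=300.0):
    """Constructed stand-in for a naive cover script: one packet per period."""
    out, t = [], start + period
    while t < end:
        out.append(t)
        t += period
    return out

rng = random.Random(7)  # fixed seed so the constructed trace is reproducible
evening = bursty_session(0, 3 * 3600, rng)
morning = bursty_session(14 * 3600, 2 * 3600, rng)
overnight = fixed_keepalive(evening[-1], morning[0])

if __name__ == "__main__":
    covered = sorted(evening + overnight + morning)
    print("no cover:  ", len(active_windows(evening + morning)), "windows")
    print("with cover:", len(active_windows(covered)), "window")
    print("CV interactive: %.2f  CV keepalive: %.4f"
          % (interval_cv(evening), interval_cv(overnight)))
```

Without cover traffic the gap detector recovers both sessions; with the fixed keepalive it sees one continuous window, yet the overnight stretch is separable from the interactive one by its interval regularity alone.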

They’d just see Tor traffic as the user is using Tor over a VPN.

It would be much harder to determine if it’s automated or not as it would require an advanced traffic analysis attack on Tor.

1 Like

I overlooked this. Good point.

Indeed, you might be correct but only for users who don’t generate clearnet (non-Tor) traffic on the host at the same time. For those who also use clearnet at the same time, what I replied applies.

1 Like