When using the vpn-tor-vpn chain, if the tor output node is compromised and traffic is sniffed, listened and recorded on the output node, and the second and first node are compromised, is it possible to de-anonymize the user? Or does it protect against the fact that traffic on the output node is encrypted and decrypted only on the second vpn? Is it possible to find out if the output node is compromised, which second node sent this traffic and the first node? How to prevent this if it is not recommended to change the input and output nodes?
No. If Tor is broken there is no anonymity. VPNs don’t conceal the source of traffic but what was sent (if even that). Most VPNs record by law or are compromised by the powers that be. The encrypted SSL connection is not suitable to conceal what data was being fetched either. A large adversary recording the internet will be able to make a guess what pages or data you are fetching even if encrypted.
Yes and no. TPO devs regularly run scans to catch sybils and blacklist them. I doubt you can figure this out with the data you have.
Tor’s guard rotation is designed to mitigate the damage in case of the network being compromised to a certain extent. Don’t mess with the node selection as it will reduce your anonymity with no clear benefit. Also you can apply our One guard per app advice and spin up Tor from a clean state to assign a different guard for every app you use in the Workstation to reduce risks.
1 Like
Thank you, but I did not quite understand you. And I asked question wrong. If both vpn and all nodes are compromised, is it possible to deanonymize the user? The fact that on the output node the traffic will be encrypted by second vpn and decrypted only on the second vpn will not save anonymity if both of vpn are compromised and all the nodes in the chain are compromised too (sniff traffic, decrypt and save it) ?
Please use correct terminology.
Entry guard → Middle node/relay → Exit node/relay
Think about what you are asking. If an adversary knows the IP from which the data originated from and the IP of the website you are connecting to… Yes!! You can be de-anonymized if all nodes are compromised.
https://whonix.org/wiki/Tor_Entry_Guards#Introduction
Current practical, low-latency, anonymity designs like Tor fail when the attacker can see both ends of the communication channel. For example, suppose the attacker controls or watches the Tor relay a user chooses to enter the network, and also controls or watches the website visited. In this case, the research community is unaware of any practical, low-latency design that can reliably prevent the attacker from correlating volume and timing information on both ends.
1 Like