Because http isn't encrypted and because tor exit nodes can see our traffic, how to encrypt?

edited September 24 in VPN Setup Support Posts: 10
Hi, 

I chatted with the tor irc chat service and they all said that PIA and any other VPN service that claims to help with anonymity or privacy are just plain lying and that when we use a VPN > tor to connect to http sites that there is no extra layer of security, at all. That, when we connect to our VPN the only thing it will do for us is hide from our ISP the fact that we are connected to tor. That being said, I don't know what their problem is with VPNs but I'd just like to know if there is some way to encrypt our traffic against exit node snooping from the NSA or hackers or whoever so that if ever we are using an HTTP site we don't get doxed or blackmailed or hacked or whatever. I don't want any sites or any exit node holder to be able to access my accounts or have any way to see what I am doing on other tabs of my browsers or anything like that. I recently found out about Shark Wire, a developing tool that shows all of your computer's data packet circulation and all internet traffic to and from your computer and there are literally thousands upon thousands of packets that are transferred at any given sitting to and from your computer from what I could tell, although I am not a developer and don't know how to use the tool very well. I don't mean to be alarmist about this but just to say that if one accesses an HTTP site via tor that there is a lot of unencrypted data being transferred that could ultimately make tor and any VPN totally pointless. Maybe there is a way to strengthen the weakest link or replace it somehow?

Thank you for all insight and help !!!

:smile:
Post edited by Jacksback on

Comments

  • Don't all chime in at once...
  • Posts: 10
    Ok... well, thanks anyways I guess.
  • Posts: 308
    I think you are suffering from paranoia. If you are using PIA and are still that worried, maybe you should turn off your internet and stick to face to face communication?
    As far as I am concerned, using a VPN gives me the privacy I require - if the NSA really wants to snoop on you there are many other ways that you can't really prevent - phone taps, bugging, email reading etc.
    So, my advice is just chill and relax.
  • Posts: 10
    Sorry but it seems that you have failed to respond to my question and instead changed the subject to one of psychology.  

    There are many reasons to encrypt your data as it is transferred across any given network. For starters, HTTP sites simply do not encrypt, and so as long as any person has access to an exit node, so long as a user is accessing an HTTP site through one such node, and so long as the user is entering sensitive information into said site (such as self-identifying information or passwords or so forth) then a hacker or government agent or the like can easily monitor all such information as it passes through their exit node.

    For the very same reason that you have a VPN, at all, one should consider the question of encryption on HTTP sites. The reality about encryption is that on HTTP sites, one cannot encrypt. So how can you claim to care about or need a VPN (which is purchased to encrypt your data) if on HTTP sites one's data is vulnerable and to you wanting to deal with such vulnerabilities means that such is a symptom of paranoia? 

    Also, your answer works in every case. "I'd like to get a VPN so hackers can't see my true IP address." Response: "Then just don't use the internet, you're paranoid." Or, "I'd like to keep my browsing history private from my ISP so that it has absolutely no way of knowing what sites I frequent, such that even if it carries out deep-packet inspection, it still cannot know." Response: "Paranoia, stop using the internet." I'd like to have an email that is very hard to hack... etc. Part of the appeal of quantum computing is an allegedly unbreakable security. Wanting that is not a result of paranoia but of the reality in which we live. Taking precautions to ensure your safety and privacy as well as your identity is by no means irrational. 
  • edited November 11 Posts: 36
    Jacksback said:
    Hi, 

    I chatted with the tor irc chat service and they all said that PIA and any other VPN service that claims to help with anonymity or privacy are just plain lying and that when we use a VPN > tor to connect to http sites that there is no extra layer of security, at all. That, when we connect to our VPN the only thing it will do for us is hide from our ISP the fact that we are connected to tor. That being said, I don't know what their problem is with VPNs but I'd just like to know if there is some way to encrypt our traffic against exit node snooping from the NSA or hackers or whoever so that if ever we are using an HTTP site we don't get doxed or blackmailed or hacked or whatever. I don't want any sites or any exit node holder to be able to access my accounts or have any way to see what I am doing on other tabs of my browsers or anything like that. I recently found out about Shark Wire, a developing tool that shows all of your computer's data packet circulation and all internet traffic to and from your computer and there are literally thousands upon thousands of packets that are transferred at any given sitting to and from your computer from what I could tell, although I am not a developer and don't know how to use the tool very well. I don't mean to be alarmist about this but just to say that if one accesses an HTTP site via tor that there is a lot of unencrypted data being transferred that could ultimately make tor and any VPN totally pointless. Maybe there is a way to strengthen the weakest link or replace it somehow?

    Thank you for all insight and help !!!

    :smile:
    @Jacksback

    You can get a very good level of anonymity connecting to the web through a VPN then TOR.
    The VPN will hide the fact you are using TOR, and TOR itself can't be broken and even if it is somehow, it leads right back to a no-log VPN.
    The only thing that can give you away is you or your software.
    Just make sure javascript and WebRTC are disabled in your browser, cookies autodelete and use a generic common fake user agent and don't log into any personal accounts or anything relating to you in any way.

    Essential privacy Addons for Firefox:
    NoScript 
    User Agent Switcher
    Foxy Proxy
    Cookie Autodelete
    HTTPS Everywhere

    You can also modify firefox internals to help further:
    modify about:config

    Just think of a TOR exit node as something that is most likely 100% hostile to you and indifferent to your desire for privacy.
    If you use it in the right way it is completely anonymous.
    Post edited by d4rkcat on
  • edited November 12 Posts: 112
    @Jacksback: Sorry for not seeing your post before, I came onboard long after you had made it. I am the resident PIA Tor user (I use TailsOS and QubesOS/Whonix daily as workstations) and I can tell you that your concerns are misplaced and you're misunderstanding something about Tor.

    While it is true that an HTTP connection over Tor would allow the exit node to inspect the contents of your traffic, why you would be connecting to an HTTP site and not an HTTPS site is beyond me. Tor Browser even has the HTTPS Everywhere plugin installed to help prevent this type of mistake. If you're connecting to an HTTPS address, the Tor exit node cannot inspect the contents of your traffic.

    Bottom line, if you don't want people seeing your traffic, use encryption. For browsing, that means only visiting HTTPS addresses. Tor itself has the same encryption automatically if you're viewing .onion addresses (no need for HTTPS).


    Let's review!


    Not Encrypted

    Tor > HTTP
    PIA > Tor > HTTP
    PIA > HTTP

    Encrypted

    Tor > HTTPS
    PIA > Tor > HTTPS
    PIA > HTTPS
    PIA > Tor > .onion
    Tor > .onion


    As for the comment about PIA or any other VPN provider "just plain lying" when claiming what they don't do (like storing logs), I tend to agree on principle. If you use a VPN, your threat model should match it. While I trust PIA, I also understand that there could be logs and I would never even know. I find that it's far better to operate on the assumption of complete compromise. That means:

    1. Keep separate identities online for different purposes and never mingle them (e.g. don't sign up for a credit card with the same IP/session/email etc that you do for an online forum)
    2. Don't use PIA for traffic that can get you arrested in the countries PIA operates in. Don't use Tor in countries where using Tor is illegal. This is all common sense and is basic threat modeling for survival.
    3. If you need a VPN and don't trust anyone (like me!) set up your own VPN. Then again, if you're just using a VPS someplace to host it, you're still trusting the VPS company with root access to your machine...

    Security and privacy is hard. PIA does the best they can to provide the basics for average users in most situations.
    Post edited by sn0wmonster on
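
The review list in the post above, worked through as a small model: for each chain it reports which intermediary learns the client address, the destination and the request content. This is an added example, not part of the original thread and not Tor or PIA code; the observer names and the simplified visibility rules are assumptions of the example.

```python
# Added example: a simplified model of the chains in the review list.
# Observer names and rules are assumptions of this sketch, not Tor or PIA code.
HOP_OPERATOR = {"PIA": "VPN provider", "Tor": "Tor exit relay"}

NOT_ENCRYPTED = ["Tor > HTTP", "PIA > Tor > HTTP", "PIA > HTTP"]
ENCRYPTED = ["Tor > HTTPS", "PIA > Tor > HTTPS", "PIA > HTTPS",
             "PIA > Tor > .onion", "Tor > .onion"]


def observers(chain):
    """Map each intermediary on the path to what it can learn."""
    *hops, target = [part.strip() for part in chain.split(">")]
    if target == ".onion":
        # Onion circuits end inside the Tor network: there is no exit relay.
        hops = [h for h in hops if h != "Tor"]
    path = ["ISP"] + [HOP_OPERATOR[h] for h in hops]
    views = {}
    for i, who in enumerate(path):
        sees = set()
        # The ISP, and a VPN used as the first hop, see the real address.
        if i == 0 or (i == 1 and who == "VPN provider"):
            sees.add("client_ip")
        # Only the point where the last tunnel ends sees where traffic goes.
        if i == len(path) - 1 and target != ".onion":
            sees.add("destination")
            if target == "HTTP":
                # No TLS: this hop, and the network beyond it, reads everything.
                sees.add("content")
        views[who] = sees
    return views


def plaintext_readers(chain):
    """Intermediaries that can read request and response content."""
    return [who for who, sees in observers(chain).items() if "content" in sees]


if __name__ == "__main__":
    for chain in NOT_ENCRYPTED + ENCRYPTED:
        print(f"{chain:20} plaintext visible to: {plaintext_readers(chain) or 'nobody'}")
        for who, sees in observers(chain).items():
            print(f"    {who:15} {sorted(sees)}")
```

In every chain it is HTTPS or an onion address that keeps content from the last hop; the VPN and Tor layers only change who that last hop is.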