his argument is that it's more "obvious" to use vpn with tor. i usually like mental outlaw's videos, but i disagree with his point of "don't use a vpn with tor because it makes you more obvious."

yes, there are some times it doesn't make sense to use both tor and a vpn but that's a nuanced discussion for later.

what is important is not exposing your ip to the internet whenever possible.

split tunneling or using multiple vpn qubes (on qubesos) and having a direct connection not routed through the vpn traffic work for those "other times" when you do have to expose your ip to an app or website.

keeping an always-on vpn, not disconnecting, then connecting to tor, then forgetting to reconnect the vpn and exposing your ip is far more risky.

just leave it on.

the fact is, your isp will likely hand over your personal data faster with less resistance than a respectable vpn would.

if there is no account or email with your actual identity attached (like mullvad vpn) and you were using a fingerprint resistant browser with a vpn on when you signed up, or signed up over tor and paid with non kyc or cash, what can they hand over?

Discussion

tldr, yes you are trusting a 3rd party with your ip, but it makes more sense to trust a privacy-first open source vpn company (whose reputation depends on them not logging user ip) like mullvad, who stores this info in temporary ram, not to permanent hard disk...and who has post-quantum safe resistant vpn tunnels...to not log my ip (they have been tested) than any isp when using tor.

it's a silly argument imo. i think it was a filler video.

What is “post-quantum safe resistant”?

"The encryption used by WireGuard has no known vulnerabilities. However, the current establishment of a shared secret to use for the encryption is known to be crackable with a strong enough quantum computer.

Although strong enough quantum computers have yet to be demonstrated, having post-quantum secure tunnels today protect against attackers that record encrypted traffic with the hope of decrypting it with a future quantum computer."

https://mullvad.net/en/blog/stable-quantum-resistant-tunnels-in-the-app

Thanks. I guess I should not expect to understand. Unfortunately I use mostly a wireguard connection. Maybe it’s time to rethink this approach.

Okay, as a relative newbie, here are my takeaways from these threads. Am I indeed getting the right picture?

1. Mullvad is a superior VPN for multiple reasons, and is worth switching from another provider like Proton or Nord

2. Running Tor - for any viable usage - through a VPN is fine, because you’re really just evaluating whether your VPN provider or your ISP knows you’re using Tor, and while neither can see the activity, you’d rather a quality VPN service be aware of Tor usage than a “definitely captured” ISP like Verizon or Spectrum

3. If you’re aiming to cover the lowest-hanging fruit, but aren’t ready (or feel it’s currently necessary) to make the full shift to a de-googled Graphene phone and TailsOS, then simply running an always-on VPN like Mullvad for benign web activity should gain a significant amount of privacy with minimal inconvenience.

For the tech-familiar and privacy-conscious beginner, would you say the above is a decent start? Any glaring holes?

1. Mullvad is a superior VPN for multiple reasons, and is worth switching from another provider like Proton or Nord

-- i don't recommend nord, but i do also recommend proton vpn. if you only want a vpn, mullvad is where it's at.

2. Running Tor - for any viable usage - through a VPN is fine, because you’re really just evaluating whether your VPN provider or your ISP knows you’re using Tor, and while neither can see the activity, you’d rather a quality VPN service be aware of Tor usage than a “definitely captured” ISP like Verizon or Spectrum

-- basically yes. tor over vpn (tor through vpn). there is more to evaluate, but it is riskier to turn off your vpn, then connect to tor, forget to reenable then expose your ip or trust your isp over a respected no log vpn provider.

also, if you don't have a vpn enabled, surfing http (unsecured sites) on tor can be used to deanonymise you by a malicious tor exit node etc (same with clearnet). this was a rebuttal to the argument made in the video.

3. If you’re aiming to cover the lowest-hanging fruit, but aren’t ready (or feel it’s currently necessary) to make the full shift to a de-googled Graphene phone and TailsOS, then simply running an always-on VPN like Mullvad for benign web activity should gain a significant amount of privacy with minimal inconvenience.

yes i recommend using an always-on vpn as i outlined. it's a basic first step re: the post, and yes to grapheneos, but with qubesos with whonix for a daily driver os. tails is awesome for what it is but it is not a daily driver per se, it's more for one and done stuff (this depends on your threat model).

tl;dr: use tor over (through) vpn. keep your vpn always-on (except for banking and other sites/apps that don't play nicely with it...you can use split tunneling to bypass vpn traffic for those). also, fyi amethyst allows you to connect through a tor proxy via orbot.

This is why QubesOS rocks. Breaking applications, different sites, and different activities apart from each other with app specific qubes will increase your focus by removing highly personalized and well designed attacks on your attention. I could care less about hiding, I want the freedom to drive my own experience.

Please be careful with recommendations of this girl.

She's perhaps a girl who seeks attention or is paid/controlled by official entities or both.

1. Sweden (Mullvad) has one of the worst privacy laws in the world. For instance, police can enter your home w/o warrant, they can hack your devices and they use facial recognition.

Try to avoid services located in Sweden.

Remember Libera.Chat is located in Sweden too.

2. Using Tor over VPN - you can be more easily fingerprinted, time-correlated. If in your country Tor isn't forbidden, just connect directly to Tor. Perfectly make Tor run 24/7.

3. Do not use GrapheneOS, which builds a walled garden and forces users to use their server (updates, clock sync, etc.). Using GOS, you're like a beacon. If you want to have GOS for sure do not follow their recommendations; for instance, do not use the web installer, disable their Store, disable auto-updates, don't install Google services. Disable all known connections to GOS' servers like SUPL, connectivity checks, etc.

Do not listen to this lady. Even banks, not all of course, accept Tor connections.

This girl's recommendations are dangerous.

#security #privacy

Thanks for the thorough feedback, Ava 🤙

I’ve found mixed feedback on Nord (the first VPN I had tried). Mostly benign and then the occasional word of caution - how come?

My threat model is minimal - reducing the number of companies and aggregators that have my data, and telling my ISP to mind their own business, are my primary goals.

My bank seems to have no issue with VPN. I had to “train” my mobile banking app to accept traffic from my vpn servers until it stopped giving me errors, but now it works fine.

Appreciate it 🙏