There was a time when folks felt beyond anonymous using TOR on its own; that seems a crazy idea today, and I can tell you from experience that using TOR without a VPN gives one a feeling of nakedness. Looking further back, there were the good old days when mass monitoring felt more like a dystopian novel than government policy. People felt safe doing pretty much whatever on the web, BBS, IRC and even through their ISP-provided email addresses, before the days of widespread webmail. In the 80s and 90s ISPs were able to keep customer records and data to themselves unless subpoenaed (and even then I’m sure it was a rarity); search engine giants were not collecting mass marketing data or participating in huge man-in-the-middle attacks perpetrated by government spies; in fact it’s quite unlikely that LEA and intelligence agencies monitored or pursued much online. The opportunity to commit crime or carry out secretive activity would have been limited or not yet considered. It was not long ago that the internet was a novelty, a hobby and just a great place to gain access to large amounts of information (often for learning). In the early days of popular internet usage there were constant discussions on what qualified as a “crime” online. For quite some time there were few or no laws to govern many online activities. Today, we don’t “go online” or “dial in” like we used to; we are online, always. From home to work and back, and everything in between, we possess a certain degree of online presence every hour of the day, whether through social media, email, GPS tracking or SMS (texting). As a part of basic human nature it’s not surprising that people began discovering and exploiting ways to leverage computer networks for personal gain or pleasure, whether legal or illegal.
With that said, you don’t need a secretive reason to yearn for the anonymity of the old days. I know people who have never even smoked a cigarette or drunk a beer who feel the need for a VPN; it’s normal. This week a good friend was asking me about TOR and VPN so that he could set up a hidden service on his home network; not because he has anything to hide, but because he knows that the minute he stands up that public service, many eyes and sticky fingers will be on it. I recently stood up a newly built home Linux server on the internet to give myself access to my files while away and at work. Within a few minutes I had been scanned hundreds of times and a barrage of brute-force attempts had begun against my FTP and SSH services. Luckily I had the gear and skills to identify this, and it’s quite likely they would have had trouble cracking my huge password, but I still felt better moving the services to non-standard ports, blocking ICMP and setting up certificate-based authentication instead of passwords. The same logic applies to IP anonymity. For the most part I am probably anonymous on TOR, and on top of that I likely have nothing to worry about once I add a VPN to the mix, yet I still feel the need to take every precaution. I also like to stay up to date on the latest application, DNS and similar exploits. Today I would like to share some of those habits. You may be doing all of these and more, you might learn one or two new things, or perhaps it will all be news to you. Whichever the case, I’m doing this to gather as many safe practices as I can into one place.
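The brute force described above shows up in the auth log long before a password falls, and spotting it is a matter of counting failures per source inside a short window. The following is an added example, not code from the original post: it runs that check over a handful of constructed auth.log lines (documentation IP ranges, made-up PIDs and key fingerprint) and emits iptables rules for the sources it flags. The five-failures-per-minute threshold and the SSH port are assumptions to tune for your own server.

```python
"""Flag SSH password brute force in auth.log-style lines.
Added example with constructed log lines (documentation IP ranges), not the
author's real server logs."""
import re
from collections import defaultdict
from datetime import datetime

# sshd's failure line as written to /var/log/auth.log (syslog format, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one source spraying usernames, one legitimate user with a typo.
SAMPLE_LOG = """\
Mar 14 02:11:01 home sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar 14 02:11:02 home sshd[1203]: Failed password for root from 198.51.100.23 port 51236 ssh2
Mar 14 02:11:02 home sshd[1205]: Failed password for invalid user test from 198.51.100.23 port 51240 ssh2
Mar 14 02:11:03 home sshd[1207]: Failed password for invalid user oracle from 198.51.100.23 port 51244 ssh2
Mar 14 02:11:05 home sshd[1209]: Failed password for root from 198.51.100.23 port 51250 ssh2
Mar 14 02:11:40 home sshd[1220]: Failed password for bob from 203.0.113.7 port 40022 ssh2
Mar 14 02:12:10 home sshd[1222]: Accepted publickey for bob from 203.0.113.7 port 40023 ssh2: ED25519 SHA256:c0nstructedF1ngerpr1ntNotReal
"""


def _parse_ts(ts):
    # syslog stamps carry no year; any fixed year is fine for deltas within one log
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")


def failed_logins(log_text):
    """{source_ip: [(username, datetime), ...]} for every failed password attempt."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            attempts[m.group("ip")].append((m.group("user"), _parse_ts(m.group("ts"))))
    return dict(attempts)


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failures inside any `window_seconds` span.

    The distinct usernames tried are reported too: a spray across many accounts
    is a stronger signal than one user mistyping a password a few times.
    """
    flagged = {}
    for ip, tries in failed_logins(log_text).items():
        times = sorted(t for _, t in tries)
        left = 0
        for right in range(len(times)):          # sliding window over sorted timestamps
            while (times[right] - times[left]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= threshold:
                flagged[ip] = {"failures": len(tries),
                               "users": sorted({u for u, _ in tries})}
                break
    return flagged


def drop_rules(flagged, ssh_port=22):
    """iptables rules (assumed port) that block the flagged sources from SSH."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
    print("\n".join(drop_rules(hits)))
```

Run it against your real log with `brute_force_sources(open("/var/log/auth.log").read())`; on a server that has been up for a day the flagged list is usually long, which is exactly the point the paragraph makes about how quickly a fresh host is found.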
Let’s start with TOR and some critical ‘rules’ you should always force yourself to follow. First, if you’re like me and want to avoid the ‘guilty by association’ accusation, you might not want people to know that you have or even use TOR. It’s quite common to use today, but some under-educated people hear TOR and immediately think you’re buying or selling drugs and weapons or spreading snuff films. It’s understandable if you’d just rather avoid that conversation. If you’re not going to be super paranoid and use a separate computer or OS (or VM) to run TOR, you can still keep it from prying eyes by running Tails (a live TOR-based Linux distro) from CD/DVD or USB. Running a whole distro can be time-consuming and sometimes inconvenient, with things like wireless NIC driver woes or problems with persistence. If you would rather avoid all that, then look at installing just the TOR Browser on a USB drive. This way it can disappear from your machine when needed, and all updates, temp files etc. should write to the USB stick. You can do this easily by choosing the USB drive as your installation path when running the TOR installer. If you like to be extra careful and don’t want the contents of the USB to be viewable, use an encryption program to create an encrypted volume and install TOR inside it. This works fine, as I have done it myself. Without the encryption/decryption software on their PC, nosy snoops will see what looks like an unformatted (blank) USB drive. Bear in mind that this hides the contents, not the fact that a drive was plugged in; the host OS still keeps its own record of attached USB devices. From a network point of view you can also hide your TOR usage from your ISP or anyone else monitoring the line. Since TOR is blocked in some oppressive countries, this makes it that much more important for freedom of speech, whistleblowers and those suffering political oppression.
Since ISPs or government routers can block access to known TOR nodes (the list of public relays is published), TOR bridges were introduced: unlisted relays that let these people in, because the censoring routers won’t recognise the session as a connection to a public TOR node. Anyone around the world can volunteer to run a TOR bridge and provide this access. That doesn’t mean bridges are only for people with blocked connections. Perhaps you just don’t think your ISP has any business knowing that you connect to TOR? If you are using TOR with a VPN this won’t matter much anyway, but it still adds a hurdle for anyone tracking who’s doing what, so it’s not a bad idea. Note that a plain bridge only hides which IP you connect to; the TOR traffic itself still looks like TOR unless the bridge runs a pluggable transport such as obfs4, which is what you want against a censor that inspects traffic rather than just blocking addresses. To make use of bridges you can simply send a properly formatted email to the TOR Project’s bridge distributor, which will respond with bridge lines that you then configure in your TOR settings. When TOR launches, open settings and answer “yes” to the question about blocking/censoring (FIGURE A); a custom bridge or bridges can then be entered in the blank box (FIGURE B). You can request new bridges periodically to keep them guessing. For additional information on TOR bridges, please refer to the Tor: Bridges support page.
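The browser bundle writes the bridge lines from FIGURE B into its own configuration for you, but on a standalone tor daemon (the home server from earlier, say) the same lines go into torrc by hand, and a typo there silently leaves you connecting to public relays. The block below is an added example, not code from the original post or from the Tor Project: it validates bridge lines in the format the bridge distributor hands out and emits the torrc fragment. The bridge lines in it are constructed placeholders (documentation addresses, made-up fingerprint and cert), and the obfs4proxy path is an assumption that differs per platform.

```python
"""Turn bridge lines into a torrc fragment for a standalone tor daemon.
Added example: the sample bridge lines are constructed placeholders, not real
bridges; request your own from the Tor Project's bridge distributor."""
import ipaddress
import re

FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")           # relay identity, 20 bytes hex
HOSTPORT_RE = re.compile(r"^\[?([0-9A-Fa-f:.]+)\]?:(\d{1,5})$")  # IPv4:port or [IPv6]:port

# Pluggable-transport binaries per transport name.  The path is an assumption
# (Debian's obfs4proxy package installs there); adjust for your system.
TRANSPORT_PLUGINS = {"obfs4": "/usr/bin/obfs4proxy"}


def parse_bridge_line(line):
    """Validate one bridge line and return its parts.

    Plain bridge:  IP:PORT FINGERPRINT
    obfs4 bridge:  obfs4 IP:PORT FINGERPRINT cert=... iat-mode=0
    """
    parts = line.split()
    if not parts:
        raise ValueError("empty bridge line")
    transport = None
    if not HOSTPORT_RE.match(parts[0]):      # first token is a transport name, not host:port
        transport = parts.pop(0)
    if len(parts) < 2:
        raise ValueError(f"bridge line too short: {line!r}")
    m = HOSTPORT_RE.match(parts.pop(0))
    if not m:
        raise ValueError(f"bad host:port in {line!r}")
    host, port = m.group(1), int(m.group(2))
    ipaddress.ip_address(host)               # raises ValueError if not an IP literal
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    fingerprint = parts.pop(0)
    if not FINGERPRINT_RE.match(fingerprint):
        raise ValueError(f"bad fingerprint {fingerprint!r}")
    args = {}
    for kv in parts:                         # remaining tokens are transport key=value args
        if "=" not in kv:
            raise ValueError(f"bad transport argument {kv!r}")
        k, v = kv.split("=", 1)
        args[k] = v
    if transport == "obfs4" and "cert" not in args:
        raise ValueError("obfs4 bridge line needs a cert= argument")
    return {"transport": transport, "host": host, "port": port,
            "fingerprint": fingerprint.upper(), "args": args}


def build_torrc(bridge_lines):
    """torrc lines: UseBridges, one ClientTransportPlugin per transport, then the bridges."""
    bridges = [parse_bridge_line(line) for line in bridge_lines]
    cfg = ["UseBridges 1"]
    for transport in sorted({b["transport"] for b in bridges if b["transport"]}):
        if transport not in TRANSPORT_PLUGINS:
            raise ValueError(f"no plugin known for transport {transport!r}")
        cfg.append(f"ClientTransportPlugin {transport} exec {TRANSPORT_PLUGINS[transport]}")
    for b in bridges:
        fields = ([b["transport"]] if b["transport"] else []) \
            + [f"{b['host']}:{b['port']}", b["fingerprint"]] \
            + [f"{k}={v}" for k, v in b["args"].items()]
        cfg.append("Bridge " + " ".join(fields))
    return cfg


# Constructed placeholders: documentation IPs, made-up fingerprints and cert.
SAMPLE_BRIDGE_LINES = [
    "obfs4 192.0.2.10:443 0123456789abcdef0123456789abcdef01234567 cert=ZGVtby1jZXJ0LW5vdC1yZWFs iat-mode=0",
    "198.51.100.7:9001 89ABCDEF0123456789ABCDEF0123456789ABCDEF",
]

if __name__ == "__main__":
    print("\n".join(build_torrc(SAMPLE_BRIDGE_LINES)))
```

Append the output to your torrc and restart tor; the daemon's log will then show it bootstrapping through the bridge rather than a guard from the public consensus. When you rotate bridges, replace the Bridge lines rather than accumulating old ones, since tor will happily keep using a bridge you have forgotten about.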
It used to be that you were tracked down online by being sloppy and hacking (or whatever) from your own IP, thinking no one would be smart enough to catch on; or you may have used a series of jump-off points around the globe in an attempt to hide your tracks. The problem with this method is that it didn’t really hide any tracks; it simply added a few hops between the traffic and its original source, so anyone with network security or forensic knowledge, and the cooperation of whoever owned those hops, would know how to follow the trail back to its origin. TOR aimed to end this cat-and-mouse game, which would inevitably finish with the cat picking its teeth with a rib from the mouse’s skeleton. The new game is ‘how can I exploit your applications?’ Once TOR and VPNs managed to hide IP addresses, hackers and spies had to reinvent the wheel as well and find a sneakier way in. The next section highlights items which exist because of this new exploit game.
It’s important to remember that TOR has been built with your safety in mind, and as a result the developers have included some very useful tips and features which save you additional effort. TOR offers so much yet asks so little of its users; but if the TOR community makes a suggestion, follow it. They are nice enough to provide little pop-up notifications so you don’t have to check their website every now and then. If they have taken the time to program a notification into the browser, consider the suggestion crucial. The easiest and possibly most important task you can complete: keep your TOR Browser up to date. Like many applications, you will be automatically notified and prompted to update when a new package is available. Consider these updates more important than Windows security patches, as they generally address discovered exploits or vulnerabilities which put your anonymity at risk. So if you launch the browser and receive the update notification, don’t even think “oh, I will go do what I need to do and update when I’m done”. Stop everything you’re doing and install the new bundle immediately, before using TOR for anything. Similarly, TOR has also pushed out warnings not to resize your window, because a resized window has a size that few other users share, and that size is a fingerprint for nosy hackers or spies. I agree that the default window size is a bit annoying, but you can be sure this risk is very real if they have taken the time to program it right into the browser permanently.
As I mentioned above, application exploitation is the name of the game. LEA and intelligence agencies are now taking a page from the hackers’ book and using software exploits and zero-days to identify users. The reason the developers recommend not resizing your window is that a non-default window size, together with the screen resolution it lets a page infer, produces a fingerprint that can be used to link your sessions together even as your exit node changes, as discussed on Reddit and in numerous TOR tickets (multiple identified in this ticket). Similarly it has been found time and time again that scripting, JavaScript in particular, can be leveraged to identify a user (the window size above is read by script in the first place). To my knowledge TOR still ships with scripts globally enabled, and unless that has changed recently you will want to globally disable scripts before doing anything. FIGURE C shows the popup warning if you try to globally enable scripts; so if you haven’t already, disable them globally (FIGURE D) and enable them per site only if you trust a site enough to allow scripts temporarily (FIGURE E). Just because you know and use a site often does not mean it’s safe to enable scripts there. It’s exactly this sort of trust that hackers and spies look to exploit.
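To see why a resized window matters, it helps to measure how many bits of identifying information the window size carries across a population, and what rounding it to a coarse grid (the letterboxing that newer TOR Browser versions apply for you) does to that number. The block below is an added example, not code from the original post or from the Tor Project: it uses a constructed population of nine visitors as a JavaScript-enabled page would observe them (innerWidth, innerHeight) and computes the anonymity set of each visitor and the Shannon entropy of the attribute, with and without rounding. The 1000x600 default and the 200x100 grid are assumptions, not Tor Browser's exact values.

```python
"""How much does the browser window size give away?
Added example with a constructed population of visitors; the default size and
the 200 x 100 px rounding grid are assumptions, not Tor Browser's exact rules."""
import math
from collections import Counter

# What a page with JavaScript enabled can read: (visitor, innerWidth, innerHeight).
# Constructed: most visitors left the default window alone, a few resized it.
VISITORS = [
    ("v1", 1000, 600), ("v2", 1000, 600), ("v3", 1000, 600), ("v4", 1000, 600), ("v5", 1000, 600),
    ("v6", 1000, 650), ("v7", 1000, 650),   # nudged the bottom edge a little
    ("v8", 1137, 843),                      # freely resized: nobody else has this size
    ("v9", 1000, 800),
]


def letterbox(w, h, grid_w=200, grid_h=100):
    """Round the content area down to a coarse grid, so many windows report the same size."""
    return (w - w % grid_w, h - h % grid_h)


def entropy_bits(values):
    """Shannon entropy of one attribute across the population: bits of identifying information."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _key(rounding):
    # The value a page would observe: raw size, or the rounded size if letterboxing is on.
    return rounding if rounding else (lambda w, h: (w, h))


def anonymity_sets(visitors, rounding=None):
    """For each visitor, how many visitors (including themself) share the observed size.
    A set of 1 means the size alone singles that visitor out."""
    key = _key(rounding)
    groups = Counter(key(w, h) for _, w, h in visitors)
    return {vid: groups[key(w, h)] for vid, w, h in visitors}


def size_entropy(visitors, rounding=None):
    """Bits the window size contributes to a fingerprint of this population."""
    key = _key(rounding)
    return entropy_bits([key(w, h) for _, w, h in visitors])


if __name__ == "__main__":
    for label, rounding in (("raw", None), ("letterboxed", letterbox)):
        sets = anonymity_sets(VISITORS, rounding)
        print(f"{label}: {size_entropy(VISITORS, rounding):.2f} bits; "
              f"anonymity set of v8 = {sets['v8']}, of v1 = {sets['v1']}")
```

The point is that v8's hand-picked 1137x843 is unique on its own, before a single other attribute is combined with it, while the rounded value puts v8 back into a group. Real fingerprinting stacks many such attributes (fonts, time zone, canvas), so a fraction of a bit saved here is worth having, and none of it matters if scripts are disabled and the page cannot read the size at all.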
As TOR grows and evolves the developers add many additional safety measures, but there is one other important feature I would like to mention. At any time while browsing in TOR you can click the green onion in the upper left-hand corner and choose “New Identity”, which severs all sessions, clears browser state such as cookies and history, and builds a new circuit with new nodes for your TOR connection; so if you want to keep them guessing, do this at short, regular intervals. This means your traffic will constantly be switching paths and would be very hard to track and record. Be warned that you will lose any open tabs, links etc. Bear in mind too that a fresh circuit buys nothing if you then log straight back into the same account: it is the account, not the IP address, that identifies you. If you wish to retain your open sessions but are worried about opening a new link on the same circuit, you can choose “New Tor Circuit for this Site”, which should use a new circuit only for the current window/tab (see FIGURE F for both options).
Most of my safety recommendations for TOR/VPN are controlled directly through TOR, but there are still a few general guidelines and tips that can make your VPN usage more secure. Find a VPN provider that protects against DNS leakage. A good provider will run their own DNS servers for you to use, so that you are not performing name resolution through DNS belonging to your ISP, Google or someone else undesirable. A DNS leak occurs when your OS keeps using the resolvers it would use normally when not on the VPN. This means that although your IP is hidden by the VPN service, your PC still sends its lookups the normal way, so the owner of that DNS server sees every site you look up, which renders your VPN virtually pointless. Make sure you choose a provider that addresses this issue. Many VPN clients will change the DNS servers on your PC’s network adapter the minute you connect, or set the adapter to always use the provider’s servers (whether on the VPN or not). Just like a hosts file, the resolvers configured on your PC take precedence over whatever your router hands out. You can find many DNS leak tests via Google, and some VPN providers even host their own, like TorGuard’s DNS Leak Test. These tests work by having your browser resolve a unique, random hostname and watching which resolver asks the test’s authoritative server for it; whatever shows up there is who sees your lookups, so re-run the test after every reconnect, not just once.
I have said it a thousand times before, but do your research when choosing a VPN provider. You want to be sure you don’t pick someone who is buddy-buddy with governments, spy agencies or LEA. Be certain they do not track and/or retain records of which user(s) and/or IPs accessed the service at what time. You want a provider that does not keep these records; that way, if they are subpoenaed, they will honestly have nothing to give. Don’t choose a provider based in the US, UK, Canada or any other coalition country, for that matter. Try to find a provider based in a country not heavily influenced by the major powers; that way they won’t care about appeasing the evil empire, whichever one it is. You can find some phenomenal VPN reviews, comparisons and other valuable information on Deepdotweb.com in their VPN Comparison Chart.
Unless you’re a network engineer or programmer, I will say there’s no major secret to using TOR and VPN together. The fact that you are using both simultaneously means you have made it considerably more difficult for someone to identify you. The ‘secret’ is to remain smart and observant to maintain anonymity. I always say that if you insist on using your everyday computer with TOR and VPN, you should shut down any applications which identify you by account or otherwise. This can include anything from Dropbox to Steam (gaming platform) to widgets to the lovely new Windows 10 privacy settings. If you’re combining TOR and VPN and someone is trying to track you, they are not going to attempt to ‘break down the vault door’, so to speak; that is, they are not going to scratch their heads trying to crack these things. No, they are going to look for other means to identify you: open programs which can be exploited via Java, a DNS leak, etc. It’s similar to hackers nowadays. A hacker is much more likely to infiltrate a network using social engineering than by breaking in through the firewall, so always be thinking about how you can improve your security and minimize your exposure. You can do many small things to help yourself: do your VPN servers double as SOCKS5 proxy addresses? Then use them. Could you be encrypting all of your email with PGP and then using an already-encrypted email service like ProtonMail on top of that? Why not do it, then? Intelligence agencies and spies feel they have the right to spy on every citizen whether they deserve it or not, so it’s our right, and our mandate, to protect ourselves and fight back with everything we can. Just say NO to Big Brother!