From 931933475a4341481d3a2201a969ad2853e26652 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sol=C3=A8ne=20Rapenne?= Date: Wed, 13 Dec 2023 17:27:24 +0100 Subject: [PATCH 1/5] Update text for 2023 --- ...saries-and-anonymity-systems-the-basics.md | 80 ++++++++----------- 1 file changed, 34 insertions(+), 46 deletions(-) diff --git a/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md b/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md index 0fc09409e..b158ce009 100644 --- a/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md +++ b/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md 
@@ -7,9 +7,9 @@ weight: 20 date: 2014-09-04T08:10:03+00:00 layout: guides-details --- -There are three sorts of players in this game. First, there are users who communicate with other users and/or destinations. Second, there are adversaries (archetypic attackers) with goals such as observing communications, blocking communications, identifying users, associating users with other users and/or destinations, impersonating and/or compromising users and destinations, and so on. +There are three sorts of players in this game. First, there are **users** who communicate with other users and/or destinations. Second, there are **adversaries** (archetypic attackers) with goals such as observing communications, blocking communications, identifying users, associating users with other users and/or destinations, impersonating and/or compromising users and destinations, and so on. -Third, there are services and systems that protect users' communications, providing some mix of anonymity, freedom, privacy and security. Given how anonymity reduces the risk of targeted attack, it's useful to consider these as primarily `anonymity systems`. In this discussion, we first summarize background information about available anonymity systems. We then explore how each is vulnerable to adversaries with various capabilities. +Third, there are services and systems that protect users' communications, providing some mix of anonymity, freedom, privacy and security. Given how anonymity reduces the risk of targeted attack, it's useful to consider these as primarily **anonymity systems**. In this discussion, we first summarize background information about available anonymity systems. We then explore how each is vulnerable to adversaries with various capabilities. It's crucial to keep in mind that none of these anonymity systems provide end-to-end encryption between users and Internet destinations. All traffic between users and system exit nodes is encrypted, of course. 
But traffic between exit nodes and destinations is not encrypted, unless users and destinations are employing end-to-end encryption (such as HTTPS for websites, TLS for email or SSH for remote login). 
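Review bot: this hunk moves `anonymity systems` from backticks to bold, but the same file still cites a section as `Passive Adversaries with Limited Network Reach` in backticks (unchanged context in the next hunk); if backticks are now reserved for code, that cross-reference should use the same bold treatment, or better an intra-page link, so the emphasis convention is consistent after this patch.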
@@ -17,49 +17,47 @@ For email messages, anonymity systems do obscure the user's ISP-assigned IP addr ## Anonymity Systems -Three types of low-latency anonymity systems are available for general Internet access. There are numerous VPN services, one mix network (JonDonym) and one onion-routing network (Tor). All employ encryption to provide privacy and security between users and system exits. Even so, it's always prudent to use end-to-end encryption, because system exits (and adversaries observing them and/or destinations) can otherwise see unencrypted traffic. +Three types of low-latency anonymity systems are available for general Internet access. There are numerous VPN services, [mix networks](https://en.wikipedia.org/wiki/Mix_network) (NymTech) and [onion-routing networks](https://en.wikipedia.org/wiki/Onion_routing) (Tor, Lokinet). All employ encryption to provide privacy and security between users and system exits. Even so, it's always prudent to use end-to-end encryption, because system exits (and adversaries observing them and/or destinations) can otherwise see unencrypted traffic. -Each of these anonymity systems provides anonymity in a particular way, more or less effectively against various adversaries. Excluded from this discussion are various proxy services, such as SSH tunnels (which are harder to use), and web proxies and browser plug-ins (which are far easier to compromise). Also excluded are Freenet and I2P. Freenet is a P2P network designed for anonymous and takedown-resistant publishing, often among closed groups of trusted participants. I2P is a garlic-routing network that focuses primarily on P2P content sharing. Neither Freenet nor I2P focus on general Internet access, although I2P does have Internet gateways. +Each of these anonymity systems provides anonymity in a particular way, more or less effectively against various adversaries. 
Excluded from this discussion are various proxy services, such as SSH tunnels (which are harder to use), and web proxies and browser plug-ins (which are far easier to compromise). Also excluded are Freenet and I2P. Freenet is a P2P network designed for anonymous and takedown-resistant publishing, often among closed groups of trusted participants. I2P is a [garlic-routing network](https://en.wikipedia.org/wiki/Garlic_routing) that focuses primarily on content sharing between I2P users. Neither Freenet nor I2P focus on general Internet access, although I2P does have Internet gateways. ### VPN Services -VPN services are the simplest type of anonymity system. Once a user client and remote VPN server have negotiated an encrypted virtual network connection, the server acts as a proxy for all of the client's Internet traffic. Those services employing properly configured OpenVPN or IPsec protocols (but not the PPTP protocol) provide strong security and privacy (with perfect forward secrecy) between users and system exits. +VPN services are the simplest type of anonymity system. Once a user client and remote VPN server have negotiated an encrypted virtual network connection, the server acts as a proxy for all of the client's Internet traffic. Those services employing properly configured IPSec, OpenVPN or WireGuard protocols (but not the PPTP protocol) provide strong security and privacy (when [perfect forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) is used) between users and system exits. -VPN services provide privacy by hiding Internet destinations from ISPs. And they provide anonymity by hiding user information (such as ISP, identity and geolocation) from destinations. That is, both ends (and associated network observers) see only a VPN server's IPv4 address. Network lag (latency) is far lower than with either JonDonym or Tor, and speed (bandwidth) is 10-20 fold higher. +VPN services provide privacy by hiding Internet destinations from ISPs. 
And they provide anonymity by hiding user information (such as ISP, IP address and geolocation) from destinations. That is, both ends (and associated network observers) see only a VPN server's IP address. Network latency is far lower than with either NymTech or Tor, and speed (bandwidth) is less likely to be limited. -Reputable VPN services use perfect forward secrecy. For OpenVPN, that relies on TLS with transient symmetric session keys. The keys are negotiated on-the-fly, after the server and client have authenticated themselves. They are unpredictable, and frequently changed (by default, hourly). An adversary that compromises a particular session can decrypt only traffic from that session. Traffic from retained intercepts and traffic from future sessions remain secure, because they're encrypted with different session keys. +Reputable VPN services use perfect forward secrecy. For OpenVPN, that relies on TLS with transient symmetric session keys. The keys are negotiated on-the-fly, after the server and client have authenticated themselves. They are unpredictable, and frequently changed (by default, hourly). On the other hand, the [WireGuard](https://www.wireguard.com/) VPN protocol has perfect forward secrecy built in its protocol, every few minutes the negociated temporary symmetric keys used between the peers are rotated with newly generated ones. An adversary that compromises a particular session can decrypt only traffic from that session. Traffic from retained intercepts and traffic from future sessions remain secure, because they're encrypted with different session keys. If an adversary wanted to decrypt snooped traffic by using a bruteforce technique, in case of success it would only work for a particular session before keys are rotated, which make this technique expensive and is a noop, especially if the VPN uses a post-quantum resistant encryption algorithm. VPN services are very easy to set up and use, because providers handle the technical aspects. 
However, the privacy and anonymity that VPN services provide hinges entirely on the operator's integrity and discretion, on its technical competence, and on its ability to prevent adversaries from observing, manipulating and/or compromising its servers. VPN services provide strong protection against local adversaries, and good protection against censorship and routine mass surveillance, even at the national level. However, they provide limited protection against adversaries with international reach. Such adversaries may coerce providers and/or their hosting providers or ISPs, and so may observe, manipulate and/or compromise their servers. They also provide limited protection against determined and resourceful censors. We discuss that further below, under `Passive Adversaries with Limited Network Reach`. -In some jurisdictions, VPN providers may be served with court orders that can not be disclosed without serious penalties. But there's a workaround: the warrant canary. As long as no such court order has been received, the provider may regularly publish a statement to that effect. If the warrant canary isn't renewed on schedule, users may safely infer that the provider has received such a court order. There is no need for the provider to take active steps that would violate the order. +In some jurisdictions, VPN providers may be served with court orders that can not be disclosed without serious penalties. But there's a workaround: the warrant canary. As long as no such court order has been received, the provider may regularly publish a statement to that effect. If the warrant canary isn't renewed on schedule, users may safely infer that the provider has received such a court order. There is no need for the provider to take active steps that would violate the order. Canaries are often web pages, cryptographically signed and displaying the date of signature, so users can verify the authenticity of the canary, the signature prevents anyone from publish a fake canary. 
-Some VPN services provide multi-hop routing. Users' traffic is proxied, in turn, through servers in different nations. Given that, users sharing a given entry node are typically using different exit nodes, and users sharing a given exit node are typically using different entry nodes. Other VPN services rotate users' traffic among multiple exit servers. Such approaches protect better against adversaries with limited international reach. Even so, all bets are off for those who are targeted by more resourceful state adversaries. +Some VPN services provide multi-hop routing. Users' traffic is proxied, in turn, through multiple servers, it's best when those are located in different nations. Given that, users sharing a given entry node are typically using different exit nodes, and users sharing a given exit node are typically using different entry nodes. Other VPN services rotate users' traffic among multiple exit servers. Such approaches protect better against adversaries with limited international reach. Even so, all bets are off for those who are targeted by more resourceful state adversaries. -### JonDonym - -[JonDonym](https://anonymous-proxy-servers.net/) is a mix-based anonymity system, currently comprising 42 mixing servers (mixes). It is a closed system of trusted mixes. It provides anonymity through unpredictable randomization of traffic through fixed cascades of anonymizing mixes (`mixing`). Each mix delays incoming packets, from multiple user clients or adjacent mixes, for random periods of time, and then forwards them in randomized order. JonDonym mixes strip layers of encryption to anonymize traffic from non-adjacent mixes. +### Tor -Six free two-mix JonDonym cascades are available, and ten premium three-mix cascades. Unlike multi-hop VPN services and Tor, each mix participates in just one cascade, and so each cascade has a static pair of entry and exit IP addresses (as do one-hop VPN services). 
As with VPN services, anonymity ultimately relies on mix operators' integrity and discretion, and on their ability to prevent adversaries from observing, manipulating and/or compromising their servers. Still, given mixing and the distribution of trust among multiple mix operators, JonDonym generally provides stronger anonymity than VPN services can, even those services that provide multi-hop routing. +[Tor](https://www.torproject.org/) is a second-generation onion-routing anonymity system, currently comprising about 8000 anonymizing relays (as of December 2023) ([Tor Servers Metrics](https://metrics.torproject.org/networksize.html)). It is an open system, with highly distributed trust, and no centralized ownership. It provides anonymity through dynamic, unpredictable and hard-to-trace routing through a large network of untrusted relays. Unlike VPN services, adversaries are free to participate by running relays. Even so, there is oversight by a core group of trusted developers and relay operators, and there is a vetting process for new relays. -Mix operators must be verified and certified by JonDos GmbH, and cascades are created through negotiation among mix operators. The entry cost of becoming a mix operator is nontrivial, given oversight by the existing community of trusted mix operators. There is no such process for operators of Tor relays. There is no firm requirement to even provide contact information. Tor developers do monitor relay behavior, and relays that behave maliciously are restricted, and eventually banned. Even so, there's constant flux of Tor relays, but JonDonym mix operators can't come and go so easily. +User clients connect through the Tor network, creating encrypted three-relay circuits at random, and changing them frequently. Circuit traffic is relayed in fixed-size (512-byte) cells. At each step, relays remove a layer of encryption. That prevents non-adjacent relays from identifying each other, and helps protect against malicious relays. 
Traffic between relays is TLS encrypted, on top of the onion-routing circuit encryption. That somewhat obscures the circuit's cell pattern (number and timing) from external adversaries. However, unlike mixnets, Tor relays do not explicitly mix traffic. -### Tor +Although the Tor network is large, many of its 8000 relays have limited uptime, limited usable bandwidth, and/or exit restrictions (e.g., blocking IRC). Such limitations reduce the network's effective size, and they also increase its vulnerability to adversaries who can introduce numerous attractive relays. -[Tor](https://www.torproject.org/) is a second-generation onion-routing anonymity system, currently comprising about 6000 anonymizing relays. It is an open system, with highly distributed trust, and no centralized ownership. It provides anonymity through dynamic, unpredictable and hard-to-trace routing through a large network of untrusted relays. Unlike VPN services and JonDonym, adversaries are free to participate by running relays. Even so, there is oversight by a core group of trusted developers and relay operators, and there is a vetting process for new relays. +### Mix networks -User clients connect through the Tor network, creating encrypted three-relay circuits at random, and changing them frequently. Circuit traffic is relayed in fixed-size (512-byte) cells. At each step, relays remove a layer of encryption. That prevents non-adjacent relays from identifying each other, and helps protect against malicious relays. Traffic between relays is TLS encrypted, on top of the onion-routing circuit encryption. That somewhat obscures the circuit's cell pattern (number and timing) from external adversaries. However, unlike JonDonym mixes, Tor relays do not explicitly mix traffic. 
+A [Mix network](https://blog.nymtech.net/a-simple-introduction-to-mixnets-6783a103d20e), commonly called "mixnet", is a system that routes network traffic between peers but hiding the metadata associated with the traffic, mostly by routing fake traffic and adding delay in the transmission to prevent traffic correlation if an adversary monitors multiple nodes. There are currently two young implementations of mix networks: [NymTech](https://nymtech.net/docs) and [Lokinet](https://lokinet.org/). In order to offer a high quality of service those networks make use of blockchain tokens, both to incentivize the hosting of highly available routers by rewarding operators, and to fully decentralize the network management. This also mean the network isn't free of use as you need to own tokens. -Although the Tor network is far larger than JonDonym, many of its 6000 relays have limited uptime, limited usable bandwidth, and/or exit restrictions (e.g., blocking IRC). Such limitations reduce the network's effective size, and they also increase its vulnerability to adversaries who can introduce numerous attractive relays. +A mix network should provide full anonymity as the network packets are mixed between different layers of routers, cover packets can be created to reach the desired [level of anonymity](https://blog.nymtech.net/an-empirical-study-of-privacy-scalability-and-latency-of-nym-mixnet-ff05320fb62d), fake bouncing packets create fake inbound traffic to reduce correlation possibility, and packets are delayed in each layer of routers so the timing can't be analyzed by an observer to trace a packet from the destination to its origin. The only fact that could be known would be that an user is connected to the mix network. However, we still lack feedback about these networks in a real world usage as they are quite recent, compared to Tor which has been successfully running for decades. 
## Adversaries -All low-latency anonymity systems are broken against adversaries that can observe, manipulate and/or compromise both ends of a connection. That is certainly so for VPN services, JonDonym and Tor. Increasing the number of intervening system nodes doesn't prevent such compromise. Conversely, all three systems protect well against weak local adversaries. However, one can distinguish them by considering their vulnerability to three canonical classes of attackers, or adversaries, each resourceful in distinct ways. +All low-latency anonymity systems are broken against adversaries that can observe, manipulate and/or compromise both ends of a connection. That is certainly so for VPN services, mixnets and Tor. Increasing the number of intervening system nodes doesn't prevent such compromise. Conversely, all three systems protect well against weak local adversaries. However, one can distinguish them by considering their vulnerability to three canonical classes of attackers, or adversaries, each resourceful in distinct ways. Passive adversaries simply intercept and analyze network traffic, seeking to correlate streams entering and exiting anonymity systems. Byzantine adversaries can mark or otherwise modify traffic, primarily to facilitate traffic correlation. Realistic passive adversaries are Byzantine, and so we lump them together. However, there is a key distinction: anonymity systems can't detect purely passive adversaries, except through consequent Byzantine activity, and so active defense against them is problematic. -There are two sorts of active adversaries. Sybil adversaries focus on system-level vulnerabilities, and exploit them by running numerous malicious clients and/or network nodes. Sybil is the pseudonym of the patient in a well-known book about multiple-personality disorder. In this context, its use puns on the strategy of using numerous, apparently independent puppets in a collective attack. +There are two sorts of active adversaries. 
[Sybil adversaries](https://en.wikipedia.org/wiki/Sybil_attack) focus on system-level vulnerabilities, and exploit them by running numerous malicious clients and/or network nodes. Sybil is the pseudonym of the patient in a well-known book about multiple-personality disorder. In this context, its use puns on the strategy of using numerous, apparently independent puppets in a collective attack. Coercive adversaries focus on security vulnerabilities of particular network nodes, and exploit them appropriately, seeking system compromise. They may also go after system operators, employing social engineering or phishing attacks, physical attacks, political or legal authority, and so on. They may also carry out such attacks against high-value users. These are highly complex topics, and not at all specific to anonymity systems, and so we don't discuss them further. 
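Review bot: Lokinet is classified two different ways inside this hunk: the rewritten intro lists it under onion-routing networks ("(Tor, Lokinet)"), while the new "Mix networks" section calls it one of "two young implementations of mix networks" alongside NymTech. Pick one classification and fix the other mention; as written the "Adversaries" section's "VPN services, mixnets and Tor" split cannot be applied to Lokinet. Second, the added brute-force sentence in the forward-secrecy paragraph does not say what it means: "is a noop" says the attack has no effect at all, and "post-quantum resistant encryption algorithm" is about the key exchange, not about brute-forcing a session's symmetric key. The point the paragraph is making is that recovering one session key, by whatever means, exposes only that rekey interval, and that retained intercepts of other intervals stay secure; suggest stating it that way and dropping "noop". Smaller fixes: "IPSec" (the removed line had "IPsec"), "negociated" should be "negotiated", "which make this technique expensive" should be "which makes", "prevents anyone from publish a fake canary" should be "from publishing", the canary sentence and the "proxied, in turn, through multiple servers, it's best when" sentence are comma splices, "This also mean the network isn't free of use" should be "This also means the network isn't free to use", and "an user" should be "a user".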
@@ -67,7 +65,7 @@ These distinctions are clearly artificial, and some actual attackers (prototypic ### Passive Adversaries with Limited Network Reach -For passive and Byzantine adversaries, key resources are network reach to obtain intercepts, data storage, and computing capacity for traffic correlation (and for Byzantine adversaries, modification). For governments, network reach typically depends on legal authority and/or political influence, supplemented through agreements with peers. For non-governmental passive adversaries, such as schools, businesses and ISPs at various levels, ownership and/or management authority typically limits network reach. And for those adversaries with requisite expertise and resources, stealth is always an option. +For passive and Byzantine adversaries, key resources are network reach to obtain intercepts, data storage, and computing capacity for traffic correlation (and for Byzantine adversaries, modification). For governments, network reach typically depends on legal authority and/or political influence, supplemented through agreements with peers. For non-governmental passive adversaries, such as schools, businesses and ISPs at various levels, ownership and/or management authority typically limit network reach. And for those adversaries with requisite expertise and resources, stealth is always an option. All low-latency anonymity systems arguably protect against passive adversaries that can access just one end of a connection. That's typically the case for most non-governmental passive adversaries, except for Tier 1 ISPs. Most governments (excepting the NSA and collaborators, such as the Five Eyes) can only see one end of international connections. In such cases, the hardest part is typically penetrating a perimeter firewall. It might be an enterprise firewall, or the Great Firewall (GFW) of China. But without additional intercepts, traffic correlation and modification can't accomplish very much. 
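Review bot: the only change in this hunk flips "limits" to "limit", but the head noun of "ownership and/or management authority" is the singular "authority", so the original agreement was already correct; I would revert this, or recast as "ownership or management authority typically limits network reach" if the aim was to remove the and/or ambiguity.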
@@ -75,39 +73,35 @@ While China is obviously a very formidable adversary, its international network The GFW blocks anonymity systems in at least four ways. First, it blocks access to known entry servers. Second, it blocks traffic based on connection protocol, determined from characteristic headers and packet patterns. Third, it probes suspected entry servers, trying to detect anonymity systems by posing as a client. Fourth, as a last resort, it may simply throttle or block all encrypted traffic. -Anonymity systems can evade the GFW (and other firewalls) by encapsulating their traffic in more generic connections routed via proxy servers. Some VPN services offer SSH and/or SSL (stunnel) proxies, and a few use proprietary closed-source transport protocols. The Tor Project has developed an open-source pluggable transport framework, comprising the core [obfsproxy](https://www.torproject.org/projects/obfsproxy.html.en) app, and an evolving series of transport plug-ins. It's a SOCKS5 proxy, and should work with virtually any anonymity system. So far, only iVPN is using it. +Anonymity systems can evade the GFW (and other firewalls) by encapsulating their traffic in more generic connections routed via proxy servers. Some VPN services offer obfuscation proxy protocols such as [V2RAY](https://www.v2ray.com/en/) or [Obfsproxy](https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports) (developped by the Tor project), SSH and/or TLS (stunnel) proxies, and a few use proprietary closed-source transport protocols. However, against resourceful adversaries, obfuscating the transport protocol is just a temporary fix. Once an adversary has identified a proxy server, it can simply block traffic to that IP address. More seriously, the adversary can also readily identify all users connecting to that proxy server. Furthermore, by investigating hosts that those users subsequently connect to, it can readily identify additional proxy servers. 
-Distributing proxies is a hard problem. Adversaries can enumerate proxies by posing as users, and resourceful adversaries can field numerous malicious users. Tor bridges are distributed in several ways. Volunteers can create bridges, and share addresses on an ad hoc basis. There's a central BridgeDB, which can be accessed by the Tor client, and reached through its website. The BridgeDB can also be queried by email, but only from email addresses that are more-or-less difficult to obtain. - -Reputation-based alternatives are under investigation. Bridges could be distributed through various channels, such as individual users, private email lists, or social networks. The reputation of each channel would depend on the overall fate of bridges that had been distributed through it, and new bridges would be distributed through channels in proportion to reputation. +Distributing proxies is a hard problem. Adversaries can enumerate proxies by posing as users, and resourceful adversaries can field numerous malicious users. Tor bridges are distributed in several ways. Volunteers can create bridges, and share addresses on an ad hoc basis. There's a central BridgeDB but the bridges list isn't public information, but there are [different methods](https://tb-manual.torproject.org/bridges/) to obtain a bridge address in an automated way. -The recently proposed [CloudTransport bridge](https://www.petsymposium.org/2014/papers/Brubaker.pdf) design takes a different approach. It relies on cloud servers, with IP addresses that would change frequently, and would be drawn from large pools shared with mainstream cloud-hosted services. Censors couldn't readily and reliably distinguish bridge users from those using other services on the cloud host. In order to block such bridges, censors would need to block entire ranges of IP addresses, and in doing so, they would also block access to other cloud services. 
+The recently proposed [Raceboat](https://petsymposium.org/popets/2024/popets-2024-0027.pdf) framework, inspired by [CloudTransport bridge](https://www.petsymposium.org/2014/papers/Brubaker.pdf) design takes a different approach. Raceboat purpose is to offer a censorship resistant service helping end users to get access to bridges with a large choice of protocols, instead of having each software embedding their own [Pluggable Transport](https://www.pluggabletransports.info/). ### Passive Adversaries with International Network Reach -Tor is generally far less vulnerable than are JonDonym or most VPN services to passive adversaries with international network reach. It is far larger, and far less vulnerable to coercion. There are many more simultaneous users, and many more nodes (relays). Relays are distributed globally, in numerous data centers, among many nations, and with no central ownership or management. Furthermore, traffic paths change, frequently and unpredictably. Given that, it is arguably impractical for most adversaries to obtain enough intercepts. +Tor is generally far less vulnerable than are most VPN services to passive adversaries with international network reach. It is far larger, and far less vulnerable to coercion. There are many more simultaneous users, and many more nodes (relays). Relays are distributed globally, in numerous data centers, among many nations, and with no central ownership or management. Furthermore, traffic paths change, frequently and unpredictably. Given that, it is arguably impractical for most adversaries to obtain enough intercepts. -Global passive adversaries would, by definition, have enough intercepts. However, there are typically about two million Tor users, and on the order of several million concurrent circuits. 
Tracing a particular Tor circuit would entail correlating conversations in one intercept (presumably starting with an exit relay or entry guard) with several million conversations intercepted from at most a few thousand other relays. That would be trivial for a global adversary. However, cross correlating all of the several million concurrent conversations from all Tor relays would involve on the order of 10{{< sup >}}13{{< / sup >}} comparisons, which is arguably not so trivial. In other words, all but the most resourceful global passive adversaries may be computationally bounded. And in any case, as discussed below, Sybil attacks against Tor are far easier. +Global passive adversaries would, by definition, have enough intercepts. However, there are typically about [four million Tor users](https://metrics.torproject.org/userstats-relay-country.html), and on the order of several million concurrent circuits. Tracing a particular Tor circuit would entail correlating conversations in one intercept (presumably starting with an exit relay or entry guard) with several million conversations intercepted from at most a few thousand other relays. That would be trivial for a global adversary. However, cross correlating all of the several million concurrent conversations from all Tor relays would involve on the order of 10{{< sup >}}13{{< / sup >}} comparisons, which is arguably not so trivial. In other words, all but the most resourceful global passive adversaries may be computationally bounded. And in any case, as discussed below, Sybil attacks against Tor are far easier. -Against adversaries with enough network reach to observe a given fraction of the system's nodes, JonDonym does resist compromise better than Tor does. That is so because JonDonym mixes distort traffic patterns, whereas Tor relays do not. That distortion hinders correlation of traffic flows captured in different network segments. 
However, because JonDonym is smaller than Tor, with less geographic diversity, observing substantially all system nodes would require less network reach for JonDonym than for Tor. And once an adversary can see both ends of a connection, in-network mixing becomes relatively useless. +Against adversaries with enough network reach to observe a given fraction of the system's nodes, mixnets resist compromise better than Tor does. That is so because mixnets distort traffic patterns, whereas Tor relays do not. That distortion hinders correlation of traffic flows captured in different network segments. -There are but nine JonDonym mix operators, headquartered in six nations. There are 16 mix cascades: six free two-mix cascades, and ten premium three-mix cascades. Each cascade is static, with a fixed entry and exit IP address. The 42 entry and exit mixes (each used in just one cascade) are located in just 17 data centers, in 12 nations. And there are typically about 20-60 users on each of the ten premium cascades, and about 400-500 users for each of the six free cascades. +Against adversaries with limited international network reach, Tor resists compromise correctly. That is so for two reasons. First, as noted, observing all system nodes is hard for Tor. Second, cross correlating user conversations between entry and exit intercepts involves a lot of comparisons. Conversely, cross correlating all Tor conversations would require on the order of 10{{< sup >}}13{{< / sup >}} comparisons. -Against adversaries with limited international network reach, Tor resists compromise better than JonDonym does. That is so for two reasons. First, as noted, observing all system nodes is harder for Tor than for JonDonym. Second, cross correlating user conversations between entry and exit intercepts would involve far less comparisons for JonDonym. 
Given that there is no mixing among cascades, cross correlating all of JonDonym's 2600-3600 entry and exit conversations would involve only on the order of 10{{< sup >}}7{{< / sup >}} comparisons, which would arguably be trivial for a global adversary, even in real time. Conversely, compromising all Tor conversations would require on the order of 10{{< sup >}}13{{< / sup >}} comparisons. +Most VPN services are vulnerable against international reach adversaries. There are typically 10-100 servers, located in 5-20 data centers, in perhaps as many nations, with a hundred users per server. All servers are typically under common ownership and/or management. For providers offering only one-hop routes, an adversary only need to correlate entry and exit conversations on one server. For all but the largest VPN services, cross correlating all entry and exit conversations would involve far less than a million comparisons. -Most VPN services are even more vulnerable. There are typically 10-100 servers, located in 5-20 data centers, in perhaps as many nations, with about 50 users per server. All servers are typically under common ownership and/or management. Most providers offer only one-hop routes, and so an adversary need only correlate entry and exit conversations on one server. For all but the largest VPN services, cross correlating all entry and exit conversations would involve far less than a million comparisons. +A few large VPN services have several hundred or more servers, with numerous IP addresses per server, located in perhaps more than 100 data centers. But even for the largest, cross correlating all entry and exit conversations would involve at most a few million comparisons. It all depends on where entry and exit nodes are located, where an adversary can observe traffic, and how many comparisons among concurrent conversations would be required. 
However, given common ownership and/or management of VPN services, social engineering, or legal and/or political coercion, would be more-likely approaches. -A few large VPN services have several hundred or more servers, with numerous IP addresses per server, located in perhaps more than 100 data centers. But even for the largest, cross correlating all entry and exit conversations would involve at most a few million comparisons. Still, it's possible that some of the largest VPN services offer better anonymity than JonDonym does. It all depends on where entry and exit nodes are located, where an adversary can observe traffic, and how many comparisons among concurrent conversations would be required. However, given common ownership and/or management of VPN services, social engineering, or legal and/or political coercion, would be more-likely approaches. - -Some VPN services offer multi-hop routes. For example, there might be three servers (A,B,C) in different countries, with six available two-hop routes (A-B,A-C,B-A,B-C,C-A,C-B). Multi-hop routes can offer better protection against passive adversaries with limited network reach, because all users' traffic transits two or more nations. Also, as the entry and exit servers connect using VPNs, adversaries can't intercept individual user connections between servers. But again, common ownership and/or management is the key vulnerability. +Some VPN services offer multi-hop routes. For example, there might be three servers (A,B,C) in different countries, with six available two-hop routes (A-B,A-C,B-A,B-C,C-A,C-B). Multi-hop routes can offer better protection against passive adversaries with limited network reach, because all users' traffic transits two or more nations. Also, as the entry and exit servers connect using VPNs, adversaries can't intercept individual user connections between servers. But again, common ownership and/or management is the key vulnerability. 
Multi-hop providers are less vulnerable when the servers are not all in the reach of the adversary who would either know from the VPN entry point that a user is using a multi hop VPN, or from the VPN exit point that a request was done from a multi hop setup. ### Sybil Adversaries For Sybil adversaries, key assets are large server clusters and fast uplinks. That allows them to run numerous malicious clients and/or attractive network nodes, to efficiently analyze collected data, and to exploit what they learn. They are strongest when they own both clients and network nodes of anonymity systems, because they can use them synergetically. There is no requirement for broad network reach, just bandwidth. We conservatively assume that Sybil adversaries are computationally unbounded. -Even with limited organizational support, anyone with the financial resources and expertise to wield large cloud server clusters (such as AWS cluster compute instances) can be a strong Sybil adversary, at least for limited periods of time. Given typical cloud pricing structures, enormous resources are very affordable on limited terms. China is undoubtedly a formidable Sybil adversary, given its immense technical (and human) resources. But other plausible examples range from skilled individuals to small academic research groups to non-government gangs to state-level intelligence agencies (such as the NSA). +Even with limited organizational support, anyone with the financial resources and expertise to wield large cloud server clusters (such as public cloud cluster compute instances) can be a strong Sybil adversary, at least for limited periods of time. Given typical cloud pricing structures, enormous resources are very affordable on limited terms. China is undoubtedly a formidable Sybil adversary, given its immense technical (and human) resources. 
But other plausible examples range from skilled individuals to small academic research groups to non-government gangs to state-level intelligence agencies (such as the NSA). ### Sybil Adversaries vs VPN Services 
@@ -117,19 +111,13 @@ Consider an adversary, with limited network reach, that seeks to deanonymize tho An effective DDoS attack on a particular VPN server would interfere with its users activity, and might even take them offline. Given enough testing, the Sybil adversary would know which VPN server each targeted user was connecting through. Knowing that, the adversary might try to directly compromise the server, or go after the operator and/or hosting provider. Depending on its resources, it might use such approaches as political or legal coercion, spearphishing and social engineering. -For adversaries that can observe traffic at Internet exchange points between users and VPN servers, there may be no need to compromise VPN servers or their operators. Given an effective DDoS attack on the right VPN server, the adversary would see impacts on both a user's online activity and their connection to the server. State-level adversaries are canonically resourceful for such attacks against all low-latency anonymity systems, but especially against VPN services (smallest) and JonDonym (smaller than Tor). - -### Sybil Adversaries vs JonDonym - -Introducing malicious JonDonym mixes is also difficult. As noted, mix operators must be verified and certified, and there is apparently close oversight by an existing community of trusted mix operators. Also, JonDonym cascades are static, and new operators generally don't join existing cascades, but rather find partners for new ones. Given that, compromising existing mixes or operators would arguably be more efficient. Therefore, we consider Sybil attacks involving malicious JonDonym mixes to be coercion, which we don't discuss. - -The six free JonDonym cascades are in theory vulnerable to the attacks discussed above for VPN services. However, given that free cascades typically operate at near maximum capacity, DDoS attacks would ramp up quite slowly. 
Sybil attacks against the ten premium cascades would be faster, because they typically operate at far below maximum capacity. Although numerous premium accounts would be required, creating them would not be an issue for resourceful adversaries. Perhaps more problematic would be the response of mix operators to a large influx of new premium clients. +For adversaries that can observe traffic at Internet exchange points between users and VPN servers, there may be no need to compromise VPN servers or their operators. Given an effective DDoS attack on the right VPN server, the adversary would see impacts on both a user's online activity and their connection to the server. State-level adversaries are canonically resourceful for such attacks against all low-latency anonymity systems, but especially against VPN services. ### Sybil Adversaries vs Tor -Although Tor is much larger than JonDonym and VPN services, it is an open system, where Sybil adversaries can readily wield both clients and relays. Given that, Tor is arguably more vulnerable to pure Sybil adversaries, which we consider to have very limited network reach and no coercive authority. Indeed, Sybil attacks by academic research groups have apparently compromised substantial percentages of Tor users over several months. +Although Tor is much larger than VPN services, it is an open system, where Sybil adversaries can readily wield both clients and relays. Given that, Tor is arguably more vulnerable to pure Sybil adversaries, which we consider to have very limited network reach and no coercive authority. Indeed, Sybil attacks by academic research groups have apparently compromised substantial percentages of Tor users over several months. -Given that the NSA (or even China) has orders of magnitude more resources, one might expect that Tor is entirely defenseless against them. 
However, even though Tor is an open system of untrusted relays, entry and behavior of relays are subject to oversight by a core group of trusted developers and relay operators. Also, there is a vetting process for new relays, which seeks to limit disruptive and malicious behavior. +Given that state level actors have orders of magnitude more resources, one might expect that Tor is entirely defenseless against them. However, even though Tor is an open system of untrusted relays, entry and behavior of relays are subject to oversight by a core group of trusted developers and relay operators. Also, there is a vetting process for new relays, which seeks to limit disruptive and malicious behavior. In other words, Sybil attacks on Tor aren't so much limited by an adversary's resources as they are by oversight. While that largely mitigates the resource advantage possessed by nation-state adversaries such as the NSA and China, it does so only for Sybil attacks. There is no such defense against passive network analysis by nation-state adversaries with adequate network reach, because it's not readily detectable. 
@@ -137,4 +125,4 @@ Consider a pure Sybil adversary, which can wield numerous malicious Tor clients For malicious entry guards, the strategy involves avoiding the Exit flag by blocking connections to the Internet, and getting the Guard flag by being online continuously for at least eight days. In practice, malicious entry guards would remain online continuously during an attack, so as to maximize their usage. For malicious exit relays, the strategy involves getting the Exit flag by allowing connections to the Internet, and avoiding the Guard flag by being continuously online for periods of a week or less. -An adversary can increase the speed and breadth of this Sybil attack by employing malicious clients in DDoS attacks against honest relays. By attacking honest entry guards, the adversary can gradually push user clients to its malicious entry guards. Similarly, by attacking honest exit relays, the adversary can push user clients to its malicious exit relays. \ No newline at end of file +An adversary can increase the speed and breadth of this Sybil attack by employing malicious clients in DDoS attacks against honest relays. By attacking honest entry guards, the adversary can gradually push user clients to its malicious entry guards. Similarly, by attacking honest exit relays, the adversary can push user clients to its malicious exit relays. From 9bbfdbfba2c61c0483ab8e6453a798235ea2862e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sol=C3=A8ne=20Rapenne?= Date: Fri, 22 Dec 2023 11:04:40 +0100 Subject: [PATCH 2/5] fix typos --- ...saries-and-anonymity-systems-the-basics.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md b/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md index b158ce009..d929e21af 100644 --- a/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md 
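Review bot: in PATCH 1/5, the "+" paragraph beginning "Against adversaries with limited international network reach, Tor resists compromise correctly" reads as a leftover from the removed "better than JonDonym does"; "correctly" is the wrong word, suggest "Tor resists compromise reasonably well". In the same paragraph, "Conversely, cross correlating all Tor conversations would require on the order of 10^13 comparisons" no longer contrasts with anything once the JonDonym figure is gone and merely restates the previous sentence; fold the two together, e.g. "Second, cross correlating user conversations between entry and exit intercepts would require on the order of 10^13 comparisons." The "+Most VPN services are vulnerable against international reach adversaries" line should read "vulnerable to adversaries with international network reach", "an adversary only need to correlate" should be "only needs to correlate", and the per-server figure silently changes from "about 50 users" to "a hundred users" without the commit message saying why; please note the source of the new number. Finally, the added sentence "Multi-hop providers are less vulnerable when the servers are not all in the reach of the adversary who would either know from the VPN entry point that a user is using a multi hop VPN, or from the VPN exit point that a request was done from a multi hop setup" is a run-on whose logic is hard to follow; suggest "Multi-hop providers are less vulnerable when not all servers are within the adversary's reach: from the entry server alone, the adversary learns only that a user is using a multi-hop VPN; from the exit server alone, only that a request came from a multi-hop setup." and hyphenate "multi-hop" as elsewhere in the file.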
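Review bot: in the PATCH 1/5 hunk "@@ -117,19 +111,13 @@", the replacement "Given that state level actors have orders of magnitude more resources" should be hyphenated "state-level" to match "State-level adversaries" two paragraphs above and "nation-state adversaries" in the following context line. Also, generalizing "the NSA (or even China)" to "state level actors" is undone by the unchanged next sentence, which still says "nation-state adversaries such as the NSA and China"; either keep the names in both sentences or generalize both.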
+++ b/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md 
@@ -23,11 +23,11 @@ Each of these anonymity systems provides anonymity in a particular way, more or ### VPN Services -VPN services are the simplest type of anonymity system. Once a user client and remote VPN server have negotiated an encrypted virtual network connection, the server acts as a proxy for all of the client's Internet traffic. Those services employing properly configured IPSec, OpenVPN or WireGuard protocols (but not the PPTP protocol) provide strong security and privacy (when [perfect forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) is used) between users and system exits. +VPN services are the simplest type of anonymity system. Once a user client and remote VPN server have negotiated an encrypted virtual network connection, the server acts as a proxy for all the client's Internet traffic. Those services employing properly configured IPSec, OpenVPN or WireGuard protocols (but not the PPTP protocol) provide strong security and privacy (when [perfect forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) is used) between users and system exits. VPN services provide privacy by hiding Internet destinations from ISPs. And they provide anonymity by hiding user information (such as ISP, IP address and geolocation) from destinations. That is, both ends (and associated network observers) see only a VPN server's IP address. Network latency is far lower than with either NymTech or Tor, and speed (bandwidth) is less likely to be limited. -Reputable VPN services use perfect forward secrecy. For OpenVPN, that relies on TLS with transient symmetric session keys. The keys are negotiated on-the-fly, after the server and client have authenticated themselves. They are unpredictable, and frequently changed (by default, hourly). 
On the other hand, the [WireGuard](https://www.wireguard.com/) VPN protocol has perfect forward secrecy built in its protocol, every few minutes the negociated temporary symmetric keys used between the peers are rotated with newly generated ones. An adversary that compromises a particular session can decrypt only traffic from that session. Traffic from retained intercepts and traffic from future sessions remain secure, because they're encrypted with different session keys. If an adversary wanted to decrypt snooped traffic by using a bruteforce technique, in case of success it would only work for a particular session before keys are rotated, which make this technique expensive and is a noop, especially if the VPN uses a post-quantum resistant encryption algorithm. +Reputable VPN services use perfect forward secrecy. For OpenVPN, that relies on TLS with transient symmetric session keys. The keys are negotiated on-the-fly, after the server and client have authenticated themselves. They are unpredictable, and frequently changed (by default, hourly). On the other hand, the [WireGuard](https://www.wireguard.com/) VPN protocol has perfect forward secrecy built in its protocol, every few minutes the negotiated temporary symmetric keys used between the peers are rotated with newly generated ones. An adversary that compromises a particular session can decrypt only traffic from that session. Traffic from retained intercepts and traffic from future sessions remain secure, because they're encrypted with different session keys. If an adversary wanted to decrypt snooped traffic by using a brute force technique, in case of success it would only work for a particular session before keys are rotated, which make this technique expensive and is a no-op, especially if the VPN uses a post-quantum resistant encryption algorithm. VPN services are very easy to set up and use, because providers handle the technical aspects. 
However, the privacy and anonymity that VPN services provide hinges entirely on the operator's integrity and discretion, on its technical competence, and on its ability to prevent adversaries from observing, manipulating and/or compromising its servers. 
@@ -47,9 +47,9 @@ Although the Tor network is large, many of its 8000 relays have limited uptime, ### Mix networks -A [Mix network](https://blog.nymtech.net/a-simple-introduction-to-mixnets-6783a103d20e), commonly called "mixnet", is a system that routes network traffic between peers but hiding the metadata associated with the traffic, mostly by routing fake traffic and adding delay in the transmission to prevent traffic correlation if an adversary monitors multiple nodes. There are currently two young implementations of mix networks: [NymTech](https://nymtech.net/docs) and [Lokinet](https://lokinet.org/). In order to offer a high quality of service those networks make use of blockchain tokens, both to incentivize the hosting of highly available routers by rewarding operators, and to fully decentralize the network management. This also mean the network isn't free of use as you need to own tokens. +A [Mix network](https://blog.nymtech.net/a-simple-introduction-to-mixnets-6783a103d20e), commonly called "mixnet", is a system that routes network traffic between peers but hiding the metadata associated with the traffic, mostly by routing fake traffic and adding delay in the transmission to prevent traffic correlation if an adversary monitors multiple nodes. There are currently two young implementations of mix networks: [NymTech](https://nymtech.net/docs) and [Lokinet](https://lokinet.org/). In order to offer a high quality of service those networks make use of blockchain tokens, both to incentivize the hosting of highly available routers by rewarding operators, and to fully decentralize the network management. This also mean the network isn't free of use as you need to own tokens. 
-A mix network should provide full anonymity as the network packets are mixed between different layers of routers, cover packets can be created to reach the desired [level of anonymity](https://blog.nymtech.net/an-empirical-study-of-privacy-scalability-and-latency-of-nym-mixnet-ff05320fb62d), fake bouncing packets create fake inbound traffic to reduce correlation possibility, and packets are delayed in each layer of routers so the timing can't be analyzed by an observer to trace a packet from the destination to its origin. The only fact that could be known would be that an user is connected to the mix network. However, we still lack feedback about these networks in a real world usage as they are quite recent, compared to Tor which has been successfully running for decades. +A mix network should provide full anonymity as the network packets are mixed between different layers of routers, cover packets can be created to reach the desired [level of anonymity](https://blog.nymtech.net/an-empirical-study-of-privacy-scalability-and-latency-of-nym-mixnet-ff05320fb62d), fake bouncing packets create fake inbound traffic to reduce correlation possibility, and packets are delayed in each layer of routers, so the timing can't be analyzed by an observer to trace a packet from the destination to its origin. The only fact that could be known would be that a user is connected to the mix network. However, we still lack feedback about these networks in a real world usage as they are quite recent, compared to Tor which has been successfully running for decades. ## Adversaries 
@@ -65,7 +65,7 @@ These distinctions are clearly artificial, and some actual attackers (prototypic ### Passive Adversaries with Limited Network Reach -For passive and Byzantine adversaries, key resources are network reach to obtain intercepts, data storage, and computing capacity for traffic correlation (and for Byzantine adversaries, modification). For governments, network reach typically depends on legal authority and/or political influence, supplemented through agreements with peers. For non-governmental passive adversaries, such as schools, businesses and ISPs at various levels, ownership and/or management authority typically limit network reach. And for those adversaries with requisite expertise and resources, stealth is always an option. +For passive and Byzantine adversaries, key resources are network reach to obtain intercepts, data storage, and computing capacity for traffic correlation (and for Byzantine adversaries, modification). For governments, network reach typically depends on legal authority and/or political influence, supplemented through agreements with peers. Finally, the non-governmental passive adversaries, such as schools, businesses and ISPs at various levels, ownership and/or management authority typically limit network reach. And for those adversaries with requisite expertise and resources, stealth is always an option. All low-latency anonymity systems arguably protect against passive adversaries that can access just one end of a connection. That's typically the case for most non-governmental passive adversaries, except for Tier 1 ISPs. Most governments (excepting the NSA and collaborators, such as the Five Eyes) can only see one end of international connections. In such cases, the hardest part is typically penetrating a perimeter firewall. It might be an enterprise firewall, or the Great Firewall (GFW) of China. But without additional intercepts, traffic correlation and modification can't accomplish very much. 
@@ -73,7 +73,7 @@ While China is obviously a very formidable adversary, its international network The GFW blocks anonymity systems in at least four ways. First, it blocks access to known entry servers. Second, it blocks traffic based on connection protocol, determined from characteristic headers and packet patterns. Third, it probes suspected entry servers, trying to detect anonymity systems by posing as a client. Fourth, as a last resort, it may simply throttle or block all encrypted traffic. -Anonymity systems can evade the GFW (and other firewalls) by encapsulating their traffic in more generic connections routed via proxy servers. Some VPN services offer obfuscation proxy protocols such as [V2RAY](https://www.v2ray.com/en/) or [Obfsproxy](https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports) (developped by the Tor project), SSH and/or TLS (stunnel) proxies, and a few use proprietary closed-source transport protocols. +Anonymity systems can evade the GFW (and other firewalls) by encapsulating their traffic in more generic connections routed via proxy servers. Some VPN services offer obfuscation proxy protocols such as [V2RAY](https://www.v2ray.com/en/) or [Obfsproxy](https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports) (developed by the Tor project), SSH and/or TLS (stunnel) proxies, and a few use proprietary closed-source transport protocols. However, against resourceful adversaries, obfuscating the transport protocol is just a temporary fix. Once an adversary has identified a proxy server, it can simply block traffic to that IP address. More seriously, the adversary can also readily identify all users connecting to that proxy server. Furthermore, by investigating hosts that those users subsequently connect to, it can readily identify additional proxy servers. 
@@ -85,13 +85,13 @@ The recently proposed [Raceboat](https://petsymposium.org/popets/2024/popets-202 Tor is generally far less vulnerable than are most VPN services to passive adversaries with international network reach. It is far larger, and far less vulnerable to coercion. There are many more simultaneous users, and many more nodes (relays). Relays are distributed globally, in numerous data centers, among many nations, and with no central ownership or management. Furthermore, traffic paths change, frequently and unpredictably. Given that, it is arguably impractical for most adversaries to obtain enough intercepts. -Global passive adversaries would, by definition, have enough intercepts. However, there are typically about [four million Tor users](https://metrics.torproject.org/userstats-relay-country.html), and on the order of several million concurrent circuits. Tracing a particular Tor circuit would entail correlating conversations in one intercept (presumably starting with an exit relay or entry guard) with several million conversations intercepted from at most a few thousand other relays. That would be trivial for a global adversary. However, cross correlating all of the several million concurrent conversations from all Tor relays would involve on the order of 10{{< sup >}}13{{< / sup >}} comparisons, which is arguably not so trivial. In other words, all but the most resourceful global passive adversaries may be computationally bounded. And in any case, as discussed below, Sybil attacks against Tor are far easier. +Global passive adversaries would, by definition, have enough intercepts. However, there are typically about [four million Tor users](https://metrics.torproject.org/userstats-relay-country.html), and on the order of several million concurrent circuits. 
Tracing a particular Tor circuit would entail correlating conversations in one intercept (presumably starting with an exit relay or entry guard) with several million conversations intercepted from at most a few thousand other relays. That would be trivial for a global adversary. However, cross correlating all the several million concurrent conversations from all Tor relays would involve on the order of 10{{< sup >}}13{{< / sup >}} comparisons, which is arguably not so trivial. In other words, all but the most resourceful global passive adversaries may be computationally bounded. And in any case, as discussed below, Sybil attacks against Tor are far easier. Against adversaries with enough network reach to observe a given fraction of the system's nodes, mixnets resist compromise better than Tor does. That is so because mixnets distort traffic patterns, whereas Tor relays do not. That distortion hinders correlation of traffic flows captured in different network segments. Against adversaries with limited international network reach, Tor resists compromise correctly. That is so for two reasons. First, as noted, observing all system nodes is hard for Tor. Second, cross correlating user conversations between entry and exit intercepts involves a lot of comparisons. Conversely, cross correlating all Tor conversations would require on the order of 10{{< sup >}}13{{< / sup >}} comparisons. -Most VPN services are vulnerable against international reach adversaries. There are typically 10-100 servers, located in 5-20 data centers, in perhaps as many nations, with a hundred users per server. All servers are typically under common ownership and/or management. For providers offering only one-hop routes, an adversary only need to correlate entry and exit conversations on one server. For all but the largest VPN services, cross correlating all entry and exit conversations would involve far less than a million comparisons. 
+Most VPN services are vulnerable against international reach adversaries. There are typically 10–100 servers, located in 5-20 data centers, in perhaps as many nations, with a hundred users per server. All servers are typically under common ownership and/or management. For providers offering only one-hop routes, an adversary only needs to correlate entry and exit conversations on one server. For all but the largest VPN services, cross correlating all entry and exit conversations would involve far less than a million comparisons. A few large VPN services have several hundred or more servers, with numerous IP addresses per server, located in perhaps more than 100 data centers. But even for the largest, cross correlating all entry and exit conversations would involve at most a few million comparisons. It all depends on where entry and exit nodes are located, where an adversary can observe traffic, and how many comparisons among concurrent conversations would be required. However, given common ownership and/or management of VPN services, social engineering, or legal and/or political coercion, would be more-likely approaches. 
@@ -105,11 +105,11 @@ Even with limited organizational support, anyone with the financial resources an ### Sybil Adversaries vs VPN Services -Introducing malicious VPN servers is both difficult (because one entity owns and/or manages all of the servers) and immediately fatal to anonymity (because there's usually just one server between users and destinations). Given that, Sybil attacks involving malicious VPN servers amount to coercion, which we do not discuss. +Introducing malicious VPN servers is both difficult (because one entity owns and/or manages all the servers) and immediately fatal to anonymity (because there's usually just one server between users and destinations). Given that, Sybil attacks involving malicious VPN servers amount to coercion, which we do not discuss. Consider an adversary, with limited network reach, that seeks to deanonymize those using VPN services to access an Internet destination, such as a social networking site, a discussion forum or an IRC channel. While engaging targeted users there, it could carry out distributed denial of service (DDoS) attacks on various VPN servers, perhaps by initiating bogus TLS handshakes from numerous malicious clients. Unless those VPN servers were protected by intervening firewalls that limited the rate of new connections, this would tie up CPU capacity needed for handling traffic of already-connected clients, and might even crash them. -An effective DDoS attack on a particular VPN server would interfere with its users activity, and might even take them offline. Given enough testing, the Sybil adversary would know which VPN server each targeted user was connecting through. Knowing that, the adversary might try to directly compromise the server, or go after the operator and/or hosting provider. Depending on its resources, it might use such approaches as political or legal coercion, spearphishing and social engineering. 
+An effective DDoS attack on a particular VPN server would interfere with its users' activity, and might even take them offline. Given enough testing, the Sybil adversary would know which VPN server each targeted user was connecting through. Knowing that, the adversary might try to directly compromise the server, or go after the operator and/or hosting provider. Depending on its resources, it might use such approaches as political or legal coercion, spearfishing and social engineering. For adversaries that can observe traffic at Internet exchange points between users and VPN servers, there may be no need to compromise VPN servers or their operators. Given an effective DDoS attack on the right VPN server, the adversary would see impacts on both a user's online activity and their connection to the server. State-level adversaries are canonically resourceful for such attacks against all low-latency anonymity systems, but especially against VPN services. 
@@ -123,6 +123,6 @@ In other words, Sybil attacks on Tor aren't so much limited by an adversary's re Consider a pure Sybil adversary, which can wield numerous malicious Tor clients and relays, but lacks other resources. It fields two groups of malicious relays, one targeted for use as entry guards, and the other targeted for use as exit relays. By comparing traffic through circuits handled by member of those groups, it can identify circuits where it provides both an entry guard and an exit relay. That compromises clients, because the adversary knows both their IP address and the Internet destinations that they are accessing. -For malicious entry guards, the strategy involves avoiding the Exit flag by blocking connections to the Internet, and getting the Guard flag by being online continuously for at least eight days. In practice, malicious entry guards would remain online continuously during an attack, so as to maximize their usage. For malicious exit relays, the strategy involves getting the Exit flag by allowing connections to the Internet, and avoiding the Guard flag by being continuously online for periods of a week or less. +For malicious entry guards, the strategy involves avoiding the Exit flag by blocking connections to the Internet, and getting the Guard flag by being online continuously for at least eight days. In practice, malicious entry guards would remain online continuously during an attack, to maximize their usage. For malicious exit relays, the strategy involves getting the Exit flag by allowing connections to the Internet, and avoiding the Guard flag by being continuously online for periods of a week or less. An adversary can increase the speed and breadth of this Sybil attack by employing malicious clients in DDoS attacks against honest relays. By attacking honest entry guards, the adversary can gradually push user clients to its malicious entry guards. 
Similarly, by attacking honest exit relays, the adversary can push user clients to its malicious exit relays. From e56fc683c645a2961188af84da3116c0c01d6492 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sol=C3=A8ne=20Rapenne?= Date: Fri, 22 Dec 2023 11:49:22 +0100 Subject: [PATCH 3/5] improve wording --- .../adversaries-and-anonymity-systems-the-basics.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md b/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md index d929e21af..e0a889a8c 100644 --- a/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md +++ b/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md 
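Review bot: the "so as to maximize" to "to maximize" change is fine, but since this hunk rewrites the line, the Guard-flag criterion it restates ("getting the Guard flag by being online continuously for at least eight days", mirrored by "avoiding the Guard flag by being continuously online for periods of a week or less") should carry a citation to the Tor directory specification, the way the Tor section in this series links Tor Metrics for the relay count. Stated bare, the eight-day figure reads as the only requirement for the flag, and readers cannot check whether that is still how the authorities assign it.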
@@ -17,15 +17,15 @@ For email messages, anonymity systems do obscure the user's ISP-assigned IP addr ## Anonymity Systems -Three types of low-latency anonymity systems are available for general Internet access. There are numerous VPN services, [mix networks](https://en.wikipedia.org/wiki/Mix_network) (NymTech) and [onion-routing networks](https://en.wikipedia.org/wiki/Onion_routing) (Tor, Lokinet). All employ encryption to provide privacy and security between users and system exits. Even so, it's always prudent to use end-to-end encryption, because system exits (and adversaries observing them and/or destinations) can otherwise see unencrypted traffic. +Three types of low-latency anonymity systems are available for general Internet access. There are numerous VPN services, mix networks ([definition](https://en.wikipedia.org/wiki/Mix_network)) and [onion-routing networks](https://en.wikipedia.org/wiki/Onion_routing) (Tor, Lokinet). All employ encryption to provide privacy and security between users and system exits. Even so, it's always prudent to use end-to-end encryption, because system exits (and adversaries observing them and/or destinations) can otherwise see unencrypted traffic. Each of these anonymity systems provides anonymity in a particular way, more or less effectively against various adversaries. Excluded from this discussion are various proxy services, such as SSH tunnels (which are harder to use), and web proxies and browser plug-ins (which are far easier to compromise). Also excluded are Freenet and I2P. Freenet is a P2P network designed for anonymous and takedown-resistant publishing, often among closed groups of trusted participants. I2P is a [garlic-routing network](https://en.wikipedia.org/wiki/Garlic_routing) that focuses primarily on content sharing between I2P users. Neither Freenet nor I2P focus on general Internet access, although I2P does have Internet gateways. ### VPN Services -VPN services are the simplest type of anonymity system. 
Once a user client and remote VPN server have negotiated an encrypted virtual network connection, the server acts as a proxy for all the client's Internet traffic. Those services employing properly configured IPSec, OpenVPN or WireGuard protocols (but not the PPTP protocol) provide strong security and privacy (when [perfect forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) is used) between users and system exits. +VPN services are the simplest type of anonymity system. Once a user client and remote VPN server have negotiated an encrypted virtual network connection, the server acts as a proxy for all the client's Internet traffic. Those services employing properly configured IPSec, OpenVPN or WireGuard protocols (and not the obsolete PPTP protocol) provide strong security and privacy (when [perfect forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy) is used) between users and system exits. -VPN services provide privacy by hiding Internet destinations from ISPs. And they provide anonymity by hiding user information (such as ISP, IP address and geolocation) from destinations. That is, both ends (and associated network observers) see only a VPN server's IP address. Network latency is far lower than with either NymTech or Tor, and speed (bandwidth) is less likely to be limited. +VPN services provide privacy by hiding Internet destinations from ISPs. And they provide anonymity by hiding user information (such as ISP, IP address and geolocation) from destinations. That is, both ends (and associated network observers) see only a VPN server's IP address. Network latency is far lower than with either mixnets or Tor, and speed (bandwidth) is less likely to be limited. Reputable VPN services use perfect forward secrecy. For OpenVPN, that relies on TLS with transient symmetric session keys. The keys are negotiated on-the-fly, after the server and client have authenticated themselves. They are unpredictable, and frequently changed (by default, hourly). 
On the other hand, the [WireGuard](https://www.wireguard.com/) VPN protocol has perfect forward secrecy built in its protocol, every few minutes the negotiated temporary symmetric keys used between the peers are rotated with newly generated ones. An adversary that compromises a particular session can decrypt only traffic from that session. Traffic from retained intercepts and traffic from future sessions remain secure, because they're encrypted with different session keys. If an adversary wanted to decrypt snooped traffic by using a brute force technique, in case of success it would only work for a particular session before keys are rotated, which make this technique expensive and is a no-op, especially if the VPN uses a post-quantum resistant encryption algorithm. 
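Review bot: the first changed line still opens with "Three types of low-latency anonymity systems are available" and then lists mix networks, while the mix-network section edited later in this same patch defines them as "adding delay in the transmission to prevent traffic correlation"; since this hunk touches that sentence anyway, drop "low-latency" or restate it as "three types of anonymity systems, of which VPN services and onion routing are low-latency". Two smaller points in the same hunk: "(and not the obsolete PPTP protocol)" reads as though PPTP were one of the recommended options, so keep the original conjunction ("but not the obsolete PPTP protocol"), and "IPSec" is conventionally written "IPsec".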
@@ -33,13 +33,13 @@ VPN services are very easy to set up and use, because providers handle the techn VPN services provide strong protection against local adversaries, and good protection against censorship and routine mass surveillance, even at the national level. However, they provide limited protection against adversaries with international reach. Such adversaries may coerce providers and/or their hosting providers or ISPs, and so may observe, manipulate and/or compromise their servers. They also provide limited protection against determined and resourceful censors. We discuss that further below, under `Passive Adversaries with Limited Network Reach`. -In some jurisdictions, VPN providers may be served with court orders that can not be disclosed without serious penalties. But there's a workaround: the warrant canary. As long as no such court order has been received, the provider may regularly publish a statement to that effect. If the warrant canary isn't renewed on schedule, users may safely infer that the provider has received such a court order. There is no need for the provider to take active steps that would violate the order. Canaries are often web pages, cryptographically signed and displaying the date of signature, so users can verify the authenticity of the canary, the signature prevents anyone from publish a fake canary. +In some jurisdictions, VPN providers may be served with court orders that can not be disclosed without serious penalties. But there's a workaround: the warrant canary. As long as no such court order has been received, the provider may regularly publish a statement to that effect. If the warrant canary isn't renewed on schedule, users may safely infer that the provider has received such a court order. There is no need for the provider to take active steps that would violate the order. 
Canaries are often web pages, cryptographically signed and displaying the date of signature, so users can verify the authenticity of the canary, the signature prevents anyone from publishing a fake canary. Some VPN services provide multi-hop routing. Users' traffic is proxied, in turn, through multiple servers, it's best when those are located in different nations. Given that, users sharing a given entry node are typically using different exit nodes, and users sharing a given exit node are typically using different entry nodes. Other VPN services rotate users' traffic among multiple exit servers. Such approaches protect better against adversaries with limited international reach. Even so, all bets are off for those who are targeted by more resourceful state adversaries. ### Tor -[Tor](https://www.torproject.org/) is a second-generation onion-routing anonymity system, currently comprising about 8000 anonymizing relays (as of December 2023) ([Tor Servers Metrics](https://metrics.torproject.org/networksize.html)). It is an open system, with highly distributed trust, and no centralized ownership. It provides anonymity through dynamic, unpredictable and hard-to-trace routing through a large network of untrusted relays. Unlike VPN services, adversaries are free to participate by running relays. Even so, there is oversight by a core group of trusted developers and relay operators, and there is a vetting process for new relays. +[Tor](https://www.torproject.org/) is a second-generation onion-routing anonymity system, currently comprising about 8000 anonymizing relays (as of January 2024) ([Tor Servers Metrics](https://metrics.torproject.org/networksize.html)). It is an open system, with highly distributed trust, and no centralized ownership. It provides anonymity through dynamic, unpredictable and hard-to-trace routing through a large network of untrusted relays. Unlike VPN services, adversaries are free to participate by running relays. 
Even so, there is oversight by a core group of trusted developers and relay operators, and there is a vetting process for new relays. User clients connect through the Tor network, creating encrypted three-relay circuits at random, and changing them frequently. Circuit traffic is relayed in fixed-size (512-byte) cells. At each step, relays remove a layer of encryption. That prevents non-adjacent relays from identifying each other, and helps protect against malicious relays. Traffic between relays is TLS encrypted, on top of the onion-routing circuit encryption. That somewhat obscures the circuit's cell pattern (number and timing) from external adversaries. However, unlike mixnets, Tor relays do not explicitly mix traffic. 
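Review bot: the warrant-canary line this hunk rewraps overstates two things. "users may safely infer that the provider has received such a court order" should be weaker, since a missed update can also be an operational lapse; "users should treat a missed update as a warning" is defensible. And "the signature prevents anyone from publishing a fake canary" only holds if readers verify against a key obtained out of band and the signing key has not been seized; a provider that is coerced can still sign a fresh canary, which is exactly the case the canary is meant to expose. Suggest "the signature lets users check that the canary was published by the key holder" and leave the coercion case to the preceding sentences. Also, in the Tor paragraph, "Unlike VPN services, adversaries are free to participate by running relays" compares adversaries with VPN services; "Unlike with VPN services, adversaries are free to run relays" fixes the dangling comparison.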
@@ -47,7 +47,7 @@ Although the Tor network is large, many of its 8000 relays have limited uptime, ### Mix networks -A [Mix network](https://blog.nymtech.net/a-simple-introduction-to-mixnets-6783a103d20e), commonly called "mixnet", is a system that routes network traffic between peers but hiding the metadata associated with the traffic, mostly by routing fake traffic and adding delay in the transmission to prevent traffic correlation if an adversary monitors multiple nodes. There are currently two young implementations of mix networks: [NymTech](https://nymtech.net/docs) and [Lokinet](https://lokinet.org/). In order to offer a high quality of service those networks make use of blockchain tokens, both to incentivize the hosting of highly available routers by rewarding operators, and to fully decentralize the network management. This also mean the network isn't free of use as you need to own tokens. +A Mix network ([detailed explanations](https://blog.nymtech.net/a-simple-introduction-to-mixnets-6783a103d20e)), commonly called "mixnet", is a system that routes network traffic between peers but hides the metadata associated with the traffic, mostly by routing fake traffic and adding delay in the transmission to prevent traffic correlation if an adversary monitors multiple nodes. There are currently two young implementations of mix networks: [NymTech](https://nymtech.net/docs) and [Lokinet](https://lokinet.org/). In order to offer a high quality of service those networks make use of blockchain tokens, both to incentivize hosting highly available routers by rewarding operators, and to fully decentralize the network management. This also mean the network isn't free as you need to spend tokens to use them. 
A mix network should provide full anonymity as the network packets are mixed between different layers of routers, cover packets can be created to reach the desired [level of anonymity](https://blog.nymtech.net/an-empirical-study-of-privacy-scalability-and-latency-of-nym-mixnet-ff05320fb62d), fake bouncing packets create fake inbound traffic to reduce correlation possibility, and packets are delayed in each layer of routers, so the timing can't be analyzed by an observer to trace a packet from the destination to its origin. The only fact that could be known would be that a user is connected to the mix network. However, we still lack feedback about these networks in a real world usage as they are quite recent, compared to Tor which has been successfully running for decades. From dfa229cceed5f0ffe9d7085533ff9ed46394b256 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sol=C3=A8ne=20Rapenne?= Date: Fri, 22 Dec 2023 16:48:59 +0100 Subject: [PATCH 4/5] fix after review --- .../adversaries-and-anonymity-systems-the-basics.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md b/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md index e0a889a8c..a1ccb9a9b 100644 --- a/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md +++ b/src/content/pages/privacy-guides/adversaries-and-anonymity-systems-the-basics.md 
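Review bot: Lokinet is presented here as one of the "two young implementations of mix networks", but the Anonymity Systems hunk earlier in this same patch lists it under "onion-routing networks (Tor, Lokinet)"; pick one classification and use it in both places, otherwise a reader cannot tell which section's threat analysis applies to it. Smaller points in the rewritten paragraph: "This also mean the network isn't free" still needs "means", and "routes network traffic between peers but hides the metadata" would read better as "routes network traffic between peers while hiding the metadata", since hiding metadata is the purpose rather than a contrast.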
@@ -27,7 +27,7 @@ VPN services are the simplest type of anonymity system. Once a user client and r VPN services provide privacy by hiding Internet destinations from ISPs. And they provide anonymity by hiding user information (such as ISP, IP address and geolocation) from destinations. That is, both ends (and associated network observers) see only a VPN server's IP address. Network latency is far lower than with either mixnets or Tor, and speed (bandwidth) is less likely to be limited. -Reputable VPN services use perfect forward secrecy. For OpenVPN, that relies on TLS with transient symmetric session keys. The keys are negotiated on-the-fly, after the server and client have authenticated themselves. They are unpredictable, and frequently changed (by default, hourly). On the other hand, the [WireGuard](https://www.wireguard.com/) VPN protocol has perfect forward secrecy built in its protocol, every few minutes the negotiated temporary symmetric keys used between the peers are rotated with newly generated ones. An adversary that compromises a particular session can decrypt only traffic from that session. Traffic from retained intercepts and traffic from future sessions remain secure, because they're encrypted with different session keys. If an adversary wanted to decrypt snooped traffic by using a brute force technique, in case of success it would only work for a particular session before keys are rotated, which make this technique expensive and is a no-op, especially if the VPN uses a post-quantum resistant encryption algorithm. +Reputable VPN services use perfect forward secrecy. For OpenVPN, that relies on TLS with transient symmetric session keys. The keys are negotiated on-the-fly, after the server and client have authenticated themselves. They are unpredictable, and frequently changed (by default, hourly). 
On the other hand, the [WireGuard](https://www.wireguard.com/) VPN protocol has perfect forward secrecy built in its protocol, every few minutes the negotiated temporary symmetric keys used between the peers are rotated with newly generated ones. An adversary that compromises a particular session can decrypt only traffic from that session. Traffic from retained intercepts and traffic from future sessions remain secure, because they're encrypted with different session keys. If an adversary wanted to decrypt snooped traffic by using a brute force technique, in case of success it would only work for a particular session before keys are rotated, which make this technique expensive not viable, especially if the VPN uses a [post-quantum resistant](https://www.ivpn.net/knowledgebase/general/quantum-resistant-vpn-connections/) encryption algorithm. VPN services are very easy to set up and use, because providers handle the technical aspects. However, the privacy and anonymity that VPN services provide hinges entirely on the operator's integrity and discretion, on its technical competence, and on its ability to prevent adversaries from observing, manipulating and/or compromising its servers. 
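Review bot: the rewritten clause "which make this technique expensive not viable" is still ungrammatical ("which makes this technique expensive and, in practice, not viable"), but the bigger problem is the reasoning around it. Brute-forcing a session key is not the threat that forward secrecy addresses: forward secrecy limits what a later compromise of long-term keys exposes, and a modern symmetric session key is not brute-forceable whether or not it rotates. The quantum concern is likewise the key exchange (handshakes recorded today and decrypted later), so "especially if the VPN uses a post-quantum resistant encryption algorithm" should say "key exchange", which is also what a quantum-resistant VPN connection changes. Suggest replacing the brute-force sentence with one about key compromise. Also, WireGuard's specified rekey interval is two minutes, so "every few minutes" can be made precise.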
@@ -47,7 +47,7 @@ Although the Tor network is large, many of its 8000 relays have limited uptime, ### Mix networks -A Mix network ([detailed explanations](https://blog.nymtech.net/a-simple-introduction-to-mixnets-6783a103d20e)), commonly called "mixnet", is a system that routes network traffic between peers but hides the metadata associated with the traffic, mostly by routing fake traffic and adding delay in the transmission to prevent traffic correlation if an adversary monitors multiple nodes. There are currently two young implementations of mix networks: [NymTech](https://nymtech.net/docs) and [Lokinet](https://lokinet.org/). In order to offer a high quality of service those networks make use of blockchain tokens, both to incentivize hosting highly available routers by rewarding operators, and to fully decentralize the network management. This also mean the network isn't free as you need to spend tokens to use them. +A Mix network ([detailed explanations](https://blog.nymtech.net/a-simple-introduction-to-mixnets-6783a103d20e)), commonly called "mixnet", is a system that routes network traffic between peers but hides the metadata associated with the traffic, mostly by routing fake traffic and adding delay in the transmission to prevent traffic correlation if an adversary monitors multiple nodes. There are two implementations of mix networks in an early stage of adoption at the time of writing of this guide: [NymTech](https://nymtech.net/docs) and [Lokinet](https://lokinet.org/). In order to offer a high quality of service those networks make use of blockchain tokens, both to incentivize hosting highly available routers by rewarding operators, and to fully decentralize the network management. This also mean the network isn't free as you need to spend tokens to use them. 
A mix network should provide full anonymity as the network packets are mixed between different layers of routers, cover packets can be created to reach the desired [level of anonymity](https://blog.nymtech.net/an-empirical-study-of-privacy-scalability-and-latency-of-nym-mixnet-ff05320fb62d), fake bouncing packets create fake inbound traffic to reduce correlation possibility, and packets are delayed in each layer of routers, so the timing can't be analyzed by an observer to trace a packet from the destination to its origin. The only fact that could be known would be that a user is connected to the mix network. However, we still lack feedback about these networks in a real world usage as they are quite recent, compared to Tor which has been successfully running for decades. 
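Review bot: "in an early stage of adoption at the time of writing of this guide" is an improvement over "young", but the sentence it leads into, "This also mean the network isn't free as you need to spend tokens to use them", still carries the agreement error from the previous patch; while touching the paragraph, make it "This also means the network isn't free to use, since you need to spend tokens." The unchanged trailing line "A mix network should provide full anonymity" sits badly next to the hedge at the end of the same paragraph ("we still lack feedback about these networks in a real world usage"); "should, in principle, provide strong anonymity" keeps the two consistent.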
@@ -93,7 +93,7 @@ Against adversaries with limited international network reach, Tor resists compro Most VPN services are vulnerable against international reach adversaries. There are typically 10–100 servers, located in 5-20 data centers, in perhaps as many nations, with a hundred users per server. All servers are typically under common ownership and/or management. For providers offering only one-hop routes, an adversary only needs to correlate entry and exit conversations on one server. For all but the largest VPN services, cross correlating all entry and exit conversations would involve far less than a million comparisons. -A few large VPN services have several hundred or more servers, with numerous IP addresses per server, located in perhaps more than 100 data centers. But even for the largest, cross correlating all entry and exit conversations would involve at most a few million comparisons. It all depends on where entry and exit nodes are located, where an adversary can observe traffic, and how many comparisons among concurrent conversations would be required. However, given common ownership and/or management of VPN services, social engineering, or legal and/or political coercion, would be more-likely approaches. +A few large VPN services have several thousands or more servers, with numerous IP addresses per server, located in perhaps more than 100 data centers. But even for the largest, cross correlating all entry and exit conversations would involve at most a few million comparisons. It all depends on where entry and exit nodes are located, where an adversary can observe traffic, and how many comparisons among concurrent conversations would be required. However, given common ownership and/or management of VPN services, social engineering, or legal and/or political coercion, would be more-likely approaches. Some VPN services offer multi-hop routes. 
For example, there might be three servers (A,B,C) in different countries, with six available two-hop routes (A-B,A-C,B-A,B-C,C-A,C-B). Multi-hop routes can offer better protection against passive adversaries with limited network reach, because all users' traffic transits two or more nations. Also, as the entry and exit servers connect using VPNs, adversaries can't intercept individual user connections between servers. But again, common ownership and/or management is the key vulnerability. Multi-hop providers are less vulnerable when the servers are not all in the reach of the adversary who would either know from the VPN entry point that a user is using a multi hop VPN, or from the VPN exit point that a request was done from a multi hop setup. From c5bb182807c70a35c38b48d772dde4d98cd76e8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sol=C3=A8ne=20Rapenne?= Date: Wed, 27 Dec 2023 17:10:15 +0100 Subject: [PATCH 5/5] Update text and fix links: "18 questions..." (#45) * Update text and fix links * Add an extra Email provider --- ...stions-to-ask-your-vpn-service-provider.md | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/src/content/pages/privacy-guides/18-questions-to-ask-your-vpn-service-provider.md b/src/content/pages/privacy-guides/18-questions-to-ask-your-vpn-service-provider.md index 934b4544a..dbe9d85b2 100644 --- a/src/content/pages/privacy-guides/18-questions-to-ask-your-vpn-service-provider.md +++ b/src/content/pages/privacy-guides/18-questions-to-ask-your-vpn-service-provider.md 
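Review bot: changing "several hundred or more servers" to "several thousands or more servers" breaks the arithmetic in the sentence that follows it. "at most a few million comparisons" was derived for hundreds of servers; with the preceding paragraph's "a hundred users per server" and per-server matching of entry to exit conversations (100 by 100, ten thousand per server), several thousand servers put the total in the tens of millions. Either revise the estimate or say why the count does not scale with the number of servers (for example because the adversary only observes a subset of locations, which the next sentence hints at). Also "several thousands or more" should be "several thousand or more". The trailing context sentence "Multi-hop providers are less vulnerable when the servers are not all in the reach of the adversary who would either know from the VPN entry point ... or from the VPN exit point ..." is a run-on that a follow-up could split.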
@@ -19,20 +19,20 @@ layout: guides-details --- ### Introduction -Choosing a VPN service can be a nerve–wracking ordeal. You've probably read about the Snowden leaks and NSA related revelations. You probably don't trust your ISP to protect your privacy (and as the [FTC recently concluded](https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-you-examining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf), you really shouldn't). Perhaps you don't trust your government. You may even distrust all governments and corporations. +Choosing a VPN service can be a nerve–wracking ordeal. You've probably read about the Snowden leaks and NSA related revelations about mass surveillance. You probably don't trust your ISP to protect your privacy (and as the [FTC concluded in 2021](https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-you-examining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf), you really shouldn't). Perhaps you don't trust your government. You may even distrust all governments and corporations. Indeed, you may not trust this guide, and think that it's just an advertorial. While that's an understandable concern, I invite you to read on, and judge for yourself. I also invite you to read this in the context of my other writings about VPNs, Tor and such, primarily on [Wilders Security Forums][1] and [Tor.StackExchange][2]. -If you're especially concerned about privacy, you may want to obscure your research about VPN providers. Although many people use VPN services, extensive research might flag you as someone with something important to hide. You can mitigate that risk by using a free VPN service at this step (such as [Calyx VPN](https://calyxinstitute.org/projects/digital-services/vpn)) and free webmail (such as [VFEmail](https://vfemail.net/)). 
For even better privacy, you can add the [Tor Browser Bundle][3] to tunnel Tor through CalyxVPN, and use [VFEmail's hidden service][4]. +If you're especially concerned about privacy, you may want to obscure your research about VPN providers. Although many people use VPN services, extensive research might flag you as someone with something important to hide. You can mitigate that risk by using a free VPN service at this step (such as [Calyx VPN](https://calyxinstitute.org/projects/digital-services/vpn)) and free webmail (such as [mailbox.org](https://mailbox.org) or [RiseUP](https://riseup.net)). For even better privacy, you can add the [Tor Browser Bundle][3] to tunnel Tor through CalyxVPN, and connect through the hidden service access when offered, like [Mailbox.org][29] or [RiseUP][5] do. -Relatively little reliable and trustworthy information about VPN services is available online. It's generally best to ignore 'best VPN' and 'VPN review' sites. Most feature paid reviews, and some are protection rackets, featuring bad reviews for VPN services that refuse to buy favorable reviews. Even the honest ones are typically just popularity contests, dominated by clueless torrent users and wannabe 'hackers'. If you ever need to get information from a dedicated VPN review source look for those that don't use affiliate parameters on outgoing links (or even better, remove referer information). +Relatively little reliable and trustworthy information about VPN services is available online. It's generally best to ignore 'best VPN' and 'VPN review' sites. Most of them feature paid reviews, and some are protection rackets, featuring bad reviews for VPN services that refuse to buy favorable reviews. Even the honest ones are typically just popularity contests, dominated by clueless torrent users and wannabe 'hackers'. 
If you ever need to get information from a dedicated VPN review source look for those that don't use affiliate parameters on outgoing links (or even better, remove referer information). ### TorrentFreak's Surveys TorrentFreak's VPN surveys are notable exceptions to the norm. In late 2011, it became clear that Luzlsec member 'Recursion' had been identified and arrested based on connection logs that the VPN service HideMyAss provided to the FBI. TorrentFreak responded by publishing ['Which VPN Service Providers Really Take Anonymity Seriously?'][5] (now rephrased as "Which VPN Providers Really Take Privacy Seriously?"). This Q&A has been updated yearly since the original version, now supplying unedited answers to 12 privacy-related questions. -These are the following (as of 2021): +These are the following (as of [2023][6]): 1. Do you keep (or share with third parties) ANY data that would allow you to match an IP-address and a timestamp to a current or former user of your service? If so, exactly what information do you hold/share and for how long? 2. What is the name under which your company is incorporated (+ parent companies, if applicable) and under which jurisdiction does your company operate? 
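Review bot: the new link "[RiseUP][5]" points at the wrong reference. [5] is the TorrentFreak 2011 survey, and it is used two paragraphs later for 'Which VPN Service Providers Really Take Anonymity Seriously?'; the riseup onion address is reference [4], which this same patch updates to the v3 address. Change it to "[RiseUP][4]". Also, "connect through the hidden service access when offered, like [Mailbox.org][29] or [RiseUP][4] do" would read more naturally as "connect through their onion services where offered, as Mailbox.org and RiseUP do", and the page alternates between "Calyx VPN" and "CalyxVPN" within the same paragraph.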
@@ -53,9 +53,9 @@ Introducing their results, they note: This is arguably a fairly comprehensive starting list. TorrentFreak staff seem dedicated and knowledgeable, and their earlier surveys attracted the attention of many providers that had been omitted. But there are two key limitations. First, more obscure and low-key privacy-friendly VPN services don't appear on the TorrentFreak lists (e.g. cryptostorm). Some providers don't cater to BitTorrent users and have no motivation to appear on this list. Second, TorrentFreak is, for the most part, merely summarizing VPN providers' responses, and has not verified any of their claims. Comments in both reviews are also worth reading, by the way, but can't always be taken seriously. -Even so, revelations about three providers – EarthVPN.com, Proxy.sh and PureVPN – demonstrate the risk of relying on providers' privacy claims. In early 2013, an EarthVPN customer was reportedly arrested based on logs kept by its hosting provider in the Netherlands. EarthVPN denied responsibility, maintaining that they 'do not keep logs', and said that they no longer use that provider. Although the actual dialog between EarthVPN and its customer ([here](http://lowendtalk.com/discussion/11348/problems-with-my-life-situation/) and [here](http://lowendtalk.com/discussion/11348/problems-with-my-life-situation/p2)) is no longer openly accessible, there are quotes and discussion in the [AirVPN](https://airvpn.org/topic/9958-importance-of-partition-of-trust-for-critical-data-exchanges/) forums. Also, keep in mind that ISPs can log as easily as hosting providers can. +Even so, revelations about three providers – EarthVPN.com, Proxy.sh and PureVPN – demonstrate the risk of relying on providers' privacy claims. In early 2013, an EarthVPN customer was reportedly arrested based on logs kept by its hosting provider in the Netherlands. EarthVPN denied responsibility, maintaining that they 'do not keep logs', and said that they no longer use that provider. 
Although the actual dialog between EarthVPN and its customer ([here](https://web.archive.org/web/20130626030500/http://lowendtalk.com/discussion/11348/problems-with-my-life-situation/) (in comments) and [here](https://web.archive.org/web/20130731123057/http://lowendtalk.com/discussion/11348/problems-with-my-life-situation/p2)), the pages aren't accessible anymore but they were archived by the [Wayback Machine](https://wayback.archive.org), there are quotes and discussion in the [AirVPN](https://airvpn.org/topic/9958-importance-of-partition-of-trust-for-critical-data-exchanges/) forums. Also, keep in mind that ISPs can log as easily as hosting providers can. -In TorrentFreak's 2011 and 2013 surveys, Proxy.sh responded: 'No information whatsoever is being recorded or held in our facilities. Our services are run from RAM and all our system services come with state-of-the-art configuration that ensures nothing is left after usage.' However, in late September 2013, they installed Wireshark on one of their US servers, and retained packet captures for several hours. This was reportedly a voluntary response to complaints about hacking and harassment by one of their customers. For more specifics, see these TorrentFreak articles ([here](https://torrentfreak.com/proxy-sh-vpn-provider-monitored-traffic-to-catch-hacker-130930/) and [here](https://torrentfreak.com/vpns-is-it-ok-to-monitor-bad-users-on-ethical-grounds-131006/)). In TorrentFreak's 2014 survey, Proxy.sh answered as follows to the first question: +In TorrentFreak's 2011 and 2013 surveys, Proxy.sh responded: 'No information whatsoever is being recorded or held in our facilities. Our services are run from RAM and all our system services come with state-of-the-art configuration that ensures nothing is left after usage.' However, in late September 2013, they installed [Wireshark](https://www.wireshark.org) on one of their US servers, and retained packet captures for several hours. 
This was reportedly a voluntary response to complaints about hacking and harassment by one of their customers. For more specifics, see these TorrentFreak articles ([here](https://torrentfreak.com/proxy-sh-vpn-provider-monitored-traffic-to-catch-hacker-130930/) and [here](https://torrentfreak.com/vpns-is-it-ok-to-monitor-bad-users-on-ethical-grounds-131006/)). In TorrentFreak's 2014 survey, Proxy.sh answered as follows to the first question: > We do not keep any logs and we do not record any IP-address, headers or anything. In terms of time stamp, we only record those associated with support tickets creation and update (invoices and renewals are only recorded by date) for management purposes. The only personal information we do record is an email address and a payment type, that corresponds to either the word “Money” or “Bitcoin”. This is made clear in our privacy policy. Our system will also hold services credentials, namely the account password and network login/password pair. All this data can be permanently removed at any time on customer’s request. All other data and information involved in our operations (connections, traffic, etc.) is neither monitored nor recorded. 
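Review bot: the rewritten EarthVPN sentence no longer parses: "Although the actual dialog between EarthVPN and its customer (...), the pages aren't accessible anymore but they were archived by the Wayback Machine, there are quotes and discussion in the AirVPN forums." The "Although" clause has no main verb. Suggest: "The actual dialog between EarthVPN and its customer is no longer online, but archived copies ([here](...) (in the comments) and [here](...)) survive on the Wayback Machine, and there are quotes and discussion in the [AirVPN](...) forums." The Wireshark link and the unchanged Proxy.sh text are fine.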
@@ -71,9 +71,10 @@ Conversely, these incidents also demonstrate that news spreads very quickly on t Further positive signals you can look for: 5. Open source VPN applications. - 6. Publicly available audit results from independent, third-party auditors that investigate no-logs claims. Audits however, are constrained by their scope and provide only a temporary view, they are not persistent proofs about claims. + 6. Use of open source VPN protocols. + 7. Publicly available audit results from independent, third-party auditors that investigate no-logs claims. Audits however, are constrained by their scope and provide only a temporary view, they are not persistent proofs about claims. -All of the VPN services in TorrentFreak's recent survey deny keeping persistent logs. Assessing the plausibility of such claims in the context of pursuant data-retention requirements is a can of worms. Claims that there are no data-retention requirements in the US seem laughable in light of NSA documents released by Edward Snowden. The situation in Europe is complicated since the passing of GDPR and tensions between the 1995 Data Protection Directive and national legislations. The exact extent of NSA spying and EU collaboration with US operations is unknown and adds more uncertainty. For more about this issue generally, see [EFF's summary page][7]. +Nowadays, all of the VPN services in TorrentFreak's survey deny keeping persistent logs. Assessing the plausibility of such claims in the context of pursuant data-retention requirements is a can of worms. Claims that there are no data-retention requirements in the US seem laughable in light of NSA documents released by Edward Snowden. The situation in Europe is complicated since the passing of [GDPR](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) and tensions between the 1995 Data Protection Directive and national legislations. 
The exact extent of NSA spying and EU collaboration with US operations is unknown and adds more uncertainty. For more about this issue generally, see [EFF's summary page][7]. ### Presales Questions @@ -132,8 +133,9 @@ Here are some additional questions that you might ask, followed by expected answ [1]: https://www.wilderssecurity.com/ [2]: https://tor.stackexchange.com/ [3]: https://www.torproject.org/projects/torbrowser.html.en - [4]: http://344c6kbnjnljjzlz.onion/ + [4]: http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/ [5]: https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/ + [6]: https://torrentfreak.com/best-vpn-anonymous-no-logging/ [7]: https://www.eff.org/issues/mandatory-data-retention/ [9]: https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html [10]: https://openvpn.net/index.php/open-source/documentation/howto.html @@ -155,5 +157,6 @@ Here are some additional questions that you might ask, followed by expected answ [26]: #q16 [27]: #q17 [28]: #q18 + [29]: http://xy5d2mmnh6zjnroce4yk7njlkyafi7tkrameybxu43rgsg5ywhnelmad.onion [30]: https://benchmarks.cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.os.linux.redhat [31]: https://nsacyber.github.io/publications.html
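Review bot: the `+` line in the Proxy.sh hunk only inserts the Wireshark link and re-wraps the paragraph, so the passage still ends with "In TorrentFreak's 2014 survey, Proxy.sh answered as follows", which reads as current in a patch titled "Update text for 2023"; either date-qualify it ("in its 2014 survey answer, which has not been re-checked here") or, if the TorrentFreak page added as `[6]` in a later hunk carries a newer Proxy.sh answer, cite that instead. Minor, while the paragraph is being touched: the unchanged context sentence "Although the actual dialog between EarthVPN and its customer (...), the pages aren't accessible anymore but they were archived by the Wayback Machine, there are quotes and discussion in the AirVPN forums" is a run-on; something like "The original dialog between EarthVPN and its customer is no longer online, but the Wayback Machine archived it (here and here), and there are quotes and discussion in the AirVPN forums." reads cleanly.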
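Review bot: in the "Further positive signals" hunk, the new item "6. Use of open source VPN protocols." gives no reason it is a positive signal, unlike the neighbouring audit item, which states its limits; a short clause such as "Use of open source VPN protocols (so the on-the-wire behaviour can be reviewed independently of the provider's client)." keeps the list consistent. In the rewritten paragraph, "Nowadays, all of the VPN services in TorrentFreak's survey" drops "recent" but still names no year and links nothing, so the sentence will age exactly as the old one did; link it to the survey reference this patch adds, e.g. "in TorrentFreak's [survey][6]", with the year that page covers. Since the audit line is re-emitted as item 7 anyway, fix the comma placement there: "Audits, however, are constrained by their scope ...".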
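Review bot: the `[4]` change replaces a 16-character v2 onion address with a 56-character v3 one, which is the right move since v2 addresses no longer resolve in current Tor clients, but the commit message gives no source for the new address. Onion names are not self-verifying and a wrong one sends readers to whoever controls it, so please state in the commit message where the v3 address was obtained (the operator's own clearnet site) so a reviewer can check it against that source. `[6]` is added as a new reference definition, yet no hunk in this patch adds a `[6]` citation to the body; if the body does not cite it, the definition is dead (Markdown renders nothing for it), so either cite it in the survey sentence or drop it. `[3]` still points at the legacy `torproject.org/projects/torbrowser.html.en` path; worth confirming it still resolves while the reference block is open.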
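Review bot: `[29]` fills a slot that was previously unused (the list jumped from `[28]` to `[30]`), but, as with `[6]`, no hunk in this patch shows a `[29]` citation being added to the body; confirm the body references it, otherwise it is a dead definition. Same verification point as for `[4]`: record where this onion address was taken from so it can be checked against the operator's clearnet site. Style: `[4]` ends with a trailing slash and `[29]` does not; keep the two consistent.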
