If I connect to a website over HTTPS via VPN into Tor and make a self-identifying purchase, does that...
Let's work our way backward.
I understand that the Tor exit node would not know who I am, because the request it is sending out is encrypted via HTTPS. But, the website it connects to would realize that a connection from that Tor exit node made a purchase for myself, or logged into a self-identifying account. Put short, they'd know that my identity was connecting to them via that Tor exit node.
Let's say that website lets the world know that I made a purchase from that Tor exit node. My thought is that other websites probably couldn't deduce my identity simply from an exit node IP, even if they knew I exited from that node, previously. I'm also thinking that even though the exit node is consistently getting requests from the same middle node, it wouldn't be able to identify that any of those requests are coming from my identity vs. other identities from that middle node. Leading to the only possible case of compromised identity being someone having access to all 3 Tor nodes, making it possible for them to trace connections. But, even if they had all 3 nodes, in my setup the entry node would be seeing an HTTPS-encrypted connection from a VPN.
This leads me to believe that I could safely log into all of my accounts and buy the same item with the same credit card a million times over, and the only way my identity could be compromised to sites I don't make purchases on is if my VPN had access to all three of my Tor nodes. Am I wrong, or am I wrong?
END GOAL: I would like to be able to buy something on Amazon and login to Facebook, then go read some random journal, all through the same browser connection, and that journal would have no idea who I am, even if Amazon and Facebook told them that I'd made purchases or logged in from that specific Tor exit node.
networking security vpn privacy tor
|
show 4 more comments
Let's work our way backward.
I understand that the Tor exit node would not know who I am, because the request it is sending out is encrypted via HTTPS. But, the website it connects to would realize that a connection from that Tor exit node made a purchase for myself, or logged into a self-identifying account. Put short, they'd know that my identity was connecting to them via that Tor exit node.
Let's say that website lets the world know that I made a purchase from that Tor exit node. My thought is that other websites probably couldn't deduce my identity simply from an exit node IP, even if they knew I exited from that node, previously. I'm also thinking that even though the exit node is consistently getting requests from the same middle node, it wouldn't be able to identify that any of those requests are coming from my identity vs. other identities from that middle node. Leading to the only possible case of compromised identity being someone having access to all 3 Tor nodes, making it possible for them to trace connections. But, even if they had all 3 nodes, in my setup the entry node would be seeing an HTTPS-encrypted connection from a VPN.
This leads me to believe that I could safely log into all of my accounts and buy the same item with the same credit card a million times over, and the only way my identity could be compromised to sites I don't make purchases on is if my VPN had access to all three of my Tor nodes. Am I wrong, or am I wrong?
END GOAL: I would like to be able to buy something on Amazon and login to Facebook, then go read some random journal, all through the same browser connection, and that journal would have no idea who I am, even if Amazon and Facebook told them that I'd made purchases or logged in from that specific Tor exit node.
networking security vpn privacy tor
2
If you used a CC, they know who you are....
– Moab
Jan 1 at 21:39
I understand that the website I made the purchase on would know who I am. But, that wasn't my question. I'm wondering if I can be safe to make purchases on some sites while then opening up a new tab and navigating to another site anonymously.
– N N
Jan 1 at 21:42
1
I assume that this the purpose of TOR, but exit nodes have been known to be compromised.
– Moab
Jan 1 at 21:44
That's where the VPN and HTTPS are critical in this question. The VPN anonymizes the entry to the Tor network. And HTTPS means that none of the Tor nodes should be able to decrypt and obtain the original request information if compromised. Or so I'm thinking.
– N N
Jan 1 at 21:51
2
Tor conceals your location. It does not and cannot conceal your identity. That remains up to you to engage in proper operational security practices if you wish to do so.
– Michael Hampton
Jan 2 at 0:39
|
show 4 more comments
Let's work our way backward.
I understand that the Tor exit node would not know who I am, because the request it is sending out is encrypted via HTTPS. But, the website it connects to would realize that a connection from that Tor exit node made a purchase for myself, or logged into a self-identifying account. Put short, they'd know that my identity was connecting to them via that Tor exit node.
Let's say that website lets the world know that I made a purchase from that Tor exit node. My thought is that other websites probably couldn't deduce my identity simply from an exit node IP, even if they knew I exited from that node, previously. I'm also thinking that even though the exit node is consistently getting requests from the same middle node, it wouldn't be able to identify that any of those requests are coming from my identity vs. other identities from that middle node. Leading to the only possible case of compromised identity being someone having access to all 3 Tor nodes, making it possible for them to trace connections. But, even if they had all 3 nodes, in my setup the entry node would be seeing an HTTPS-encrypted connection from a VPN.
This leads me to believe that I could safely log into all of my accounts and buy the same item with the same credit card a million times over, and the only way my identity could be compromised to sites I don't make purchases on is if my VPN had access to all three of my Tor nodes. Am I wrong, or am I wrong?
END GOAL: I would like to be able to buy something on Amazon and login to Facebook, then go read some random journal, all through the same browser connection, and that journal would have no idea who I am, even if Amazon and Facebook told them that I'd made purchases or logged in from that specific Tor exit node.
networking security vpn privacy tor
Let's work our way backward.
I understand that the Tor exit node would not know who I am, because the request it is sending out is encrypted via HTTPS. But, the website it connects to would realize that a connection from that Tor exit node made a purchase for myself, or logged into a self-identifying account. Put short, they'd know that my identity was connecting to them via that Tor exit node.
Let's say that website lets the world know that I made a purchase from that Tor exit node. My thought is that other websites probably couldn't deduce my identity simply from an exit node IP, even if they knew I exited from that node, previously. I'm also thinking that even though the exit node is consistently getting requests from the same middle node, it wouldn't be able to identify that any of those requests are coming from my identity vs. other identities from that middle node. Leading to the only possible case of compromised identity being someone having access to all 3 Tor nodes, making it possible for them to trace connections. But, even if they had all 3 nodes, in my setup the entry node would be seeing an HTTPS-encrypted connection from a VPN.
This leads me to believe that I could safely log into all of my accounts and buy the same item with the same credit card a million times over, and the only way my identity could be compromised to sites I don't make purchases on is if my VPN had access to all three of my Tor nodes. Am I wrong, or am I wrong?
END GOAL: I would like to be able to buy something on Amazon and login to Facebook, then go read some random journal, all through the same browser connection, and that journal would have no idea who I am, even if Amazon and Facebook told them that I'd made purchases or logged in from that specific Tor exit node.
networking security vpn privacy tor
networking security vpn privacy tor
edited Jan 8 at 3:59
N N
asked Jan 1 at 21:25
N NN N
64
64
2
If you used a CC, they know who you are....
– Moab
Jan 1 at 21:39
I understand that the website I made the purchase on would know who I am. But, that wasn't my question. I'm wondering if I can be safe to make purchases on some sites while then opening up a new tab and navigating to another site anonymously.
– N N
Jan 1 at 21:42
1
I assume that this the purpose of TOR, but exit nodes have been known to be compromised.
– Moab
Jan 1 at 21:44
That's where the VPN and HTTPS are critical in this question. The VPN anonymizes the entry to the Tor network. And HTTPS means that none of the Tor nodes should be able to decrypt and obtain the original request information if compromised. Or so I'm thinking.
– N N
Jan 1 at 21:51
2
Tor conceals your location. It does not and cannot conceal your identity. That remains up to you to engage in proper operational security practices if you wish to do so.
– Michael Hampton
Jan 2 at 0:39
|
show 4 more comments
2
If you used a CC, they know who you are....
– Moab
Jan 1 at 21:39
I understand that the website I made the purchase on would know who I am. But, that wasn't my question. I'm wondering if I can be safe to make purchases on some sites while then opening up a new tab and navigating to another site anonymously.
– N N
Jan 1 at 21:42
1
I assume that this the purpose of TOR, but exit nodes have been known to be compromised.
– Moab
Jan 1 at 21:44
That's where the VPN and HTTPS are critical in this question. The VPN anonymizes the entry to the Tor network. And HTTPS means that none of the Tor nodes should be able to decrypt and obtain the original request information if compromised. Or so I'm thinking.
– N N
Jan 1 at 21:51
2
Tor conceals your location. It does not and cannot conceal your identity. That remains up to you to engage in proper operational security practices if you wish to do so.
– Michael Hampton
Jan 2 at 0:39
2
2
If you used a CC, they know who you are....
– Moab
Jan 1 at 21:39
If you used a CC, they know who you are....
– Moab
Jan 1 at 21:39
I understand that the website I made the purchase on would know who I am. But, that wasn't my question. I'm wondering if I can be safe to make purchases on some sites while then opening up a new tab and navigating to another site anonymously.
– N N
Jan 1 at 21:42
I understand that the website I made the purchase on would know who I am. But, that wasn't my question. I'm wondering if I can be safe to make purchases on some sites while then opening up a new tab and navigating to another site anonymously.
– N N
Jan 1 at 21:42
1
1
I assume that this the purpose of TOR, but exit nodes have been known to be compromised.
– Moab
Jan 1 at 21:44
I assume that this the purpose of TOR, but exit nodes have been known to be compromised.
– Moab
Jan 1 at 21:44
That's where the VPN and HTTPS are critical in this question. The VPN anonymizes the entry to the Tor network. And HTTPS means that none of the Tor nodes should be able to decrypt and obtain the original request information if compromised. Or so I'm thinking.
– N N
Jan 1 at 21:51
That's where the VPN and HTTPS are critical in this question. The VPN anonymizes the entry to the Tor network. And HTTPS means that none of the Tor nodes should be able to decrypt and obtain the original request information if compromised. Or so I'm thinking.
– N N
Jan 1 at 21:51
2
2
Tor conceals your location. It does not and cannot conceal your identity. That remains up to you to engage in proper operational security practices if you wish to do so.
– Michael Hampton
Jan 2 at 0:39
Tor conceals your location. It does not and cannot conceal your identity. That remains up to you to engage in proper operational security practices if you wish to do so.
– Michael Hampton
Jan 2 at 0:39
|
show 4 more comments
1 Answer
1
active
oldest
votes
After conducting more research and based off comments on the original question, it appears that other sites (sites other than Amazon or Facebook in this example) could identify you only via a few sneaky methods.
Browser fingerprinting -- this would be difficult to do if you're using the Tor Browser, since it uses default settings that most other users on the Tor network would share.
Cookies -- Facebook and Amazon might store cookies in your browser session that another site could potentially get access to. The Tor Browser only clears cookies automatically on startup, so these could be hanging around. But there are plugins to auto-delete cookies.
WebRTC, malicious javascript -- VPNs can disable all WebRTC (which could potentially expose your personal IP), and the Tor Browser has the NoScript plugin installed to allow control over what javascript runs on a page.
So, if you are using a VPN that can disable WebRTC and you're using the Tor Browser with properly configured plugins (NoScript, cookie auto-deleter, maybe even an intelligent canvas scrambler), there aren't any remaining openings that I am aware of.
From my understanding, webRTC is already disabled in Tor. The VPN does nothing for what the destination sites can see or do, it only affects what your ISP (and perhaps therefore your government) can see, namely that you are using Tor. I wouldn't risk using Tor simultaneously for identified traffic and anonymized traffic, there are too many vectors and it's an arms race. Simply change Tor Identities, or re-launch Tor, or run another Tor instance on a separate physical machine or VM.
– pseudon
Jan 2 at 19:14
But it depends on your threat model... what are the potential harms of correlating your identified traffic with your anonymous traffic? (rhetorical question)
– pseudon
Jan 2 at 19:19
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1389609%2fif-i-connect-to-a-website-over-https-via-vpn-into-tor-and-make-a-self-identifyin%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
After conducting more research and based off comments on the original question, it appears that other sites (sites other than Amazon or Facebook in this example) could identify you only via a few sneaky methods.
Browser fingerprinting -- this would be difficult to do if you're using the Tor Browser, since it uses default settings that most other users on the Tor network would share.
Cookies -- Facebook and Amazon might store cookies in your browser session that another site could potentially get access to. The Tor Browser only clears cookies automatically on startup, so these could be hanging around. But there are plugins to auto-delete cookies.
WebRTC, malicious javascript -- VPNs can disable all WebRTC (which could potentially expose your personal IP), and the Tor Browser has the NoScript plugin installed to allow control over what javascript runs on a page.
So, if you are using a VPN that can disable WebRTC and you're using the Tor Browser with properly configured plugins (NoScript, cookie auto-deleter, maybe even an intelligent canvas scrambler), there aren't any remaining openings that I am aware of.
From my understanding, webRTC is already disabled in Tor. The VPN does nothing for what the destination sites can see or do, it only affects what your ISP (and perhaps therefore your government) can see, namely that you are using Tor. I wouldn't risk using Tor simultaneously for identified traffic and anonymized traffic, there are too many vectors and it's an arms race. Simply change Tor Identities, or re-launch Tor, or run another Tor instance on a separate physical machine or VM.
– pseudon
Jan 2 at 19:14
But it depends on your threat model... what are the potential harms of correlating your identified traffic with your anonymous traffic? (rhetorical question)
– pseudon
Jan 2 at 19:19
add a comment |
After conducting more research and based off comments on the original question, it appears that other sites (sites other than Amazon or Facebook in this example) could identify you only via a few sneaky methods.
Browser fingerprinting -- this would be difficult to do if you're using the Tor Browser, since it uses default settings that most other users on the Tor network would share.
Cookies -- Facebook and Amazon might store cookies in your browser session that another site could potentially get access to. The Tor Browser only clears cookies automatically on startup, so these could be hanging around. But there are plugins to auto-delete cookies.
WebRTC, malicious javascript -- VPNs can disable all WebRTC (which could potentially expose your personal IP), and the Tor Browser has the NoScript plugin installed to allow control over what javascript runs on a page.
So, if you are using a VPN that can disable WebRTC and you're using the Tor Browser with properly configured plugins (NoScript, cookie auto-deleter, maybe even an intelligent canvas scrambler), there aren't any remaining openings that I am aware of.
From my understanding, webRTC is already disabled in Tor. The VPN does nothing for what the destination sites can see or do, it only affects what your ISP (and perhaps therefore your government) can see, namely that you are using Tor. I wouldn't risk using Tor simultaneously for identified traffic and anonymized traffic, there are too many vectors and it's an arms race. Simply change Tor Identities, or re-launch Tor, or run another Tor instance on a separate physical machine or VM.
– pseudon
Jan 2 at 19:14
But it depends on your threat model... what are the potential harms of correlating your identified traffic with your anonymous traffic? (rhetorical question)
– pseudon
Jan 2 at 19:19
add a comment |
After conducting more research and based off comments on the original question, it appears that other sites (sites other than Amazon or Facebook in this example) could identify you only via a few sneaky methods.
Browser fingerprinting -- this would be difficult to do if you're using the Tor Browser, since it uses default settings that most other users on the Tor network would share.
Cookies -- Facebook and Amazon might store cookies in your browser session that another site could potentially get access to. The Tor Browser only clears cookies automatically on startup, so these could be hanging around. But there are plugins to auto-delete cookies.
WebRTC, malicious javascript -- VPNs can disable all WebRTC (which could potentially expose your personal IP), and the Tor Browser has the NoScript plugin installed to allow control over what javascript runs on a page.
So, if you are using a VPN that can disable WebRTC and you're using the Tor Browser with properly configured plugins (NoScript, cookie auto-deleter, maybe even an intelligent canvas scrambler), there aren't any remaining openings that I am aware of.
After conducting more research and based off comments on the original question, it appears that other sites (sites other than Amazon or Facebook in this example) could identify you only via a few sneaky methods.
Browser fingerprinting -- this would be difficult to do if you're using the Tor Browser, since it uses default settings that most other users on the Tor network would share.
Cookies -- Facebook and Amazon might store cookies in your browser session that another site could potentially get access to. The Tor Browser only clears cookies automatically on startup, so these could be hanging around. But there are plugins to auto-delete cookies.
WebRTC, malicious javascript -- VPNs can disable all WebRTC (which could potentially expose your personal IP), and the Tor Browser has the NoScript plugin installed to allow control over what javascript runs on a page.
So, if you are using a VPN that can disable WebRTC and you're using the Tor Browser with properly configured plugins (NoScript, cookie auto-deleter, maybe even an intelligent canvas scrambler), there aren't any remaining openings that I am aware of.
edited Jan 8 at 3:56
answered Jan 2 at 0:12
N NN N
64
64
From my understanding, webRTC is already disabled in Tor. The VPN does nothing for what the destination sites can see or do, it only affects what your ISP (and perhaps therefore your government) can see, namely that you are using Tor. I wouldn't risk using Tor simultaneously for identified traffic and anonymized traffic, there are too many vectors and it's an arms race. Simply change Tor Identities, or re-launch Tor, or run another Tor instance on a separate physical machine or VM.
– pseudon
Jan 2 at 19:14
But it depends on your threat model... what are the potential harms of correlating your identified traffic with your anonymous traffic? (rhetorical question)
– pseudon
Jan 2 at 19:19
add a comment |
From my understanding, webRTC is already disabled in Tor. The VPN does nothing for what the destination sites can see or do, it only affects what your ISP (and perhaps therefore your government) can see, namely that you are using Tor. I wouldn't risk using Tor simultaneously for identified traffic and anonymized traffic, there are too many vectors and it's an arms race. Simply change Tor Identities, or re-launch Tor, or run another Tor instance on a separate physical machine or VM.
– pseudon
Jan 2 at 19:14
But it depends on your threat model... what are the potential harms of correlating your identified traffic with your anonymous traffic? (rhetorical question)
– pseudon
Jan 2 at 19:19
From my understanding, webRTC is already disabled in Tor. The VPN does nothing for what the destination sites can see or do, it only affects what your ISP (and perhaps therefore your government) can see, namely that you are using Tor. I wouldn't risk using Tor simultaneously for identified traffic and anonymized traffic, there are too many vectors and it's an arms race. Simply change Tor Identities, or re-launch Tor, or run another Tor instance on a separate physical machine or VM.
– pseudon
Jan 2 at 19:14
From my understanding, webRTC is already disabled in Tor. The VPN does nothing for what the destination sites can see or do, it only affects what your ISP (and perhaps therefore your government) can see, namely that you are using Tor. I wouldn't risk using Tor simultaneously for identified traffic and anonymized traffic, there are too many vectors and it's an arms race. Simply change Tor Identities, or re-launch Tor, or run another Tor instance on a separate physical machine or VM.
– pseudon
Jan 2 at 19:14
But it depends on your threat model... what are the potential harms of correlating your identified traffic with your anonymous traffic? (rhetorical question)
– pseudon
Jan 2 at 19:19
But it depends on your threat model... what are the potential harms of correlating your identified traffic with your anonymous traffic? (rhetorical question)
– pseudon
Jan 2 at 19:19
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1389609%2fif-i-connect-to-a-website-over-https-via-vpn-into-tor-and-make-a-self-identifyin%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
If you used a CC, they know who you are....
– Moab
Jan 1 at 21:39
I understand that the website I made the purchase on would know who I am. But, that wasn't my question. I'm wondering if I can be safe to make purchases on some sites while then opening up a new tab and navigating to another site anonymously.
– N N
Jan 1 at 21:42
1
I assume that this the purpose of TOR, but exit nodes have been known to be compromised.
– Moab
Jan 1 at 21:44
That's where the VPN and HTTPS are critical in this question. The VPN anonymizes the entry to the Tor network. And HTTPS means that none of the Tor nodes should be able to decrypt and obtain the original request information if compromised. Or so I'm thinking.
– N N
Jan 1 at 21:51
2
Tor conceals your location. It does not and cannot conceal your identity. That remains up to you to engage in proper operational security practices if you wish to do so.
– Michael Hampton
Jan 2 at 0:39