VPNs and Tor: How the Internet works and how to protect oneself while exploring it
Have you ever watched a video where the YouTuber, in the middle of his spiel on why K-On! is the representation of a perfect utopia, suddenly says “this is why I use this x brand VPN”? Yeah, so have I. VPNs are largely presented as a perfect way to be safe on the ‘net, and to stay anonymous. After all, we can all agree that staying private and secure while surfing on the world wide web is important, right? Therefore you really should be using a VPN!
Well, let me completely and utterly shatter that outright lie. VPNs are a massive, massive security concern when it comes to Anonymity & Security. Now, I am not saying VPNs do not have their uses. But I am saying to be extremely wary whenever someone presents you a seemingly perfect solution. These are the modern snake oil salesmen. The best solution (and it is far from perfect) is the Tor Browser as of this moment. Now, whenever I bring up Tor, I usually get one of three reactions. Either a confused reaction as to what Tor even is, an “it was engineered by glowies therefore it’s a honeypot” or “So you wanna go look at snuff movies online and CP you creep”. My answer to that last statement is that if this were my goal, this kind of shit is considerably easier to access on Facebook (no, I am not joking, there’s a thriving slave market on Facebook in certain…non-English speaking groups let’s say. It is a passion project of mine to find these groups and bring them up to the proper authorities.)
No, Tor has had a very bad reputation because people do not understand how the internet works at all. So, my dear Alice, time for us to dive into the rabbit hole, and acting as your Cheshire Cat, I shall guide you through a tour of the Wonderland that is the Internet.
Welcome to Wonderland
So, without entering into the technical details of how the internet works, let me illustrate how deep the internet goes. It has considerably more levels than most people even imagine. It is like an iceberg: only the tip emerges from the water. Our first layer is what most of you are aware of. Social media like Facebook, Twitter, YouTube and these giants of the industry, along with all the various apps that require a connection to the ‘net to work. This is what the overwhelming majority of end users truly use on a day to day basis.
It used to also include websites indexed by search engines, but with the push of entities like Google, which use A.I. (which is another rabbit hole I will touch on in the future) to generate prepacked “answers”, and how the majority of people seem perfectly content to use these, along with the extraordinary dubiousness inherent to Wikipedia (seriously, Yasuke wasn’t a samurai, but if you ask for a citation on that page, you get IP banned. I tried) and the obvious politicization of the same big search engines, I must put the indexed pages in a separate layer now. I lost several years of my life writing that last sentence so trust me when I say I don’t enjoy having to make that distinction.
So, as mentioned, the indexed pages are their own layer due to the curated indexation of Google, DuckDuckGo and Bing. And no, I am not joking, even DuckDuckGo is compromised nowadays. The best way to curate your searches now is with SearX, but that is also a rabbit hole for another time. The point is, people nowadays largely aren’t even aware of what a non-reddit forum looks like. Which leads me to our third layer:
Non-indexed pages. While many websites are indexed on various search engines, few people are aware, for example, that most corporations have a page on their website with documentation for would-be investors: projected earnings, changes in the administration, etc. Those usually are not listed on most search engines. And it is on purpose. These are “need to know basis” kinds of pages, but they still must be technically widely accessible for various reasons, some legal, some convenience, etc.
Our fourth layer is what most people are terrified of when I mention Tor. The Deep Web. These are non-indexed websites. Many of them have the suffix “.onion”, but that is not necessarily the case. Corporate intranets, for example, are in this category. These websites are, for one reason or another, completely unsearchable via search engines, and therefore are only accessible either by word of mouth, by luck or if you are directly invited to them.
Now, I must take the time to make a very important distinction. The Deep Web does not equate to the Dark Web. The Dark Web is what most people are thinking of when snuff films and CP are mentioned. And while some of this does exist on the deep web, the dark web exists at all layers of the internet. The deep web is simply referring to websites that stay unlisted from search engines as a whole. Some do for political reasons (dissident forums from a dictatorship for example), others simply want to stay private like some chatrooms, others are purposefully hidden as part of an ARG, etc. There are many legitimate reasons to not want to be listed on Google.
In fact, this is what VPNs are pretending to offer you, a sense of anonymity and security online.
The VPN Jabberwocky
VPNs are, largely, a massive trap. To explain why, I must first explain how a VPN works. To keep this in layman’s terms, imagine your ISP as a long cord connecting your device to the internet. It sees and monitors all that you do while on the internet. Meaning that, say, in a scenario where the government suddenly becomes illegitimate and forces your ISP to, or your ISP itself decides that you are a dangerous extremist because you love looking up images of dogs on Google (and since Hitler had dogs, you must be Hitler), it can doxx you in a self-destructive “martyr” move to stop you from making all these cookies in your oven (I know this sounds ridiculous, it’s an image to illustrate the point), and now people who didn’t read the full doxx think you are Hitler and must be put down immediately.
This is why VPNs supposedly exist. A VPN takes that cord and redirects it to itself, and then it connects to the rest of the internet on your behalf. That way your ISP only knows you are connected to a VPN; it doesn’t see anything else. Privacy protected.
The clever among you will probably have figured out the problem by now. That does not solve the privacy problem; it merely redirects the problem to yet another entity over which you have no control, which can decide to do the exact same move as the theoretical one discussed for the ISP, or which will bend to a tyrannical government’s injunction to access your data. Heck, some of them downright have a specific clause giving them the right to sell your data, in an “anonymized manner”. On top of that, VPN servers suddenly become a very juicy target for hackers, meaning yet another vector of attack you just gave to a would-be malfeasant entity against your precious data.
Now, do not get me wrong, I may be speaking like VPNs are completely and utterly useless. This is not what I am saying. I am saying that from the angle of Security and Anonymity, they are a critical flaw. They are however a fantastic tool to access region-locked content, like getting earlier tickets to visit a local museum for example, or viewing certain movies on Netflix. If this is why you use a VPN, this is a perfectly acceptable reason and in fact a fantastically great way to achieve this. I would still recommend the open-source VPNs to mitigate the inherent security risk VPNs are, but otherwise, go for it! However, if you are using them for security and anonymity reasons, this is a poor, poor choice, as I have detailed.
The Onion
Enter Tor, a browser dedicated to privacy while surfing the ‘net. It is open-source, free and is maintained by the Tor Project, a worldwide group of volunteers. The fact that it is open-source means you can always verify it for vulnerabilities, which is great, and the way it functions is extraordinarily ingenious. You connect your ISP cord, as I pictured it earlier, to an entry point. This is where the ISP stops knowing anything, as it would with a VPN.
That entry point then connects, in an encrypted way, to a node inside the network. That node is randomly chosen each time you connect to a website, and it then connects to a third point, which is the exit node. That exit node only knows the requested website, so it pulls the page and sends it back down the line to you, thus guaranteeing anonymity, as each of these nodes is connected in an encrypted manner to avoid them giving each other information that could compromise you. And despite all of this, if for some reason you suspect being watched, you can hit a simple button to completely reroute your entire traffic, choosing, randomly, three other nodes.
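An added example, not part of the original article: a small Python model of the two paths described above, the single-hop VPN and the three-hop Tor route, showing what each hop learns once it peels its own layer of encryption. The hop names, per-hop keys, client address, destination and the toy SHA-256 XOR cipher are all constructed for illustration; this is not Tor's actual protocol or cryptography.

```python
import hashlib
import json

# Constructed per-hop keys; a toy stand-in for keys negotiated with each hop.
KEYS = {n: hashlib.sha256(n.encode()).digest() for n in ("vpn", "entry", "middle", "exit")}

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 keystream XOR): illustration only, not real crypto."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(path, destination, request):
    """Client side: encrypt for the last hop first, then add one layer per earlier hop."""
    cell = xor_stream(KEYS[path[-1]], json.dumps({"next": destination, "data": request}).encode())
    for hop, nxt in zip(reversed(path[:-1]), reversed(path[1:])):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = xor_stream(KEYS[hop], layer)
    return cell

def observe(path, client, destination, request):
    """Send one request along `path`; return what each hop learns after peeling its layer."""
    cell, prev, views = wrap(path, destination, request), client, []
    for i, hop in enumerate(path):
        layer = json.loads(xor_stream(KEYS[hop], cell))
        view = {"hop": hop, "from": prev, "to": layer["next"]}
        if i == len(path) - 1:
            view["request"] = layer["data"]      # last hop sees the request itself
        else:
            cell = bytes.fromhex(layer["data"])  # still encrypted for later hops
        views.append(view)
        prev = hop
    return views

if __name__ == "__main__":
    # Constructed sample traffic: one VPN hop versus entry -> middle -> exit.
    for path in (["vpn"], ["entry", "middle", "exit"]):
        for view in observe(path, "203.0.113.7", "example.org", "GET /cats"):
            print(view)
```

The single VPN hop ends up holding the client address, the destination and the request together, while in the three-hop path no single hop holds both the client address and the destination.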
You can even add another layer on top of it by accessing Tor via a USB drive that boots an OS called TailsOS, which lives only in your RAM, meaning once you shut down the computer, no trace of your usage on that device remains. Or you can do it via Whonix, which works the same but is a Virtual Machine, about which I have my own qualms. Nonetheless, these are merely an optional additional step if you really do not want to take chances. Tor by itself works perfectly fine. Heck, you can use it on your mobile device, and connect to its network via Orbot (which can run all your apps through Tor for added security and anonymity if you so wish).
Now, Tor is slow, but you trade convenience for the best anonymity and security of internet browsing currently available for the average end-user. It is also vulnerable to certain types of attacks. For example, a compromised exit node could trace you back, and while the Tor community keeps an eye on these things, it is nonetheless a possible vector of attack. Just make sure to change your traffic once in a while and you should be fine.
Another point about Tor is that it does not anonymize you if you use logins. You are still connecting as you, just from a wildly unusual position on earth. Which itself gives a clue to bad actors that you use Tor. So avoid those while you browse for them cat pictures.
There are a number of possible attacks on Tor. As I said, I am not selling you a perfect solution, merely the best solution currently available. My next article will focus on these vulnerabilities and how to mitigate them, so stay tuned for that.
Now, the final point I want to touch on Tor is about it having been created by Feds. That is true. However, the entire project was released as an external foundation and the code is free and open-source. Feds have no more control over the Tor Network than you or I do.
In conclusion, it is all about keeping a sanitized environment, as usual. By compartmentalizing your browsing habits, and learning about the various failure points in the threat model we have previously established on this website, we can significantly mitigate vectors of attack against us while we browse the internet, regardless of which layer of the ‘net we are currently surfing on.
By using Tor and keeping in mind the various layers of defense we have established, we can reclaim our privacy, anonymity and security from outside, untrustworthy entities. This is a war between you and your right to privacy and those bad actors, be they hackers, ill-intentioned corporations, or tyrannical governments all across the world. Keep fighting back.
We will be watching.
The G.H05t
Filed under: Uncategorized - @ July 23, 2024 5:57 am