Perfect anonymity: is it possible to achieve it?

Different needs and different threat models lead to misunderstandings between people. Let’s say you want to leave the most anonymous comment possible on a social network. What do you need for it? A VPN? Tor? An SSH tunnel? Well, it is enough to buy any SIM card and a used phone in the nearest store, then go a considerable distance from where you live, insert one into the other, post your message and sink the phone. You have fulfilled your mission 100%.

But what if you don’t want to just leave a unique comment or hide your IP address from some site? What if you want such an advanced level of anonymity that you will create the most intricate puzzle leaving no room for any tricks at any level? And also hide the very fact of using anonymity tools along the way? This is what I am going to talk about in this article.

Perfect anonymity is above all a dream, like everything perfect. But that doesn’t mean you can’t get pretty close. Even if you are being identified by system fingerprints and other means, you can still remain indistinguishable from the general mass of Web users. In this article I will explain how to achieve this.

This is not a call to action, and the author in no way calls for any illegal action or violation of the laws of any state. Consider it just an “if I were a spy” fantasy.

Basic protection level

The basic level of protection and anonymity looks something like this: client → VPN/Tor/SSH tunnel → target.

Actually, this is just a slightly more advanced version of a proxy that allows you to substitute your IP. You won’t achieve any real or quality anonymity this way. Just one wrong or default setting in the notorious WebRTC, and your real IP is revealed. This type of protection is also vulnerable to node compromise, fingerprinting, and even simple log analysis at your provider and the data center.
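The WebRTC leak mentioned above happens through ICE candidates, which can carry addresses other than the tunnel's exit. As an added example (not from the original article), this self-check parses candidate lines gathered in your own browser and lists every address that differs from the expected exit IP; the function names and sample addresses are constructed for illustration.

```javascript
// Added example: audit WebRTC ICE candidates for addresses other than the tunnel exit.
// Candidate grammar (RFC 5245):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <a> rport <p>]

function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const c = { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7], raddr: null };
  // Extension attributes follow the type as name/value pairs.
  for (let i = 8; i + 1 < f.length; i += 2) {
    if (f[i] === "raddr") c.raddr = f[i + 1];
  }
  return c;
}

// mDNS names (<uuid>.local) hide the host address; 0.0.0.0 and :: are placeholders.
function isOpaque(addr) {
  return addr.endsWith(".local") || addr === "0.0.0.0" || addr === "::";
}

// Returns every address a page could read that is not the expected exit IP.
function findLeaks(candidateLines, expectedExitIp) {
  const leaks = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip lines that are not ICE candidates
    for (const [field, addr] of [["address", c.address], ["raddr", c.raddr]]) {
      if (addr && !isOpaque(addr) && addr !== expectedExitIp) {
        leaks.push({ type: c.type, field, addr });
      }
    }
  }
  return leaks;
}

// Constructed sample (documentation address ranges), as if collected from
// RTCPeerConnection "icecandidate" events in your own browser.
const SAMPLE = [
  "candidate:1 1 udp 2113937151 6f1c2a9e-4b1d-4c55-9a57-0d2b1c3e4f5a.local 54321 typ host",
  "candidate:2 1 udp 2113937151 192.168.1.23 54322 typ host",
  "candidate:3 1 udp 1677729535 198.51.100.7 40000 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 1677729535 203.0.113.50 40001 typ srflx raddr 192.168.1.23 rport 54322",
];

console.log(findLeaks(SAMPLE, "203.0.113.50"));
```

An empty result means every candidate either matched the expected exit IP or was masked; anything listed is an address the visited page could have read.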

By the way, there is a common opinion that a private VPN is better than a public one, since the user trusts his own system settings. Consider for a moment that someone knows your external IP. So they know your data center too. And the data center knows which server this IP belongs to. Now imagine how difficult it is to determine which real IP connected to that server. What if you are the only customer there? If there are many customers, for example 100, it becomes more and more difficult.

And that’s not to mention that few people will bother to encrypt their disks and protect them from physical removal, so they’ll barely notice their servers being rebooted to boot level 1 and VPN logs being turned on under the guise of “minor technical difficulties in the data center.” And even that is not really necessary, because all the incoming and outgoing server addresses are already known.

Speaking of Tor: first, its use itself can raise suspicions. Second, there are only around 1000 exit nodes, and many of them are on block lists and unwelcome on many sites. For example, Cloudflare can allow or block Tor connections in its firewall, using T1 as the country. Also, Tor is much slower than a VPN (currently Tor network speed is less than 10 Mbit/s and often 1-3 Mbit/s).

Summary: If all you need is to avoid showing your passport to everyone, bypass simple site blocks, have a fast connection, and route all traffic through another node, choose a VPN, preferably a paid service. For the same money, you’ll get dozens of countries and hundreds or even thousands of outgoing IP addresses instead of a single-country VPS that you’ll have to painfully configure.

In this case, there is little point in using Tor, although in some cases Tor will be a decent solution, especially if you have an additional layer of security like VPN or SSH tunnel. More on this below.

Medium protection level

A medium protection level looks like an advanced version of the basic one: client → VPN → Tor and variations. This is an optimal working tool for anyone who is afraid of IP spoofing. This is a case of synergy, where one technology strengthens the other. But make no mistake: while it is really hard to obtain your real address, this setup is still vulnerable to all the attacks described above. Your weak link is your workplace: your work computer.

High level of protection

Client → VPN → Remote Workplace (via RDP/VNC) → VPN.

Your work computer should not be your own, but a remote machine with, say, Windows 8, Firefox, a couple of plugins like Flash, a couple of codecs, and no unique fonts or other plugins. A boring and simple machine, indistinguishable from millions of others. In the event of a leak or compromise, you will still be covered by another VPN.

Previously it was believed that Tor/VPN/SSH/Socks allowed for a high level of anonymity, but today I would recommend adding a remote workplace to this setup.

Perfect

Client → Double VPN (in different data centers, but close to each other) → Remote Workplace + Virtual Machine → VPN.

The proposed scheme consists of a primary VPN connection and a secondary VPN connection (in case the first VPN is compromised due to a leak). It hides your traffic from the ISP and conceals your real ISP address from the data center that hosts the remote workplace. Next comes a virtual machine installed on the server. I guess you understand why a virtual machine is so vital: it lets you roll back to the most standard and banal system with a standard set of plugins after every download. And this needs to be done at a remote workplace rather than a local one, because people who used a virtual machine locally in conjunction with TripleVPN once opened an IP verification site and were very surprised to see their real IP address in the “WebRTC” field. I don’t know and I don’t want to know what software some developer will develop tomorrow and install in your browser without your involvement. So just don’t think about it and don’t store anything locally. Kevin Mitnick found that out 30 years ago.

We have tested this configuration: the delays are significant even if you set everything up correctly in terms of geography, but they are tolerable. We assume that the user will not place the servers on different continents. For example, if you physically reside in New York, place your first VPN also in New York, the second in Mexico, your remote workplace in Canada, and the final VPN in, say, Venezuela. Don’t put different servers in the eurozone, as those governments cooperate closely, but on the other hand, don’t spread them too far apart from each other. Neighboring countries that hate each other would be the best solution for your chain 😉

You can also add automatic background website visiting from your real machine, thus mimicking web browsing. With this, you dispel suspicions that you use some anonymity tools because your traffic always goes to a single IP address and through one port. You can add Whonix/Tails and go online over public Wi-Fi in a cafe, but only after changing your network adapter settings, which could also lead to your de-anonymization. You could even change your appearance so as not to be visually identified in the same cafe. You can be identified by various means, from your coordinates in a photo captured by your phone to your writing style. Just remember that.

On the other hand, most people are perfectly well served by an anonymizer, although even our anonymizer, after all our efforts to make it convenient, still falls short in terms of browsing experience. Yes, a regular VPN is a normal and adequate solution to bypass simple blocks with decent speed. Need more anonymity and ready to sacrifice some speed? Add Tor to the mix. Want something more? Do as described above.

Fingerprinting, such as efforts to detect VPN use, is very difficult to circumvent because of the time it takes to send packets from the user to the website and from the website to the user’s IP address (not taking into account the blocking of specific incoming requests). You can cheat on one or two checks, but you can’t be sure that a new “nightmare” won’t appear overnight. This is why you need both a remote workplace and a clean virtual machine. That’s the best advice you can get right now. The cost of such a solution starts from just $40 per month. But keep in mind that you have to pay with Bitcoin only.

And a little epilogue. The main and most important factor in your success in achieving true anonymity is separating personal and secret data. All tunnels and intricate schemes will be absolutely useless if you log in, for example, to your personal Google account.

Be anonymous!
