VPN and SSL - Expert Held Needed!
March 21, 2011 6:10 PM   Subscribe

VPN/SSL question - Expert Help Needed! I would like to connect to a Usenet provider through a VPN. The Usenet provider offers an SSL connection. The VPN will be an OpenVPN connection. My understanding is that, under this scenario: the usenet provider will know what files I download but not my IP address or who I am (setting aside billing information), while the VPN provider will know my IP address and what Usenet provider I connect to, but not what files I download. Is that correct?

Obviously, my concern here is personal privacy, and in particular: what if my VPN provider does not keep its promise not to log my activity? By routing my connection through a VPN in a foreign country, it seems to me that I can separate my personal information in such a way that no one party has complete information about me.

To avoid the billing address issue, I intend to pay for these services using prepaid gift Visa cards, purchased with cash, that don't have any billing information related to me, and then provide the service provider with an assumed name and a mail forwarding address in a third country that is not easily traceable.

Please ignore the possibility of a man-in-the-middle attack by the VPN provider: I'm comfortable assuming that risk. Mainly, I don't want to show up in someone's logs.

Despite the extensive nature of these precautions, I promise I'm not uploading pirated material or anything exceptionally risky like that. I just like my privacy (and this has been an interesting challenge for me to work on lately).

Thanks in advance for your help.
posted by trystero to Computers & Internet (6 answers total)
 
usenet provider will know what files I download but not my IP address or who I am (setting aside billing information),

So the question is, who are you trying to protect yourself from? What's your threat model? Be specific, this is a serious question.

In any threat model worth worrying about, you can't just handwave away information that has your name and home address attached to it. You'll log into that service with a username and an account, and transactions that take place via that username and account are, potentially at least, trackable. But, sure, your VPN provider won't (in theory) be able to read the traffic between your machine and Usenet in this model, and the Usenet provider won't see that traffic as being requested from your home address.

That said, the fact that you have to pay for and log into these services means that if you download something that the Usenet provider is actively watching for people to download (which happens) that the authorities or whoever won't need to do any fancy CSI trace-your-IP nonsense; they'll just look up your billing information with the cooperation of the Usenet provider and add your name to a list.
posted by mhoye at 7:13 PM on March 21, 2011


Response by poster: So the question is, who are you trying to protect yourself from? What's your threat model? Be specific, this is a serious question.

In this threat model, I am trying to protect my privacy from well-funded, litigation-minded private parties. I am not concerned with protecting against threats from law enforcement, governmental authorities, or criminals/black hats. Does that answer your question?

the fact that you have to pay for and log into these services means that if you download something that the Usenet provider is actively watching for people to download (which happens) that the authorities or whoever won't need to do any fancy CSI trace-your-IP nonsense; they'll just look up your billing information with the cooperation of the Usenet provider and add your name to a list.

I intend to pay using a Visa gift card purchased for cash that is not in any way tied to my real name. My billing address will be an assumed name and a mail forwarder located in a foreign country. I'm aware that this could ultimately be traced back to me, even by a sufficiently motivated and well financed private party, but my goal is not complete anonymity: it's simply to be sufficiently anonymous that determining my identity is more trouble than it's worth.
posted by trystero at 7:35 PM on March 21, 2011


I am trying to protect my privacy from well-funded, litigation-minded private parties.

I wouldn't worry about them, in this scenario.
posted by mhoye at 9:20 PM on March 21, 2011


the usenet provider will know what files I download but not my IP address or who I am (setting aside billing information), while the VPN provider will know my IP address and what Usenet provider I connect to, but not what files I download. Is that correct?

More or less. But the Usenet provider will still log the IP address of the VPN and so if some entity were to compel or subpoena both parties, then there is enough data between the two of them to reconstruct what files you downloaded. (That is, assuming that data is logged.)
posted by Rhomboid at 1:13 AM on March 22, 2011


Response by poster: But the Usenet provider will still log the IP address of the VPN and so if some entity were to compel or subpoena both parties, then there is enough data between the two of them to reconstruct what files you downloaded. (That is, assuming that data is logged.)

Fair enough. My concern is that one party (either the Usenet provider or the VPN provider) will be compromised and will share my personal information. The odds that anyone would go to the effort to compromise two parties in two legal jurisdictions to track me down is vanishingly small.

I just wanted to make sure I accurately understood how SSL would work through a VPN (and what information would be available to each party). It sounds like I do?

Thanks!
posted by trystero at 4:10 AM on March 22, 2011


Best answer: Yes, the VPN provider would be able to tell what address and port you're connecting to but nothing beyond that. Well, they'd also have the number of packets, size of each packet, and timing of the flow which would make it pretty clear that you were downloading binaries from a nttp server, but that much could most likely be inferred from the IP address (and reverse DNS/netblock whois) and port number alone.
posted by Rhomboid at 6:51 AM on March 22, 2011


« Older My Mackbook is a crackin.   |   Get outta my dream! Newer »
This thread is closed to new comments.