LinuxQuestions.org
Linux - Security
Old 01-05-2016, 01:51 PM   #1
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Rep: Reputation: 57
How can an eavesdropper distinguish an HTTPS connection from an SSL tunnel?


What commands would an eavesdropper type to find out which of the 3 is going on:

1. user is just visiting https://www.linuxquestions.org (HTTPS connection)

2. user is the admin of LQ and is logging into linuxquestions.org as the SITE (not forum) administrator (SSL or is it SSH?)

3. user is the admin and is hiding a link to TOR inside their connection to linuxquestions.org (SSL tunnel)

PS This is only to get a feel for the difficulty of this, not to actually do it.

Last edited by Ulysses_; 01-05-2016 at 02:17 PM.
 
Old 01-05-2016, 02:55 PM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,153

Rep: Reputation: 1265
https is port 443. ssh is port 22. An openvpn tunnel would be 1194. Unless the services are on non-standard ports.
 
Old 01-05-2016, 03:29 PM   #3
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
3. was meant to be an openvpn tunnel that is itself tunneled through some other type of SSL connection in an attempt to hide the fact that tunneling is being used.
 
Old 01-05-2016, 05:56 PM   #4
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
OK, the basic idea is that with a VPN seeing what you are doing is non-trivial for your ISP.

(Now, if you're using the wrong set up / cypher the NSA has already cracked 3/4 of encrypted traffic (including VPN ) world wide b/c almost everybody is still using 1048 keys b/c they are either too stupid, too broke, too malicious or too complicit to upgrade to at least 2096 (if not better) like the IETF told everybody to do all the way back in 2005.)

But, even though your ISP can't see what you're doing they can see *how* you are doing it.

In other words your ISP can't read your encrypted traffic. But they can see that you're on a VPN.

In the US this will get you put on a list used by the retarded profiling algos that can't tell the dif between good guys and bad guys. Right now the only consequences of being profiled is that you can't get a govsec job. In a few days you may no longer be able to legally buy guns b/c some algo says you're a bad guy b/c you encrypt your traffic and b/c of that you shouldn't be able to get on a plane and the prez decided that means you can't buy a gun. (After all, if you aren't doing anything wrong then why do you have a problem running around naked for every one to see?) We are the frog in the ever increasing temperature pot of water.

In China the use of encrypted traffic is already life threatening. It can get you sent to a re-education camp.

So a lot of folks who want to have a little privacy have motivation to not be seen doing anything out of the ordinary. That's where tunnel wrappers come in.

How to hide OpenVPN traffic – an introduction

The basic idea is that I put an SSL "wrapper" around my VPN tunnel so that to anybody monitoring my connection it just looks like I'm logging in to a web site.

This plays into the sec scenario I laid out for you in the other thread which is non-trivial to achieve. It involves using a gateway and virtual machines and involves modifications of the communication protocols in your router, gateway, host OS NIC, VM OS NIC and the VM OS browser / chat / etc programs to achieve tunnels within tunnels within tunnels.

But, if you do it right, on the first leg of the trip out of your physical location (to your ISP) it just looks like you're logging in to a web site.
 
Old 01-05-2016, 07:28 PM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,679
Blog Entries: 4

Rep: Reputation: 3947
Meh ...

Mostly, what I want to do is to see to it that, "if it's nobody's business but ours," nobody else (easily) sees it. For instance, if I'm e-mailing a document that I would not post on the lunch-room wall, I'm going to encrypt that e-mail. (I digitally sign every email that I send anywhere.) If I put a document into a DropBox, that document is going to be encrypted. And so on.

I use VPN, with digital certificates (n-o-t "pre-shared keys (PSKs) == passwords!"), to secure all inter-server communication that must pass over the Internet. So that I can have confidence that the data "arrives as-tendered" and that no one else (easily) sees it.

Now, if a Federal Marshal shows up tomorrow with a search warrant, I will cooperate fully with him or her, as the US Constitution demands. I have things to conceal because no one else need know them (and because of ordinary business/personal prudence when using "the World Wide Party-Line"), but I have nothing to hide.

Far too many business-models today are predicated on the assumption that, "if it is technically possible for me to access this-or-that, then I am entitled to (profitably) do so." But, this is not the case and it has never (before) been thought to be the case. The telephone company carries my calls, but may not record or intercept them, and may not sell profiles of who I'm calling. The post office carries my letters, in envelopes, but may not steam them open.

Last edited by sundialsvcs; 01-05-2016 at 07:30 PM.
 
Old 01-05-2016, 08:56 PM   #6
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
I've kept up with reading on the subject. But I haven't been in to the practical application side of it for about 5 years.

I'm getting back in to it for various reasons.

While I was out of it a lot of things changed including the politics of information and the topology of the net, as well as my goals.

A lot of my old tricks either don't work any more or don't provide enough of an increase in sec to be worth the trouble for the level of stuff I'm in to.

IE, I personally don't have anything to hide. But I believe in helping where and how I can. So after a long time out of the game I'm going to drop a Tor exit in my DMZ. Yes, bad guys use it. But they use air too. There are people in the world who have no other relatively safe way to speak available to them. And I'd like to be involved in stuff like that again since I'm no longer sick.

Any way, for my needs I think I'm going to go with:

1) A very slightly obfuscated identity. I'll use my wife's SMB account to pay for the subscriptions if I like the tech after the 7 day trials.

2) Get a start mail account. (I've used their search page as my home page for years.) Use their disposable e mail aliases to sign up for air vpn. I'll wrap it in an SSL tunnel so my ISP just thinks I'm logging in to a web site.

3) Use the tools in my sig to increase the entropy of my fingerprint.

4) Use alternate DNS. For reasons technical, legal and political I like ClaraNet and CCC.

5) If I need to get more private than that I'll hit Tor from a VM and just make sure that I don't hit my own circuit.

Last edited by Steven_G; 01-06-2016 at 03:22 AM.
 
Old 01-06-2016, 11:18 AM   #7
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
I don't buy it will look EXACTLY the same as if you logged into a site. Wouldn't traffic patterns tell something?

Or are you just counting on the eavesdropper not having the resources to compare all user traffic signatures with all targeted site traffic signatures?
 
Old 01-06-2016, 11:58 AM   #8
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by Ulysses_ View Post
I don't buy it will look EXACTLY the same as if you logged into a site. Wouldn't traffic patterns tell something?

Or are you just counting on the eavesdropper not having the resources to compare all user traffic signatures with all targeted site traffic signatures?
You can buy whatever you like.

Re-read what I said.

To my ISP. Not the NSA.

The ISP is not doing statistical analysis of all traffic around the world. They are just monitoring their systems for functional activity. As long as I'm just transiting their system peacefully and I'm not trying to get funky with them they don't really care what I'm doing so long as their segment of my traffic looks kosher and they're making money off of me.

Of course there are taps in their system sucking everything up; but that's a different story.

And if you don't believe that tunnel wrappers work then set up your own edges and BGPs with DPIFWs, break out wireshark, get some proof and then go over to the openvpn forums and have it out with the devs.

And even w/ the NSA: It's all being collected for later statistical analysis in depth and not being monitored *in depth* in real time. Which is why it is all of a set and not just one piece. You have to do things like add entropy to your fingerprint so that when the algo goes back to look for you then you are harder to find.

And even then you still have to come to the attention of the algos that do the minimalist real time monitoring which then alert a human who then decides if you need closer real time monitoring or deserve to have a data miner pointed at you.

So you do as much as you can to find the cracks; which is why I still need to look at IPv5. But you'll never be 100 gabazillion percent impossible to find no matter what you do; that's impossible. However, as long as you're not Kim Dotcom or planning to buy a decommissioned Russian warhead then they have bigger fish on their plate to fry. Nigerian princes still send out plenty of e mail every day. Their job is not (yet) to try to stamp out every little instance of everything from slightly fishy on up.

And you can forget not getting on some algo list somewhere. You already are just by having this conversation. (And I'm sure this is not the only one of this type you ever had.) In this case not only by the subject but by talking to me.

I'm on so many lists it's ridiculous:

1) I have specialized military training. So I'm an insane killer.
2) I had a security clearance. So I'm a leak threat.
3) I take cash out of the bank every so often and buy silver. So I'm a subversive.
4) I possess tech skills. So I'm a credible threat to infrastructure.
5) I own firearms. So I'm a revolutionary.
6) I speak out against the government and their illegal tactics. So I'm a communist.
7) I speak out against the militarization of the police. So I'm an anarchist.
8) I try to educate people on the basics of privacy and how to at least make it a PITA for the crims and the gov to crack you. So I'm a terrorist.
9) I call my reps in the House and Senate every week and comment on matters of sec, privacy and food quality / safety / labelling. So I'm a crypto-anarchist and an eco-terrorist.
10) I won't fly b/c I refuse to get sexually molested in order to exercise my freedom of movement within the borders of my country of origin. So I'm a guerrilla.

I could go on. But you get the point. And I'm only being quasi-facetious.

All you can do is fight the power.
 
Old 01-06-2016, 12:40 PM   #9
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Quote:
The ISP is not doing statistical analysis of all traffic around the world.
I think they don't need to, i.e. they don't need to look at anything else other than their segment of the link: if a site is deemed anti-gov by the local authorities, the ISP can download a few pages to their computers, note the signature of the resulting traffic (which is a vector of attributes like average block size etc, it's like a summary of the traffic), then evaluate the same vector for ALL their users offline. Doesn't look too hard.

Anyway, is there such a thing as plausible deniability for someone listed already when they are logged into an innocent site?
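The "signature vector" idea in the post above, as an added example that is not part of the thread or any poster's code. It assumes constructed packet-length traces (the sign gives direction, positive client to server, negative server to client) and a deliberately small feature set: mean and spread of packet size, outbound byte fraction, and how often the direction flips. A real classifier uses far richer features, but even this toy one separates a page load from a fixed-size bidirectional tunnel, which is the defender-side point: encryption and a familiar port hide content, not shape, so cover traffic has to match the shape of what it imitates and not just its destination.

```python
import statistics
from typing import Dict, List

# Constructed packet-length traces (not captures): sign is direction,
# + client->server, - server->client.
# REFERENCE_BROWSE: a request, a burst of full-size response segments, then a small follow-up.
REFERENCE_BROWSE: List[int] = [517, -1460, -1460, -1460, -820, 120, 380, -1460, -1460, -600, 90]
# BROWSE_AGAIN: the same site fetched a second time, sizes slightly different.
BROWSE_AGAIN: List[int] = [540, -1460, -1460, -1460, -760, 110, 400, -1460, -1460, -1460, -300, 90]
# TUNNEL: a hypothetical fixed-size, bidirectional stream such as a VPN carrying interactive traffic.
TUNNEL: List[int] = [586, -586] * 6


def features(trace: List[int]) -> Dict[str, float]:
    """Summarise a trace as the kind of 'signature vector' the thread describes."""
    if not trace or any(s == 0 for s in trace):
        raise ValueError("trace must be non-empty with non-zero lengths")
    sizes = [abs(s) for s in trace]
    out_bytes = sum(s for s in trace if s > 0)
    total = sum(sizes)
    # A direction flip is a packet whose direction differs from the previous packet's.
    flips = sum(1 for a, b in zip(trace, trace[1:]) if (a > 0) != (b > 0))
    return {
        "mean_size": statistics.mean(sizes),
        "stdev_size": statistics.pstdev(sizes),
        "out_fraction": out_bytes / total,
        "flip_rate": flips / max(len(trace) - 1, 1),
        "packets": float(len(trace)),
    }


def distance(a: Dict[str, float], b: Dict[str, float]) -> float:
    """Scale-free distance: relative difference per feature, so byte counts do not swamp ratios."""
    return sum(((a[k] - b[k]) / (abs(a[k]) + abs(b[k]) + 1e-9)) ** 2 for k in a) ** 0.5


def closest_label(reference: List[int], candidates: Dict[str, List[int]]) -> str:
    """Name the candidate trace whose shape is nearest to the reference trace."""
    ref = features(reference)
    return min(candidates, key=lambda name: distance(ref, features(candidates[name])))


if __name__ == "__main__":
    ref = features(REFERENCE_BROWSE)
    samples = {"browse_again": BROWSE_AGAIN, "tunnel": TUNNEL}
    for name, trace in samples.items():
        print(f"{name:13s} distance={distance(ref, features(trace)):.3f}")
    print("closest:", closest_label(REFERENCE_BROWSE, samples))
```

Running it prints the two distances and reports `browse_again` as the closest match; the tunnel trace stands out mainly through its zero size variance, its even byte split and its flip rate, none of which a port number or an outer TLS layer changes.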
 
Old 01-06-2016, 02:04 PM   #10
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by Ulysses_ View Post
I think they don't need to, ie they don't need to look at anything else other than their segment of the link: if a site is deemed anti-gov by the local authorities, the ISP can download a few pages to their computers, note the signature of the resulting traffic (which is a vector of attributes like average block size etc, it's like a summary of the traffic), then evaluate the same vector for ALL their users offline. Doesn't look too hard.
You're missing the point and I don't think you fully understand how internet routing works.

Your ISP does not handle the connection end to end. Heck ISPs rarely handle even more than the very first step in the link any more and are often just hosted services themselves. In my area the actual on the ground fiber from the street to my house for comcast has become a hosted service of synergy. (The short version) Their edge hands you off to comcast who hands you off to a BGP who hands you to a trunk, then you exit the high level route back down the same type of cascading chain on the other end in reverse.

Are there black holes and blocked chains? Sure. But all your ISP is going to see is an SSL tunnel headed to a hosted IP block: EXACTLY THE SAME THING THEY SEE WHEN YOU LOG IN TO ANY SECURE WEBSITE!!!

Want to argue it? OpenVPN forums.

All the super sleuth stuff you're talking about happens in Bond movies. I just told you how it actually works. Don't believe it? Go read the Snowden doc dump.

Quote:
Originally Posted by Ulysses_ View Post
Anyway, is there such a thing as plausible deniability for someone listed already when they are logged into an innocent site?
I don't understand the question.
 
Old 01-06-2016, 04:35 PM   #11
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
The last question was: just like with truecrypt there can be a decoy partition and a hidden partition (the idea being that you can plausibly deny that the hidden partition exists if the hardware is confiscated), then, similarly:

If you are closely monitored when you log on to an innocent sporting site of your own, and wrapping a hidden tunnel inside the connection, can you plausibly deny this tunnel exists, or are there ways for them to PROVE the tunnel exists and therefore demand the password/private key/certificate?

Last edited by Ulysses_; 01-06-2016 at 04:39 PM.
 
Old 01-06-2016, 05:31 PM   #12
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by Ulysses_ View Post
If you are closely monitored when you log on to an innocent sporting site of your own, and wrapping a hidden tunnel inside the connection, can you plausibly deny this tunnel exists, or are there ways for them to PROVE the tunnel exists and therefore demand the password/private key/certificate?
The fact that the tunnel exists is as plain as the nose on your face and completely undeniable. The current net couldn't work otherwise. It all depends on published routes. Maybe some day some super-Einstein will figure out how to create a quantum / stateless net? But now you're talking hyperbolic curves in Minkowski space, FTL / entanglement, null lines in vector space, etc.; over my pay grade boss.

For us mere mortals the trick is not to hide the tunnel. The trick is to hide what's in the tunnel, to hide the other end of the tunnel and to hide what you look like when you come out of the tunnel.

So, I get start mail and I get a disposable addy and use it to sign up for airvpn. This is just one tiny step at obfuscation. Many, many, many tiny steps add up to a PITA (but not impossible) to crack.

So, I use alt DNS so I'm not leaking DNS to my ISP. And the other end of the tunnel can't get an idea of my geolocation from my DNS. (DNScrypt may or may not be a good idea. I need to look at the implementation. If it can be configured to work with any DNS it would be a good idea. But I'm hesitant to touch a project from OpenDNS. They are in the NSA's pocket. But then again, SEL is supposedly clean and the NSA pretty much makes that.)

Then, once I have logged in to airvpn from the host NIC using an SSL wrapper so it just looks to comcast like I'm logging in to a web site I'd fire up a Tor session inside a VM and route the Tor connection through the VNIC. Then, I'd fire up my browser inside the VM and point it at multiple pathway chained random proxies.

Tada!

Comcast just sees me logging in to a website.
Airvpn sees me running Tor but can see past the first node.
The first proxy sees the last Tor node and the next proxy and on and on and on for as many as I want up to the point of killing the connection w/ latency or my running out of patience.

The destination only sees the last proxy in the chain.

Now work it backwards from destination to me across a dozen plus networks, with Tor sitting smack in the middle, across a dozen jurisdictions.

Impossible? No.

PITA? Yes.

And there are things that you can do to make the tracking even harder; like adding entropy to your fingerprint. (Look at my sig)

Basically, you are always you, no matter what route you take. Unless of course you aren't you any more.
 
Old 01-06-2016, 05:39 PM   #13
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
It depends. If the SSL site is being served via virtual hosts and server name indication (SNI) is used then, yes, a difference can be detected. This is because the host name is sent in clear text before TLS encrypts the connection. This is so the server can negotiate the correct certificate depending on the host being requested (and fall back to sending a default certificate if SNI is not supported by the client).

Last edited by sag47; 01-06-2016 at 05:41 PM.
 
Old 01-06-2016, 06:04 PM   #14
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by sag47 View Post
It depends. If the SSL site is being served via virtual hosts and server name indication (SNI) is used then, yes, a difference can be detected. This is because the host name is sent in clear text before TLS encrypts the connection. This is so the server can negotiate the correct certificate depending on the host being requested (and fall back to sending a default certificate if SNI is not supported by the client).
Nothing is perfect. And I don't advocate or condone illegal activity. But now days a lot of stuff that is actually legal can still end up destroying your life. So a little paranoia is always good.

I'm not legally authorized to run active scans against airvpn. So I'm not going to try to see how they have this implemented. And airvpn actually recommends you hit Tor *before* you hit them to solve issues like you describe. But a lot of ISPs block Tor now and then your ISP has a log of you hitting a Tor node; which is a huge red flag to point the algos at you.

Besides, you're talking about eavesdroppers, which I've already said is a whole other story.

In the end if they want you they are going to get you. There is no hiding from the matrix.

But, you can play shadow games and have fun thumbing your nose at the man.
 
Old 01-06-2016, 06:15 PM   #15
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by Steven_G View Post
The fact that the tunnel exist is as plain as the nose on your face and completely undeniable. The current net couldn't work other wise. It all depends on published routes.
You're talking about a global adversary providing the proof the tunnel exists, right? How about an ISP doing that? Can they provide the proof without help from the outside? If not, do they need help from companies operating major trunks of the internet, or more than that, like the NSA or something?

What about sag47's suggestion above? Is it visible to my ISP or a bigger adversary?

Quote:
So, I use alt DNS so I'm not leaking DNS to my ISP. And the other end of the tunnel can't get an idea of my geolocation from my DNS.
Doesn't DNS automatically go through the local SOCKS 5 proxy when you set openvpn's proxy as the system-wide proxy?

Quote:
But then again, SEL is supposedly clean and the NSA pretty much makes that.)
Sorry for the newbie question but what is SEL?

Quote:
I'd fire up my browser inside the VM and point it a multiple pathway chained random proxies.
Is that a browser addon? I can only see one entry for an HTTP proxy in firefox's settings.

Quote:
The destination only sees the last proxy in the chain.
Isn't it better to be personally in control of the last proxy, in a VPS or something, or you risk the proxy doing MITM schemes on you to steal login passwords to the final sites?

I used to have agent-string randomising addons, despite not using TOR, just to confuse trackers, but then it occurred to me that having a randomly changing agent string is not normal. It stands out, unless the changes are synchronized with IP changes.

Last edited by Ulysses_; 01-06-2016 at 06:28 PM.
 
  

