LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-06-2016, 07:04 PM   #16
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477

Quote:
Originally Posted by Ulysses_ View Post
Sorry for the newbie question but what is SEL?
SEL is Security Enhanced Linux, or SELinux for short. Originally developed and supported by the NSA. It is a mandatory access control (MAC) system operating within the kernel. It's another layer of security preventing unauthorized use of resources by processes (limiting privilege escalation, for example, even if a process gains root user access). Competing MACs include Tomoyo or Ubuntu AppArmor. Other security suites include POSIX capabilities, which have been implemented by Capsicum and supported in FreeBSD 9+, though it does not seem to be widely deployed.

SELinux is the default MAC software in RedHat Enterprise Linux. I still believe it is good to use. A lot of resources and 3rd party security review has gone into reviewing it.

Last edited by sag47; 01-06-2016 at 07:08 PM.
 
Old 01-06-2016, 07:05 PM   #17
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by Ulysses_ View Post
You're talking about a global adversary providing the proof the tunnel exists, right?
No. Your ISP sees the tunnel originating from your location. But, if you nest the tunnels then they can't see the eventual end of it; just the beginning. But if you wrap the tunnel in an SSL wrapper it is not blatantly obvious to them that you are logging in to a VPN. We can only guess at some of the things that trip the algos. But I'm guessing obvious connections to known VPNs is probably one of them.


Quote:
Originally Posted by Ulysses_ View Post
How about an ISP doing that? Can they provide the proof without help from the outside?
See above.

Quote:
Originally Posted by Ulysses_ View Post
If not, do they need help from companies operating major truncs of the internet, or more than that, like the NSA or something?
See above.

Quote:
Originally Posted by Ulysses_ View Post
What about sag47's suggestion above? Is it visible to my ISP by any chance?
IDK, that all depends on the VPN config. Go to their web site and ask. But, as I said: I'm not legally authorized to run scans against anybody and I won't do it to figure out the answer to this question. Also, re-read my last post vis-a-vis nothing is perfect and airvpn actually recommends that you hit Tor first.

Now you're getting in to grey areas where you have to take all available info and decide what risk level you are comfortable with in various scenarios.

Personally, the only reason I'll be dinking around inside Tor will be to help people who I feel need it to hit the private circuit I'm going to build.

In my scenario having a last leg *ultimately* traceable to me is something I can live with as the stuff I will be doing will not be illegal, just likely to piss off some governments; including our own.

I am trying to achieve day to day privacy to work and protect others; not ultimate anonymity for myself. You do see what my user name is right? I call my elected representatives *every week* and comment on this stuff. How many Steven_G's (and I use that handle all over the place and it's my real name) used to be techs at MS and constantly scream about invasion of privacy? They know who I am. Come and get me. (We need an emoticon for the bird!)

Quote:
Originally Posted by Ulysses_ View Post
Doesn't DNS automatically go through the local SOCKS 5 proxy when you set openvpn's proxy as the system-wide proxy?
OpenVPN is very configurable. I use alt DNS for day to day. I'm still looking at DNSCrypt and I'm not sure how the two would work together. But, if you use the VPN for remote DNS then they can potentially see the names you're calling and you could be tracked that way. I try to achieve as many degrees of separation as possible.

Quote:
Originally Posted by Ulysses_ View Post
Sorry for the newbie question but what is SEL?
Security Enhanced Linux. It is a MAC that is in common use. It may well be in the distro you are running now.

Quote:
Originally Posted by Ulysses_ View Post
Is that a browser addon? I can only see one entry for an HTTP proxy in firefox's settings.
http://www.hackershandbook.org/tutorials/proxychaining

(One of my goals is to get good enough at scripting to be able to make this happen automagically.)

Quote:
Originally Posted by Ulysses_ View Post
Isn't it better to be personally in control of the last proxy, in a VPS or something, or you risk the proxy doing MITM schemes on you to steal login passwords to the final sites?
That depends on what you are trying to achieve. There are no hard and fast answers. You have to do your own risk assessment and decide what you can live with. But don't think you're going to get all Harry Potter and wrap yourself in a cloak of invisibility.

It will be more like a cloak of obfuscation that the powers that be may or may not decide to poke at depending on what they think you are up to.

Quote:
Originally Posted by Ulysses_ View Post
Agent string randomising addons, I used to have, despite not using TOR but just to confuse trackers, but then it occurred to me that having a randomly changing agent string is not normal. It stands out, unless the changes are synchronized with IP changes.
Exactly, which is why a VPN service with a butt-load of addresses and / or a Tor connection is not a bad idea.

There are no zippers.

Last edited by Steven_G; 01-06-2016 at 07:07 PM.
 
Old 01-06-2016, 07:31 PM   #18
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Quote:
Originally Posted by sundialsvcs View Post
Meh ...

Mostly, what I want to do is to see to it that, "if it's nobody's business but ours," nobody else (easily) sees it. For instance, if I'm e-mailing a document that I would not post on the lunch-room wall, I'm going to encrypt that e-mail. (I digitally sign every email that I send anywhere.) If I put a document into a DropBox, that document is going to be encrypted. And so on.

I use VPN, with digital certificates (n-o-t "pre-shared keys (PSKs) == passwords!"), to secure all inter-server communication that must pass over the Internet. So that I can have confidence that the data "arrives as-tendered" and that no one else (easily) sees it.

Now, if a Federal Marshal shows up tomorrow with a search warrant, I will cooperate fully with him or her, as the US Constitution demands. I have things to conceal because no one else need know them (and because of ordinary business/personal prudence when using "the World Wide Party-Line"), but I have nothing to hide.

Far too many business-models today are predicated on the assumption that, "if it is technically possible for me to access this-or-that, then I am entitled to (profitably) do so." But, this is not the case and it has never (before) been thought to be the case. The telephone company carries my calls, but may not record or intercept them, and may not sell profiles of who I'm calling. The post office carries my letters, in envelopes, but may not steam them open.
I dabbled in playing with anonymity in the past. It led me to create proxytester. When you give it a list of open anonymous proxies it will test them for integrity and then generate a wpad.dat file (web proxy auto detect, used by browsers to select a proxy). The interesting thing is that wpad.dat files are processed as JavaScript and can contain any logic. Therefore, I wrote a script with which Firefox would randomly select a different proxy for each connection. i.e. Loading the index.html is through one proxy, loading the header image is a different proxy, and a CSS file a different proxy, etc.

It would be interesting to run as anonymous as possible with something like...

Tor -> VPN -> Tor -> random proxy per connection.

Then there's also using SSH as a SOCKS proxy.

Code:
ssh -ND 1080 some.remote.host
Then set the proxy to localhost:1080. There's a lot of interesting and easy to configure solutions.

I think the main thing to keep in mind is that no matter what you use, it's going to drastically slow down the more layers you use making the connection practically unusable. Personally, I just directly connect to the net and mostly have done the research for fun experimentation. With exception for the SOCKS5 SSH proxy. That's just too easy not to use sometimes. Combine that with foxyproxy and you can proxy some connections through the proxy and keep others direct connect.
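As an added illustration (not sag47's proxytester or his actual wpad.dat), here is a PAC/wpad.dat file in the style he describes: every request gets a randomly chosen proxy. The proxy addresses are constructed samples, and the optional `random` parameter is an extra hook (browsers only pass `url` and `host`) so the selection can be tested deterministically.

```javascript
// Constructed sample proxy list; a real wpad.dat would be generated from the
// proxies that passed an integrity test, as proxytester does.
var PROXIES = [
  "PROXY 203.0.113.10:3128",
  "PROXY 203.0.113.11:8080",
  "SOCKS5 198.51.100.5:1080",
  "SOCKS5 198.51.100.6:1080"
];

// Hosts that must never leave the machine through an untrusted proxy:
// bare names, loopback, RFC 1918 ranges and mDNS-style .local names.
// (Defined here rather than relying on the browser's isPlainHostName()
// helper so the file also runs outside a browser.)
function isLocalHost(host) {
  host = host.toLowerCase();
  return host === "localhost" ||
         host.indexOf(".") === -1 ||
         /^127\./.test(host) ||
         /^10\./.test(host) ||
         /^192\.168\./.test(host) ||
         /\.local$/.test(host);
}

// Fisher-Yates shuffle of a copy of the list. `random` must return [0, 1).
function shuffled(list, random) {
  var copy = list.slice();
  for (var i = copy.length - 1; i > 0; i--) {
    var j = Math.floor(random() * (i + 1));
    var tmp = copy[i];
    copy[i] = copy[j];
    copy[j] = tmp;
  }
  return copy;
}

// Entry point every PAC engine calls once per request.
function FindProxyForURL(url, host, random) {
  random = random || Math.random;
  if (isLocalHost(host)) {
    return "DIRECT";
  }
  // A random primary proxy, then a random backup if the first is down.
  // Deliberately NO trailing "DIRECT": if every proxy is unreachable the
  // request fails instead of silently going out from your own address.
  var order = shuffled(PROXIES, random);
  return order[0] + "; " + order[1];
}
```

Whether the engine consults FindProxyForURL for every sub-resource or reuses a decision per host depends on the browser, so "a different proxy per connection" is only as granular as the browser makes it.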
 
Old 01-06-2016, 08:12 PM   #19
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Well, I think that what people don't get is that there is a big difference between anonymity and security. And to a big extent the more you have of one the more you have to give up of the other.

It's easy to be real secure and readily visible. But, to a big extent to get less visible you have to give up some security.

And no matter how you "securitize" it you'd be insane to run your banking through Tor. They tell you straight up to not run anything through there that you don't want seen and that it is strictly to make it harder for people to tell where you are; not to hide what you are doing, although it can be used to help with that.

And chain scenarios can get very creative. There are tuts on the net that will show you how to exit 8 Tor nodes at once. So this would be theoretically possible:

Proxy -> Tor -> VPN -> Tor / exiting 8 nodes -> multiple proxies after each of the 8 nodes.

But it would take forever to do anything and your connections would constantly time out and you'd have to have a big pool of proxies and a script to keep it all running; which is well beyond my current skill level.
 
Old 01-06-2016, 11:55 PM   #20
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Quote:
Originally Posted by Steven_G View Post
And no matter how you "securitize" it you'd be insane to run your banking through Tor.
Why? PKI and TLS work the same whether you're on Tor or connecting directly to the bank on public wifi. Sure they "say" not to but the SSL negotiation with said bank or any SSL enabled service works the same regardless of the underlying proxies. Unless you doubt the validity of CA certificates and how SSL negotiates secure connections (integrity of the CA aside which is a risk regardless of Tor). What you're saying doesn't make much sense to me even after rereading a few of your posts. I simply disagree with your assessments.

Certificate validation will pick up a MITM attack if the trusted CA is not compromised (again not a problem specific to Tor but a risk not using Tor as well). There's also even more security with PKI since browsers started certificate pinning and websites started using HTTP Strict Transport Security (HSTS).

Visiting a banking website should make no difference through Tor or "direct" connection.

Quote:
Originally Posted by Steven_G View Post
people don't get is that there is a big difference between anonymity and security.
What people are you referring to? The participants of this conversation thread? I can't speak for other users but I understand the difference and I disagree that you can't have both. It depends on who you're trying to be anonymous *from*.

Continuing with the "bank" example. If you're using Tor to connect to a bank and you're trying to "stay anonymous" from the bank then I agree you've already lost the battle as soon as you log in. Because that's your whole intent if you're doing online banking. However, if you wish to remain anonymous to would-be eavesdroppers on the wire while you're doing your online banking then you're banking both securely and anonymously from the perspective of the eavesdropper.

Security has come a long way as well. The usability of many utilities mean that the average Joe has security and confidentiality (not anonymity) without even realizing it. All without sacrificing a good user experience. The iPhone is a great example of this. Disk encryption enabled by default using the user's phone pass code as the master key. Want a long pass phrase but don't feel like typing it in? The iPhone's biometrics scanner scans your fingerprint and logs you in giving a seamlessly good user experience without sacrificing having a strong passcode (nor the inconvenience that comes with it assuming the user remembers said pass code).

I'm simply trying to bring you up to date since you said in an earlier post that you've been out of the security game for a long time.

Last edited by sag47; 01-07-2016 at 12:00 AM.
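An added example (not code from the thread) modelling the HSTS and certificate-validation behaviour sag47 relies on in #20: how a user agent records a Strict-Transport-Security header, upgrades later plain-HTTP requests, and refuses an untrusted certificate with no click-through once a host is HSTS-known. Host names, header values and the in-memory store are constructed for illustration.

```javascript
// Simplified HSTS store: host -> { expires (ms epoch), includeSubDomains }.
const HSTS_STORE = new Map();

// Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
// Returns null when the header is unusable (no numeric max-age).
function parseHsts(value) {
  let maxAge = null, includeSubDomains = false, preload = false;
  for (const raw of value.split(";")) {
    const [name, val] = raw.trim().split("=").map(s => s && s.trim());
    if (!name) continue;
    const key = name.toLowerCase();
    if (key === "max-age") {
      const unquoted = val && val.replace(/^"(.*)"$/, "$1");
      if (!/^\d+$/.test(unquoted || "")) return null;
      if (maxAge === null) maxAge = parseInt(unquoted, 10); // first one wins
    } else if (key === "includesubdomains") {
      includeSubDomains = true;
    } else if (key === "preload") {
      preload = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains, preload };
}

// A browser only honours the header when it arrived over a TLS connection
// whose certificate validated (section 8.1). Seen over plain HTTP, or from a
// server with a bad certificate, it is ignored. Returns true if applied.
function recordHsts(host, headerValue, overValidTls, now) {
  if (!overValidTls) return false;
  const policy = parseHsts(headerValue);
  if (!policy) return false;
  if (policy.maxAge === 0) {            // max-age=0 removes the entry
    HSTS_STORE.delete(host);
    return true;
  }
  HSTS_STORE.set(host, {
    expires: now + policy.maxAge * 1000,
    includeSubDomains: policy.includeSubDomains
  });
  return true;
}

// Walk from the full host up to its parent domains; a parent entry only
// covers this host if it was recorded with includeSubDomains.
function isKnownHstsHost(host, now) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = HSTS_STORE.get(candidate);
    if (!entry) continue;
    if (entry.expires <= now) {         // expired: forget it
      HSTS_STORE.delete(candidate);
      continue;
    }
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}

// What the user agent does with a navigation to scheme://host given
// whether the presented certificate chain validated.
function decide(scheme, host, certValid, now) {
  const hsts = isKnownHstsHost(host, now);
  if (scheme === "http") return hsts ? "upgrade-to-https" : "plain-http";
  if (certValid) return "connect";
  // Without HSTS the browser shows an interstitial the user can click
  // through. With HSTS the error is fatal (section 12.1), so an interposed
  // proxy presenting a certificate the CA store does not trust cannot be
  // accepted by a careless click.
  return hsts ? "blocked-no-override" : "warning-user-may-override";
}
```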
 
Old 01-07-2016, 09:59 AM   #21
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by sag47 View Post
Why?
B/c Tor is known to be full of bad actors. And I don't mean just criminals, even though there are a ton of those in there. A lot of the exit nodes actually belong to "hostile forces" from inside various governments including America, Russia and China.

And a lot of the nodes are set up by criminal organizations specifically to intercept info for a profit.

There have been multiple exploits in Tor over the years by both governments and criminals. Some have been extremely complex. Some have been very simple.

Info sec is an arms race. You'll never "win" it. Just as soon as you figure out how to tie your rock to a stick some joker will come back over the top with an atlatl. And just as soon as you build a wall some joker will figure out sapping.

There have been multiple exploits in Tor over the years. And there are tons of ways *around* encryption w/o breaking it. Why would I want to intentionally route my money through a mine field?

The regular net is bad enough.

Quote:
Originally Posted by sag47 View Post
What people are you referring?
In general. Most people watch a movie and think they know how this stuff works.

Quote:
Originally Posted by sag47 View Post
The participants of this conversation thread? I can't speak for other users but I understand the difference and I disagree that you can't have both.
Don't get touchy. I'm not casting aspersions at you. You're obviously smarter than the average bear. But most users don't know what the cup holder is for. And when I say "sec-vs-anon" I mean the whole big picture: Tech, law, politics, guys bragging in the pub to their girl about the killer exploit they just pulled. We can debate this for ages if you like. But I stand by what I said. You can have *some of both*, but you can't have absolute sec AND absolute anonymity. (It's not like either one of those things exists anyway.)


Quote:
Originally Posted by sag47 View Post
It depends on who you're trying to be anonymous *from*.
Exactly. There are a ton of variables. You have to perform your own risk assessment and decide what risk factors you can live with. And those considerations are not just technical. Depending on your goals they can be legal and political as well. But there has never been and will never be any such thing as perfect security. Trust me, I know, I did military and government security for 15 years.

Quote:
Originally Posted by sag47 View Post
Security has come a long way as well. The usability of many utilities mean that the average Joe has security and confidentiality (not anonymity) without even realizing it. All without sacrificing a good user experience. The iPhone is a great example of this.
(Emphasis mine). 1) Don't get me started on the iPhone. I could do a megathread and argue for weeks about that stupid thing. Long story short: Apple is evil. And it ain't all it's cracked up to be. It's chock full of holes. 2) Like you just said: It ain't the same thing. 3) Joe thinks that means he is all Harry Potter and can dl a gazillion songs from bt and then he's all shocked when he gets a cease and desist from the RIAA.

Quote:
Originally Posted by sag47 View Post
I'm simply trying to bring you up to date since you said in an earlier post that you've been out of the security game for a long time.
No worries mate, I love a good debate. And it's even better when somebody proves me wrong and I learn something new.

And yeah, I got real sick for a long time. I'm doing a lot better now. I kept up on as much reading as I could from the hospital bed. But as far as practical application goes it's been several years since I've done anything more complex than log in to my bank.

I'm rusty. I've already tinkered w/ trying some of my old tricks and a lot of them just flat out don't work any more.

Oh, well. I'll get back in the swing now that my innards aren't rotting out any more.

Last edited by Steven_G; 01-07-2016 at 10:07 AM.
 
Old 01-07-2016, 11:06 AM   #22
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Quote:
if you wrap the tunnel in an SSL wrapper it is not blatantly obvious to them that you are logging in to a VPN
Going round in circles but the answer to the title's question still evades us, I know it's not blatantly obvious to the ISP that you're wrapping a tunnel inside an HTTPS link. The question is what can the ISP do to detect or prove a tunnel exists wrapped in the link, NOT to find out where the tunnel connects.

AND THIS FOR A GIVEN PERSON THAT THEY HAVE CHOSEN TO MONITOR, not all their customers.

I think this is a key question, all the rest seem later issues. The title should be:

How can an eavesdropping ISP distinguish an HTTPS connection wrapping a VPN tunnel from one that does not?

Last edited by Ulysses_; 01-07-2016 at 11:18 AM.
 
Old 01-07-2016, 11:40 AM   #23
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by Ulysses_ View Post
How can an eavesdropping ISP distinguish an HTTPS connection wrapping a VPN tunnel from one that does not?
I think you have the best answer you're going to get here:

If it's hosted directly on metal they shouldn't know the dif. And some vt set ups (but not all) can expose the dif to *potential* sniffing.

I think if you want better than that you'd have to go to the forum of the VPN service itself and engage the admins to see what shortcomings their particular service suffers from. And they all have some sort of shortcoming. There is no such thing as perfect sec. But the best you can do is a long sight better than doing nothing at all.
 
Old 01-07-2016, 01:36 PM   #24
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Can't they do a MITM attack?

On a massive scale, ie to all customers, isn't deep packet inspection software available to ISPs?
 
Old 01-07-2016, 03:16 PM   #25
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Quote:
Originally Posted by Ulysses_ View Post
Can't they do a MITM attack?

On a massive scale, ie to all customers, isn't deep packet inspection software available to ISPs?
Depends on how you're doing CA validation. If you're using a private CA for signing, the MITM is least likely so long as your client doesn't blindly trust every certificate it is handed. That's why using options like the --insecure option in curl is a very bad idea.

Deep packet inspection is available to pretty much anyone. e.g. Bro - https://www.bro.org/
 
Old 01-07-2016, 06:10 PM   #26
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
Quote:
Originally Posted by Ulysses_ View Post
Can't they do a MITM attack?

On a massive scale, ie to all customers, isn't deep packet inspection software available to ISPs?
But...

But...

But...

What part of this thread is not computing for you?

There is no perfect sec. The best you can do is better than nothing. But you cannot escape the Matrix! However that does not mean that resistance is futile.

YOU ARE NOT GOING TO GET AWAY FROM THE NSA PERIOD!!!

It's not your ISP who's tapping you. It's NSA, KGB, GCHQ, MSS, et al., taps inside the edges / BGPs / trunks that suck up *everything*. Period. No matter what it is.

And it is happening on a massive scale:

Repeated attacks hijack huge chunks of Internet traffic, researchers warn

Could your ISP theoretically put a malicious MITM server on its network and route all of your traffic through it? Yes. Are they going to? No. Why? They're a business.

For the most part they couldn't care less what you're doing out in the big wide world so long as you are not attacking their net or using it to launch attacks.

Do they like to see where you are going when they can? Yes. Why? It's not evil conspiracy. It's greed. They just like to be able to make money off of you by sending ads based on your surfing patterns. But, blocking their ads is trivial. And defeating that type of tracking is not very much harder.

And why in God's name would they want to add another drain on the bottom line by installing and maintaining malicious servers to pull James Bond movie attacks on you when it's already costing them a ton of overhead to mirror everybody's traffic and then send the copy to Bluffdale for permanent storage / later analysis?

REMEMBER WHAT I SAID: It's a cloak of obfuscation and the powers that be probably won't poke at it unless you give them reason to. So don't think you're going to call all invisible and attack whatever you want and get away with it forever. You are not China! Or disappear like a fart in the wind and buy a nuke w/o anybody knowing about it.

But that does not mean that sec is worthless. Criminals are good. Criminals have more resources than you do. But they don't have the resources of the NSA. There is a lot you can do to not have your money stolen directly from you. But that's about it.

It also does not mean that a little locality obfuscation is a bad thing. My wife just got doze 10 forced on her at work and nobody, including their "IT guy", can figure out how to get it to stop from *literally* broadcasting their current location to the world. To quoth Mr. Mackey: "Umkaaay, That's bad."

Have you ever been to a doctor? Yes? Then all the info needed to steal your identity is probably sitting on an XP machine that is directly on the net and not even behind a firewall. There's a good chance I can buy all the info I need to screw up your life and thousands of other people's lives on Alpha Bay for 10 bucks.

Like sag47 said: Security, confidentiality and anonymity are not the same thing.

I say you can have some blend of them and you have to decide what risks you can live with.

Don't like that answer? Then quit living an industrialized life style, get off the grid, become completely self sufficient, possibly starve or freeze to death and still not get completely away from "them" b/c "they" are flying more and more drones over remote areas.

You cannot escape the Matrix!

But you can dismantle it!

When is the last time you called your Congressman's office, called him to task for all of his crappy votes and cited bill numbers and told the staffer that if he/she didn't knock that crap off you were going to actively campaign against them in the next election?

If 1 in 10 people did that a lot of this crap would stop tomorrow.

The system is open to modification by the people. You have no one to blame but yourself for the state of things if you refuse to participate in the process.

Last edited by Steven_G; 01-07-2016 at 06:16 PM.
 
Old 01-07-2016, 06:53 PM   #27
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
Quote:
My wife just got doze 10 forced on her at work and nobody, including their "IT guy", can figure out how to get it to stop from *literally* broadcasting their current location to the world. To quoth Mr. Mackey: "Umkaaay, That's bad."
Are you talking about GPS location or just IP geographical location?
 
Old 01-07-2016, 11:10 PM   #28
Steven_G
Member
 
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142

Rep: Reputation: 67
It's a desktop. Every time they go to a geo-aware site (think Google Maps) it already knows their *exact* address. And I don't mean the city. I mean:

Quote:
Hi, you are at 123 ABC st Some Town USA. How can I help you.
Which goes far beyond any geolocation service I've seen in any desktop browser before. They will always pull your city if you don't block those services. And usually it's a map pointer and it will say something like "accurate to within 27 meters".

This is the first time I've even seen a desktop broadcasting the company's actual address in the browser.

I haven't played with 10 yet. I left MS before they released it. And I'm not authorized to play with 'puters where my wife works. But it has to be some kind of advertised service; which means it's just sitting there blabbering its little head off and waiting for anybody's API to hook it.

And nobody can figure out how to get it to shut up. They've already killed geolocation in the control panel and it's still blabbering away.

I can think of a lot of scenarios where that's probably not a good idea.
 
Old 01-08-2016, 02:45 AM   #29
Ulysses_
Senior Member
 
Registered: Jul 2009
Posts: 1,303

Original Poster
Rep: Reputation: 57
That's incredible. It probably requires a thoroughly collaborating telecoms company/ISP; how on earth can they get such accuracy?

Is changing browser any good against this? Not that I use windows online any more, haven't done for ages.

Last edited by Ulysses_; 01-08-2016 at 08:26 AM.
 
Old 01-08-2016, 09:50 AM   #30
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,943

Rep: Reputation: 542
Maybe this will help in the long run.