Ran across this story in my news feed and instantly thought about all of the people who think it’s better to use a VPN with Tor for “added security.” This is certainly not the first occurrence, nor will it be the last. If it’s not encryption failures, it’s log files they claim not to keep.
Admittedly, I used to be one of those people. It only took 10 minutes in this sub to change my mind, though.
What makes this even worse is that this particular provider is popular with users in repressive regions, mainly China. I hope that no users had anything sensitive going through that infrastructure.
I don’t trust any of them: ISP, VPN, Tor. You can use them without fully trusting them. Encrypt, defense in depth, give fake data, test, verify, etc.
The reason to use a VPN while using Tor is not for “added security” for the onion traffic. Tor is secure. VPN doesn’t help or hurt Tor. The VPN is there to protect the non-Tor traffic coming out of your system. You don’t want that traffic revealing your home IP address, for example.
I run a VPN 24/365, then when I want to run Tor, I leave the VPN running underneath. Tor over VPN.
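A concrete way to enforce the setup described above (Tor over VPN, with the VPN protecting the non-Tor traffic) is a firewall kill switch, so that if the VPN drops, nothing falls back to leaving on the home IP. This is an added example, not something posted in the thread; the interface names and the 203.0.113.10 server address are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit an nftables "kill switch" ruleset for Tor over VPN.
# Every outbound packet, Tor's guard connection included, must leave via the
# VPN tunnel; only the VPN transport itself may use the physical uplink.
# Args: VPN tunnel interface, physical uplink, VPN server IP, VPN UDP port.
# Interface names and 203.0.113.10 are constructed placeholders.
gen_killswitch() {
    tun="$1"; uplink="$2"; vpn_ip="$3"; vpn_port="$4"
    cat <<EOF
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # replies on connections that were already allowed
        ct state established,related accept
        # the VPN handshake/transport is the only thing allowed on the uplink
        oifname "$uplink" ip daddr $vpn_ip udp dport $vpn_port accept
        # everything else, Tor included, has to exit through the tunnel
        oifname "$tun" accept
        # log what would have leaked (e.g. when the tunnel is down), then drop
        log prefix "killswitch-drop: " drop
    }
}
EOF
}

# Usage: gen_killswitch tun0 eth0 203.0.113.10 51820 > /etc/nftables.conf
#        nft -f /etc/nftables.conf && nft list ruleset
# If the uplink gets its address by DHCP, add an accept for udp dport 67 on it.
```

While the tunnel is down, `journalctl -k | grep killswitch-drop` shows exactly which applications would otherwise have leaked to the home IP.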
If you’re in a country like the US, it might make sense to use a VPN to hide the fact that you’re using Tor, since some ISPs block Tor traffic. Though I guess you could just use a bridge.
I’m not sure you really lose any security by using a VPN, you just don’t gain anything. Your traffic is already encrypted by Tor. It wouldn’t really matter if the VPN was compromised.
Edit: /u/BiggerThanGayJesus brings up a good point. If compromised entry nodes are constantly collecting traffic, and if at some point in the future Tor is broken, they could link your traffic to your IP. This seems like a valid reason for using a (trustworthy) VPN.
If someone was using Tor with this VPN, they would still only see Tor traffic though, wouldn’t they? I’m not an expert, but isn’t it the same thing as if they requested information from your ISP?
If the authorities were able to seize the servers at runtime, encryption won’t matter, as all encryption keys are loaded in memory. If you want to use a VPN, host your own (preferably on your own hardware), as that’s the only time you can be sure about your VPN security.
How do I change the theme on that site? It hurts my eyes
EDIT: never mind. Misunderstood the article.
The big fact is that bridges are not usable under the GFW, so you can only use a VPN to connect to the Tor network.
Yeah, this is pretty much what I do. VPN isn’t a magic bullet: providers can’t be trusted, webpages still track you via fingerprinting, etc. etc. But it’s an extra layer, one piece of the puzzle.
Also good for streaming services.
Spot on, mate! Couldn’t agree more. Especially if you’re rocking the WireGuard protocol.
I run a VPN 24/365, then when I want to run Tor, I leave the VPN running underneath. Tor over VPN.
The problem here is that your browser can be fingerprinted, as the VPN works off your browser, and you could potentially be unmasked if targeted.
All Tor browsers are configured the same. Firefox with the same Windows OS showing, same time zone, same fonts, same screen size, same extensions, etc. - as long as you don’t modify the Tor browser, which they tell you not to do. This is how the Tor browser gives you the best anonymity. Without this, Tor otherwise provides an encrypted tunnel with 3 hops that does not reveal your real IP, like a VPN. The Tor browser and network need to go together for security and especially anonymity.
Or you can run your entire connection through tor.
Why aren’t bridges the default option though?
Bridges are almost all owned by agencies who wish to break Tor and unmask users; VPN companies have staff with accredited backgrounds who you can actually talk to. Ever heard of warehouses full of government data storage? Some of that data comes from the many, many bridges they own, and the reason why they store it is so they can go back and find everyone at a later date once an exploit or weakness has been found. Some VPN providers have been raided by LEA and nothing at all was recovered; the link between real IP and entry node used is forever lost and always disprovable.
It would see your outbound to the first hop in the Tor network, just like your ISP would. The problem lies in the fact that it centralizes you to the VPN provider, which makes you easier to track down than your ISP.
I would say host your own, but use a VPS or a zombie host somewhere.

That is true. My goal with this post is mainly to show that VPN providers are no more trustworthy than your ISP.
No, I want to run a normal distro.
Besides:
- onion does not handle UDP traffic
- onion imposes a performance penalty
- more sites block onion than block VPN
VPN works off your browser
No. Just, no.
Your assumption that you could be fingerprinted this way is fully wrong.
You can use TBB over VPN and your browser fingerprint would still be that of TBB.