I recently read somewhere that even the best VPNs keep our logs, so how do these people who set up their websites in the dark web work?
And if no VPN is going to provide me a no logs feature, then what’s the point of having a VPN? They aren’t that safe then, are they?
Tor is not a VPN. Apples and Oranges.
/
A Tor circuit is a chain of three proxies, where the first proxy knows who you are, but not where you’re connecting to, and the last proxy knows where you’re connecting to, but not who you are. Logs aren’t helpful, because no proxy in the chain can put the two pieces of information together.
By contrast, VPNs are single-hop proxies: The VPN provider knows both who you are (and not only your IP address like Tor - presumably you’re paying the VPN provider, so they’ve got your financial information), and where you’re connecting to, and so is in a position to log everything.
VPNs are not designed to provide the same anonymity that Tor offers. VPNs are for browsing the net from an insecure coffee shop without worrying about someone at the next table packet sniffing you, or for accessing that website that’s only reachable from Ireland. It’s a totally different definition of “safety”.
I recently read somewhere that even the best VPNs keep our logs, so how do these people who set up their websites in the dark web work?
VPNs do not set up onion sites. A VPN is not a Tor onion site. Tor is not a VPN. Some VPNs secretly have kept logs, and at least one of them was the target of a cyber attack aiming to harvest data from the VPN logs. If you do a web search for “VPNs keep logs” or similar key words, you can find media reports about such VPNs. Any capable adversary can set up and operate a Tor onion site, conceal their identity and location from you, and attempt to do secret things against you.
then what’s the point of having a VPN?
The Tor Project recommends against using a VPN with Tor “unless you are an advanced user…”: Can I use a VPN with Tor? | Tor Project | Support
Well, you can be quite sure that your ISP keeps your logs and would definitely cooperate with the police. Meanwhile, there are VPNs that claim they don’t keep any logs, and they’ve never had a breach. It’s a matter of who you trust more: a VPN company or your ISP.
The VPN provider knows both who you are (and not only your IP address like Tor - presumably you’re paying the VPN provider, so they’ve got your financial information),
Certain VPN services allow you to pay for their service in crypto, so now my question is, would they still be able to identify you should you register for an account with a burner email and pay with crypto that has been mixed through a service like Wasabi or Samourai?
I wrote a more extensive post about the subject here because I see this question a lot, usually in the context of “should I use Tor to connect to a VPN”. I’ll quote in the relevant part:
What if the VPN doesn’t know who I am?
How are you pulling that off? Paying the VPN with cryptocurrency? Cool, this adds one extra financial hop, so the VPN doesn’t have your name and credit card, but it has your wallet address. If you use that wallet for any other purchases, that’s leaking information about you. If you filled that wallet through a cryptocurrency exchange, and you paid the exchange with a credit card or paypal, then they know who you are.
Even if you use a dedicated wallet just for this VPN, and filled it through mining, so there’s no trail back to you whatsoever, using the same VPN account every time you connect is assigning a unique identifier to all of your traffic, rather than mixing it together with other users like Tor does.
What if you use a new dedicated wallet to make a new VPN account every time you connect, and all those wallets are filled independently through mining so none of them can be traced back to you or each-other? Okay, this might work, but what an incredible amount of tedious effort to fix a loss in anonymity, when you could just… not use a VPN after Tor.
So you’d be paying money and then going through an elaborate laundering process to obscure that money trail, when you could just use Tor for free and get better anonymity.
If you’re connecting directly to a VPN, then things are even worse. The VPN might not have your real name, but they have your real IP address. If your threat model includes law enforcement contacting the VPN, then that same law enforcement could contact the ISP and learn who that IP address was assigned to at the time. VPNs are just not designed for the same kind of anonymity Tor is.
Thanks for this and the link. I just feel unsafe connecting to Tor without my VPN active on my host but logic is logic!
Thanks for the link… it gave more insight with regards to anonymity while using Tor with a VPN
There’s a lot of great reading on your website… thanks for linking it.