On VPN anonymity

Let us assume that a VPN does not keep the logs and does give anonymity.

Most VPNs do not own the servers in the many countries they serve but hire them; they also use local ISP providers. The server provider may keep logs and the ISP certainly does. Could traffic be monitored by these people?

Here is the scenario. On a site, someone posts at 2:15 pm. The site knows the IP address of the poster. This IP address is a VPN in country XYZ. The VPN is not helpful, so they go to the server provider that serves this VPN. If that is not helpful, they go to the ISP and request the info on who was on the VPN at 2:15 pm.

The ISP may log who connects to the VPN node, but all the egress traffic to the Internet will be from that specific node’s public IP.

So in theory some entity may be able to see that n IPs connected to the VPN node in XYZ country, but they are likely limited in their ability to correlate traffic after that.

These types of questions are best answered by defining a threat model you are defending against. If your privacy concerns are motivated by legitimate nation-state capabilities (e.g. dissident in hostile country), then you definitely should not assume that a VPN provides much protection.

There are plenty of browser fingerprinting capabilities that can do a good job of identifying your machine from others, and a VPN doesn’t help there.

But, if you are just concerned about preventing limited capability adversaries from tracking your activity, or have concerns about browsing on untrusted WiFi networks, VPN is probably worth something.

[Not sure what this has to do with home networking. OP is talking about a consumer outbound VPN-to-internet.]

Every additional step in the chain makes traffic correlation harder. If VPN does not log and cooperate, attacker quickly gets to “well, it’s one of these 200 users who all were using that VPN server at about that time”.

Related question: do VPN servers do anything to avoid strict identical ordering of input and output traffic? Maybe randomize the queue a bit? I guess if there is parallelism (multiple network interfaces, multiple CPU cores) maybe that would introduce some variance.

To an extent. But correlating traffic would only get you so far without the middle info the VPN has. Assume 5000 customers on a single VPN company that does not keep logs, and one goes to an illegal site while all are connected. You will never be able to get any closer to who did what than to know it was one of those 5000. Even if you know that VPN exit IP w.x.y.z connected to illegal sites, you can’t tell which entrance IP out of those 5000 was that particular one.

LOL, sorry for the clutter, folks.

This dude was challenging me in another forum, unwilling to believe that it was commercially feasible to use a VPN to create an anonymous presence in social media. He got so desperate to convince me (TCP/IP kernel dev) that he decided he’d enlist troops of powerusers to help him.

I see that some of you are trying to explain to him the same thing I’ve tried to explain to him 6 times (LOL). Maybe he’ll get it now that others are confirming what I tried to explain.

The issue that prompted the discussion is that Australia’s RWNJ govt is lawsuit-crazy and likes to go after people who say things on social media that they don’t like. So they want to force large social media companies to force Australian users to identify themselves, so that when the RWNJs come callin’, the social media company can tell them who to sue.

I tried to explain that the use of VPNs to sign up and use an identity was the way out of this. Most people got it (my original comment got many upvotes.) But this one redditor just doesn’t want to believe it, LOL.

He’s going on and on about local ISPs at the destination node, unable to understand that by the time the local ISP in your destination country sees the traffic, it offers no identification as to the source of the traffic outside of the VPN. And that once the connection is severed, as it’d be by the time a lawsuit-related trace was instigated, a non-logging VPN won’t have a record of who was signed on at the time.

I explained that without CIA-level access and determination (our RWNJs don’t have that – our CIA-equivalent is unlikely to be willing to get involved in a matter of an internet user calling a politician a potato, for example… overthrowing a country, yes, namecalling, nah), a VPN is absolutely safe enough for slagging on an RWNJ politician.

Perhaps I’m just too used to dealing with fellow experts to use the right words to explain it to a poweruser type. Sigh. Good luck with him, folks.

Some ISPs are not that big and their servers are often not busy. So I would recommend only using a major VPN company.

Yeah, before COVID I used to travel to Iran a few times. There, almost half the internet was censored using public ISPs. However, VPNs were openly being sold through advertising in government newspapers. If you used these VPNs, everything worked. Some of these were well known in the West. It made me wonder about them. I thought that you would have to be a fool to use them, though, if you wanted privacy from the authorities.

Browser fingerprinting will tell them a lot, e.g. I am an Australian, my main language is English, and my time zone, but not who I am.

Yeah, I tried to explain that without CIA-level cooperation in investigating you, which an RWNJ politician wanting to sue someone for calling them a social media won’t have, VPNs are quite good enough.

If you knew our politicians, you’d know that “limited capability adversary” is a pretty good description, and our CIA-equivalent authorities would nup out of involvement in politicians wanting to investigate namecalling as it’s a waste of their time.

Not all offer these services.

Related question: do VPN servers do anything to avoid strict identical ordering of input and output traffic? Maybe randomize the queue a bit? I guess if there is parallelism (multiple network interfaces, multiple CPU cores) maybe that would introduce some variance.

I do not see how that makes any difference. You are still logged on.

The VPN has several servers and has 5000 customers but not all are on 24/7 and not all use that server.

Assume 5 servers and a user doing an average of an hour a day, you have 41 users to check. If you have a few incidents you are down only to a few.

It’ll only tell you these things IF you:

  1. Don’t reset your local timezone on your computer. (LOL, amateur!)

  2. Don’t configure your computer to look like, for example, a UK or US rather than Australian computer. (Again: LOL, amateur!)

I did significant financial transactions in another country that required me to be onshore. Plenty of them. Via VPN, on a computer registered to that target country, not to Australia. The world shrugged. Every transaction completed successfully.

It makes a difference to the attacker outside the VPN, trying to do traffic correlation.

Still, can’t prove anything really. Even if you can match one packet in and one packet out you still have to prove that the time for everyone was 100% in sync at that exact time. Lots of doubt there. Can you prove something over a very long time? More possible. If I have weeks or months of tracing on both sides I can show a pattern and that may be able to be enough proof. For example, if it boils down to the only time the illegal site sees traffic from the VPN corresponds over months to times the VPN is getting traffic from IP a.b.c.d and no other IP is attached to more than 1 incident, then as someone working on their MS in Cybersecurity I would even agree it is probably that person. Maybe lower correlation might meet that standard too.

Of course if I can prove that only you were coming in for 5 minutes and packets were flowing from illegal site during that time I probably have you. Reason enough to use a large VPN.

Thing is, this stuff might be anonymous enough for average users but never think you are 100% anonymous online no matter how many VPNs and proxies you go through. If you do something illegal enough, someone can find a way to identify you and probably get past reasonable doubt.

The Browser fingerprinting will still be unique, so they can identify it was this user.

Why? As long as you are logged in, you will be listed.

This depends on your adversary, its methods and its goals. Wikipedia identified one IP address as spam, so it blocked it from editing. They ended up blocking the whole of Kuwait.

One of my original conditions was to use a separate computer so that you couldn’t fingerprint things like your local computer’s timezone, language settings, region, etc.

(And I suppose if you can’t do that, it would at least help to reset timezone and region and obviously pick a different browser.)

The VPN will know who is using it. But we were talking about:

If VPN does not log and cooperate, attacker quickly gets to “well, it’s one of these 200 users who all were using that VPN server at about that time”.
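
The anonymity-set argument running through this thread ("41 users to check", "one of these 200 users", "reason enough to use a large VPN"), worked as an added simulation that is not part of any post. It assumes each customer is pinned to one server and is online independently with probability hours/24 at any incident time; the function names and the target id 0 are made up for illustration.

```python
import random


def expected_online(customers, servers, hours_per_day):
    """Average number of customers connected to one server at any instant."""
    return customers / servers * hours_per_day / 24


def simulate_intersection(customers=5000, servers=5, hours_per_day=1.0,
                          incidents=5, seed=1):
    """Model how an anonymity set shrinks over repeated incidents.

    An observer who only knows which client IPs were connected to the
    exit server at each incident time keeps the users present at *every*
    incident. Returns (set size after each incident, final candidates).
    """
    rng = random.Random(seed)      # seeded so the run is repeatable
    target = 0                     # assumption: user 0 made every post
    peers = [u for u in range(customers)
             if u != target and u % servers == target % servers]
    p_online = hours_per_day / 24  # chance a peer is connected right now
    candidates, sizes = None, []
    for _ in range(incidents):
        online = {u for u in peers if rng.random() < p_online}
        online.add(target)         # the poster is online by definition
        candidates = online if candidates is None else candidates & online
        sizes.append(len(candidates))
    return sizes, candidates


if __name__ == "__main__":
    print("expected crowd:", round(expected_online(5000, 5, 1), 1))
    # Thread's numbers: small crowd, one hour a day per user.
    print("small crowd:", simulate_intersection()[0])
    # Larger provider whose users stay connected half the day.
    print("large crowd:",
          simulate_intersection(customers=50000, hours_per_day=12)[0])
```

With the thread's numbers the set starts near 41 and collapses within a few incidents; a provider with more customers who stay connected longer keeps the set in the hundreds after the same number of incidents.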