General Questions

[JohnnyMoney 0]

Hello,

 

I am still a VPN newbie so I thought I would ask these questions on this forum to get a better idea of how the service works. Allow me to ask three of them:

 

1. Purely theoretically, if a law enforcement agency such as the FBI was suspecting somebody was using one of your servers for illegal purposes (whatever they may be), and sent you an official letter to share information about the usage of the VPN server in question at any given point in time (for example, the VPN server was used to access a Gmail account at a particular time, and the FBI would reach out to you and ask you who used that VPN server exactly at that time), how would AirVPN respond?

Do you have, as a service provider, a legal obligation to respond to such requests? As far as I know, you do not keep any logs, so would there be any information that you would even be able to give to the law enforcement agency?

I would really appreciate elaboration from you on how this scenario would play out. Not that I want to do anything illegal, it is just a theoretical question.

2. I read somewhere on the internet that if a VPN provider says they do not keep logs, it is often a false statement, and even if they do not keep logs, usually the upstream ISP of the VPN provider (the ISP through which the VPN servers are connected to the Internet) do keep logs.

I would like to ask you what you think of this theory and whether it may represent a potential risk of logging.

In other words, even if you do not keep any logs at all yourself, can it be a potential security risk that the upstream ISP you use for your servers does keep logs, and, as a result, could potentially give this logging information to potential law enforcement agencies?

 

3. If I use AirVPN over Tor, meaning I connect from my computer to the Tor network first and from there to the VPN server, will the Tor exit node periodically change in order to make the route more anonymous?

Because if the Tor exit node did not change and an attacker was controlling both the guard (entry) Tor node I would be connecting to, as well as the Tor exit node that would be connecting to the VPN server, although the attacker would not be able to see the actual traffic, he would see the amount of bytes flowing through from one end to the other, and if the attacker also got control of, for example, the websites I would be visiting via the AirVPN server, he could correlate the amount of bytes flowing from my real IP to the entry node, then through to the exit node and finally to the destination server of the websites I would be visiting, thereby deanonymizing me.

So that is why I am asking if the exit node changes when the traffic is routed through the AirVPN over Tor channel. If it does, I think I can feel safer?

[JohnnyMoney 0]

Anyone?

[corrado 100]

Using an OpenVPN provider is about trust. Afaik, there is no way to determine "from outside" whether a provider is really keeping the promise to not log. If there are no logs, there is nothing to share with law enforcement. There might be legal scenarios where a provider could be pressured/obliged to monitor user traffic - some providers have warrant canaries to warn users that the service cannot be trusted anymore. AirVPN, however, does not. The value of warrant canaries is disputed anyway. For legal specifics, you should approach AirVPN staff directly. In any case, OpenVPN is no silver bullet and doesn't provide ultimate protection. Nor is the TOR network. I'm not an expert on TOR but I guess frequently changing your exit nodes depends on your configuration. Against powerful adversaries such as the FBI or NSA, relying solely on OpenVPN (or TOR) as a defense strategy is naive. Correlation analysis as mentioned in your third point for example are an elaborate attack vector that can trace your real IP across multiple nodes. But realistically this is unlikely to be deployed to hunt down a torrent user for copyright violations or other minor things.

 

As you do not plan to commit any serious crime, I would not worry about such things. And as you are a newbie, it its far more important that you get the basics such as DNS leak protection and firewall configuration right. Eddie, AirVPN's OpenVPN client provides those out of the box.

[JohnnyMoney 0]

Thank you for the helpful and insightful answer.

 

If neither Tor nor VPN is "good enough" to be protected from attacks of such adversaries like the NSA, is there anything that is "good enough"?

 

From what I have read, NSA, in one of its leaked documents, claimed that at any moment in time, they are only able to deanonymize a small fraction of all Tor users.

 

So Tor is not a piece of cake for the NSA, this is how I would put it.

 

Now if you combine VPN with Tor (such as in the AirVPN over Tor scenario), I guess that would be real trouble even for the NSA, because even if the NSA was controlling both the entry node and the exit node of the Tor network, they would have no idea what traffic is flowing through those nodes, because the packets would pass through the exit node encrypted, impossible to be read or interpreted, all the way through to the VPN server and then to the final destination.

 

So it seems to be the case that the NSA would have to have to control the AirVPN server, also, in order to perform correlation analysis. What is better is that if you employ this ahead of time, no suspicion is even raised in the first place (I think that suspicion can be raised if you use Tor, for example, for something illegal and the NSA controls the exit node, so they can see what you are doing and analyze the traffic in real time. I guess "after something has been done", it is much harder for any intelligence agency to figure out who has done what, I think the real power comes from correlation in real time as "something is being done".

 

But I do not want to dilute this thread with unrelated stuff. So more answers to my questions are welcomed.

[corrado 100]

At this point we can only speculate what the true capabilities of the NSA are. Maybe OpenVPN over TOR is good enough, maybe it is not. BUT: What I really meant is that even if  your true IP were completely untraceable there are many other ways to reveal your identity. Have a look at the story how the Silk Road was brought down.