/d/OpSec

Let's talk about Traffic correlation attacks

by /u/zuzuzuzu · 0 votes · 26th June, 2023 19:00

What is a correlation attack?

Let's say you are a Tor user and you visit a drug market often using your Tor connection.

Let's suppose that LE have compromised this drug market. So they can see all the times you accessed this drug market, and they also assume you are in England because you only supply drugs to England.

Next, LE would subpoena popular ISPs in England to obtain information about which users were using Tor during the time windows when you accessed the website. The more access times LE have for you on this website, the better this method of identifying you will be. Note this evidence alone wouldn't be enough to convict you, but it would give LE reason to put your entire life under a microscope.


You might then ask, won't using bridges prevent this type of attack? No, it won't. ISPs have ways of identifying when Tor bridges are in use. I don't know how they do this; maybe someone more technical could explain it. But I have heard of people getting blocked from using the Tor network even when they use bridges.

The only way around this problem seems to be by using a VPN before accessing Tor. It doesn't have to be owned by someone else, you can setup your own. But you need some way of hiding your Tor usage to prevent becoming a victim of this correlation attack.

Note, this type of attack wouldn't be deployed for any Tom, Dick or Harry. You'd have to be a major player that LE really wants.

Final point before I end this thread: Tor users seem to overestimate how many people use the Tor network. According to the Tor Project website, the USA has a mean of 600k daily users and the UK has a mean of 70k daily users. There are 50 states, so if we assume Tor use by state is distributed equally, that's just 12k users per state daily. Furthermore, if you use Tor at unusual times, when everyone in your country is sleeping, this also increases the risk of falling victim to this type of attack.

Comments
/u/Paris · 26th June, 2023 - 19:44

There are just some things not right about this post. Traffic correlation generally happens not from massive blanket search requests to ISPs about which users were using Tor at a certain time. That would be ridiculous. Do you know how many fucking ISPs there are around the world? In most parts of the world using Tor isn't illegal either. So such a request makes no fucking sense.

How they do it is by running Tor relays and timing the traffic between multiple relays. If they control all three of your relays it's easy to identify the specific user because you just follow the packets. If they control two of your relays (the guard and the exit node) it's possible to correlate the traffic a user sends. A bridge acts as a dedicated guard. You basically swap out a random guard from the Tor network with a "hidden" relay which acts as an entry point into the Tor network. It is possible to identify some "hidden" relay traffic with deep packet inspection (mainly the handshake process and traffic usage afterwards, because it doesn't really act like a regular website).

The problem people don't understand with VPNs is you are basically making a dedicated guard node FOR ALL YOUR TRAFFIC. Including your identifiable kind. All it takes is you signing in to a personal account with the VPN on and now you have made yourself stand out far more than others. VPN companies are also not perfect. Some "no log" VPNs do in fact log. Adding more hops doesn't mean you are more safe. In fact it makes you less safe because there are more points of contact where your traffic can be correlated and you can be compromised. VPN connections are also not as stable, and there have been many times that people got fucked because their VPN connection dropped and their real IP leaked. With a Tor bridge that doesn't happen, because if you lose your connection with your bridge your connection to the Tor network just drops. That's it. It's isolated from your computer's regular traffic.

There are trade-offs, but if your worry is that some LEA will find you via traffic correlation, know it's not really a thing happening. The Tor network pushes a lot of traffic from a lot of users and that makes correlation really difficult. It's not perfect but it's good enough for the vast majority of people. The defaults are private enough for like 99% of users. Don't go doing things you don't fully understand which will then harm your privacy. Try your best to look like others.
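The guard-and-exit correlation described in the comment above, as an added example (this is not code from the thread, from the Tor Project, or from any real tool): an observer who sees a flow on the client-to-guard link and a flow on the exit-to-server link bins packet timestamps and searches for the lag at which the two histograms line up. Every flow, latency, jitter value and loss event is constructed with a seeded RNG; the 100 ms bin width, the 0 to 10 bin lag search, the 25 ms jitter and the 5% loss rate are assumptions of the toy model. It shows why encryption and fixed-size cells alone do not defeat this: the only feature the attacker uses is when packets arrive.

```python
"""Guard/exit flow correlation by packet timing (toy model).

Added example: all flows, latencies, jitter and loss below are constructed
with a seeded RNG; this is not Tor code and not a real capture."""
import random
from math import sqrt
from typing import List, Sequence, Tuple

BIN_MS = 100                      # assumption: 100 ms timing bins
DURATION_MS = 30_000              # assumption: each client sends for 30 s
WINDOW_MS = DURATION_MS + 1_000   # observation window at both vantage points
MAX_LAG_BINS = 10                 # assumption: circuit latency searched in 0..1 s


def make_client_flow(rng: random.Random, n_packets: int) -> List[float]:
    """Constructed client->guard packet timestamps (ms) for one circuit."""
    return sorted(rng.uniform(0, DURATION_MS) for _ in range(n_packets))


def exit_view(rng: random.Random, flow: Sequence[float], delay_ms: float,
              jitter_ms: float, drop: float) -> List[float]:
    """The same flow as seen on the exit->server link: each packet delayed by
    the circuit latency plus Gaussian jitter; a fraction never shows up as a
    separate packet (lost, or merged into a neighbour)."""
    seen = [t + delay_ms + rng.gauss(0.0, jitter_ms)
            for t in flow if rng.random() >= drop]
    return sorted(seen)


def bin_counts(flow: Sequence[float], bin_ms: int = BIN_MS) -> List[int]:
    """Packets-per-bin histogram: the only feature the attacker needs, so
    encryption and fixed-size cells do not remove it."""
    n_bins = WINDOW_MS // bin_ms
    counts = [0] * n_bins
    for t in flow:
        i = int(t // bin_ms)
        if 0 <= i < n_bins:
            counts[i] += 1
    return counts


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Pearson correlation of two series (0.0 if either one is flat)."""
    n = min(len(a), len(b))
    a, b = a[:n], b[:n]
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / sqrt(va * vb)


def lagged_correlation(guard_bins: Sequence[int], exit_bins: Sequence[int],
                       max_lag: int = MAX_LAG_BINS) -> Tuple[float, int]:
    """Best correlation over lags 0..max_lag and the lag that gave it; the
    attacker does not know the circuit's latency, so it is searched."""
    best, best_lag = -1.0, 0
    for lag in range(max_lag + 1):
        if len(guard_bins) - lag < 2:      # no meaningful overlap left
            break
        r = pearson(guard_bins[:len(guard_bins) - lag], exit_bins[lag:])
        if r > best:
            best, best_lag = r, lag
    return best, best_lag


def match_flows(guard_flows: Sequence[Sequence[float]],
                exit_flows: Sequence[Sequence[float]]) -> List[Tuple[int, float]]:
    """For every exit-side flow, the index of the guard-side flow it correlates
    best with and that score."""
    g_bins = [bin_counts(f) for f in guard_flows]
    matches = []
    for ef in exit_flows:
        eb = bin_counts(ef)
        scores = [lagged_correlation(gb, eb)[0] for gb in g_bins]
        best = max(range(len(scores)), key=scores.__getitem__)
        matches.append((best, scores[best]))
    return matches


def run_demo(seed: int = 7, n_flows: int = 12) -> float:
    """n_flows concurrent circuits seen at guard and exit, exit side shuffled;
    returns the fraction re-paired correctly."""
    rng = random.Random(seed)
    guard = [make_client_flow(rng, rng.randint(150, 400)) for _ in range(n_flows)]
    # each circuit has its own latency (different middle relay); unknown to the attacker
    exits = [exit_view(rng, f, delay_ms=rng.uniform(200, 800),
                       jitter_ms=25.0, drop=0.05) for f in guard]
    order = list(range(n_flows))
    rng.shuffle(order)                      # attacker sees exit flows unlabelled
    matches = match_flows(guard, [exits[i] for i in order])
    correct = sum(1 for k, (g, _) in enumerate(matches) if g == order[k])
    return correct / n_flows


if __name__ == "__main__":
    print(f"correctly paired: {run_demo():.0%}")
```

With a dozen concurrent circuits the correct pairing still scores well above the best wrong one, even where the latency falls halfway between two bins. What shrinks the margin in practice is what the comment names: many more concurrent users, more jitter, and traffic that is not one continuous burst. What would remove it is padding that is independent of the client's sending pattern, and that is exactly what Tor does not promise: the Tor Project's own documentation states that Tor does not protect against an attacker who can watch both ends of a connection.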

/u/zuzuzuzu · 26th June, 2023 - 20:03

> There are just some things not right about this post. Traffic correlation generally happens not from massive blanket search requests to ISPs about which users were using Tor at a certain time. That would be ridiculous. Do you know how many fucking ISPs there are around the world? In most parts of the world using Tor isn't illegal either. So such a request makes no fucking sense.

How would it be ridiculous? Without any information on a suspect, then sure, it would be ridiculous. But if LE were to be reasonably sure of what country and/or state a suspect resides in, then it wouldn't be too hard. In the USA for example, the most used ISPs are AT&T, T-Mobile, Sprint, Verizon, Comcast, Charter and Cox. I'd bet my nut that 99% of USA users are with one of those ISPs. All they would then need is market access logs and subpoenas.

/u/Twins7295 · 26th June, 2023 - 20:19

This is the most stupid thing I've ever heard, you don't know anything about opsec I guess. Have a great day getting caught.

/u/StuckInTheMiddleWithYou · 27th June, 2023 - 07:03

Yeah but Paris you are assuming a flawed use of the VPN for the sake of anonymity. If we leave human error to the side and consider a technically sound setup, such as using QubesOS and NetVMs with killswitches and proper DNS configuration, for instance, and also assume that a user who is wise enough to set those chains up will not use the VPN to log into his personal Pornhub account, then the argument for adding extra hops is an enticing one. The whole goal is to escape your ISP as much as possible. As per my other comment, this is best achieved by adding combinations of Proxies and VPNs before your initial Tor connection, as well as between the Tor sandwich. Yes, at some point along the chain a VPN will be a "permanent entry point", but in a simplified setup such as You -> VPN -> (bridge) Tor -> VPN2 -> (bridge) Tor2 -> onion, it does not matter. The Whonix documentation on running concurrent Gateways pretty much says that the main concern is getting the same guard node on both gateways, which is a game of chance, really. Stacking Tor on top of Tor is "undefined" in terms of increased or decreased privacy. You could argue that by introducing more relays into the chain it makes it more likely that at least two will be controlled by LE, but with the added latency of a long chain and packet obfuscation it ought to be harder the way I see it. I'll concede that one problem with a convoluted setup like that is that if one of the early hops in the chain fails, provided you have a killswitch, then all subsequent hops will also fail pretty much simultaneously, which could lead to correlation. I do agree that for most people using a bridge + Tor is fine enough, but we need to keep in mind that LE probably has an assortment of 0days that could catch you with your pants down if you only rely on Tor. And also, the way Tor's threat model defines its adversary is really quite lacking in terms of what most of us here consider our adversary.

/u/Paris · 26th June, 2023 - 20:17

Just because someone uses Tor doesn't mean they were doing anything wrong with it. I am not saying they can't request that information (they can, and ISPs do retain which websites you visit, what you download, etc.) but it does nothing to really prove that a certain ISP user is a specific Tor user. Only that they used Tor. Which for most of the world isn't illegal. The better way they correlate traffic is from running Tor relays.

Edit: if you mean market access logs, and the market you are talking about is running an onion site and the user visits via the onion site, there are no really identifiable logs that the market can provide. Onion services work both ways. They protect both the website and the user. This is what makes DDoS attacks much harder to protect against on the Tor network and why we have so many fucking captchas.

/u/zuzuzuzu · 26th June, 2023 - 20:34

When users login to their market account, that can be logged. And the duration that they are logged in for can also be logged. Those are the market access logs that I'm referring to. Also, a lot of websites will make it public knowledge that a user is logged on, unless you change that in settings. So a website doesn't even necessarily need to be compromised for access logs like that to be obtained. Explain to me why you think that LE couldn't use those access logs from the market website, get all the popular ISPs in a country/state to run a search for someone who used Tor at the same times as those access logs? I am not saying this evidence alone would be enough to convict someone, but it could definitely get someone put under heavy observation.

/u/Paris · 26th June, 2023 - 20:54

That's a fair assessment. But quite paranoid. Just a few days ago there were 4 million users on the Tor network (see here). In the US alone there were just about 600,000 users on the 23rd (see here). These are directly connecting users reported by relays who share info with the Tor metrics. Even if you go and separate these things down you are talking about thousands of people. All it takes is a few people to really use Tor every single second of every single day to make such information from the ISP just worthless in my view. If LEAs are seeing a specific target worth spending so much time and resources to find, that target should be protecting themselves in other ways to make it harder, instead of just relying upon a single system to protect their identity. Nothing is perfect here but it is good enough for the vast majority of people.

/u/heftyload9 · 27th June, 2023 - 05:13

To be honest, I don't think it's very paranoid. If I were LE and I got access to a hidden service such as a market, this is probably one of the first things I'd try, given I could get sufficient cooperation from ISPs. Get a few major ISPs on board with just giving me records for Tor users with timestamps, exact packet contents (yes it's encrypted but the volume can help here), etc. Yes, as you say, there is nothing illegal about using Tor in many countries, but we all know how LE and major telecom companies are in bed together in various ways, so it's not that far fetched. Once you have this information from ISPs (which would be very technically easy for the ISPs to get), a correlation attack would be really easy, just based on log-in times to markets.

> If LEAs are seeing a specific target worth spending so much time and resources to find, that target should be protecting themselves in other ways to make it harder, instead of just relying upon a single system to protect their identity.

The thing is, they could very easily do this at a large scale once they compromise a site/market, as long as they have cooperation from ISPs, which is not that outlandish.

/u/Paris · 27th June, 2023 - 05:42

It's not as easy as you think it is. Timing correlation attacks are hard to pull off on Tor for a few reasons. One is the latency between different relays in the chain. There is large variation in both the responsiveness of each relay and the connections between the different relays. Remember there are 6 relays in between a user and an onion service site. The circuits change occasionally and sometimes at random (when some relays stop responding). There is also packet padding on each Tor request, which makes the packets look basically indistinguishable from one another. There are also many different layers of encryption which get unwrapped like an onion, which changes the packet sizes too. You may think it's an easy process, and it is when there is only one user and one site. But when there are just a few users the traffic gets really fucking hard to correlate. People need to remember Tor is designed to counter this kind of large scale correlation attack. They are really fucking good at it.

/u/heftyload9 · 27th June, 2023 - 05:57

Thanks for the response. I probably am underestimating the difficulty a little bit. But it seems like with a blanket approach, if you get a whole lot of data from ISPs, you could filter some people out pretty easily, with hardly any effort. For example, suppose a user logs in at 12pm and 8pm one day, and then 10am the next day. That's three separate log-in times. As LE, you could then go to your data from ISPs and query it for IP addresses that were connected to the Tor network at all three of those times. Out of the thousands or even hundreds of thousands of Tor users, these three log-in times alone probably narrow that down to a pretty small number. Get a fourth or fifth log-in time and that number will go even lower. Collect this data for a couple of weeks and you are sure to correlate several users' real IP addresses (assuming no VPNs, etc.) to log-ins on the hidden service you've compromised. I'm not saying this is enough to charge someone with a crime or anything, but it seems like a reliable tool for LE if they have the right setup. Add as much latency padding as you want, you're not going to get around this type of attack involving general log-in times. Also, circuit changes, which you mention, don't do anything to mitigate this type of attack.

/u/Paris · 27th June, 2023 - 06:04

That's assuming you are using Tor only for those things and immediately stop using Tor after you are done. Also don't discount the possibility some people may be using Tor at other times too which breaks down the narrowing of who is doing what. The latency is exactly what will make these things extremely difficult to do. The traffic on Tor isn't individualized. It's a cluster of so many users sending so many packets all over the place. Assuming that you use Tor for other things at other times (and so do others) it's harder to pick people off from the crowd.
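The narrowing procedure heftyload9 describes, together with the always-on counter-example Paris raises in reply, as an added example (not from the thread, from any ISP, or from any real case): constructed records of when each hypothetical subscriber's line carried traffic to Tor relay or bridge addresses, intersected against constructed login timestamps from a seized market's access log. The subscriber ids, the time windows, the login times and the two-minute bootstrap lead are all assumptions of the toy model.

```python
"""Login-time intersection against ISP Tor-session records (toy model).

Added example: the subscribers, their Tor session windows and the market
login timestamps below are all constructed; no real ISP, market or
investigation is described."""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Window = Tuple[datetime, datetime]


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed ISP data: subscriber id -> windows during which that line had
# traffic to known Tor relay/bridge addresses (what flow records would show).
ISP_TOR_SESSIONS: Dict[str, List[Window]] = {
    # the account holder: online shortly before every login, offline after
    "sub-A": [(ts("2023-06-01 11:50"), ts("2023-06-01 12:40")),
              (ts("2023-06-01 19:55"), ts("2023-06-01 20:30")),
              (ts("2023-06-02 09:45"), ts("2023-06-02 10:20"))],
    # always-on client (or a relay operator): can never be ruled out
    "sub-B": [(ts("2023-05-01 00:00"), ts("2023-07-01 00:00"))],
    # day-1 midday and evening user, not on Tor on day 2
    "sub-C": [(ts("2023-06-01 11:00"), ts("2023-06-01 13:00")),
              (ts("2023-06-01 19:00"), ts("2023-06-01 21:00"))],
    # connected one minute before the first login: too late to have built a circuit
    "sub-D": [(ts("2023-06-01 11:59"), ts("2023-06-01 12:10"))],
    # night-time user, never overlaps the logins
    "sub-E": [(ts("2023-06-01 02:00"), ts("2023-06-01 04:00")),
              (ts("2023-06-02 02:00"), ts("2023-06-02 04:00"))],
    # day-1 midday only
    "sub-F": [(ts("2023-06-01 11:30"), ts("2023-06-01 12:30"))],
}

# Constructed market access log for one account (server-side login times).
MARKET_LOGINS: List[datetime] = [
    ts("2023-06-01 12:00"), ts("2023-06-01 20:00"), ts("2023-06-02 10:00"),
]

# Assumption: the client had to be on Tor at least this long before a login
# (bootstrap, directory fetch, circuit build) for the session to explain it.
DEFAULT_LEAD = timedelta(minutes=2)


def was_on_tor(sessions: List[Window], t: datetime,
               lead: timedelta = DEFAULT_LEAD) -> bool:
    """True if some session started at least `lead` before t and had not ended."""
    return any(start + lead <= t <= end for start, end in sessions)


def narrow(isp: Dict[str, List[Window]], logins: List[datetime],
           lead: timedelta = DEFAULT_LEAD) -> List[Set[str]]:
    """Candidate set after each successive login: subscribers on Tor at every
    login seen so far. Each login can only remove people, never add them."""
    candidates: Set[str] = set(isp)
    history: List[Set[str]] = []
    for t in logins:
        candidates = {s for s in candidates if was_on_tor(isp[s], t, lead)}
        history.append(set(candidates))
    return history


def final_candidates(isp: Dict[str, List[Window]], logins: List[datetime],
                     lead: timedelta = DEFAULT_LEAD) -> Set[str]:
    """Whoever survives all logins; with no logins nobody is ruled out."""
    hist = narrow(isp, logins, lead)
    return hist[-1] if hist else set(isp)


if __name__ == "__main__":
    for n, cands in enumerate(narrow(ISP_TOR_SESSIONS, MARKET_LOGINS), 1):
        print(f"after {n} login(s): {sorted(cands)}")
```

Each login removes everyone who was offline at that moment and nobody else, so the candidate set only shrinks: four survive the first login, three the second, two the third. sub-B, connected around the clock, survives every round, which is the point of the reply above; the lead parameter cuts the other way, since without it a subscriber who connected a minute before the login (sub-D) would be kept as well. The same intersection works against a bridge user, because the ISP-side feature is only "had traffic to a Tor address at that time", not which relay it went to.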

/u/FadedLayer · 26th June, 2023 - 23:52

> Explain to me why you think that LE couldn't use those access logs from the market website, get all the popular ISPs in a country/state to run a search for someone who used Tor at the same times as those access logs?

Because the constitutional protections in the US prevent LE from using search warrants as fishing expeditions.

/u/getyourandom · 27th June, 2023 - 11:31

Parallel construction

/u/FadedLayer · 29th June, 2023 - 05:52

But they'd still need to be able to get those logs in the first place, and a judge wouldn't sign off on a warrant.

/u/getyourandom · 29th June, 2023 - 12:29

Assuming the three letter agencies don't already have access inside the ISPs (think CALEA)

/u/FadedLayer · 26th June, 2023 - 23:48

In the US this wouldn't pass muster under the constitution, and it's highly unlikely that a judge would sign off on an overly broad warrant like this just to identify a drug dealer. It's also unlikely that LE would try getting such a warrant, because it would be subject to a very strong legal challenge and get thrown out in court later on.

/u/zuzuzuzu · 27th June, 2023 - 10:12

I agree with you. However, you should be very cautious about assuming you're not a high enough value target. For example, LE and Facebook used two zero days to deanonymize a Tor user. The Tor user was a child predator extorting nudes out of children on Facebook. This is an awful crime, sure, but do you think it's at the level of using a zero day on?

/u/FadedLayer · 29th June, 2023 - 05:51

I don't think that most DNM vendors are worth using up a zero day exploit for. Maybe some mega fent vendor, or if they could use it to nab multiple vendors at once.

/u/Paris · 26th June, 2023 - 20:24

Oh really? What did I say which was wrong?

/u/Twins7295 · 26th June, 2023 - 20:25

> There are just some things not right about this post. Traffic correlation generally happens not from massive blanket search requests to ISPs about which users were using Tor at a certain time. That would be ridiculous. Do you know how many fucking ISPs there are around the world? In most parts of the world using Tor isn't illegal either. So such a request makes no fucking sense.
>
> How they do it is by running Tor relays and timing the traffic between multiple relays. If they control all three of your relays it's easy to identify the specific user because you just follow the packets. If they control two of your relays (the guard and the exit node) it's possible to correlate the traffic a user sends. A bridge acts as a dedicated guard. You basically swap out a random guard from the Tor network with a "hidden" relay which acts as an entry point into the Tor network. It is possible to identify some "hidden" relay traffic with deep packet inspection (mainly the handshake process and traffic usage afterwards, because it doesn't really act like a regular website).
>
> The problem people don't understand with VPNs is you are basically making a dedicated guard node FOR ALL YOUR TRAFFIC. Including your identifiable kind. All it takes is you signing in to a personal account with the VPN on and now you have made yourself stand out far more than others. VPN companies are also not perfect. Some "no log" VPNs do in fact log. Adding more hops doesn't mean you are more safe. In fact it makes you less safe because there are more points of contact where your traffic can be correlated and you can be compromised. VPN connections are also not as stable, and there have been many times that people got fucked because their VPN connection dropped and their real IP leaked. With a Tor bridge that doesn't happen, because if you lose your connection with your bridge your connection to the Tor network just drops. That's it. It's isolated from your computer's regular traffic.
>
> There are trade-offs, but if your worry is that some LEA will find you via traffic correlation, know it's not really a thing happening. The Tor network pushes a lot of traffic from a lot of users and that makes correlation really difficult. It's not perfect but it's good enough for the vast majority of people. The defaults are private enough for like 99% of users. Don't go doing things you don't fully understand which will then harm your privacy. Try your best to look like others.

/u/zuzuzuzu · 26th June, 2023 - 20:50

Care to elaborate on this? It's much better to discuss these things. Sure, you might end up being totally wrong about something, but it's better that than ending up doing ten years in prison because you didn't understand a small detail.

/u/Kev69 · 26th June, 2023 - 22:46

I will elaborate some. Although I am not tip-top in opsec myself and have a small threat model to worry about. To further /u/Paris' thesis: it only takes a very small number of Tor users, logging in for just a few seconds every day, to add enough traffic to make it difficult to narrow anyone down. Being that XMR is being mined on home machines across the world, I also imagine there are many Tor users that are logged in to Tor 24/7. And even some that are logged in 24/7, twice! It would be difficult to correlate that type of traffic with anything time related, wouldn't it? I am just sayin'. At any rate, yeah, I would think you would need to be a pretty Big Target, especially as you said, this couldn't even be considered as evidence for a warrant, much less a conviction.

/u/FadedLayer · 29th June, 2023 - 06:00

What's the proper use of a VPN in conjunction with TOR?

/u/spacelasers · 29th June, 2023 - 22:29

If you are a long term Tor user and a high priority target you should be using a VPN + Qubes + your own guard nodes. Most people get arrested for stupid opsec mistakes or using Bitcoin, but in the rare cases otherwise it is always a client exploit or a malicious guard in action.

/u/StuckInTheMiddleWithYou · 26th June, 2023 - 19:18

This should hardly come as a surprise. It is not feasible to hide the use of Tor; that much has been established. But, you can make it difficult for your adversary by adding more hops. Multiple VPNs, multiple proxies, Tor sandwiches (VPN -> TOR -> Proxy -> VPN -> ... -> TOR -> etc.). That is one problem that I2P doesn't have. At least not in the same sense. You ought to be a vagabond in a country without cameras in public spaces to truly feel safe in placing your trust in Tor.

/u/Kev69 · 26th June, 2023 - 22:48

just hide in plain sight

/u/FadedLayer · 26th June, 2023 - 23:54

I log in from my work laptop at DEA headquarters.

/u/getyourandom · 27th June, 2023 - 11:34

Even more hilarious if actually true LOL