51

Let's say I visit Twitter using HTTPS and a VPN

First, I know that HTTPS is end-to-end encrypted, so no one except Twitter can know what data is sent, not even the VPN provider. Second, I know that when I am using a VPN no one can know who is the user, except the VPN provider.

So, Twitter doesn't know the user, and the VPN provider doesn't know the data. Is this true? Am I 100% anonymous?

uihiuh
  • 11
    Twitter could file a complaint against your VPN and, depending on it, they could forward it to you. So it is not anonymous. Hence the VPNs' 0 logs. – Xavier59 Jan 04 '18 at 20:23
  • @Xavier59 how can the VPN know me and all the data are encrypted? –  uihiuh Jan 04 '18 at 20:26
  • 33
    Nothing is 100% anonymous, even a standalone computer. – 0x90 Jan 04 '18 at 21:41
  • 6
    HTTPS is transport encryption, not E2E. The content can be man-in-the-middled, whereas if it were E2E'd, the eavesdropper would only see encrypted data. – Trent Nelson Jan 05 '18 at 01:25
  • 3
    This discussion is incomplete without mentioning Tor. You should look into Tor if you have already – sudo rm -rf slash Jan 05 '18 at 03:10
  • 8
    HTTPS is NOT the same as "end to end encrypted", unless you OWN both ends of the pipe (i.e., from your laptop into your house TLS server). To Twitter, one end is in YOUR machine, and the other end is in a data center. In the case of cloud services like AWS, the cloud sees the plaintext going into and out of its end of the pipe (i.e., os.Read, os.Write), and you PRESUME that they don't abuse the privilege. But they have to respond to law enforcement requests to peek... so they can't hold up that bargain. Your IP shows up on your end of the VPN as well; obfuscate that with Tor. – Rob Jan 05 '18 at 03:49
  • HTTPS/TLS is not end-user to end-user encryption (which is what end-to-end is usually about), but it is end-to-end encryption between your browser and the HTTP server. Content can be eavesdropped in the Twitter server infrastructure or on your own computer, but it can't (if properly implemented) be eavesdropped by the ISP or the VPN provider. – zakinster Jan 05 '18 at 10:45
  • 1
    ...but since the source and destination IP/domain, timestamp and request size remain (obviously) visible to all involved parties, HTTPS/TLS doesn't provide much for anonymity. – zakinster Jan 05 '18 at 10:51
  • 2
    In infosec, never speak in absolutes... – multithr3at3d Jan 05 '18 at 15:55
  • 1
    I always find this useful, even though it's only about Tor and HTTPS: https://www.eff.org/pages/tor-and-https – icc97 Jan 06 '18 at 06:01
  • 1
    Did you log in to Twitter? Then they know the user. – Barmar Jan 06 '18 at 22:57

7 Answers

94

> Twitter doesn't know the user

If you have ever used that browser to connect to Twitter outside of the VPN, then it is possible that Twitter has used cookies or (even in the case of a complete browser data wipe) browser fingerprinting to identify you. Even if they haven't, you should assume their ad providers have.

> no one can know who is the user, except the VPN provider.

Anyone with visibility of entrance nodes and exit nodes to the VPN (ISPs, state actors etc) can apply packet matching techniques to try and identify traffic flows.

You also have the risk of both Twitter and the VPN sharing the information they hold on you with other parties.

Hector
  • @DavidGrinberg - I explicitly mentioned browser fingerprinting. I'd roll other client side storage techniques into cookies - it's just a unique bit of data the client stores identifying a session. – Hector Jan 05 '18 at 15:47
  • 15
    Browser fingerprinting? [Mandatory panopticlick link](https://panopticlick.eff.org/). – marcelm Jan 05 '18 at 22:12
  • Twitter needs a login for any sort of interaction, so once logged in, it does know the user. It may not know the operator of the user account, or the device being used to access the account. There are a number of layers you can deploy to ensure this anonymity (forced HTTPS, VPN, Tor, sandboxed browser, generic VM, newly built system a.k.a. air-gapped), but each adds complexity and will slow and deteriorate the user experience. – Reece Jan 09 '18 at 00:02
59

As Steffen points out, you are perhaps more anonymous than you would be without the VPN; however, you are far from 100% anonymous.

  • Your web browser itself can reveal a tremendous amount of information about your computer, browser and other services you might be connected to. JavaScript has been used to de-anonymize people on Tor.
  • Things you post, and interactions you have while on social media, can potentially be correlated back to you, especially if your OpSec is weak.
  • A DNS leak could unmask you.
  • If your VPN provider keeps connection logs and operates within a jurisdiction that would require them to turn over that information (or if they wilfully comply with LEAs) then you could be hosed.
  • If you slip up and land on the radar of a Law Enforcement Agency they can look up whether you had payments to your VPN provider, engage your ISP to correlate traffic from the ISP to the VPN to when posts were made on Twitter, etc.

I don't know if you can ever be 100% anonymous on the internet, but if you can it requires more than HTTPS and a VPN connection.

Tobi Nary
DKNUCKLES
  • 3
    At the very least you would want to be using a machine which is only used for that anonymous identity only via VPNs that you trust not to keep any logs and with entry and exit nodes which are unlikely to be viewable by the same entities. – Hector Jan 04 '18 at 22:22
  • Perhaps the wording of the first sentence should be that you are more likely to remain anonymous, as you are either anonymous or not. Once your identity finds its way to an untrusted party you have to assume it is out to everyone, as you cannot know who that untrusted party shares with (even Twitter, perhaps especially a company like Twitter who use lots of third party marketing services). – Ben Jan 05 '18 at 03:12
  • Correlations: 1) the larger a (well-known) file is, the more likely that a (ciphertext only) size match indicates a file match, i.e., how many 1GB + 357 byte files are there? 2) Timing: if you want to watch a Twitter account, you can look at the timing of connections, i.e., every tweet is preceded by a TLS connection 2s before from a consistent IP address. – Rob Jan 05 '18 at 03:55
  • 1
    You can be 100% anonymous on the internet. I purchased a Mobile Wi-Fi + SIM in a UK shop several years ago. Paid cash. The only way law enforcement could know it's me is by camera footage when I purchased it. I don't try to be anonymous, but I know a path through which I could. – gerrit Jan 05 '18 at 09:52
  • @gerrit again, as you keep using the same computer all the time, you are not anonymous at all. It's not only about internet access. – Herr Derb Jan 05 '18 at 10:55
  • @HerrDerb Right. Of course, I would also buy a dedicated laptop, again cash, and only ever use laptop + Mobile Wi-Fi together, and never use any account I also use elsewhere. I would only use it when in crowded public places so law enforcement cannot conclude I live in a particular neighbourhood. They could probably still walk up to me and arrest me while I sit in a café using that device red-handed (I suppose), but I don't see how they would know my identity prior to arrest. – gerrit Jan 05 '18 at 11:31
  • @HerrDerb And if I came across a stash of sensitive information I needed to share with the world, I'd probably do this one-off and then dispose of both laptop and mobile wifi device after they had served their purpose. – gerrit Jan 05 '18 at 11:37
16

Use of a VPN only means that Twitter cannot determine details about the user from the IP address. It might though have other ways to get enough details about the user, for example from cross-domain user tracking (using third-party cookies and other techniques) which many sites employ.

Apart from that, Twitter might determine that the IP address belongs to a specific VPN. And, if you broke laws while interacting with Twitter, they might use the law to require the VPN to give detailed information about you. If the VPN provider keeps logs of which user was assigned which IP address at which time, they will probably provide this information to law enforcement too.

Steffen Ullrich
  • In order to remain anonymous, you generally have to "launder" the source address, the timing, and the message sizes. Things like a client-cert may provide undesired correlations between connections. – Rob Jan 05 '18 at 03:58
11

HTTPS is about confidentiality and integrity of content, not anonymity of parties. It may provide end-to-end encryption between your browser and the server but it doesn't hide the source and destination IP address, timestamps and request sizes. It doesn't provide anonymity in regards of the network infrastructure.

The VPN however will hide your personal IP address (allocated by your ISP) from Twitter but if your VPN provider keeps logs and they all talk (or are made to talk*) to each other, they can simply follow the tracks to your personal IP which can be used by your ISP to identify you. They may not even need your ISP's cooperation if your VPN provider is able to identify you (through client registration or payment information).

There are other networking solutions (such as Tor) whose purpose is to make that network tracking much more difficult or practically impossible if used correctly.

Also beware that your IP address is not the only thing that can be used to identify you; your browser may also leak some useful information (cookies obviously but also its more-or-less unique fingerprint).

To mitigate those risks, you should use a safe and secure browser in incognito mode (to avoid cookies and such) and use it only for this very purpose (to avoid fingerprint cross-matching).

*: All service providers' data may be disclosed to law enforcement authorities depending on jurisdiction or may potentially be retrieved by some resourceful organization by one means or another.

zakinster
4

> I know that HTTPS is end-to-end encrypted, so no one except Twitter can know what data is sent, not even the VPN provider.

Yes, if everything with SSL operates correctly, but by very definition the VPN is a man-in-the-middle.

https://stackoverflow.com/questions/14907581/ssl-and-man-in-the-middle-misunderstanding

I would rather use my ISP than use a VPN provider from China, India or Russia. The middle letter P stands for private and that's very subjective.

> Second, I know that when I am using a VPN no one can know who is the user, except the VPN provider.

They will know the VPN, and the IP address is shared with other users. So you're not anonymous. They've likely seen that IP address many times before.

What I mean to say, is they might allocate more server CPU time in the monitoring of VPN IP addresses compared against other IPs. It's called being guilty by association. You've put a flag on your connection to their servers.

VPNs make you look like the woman in the red dress from the Matrix movies. You stand out in a crowd of busy users.

> So, Twitter doesn't know the user, and the VPN provider doesn't know the data. Is this true? Am I 100% anonymous?

Why should Twitter depend upon network traffic to identify a user?

Your behavior alone can be enough for them to identify you, if you do one of the following:

  • Use a VPN to like your own tweets.
  • Use a VPN to post links to your own websites.
  • Use a VPN to follow your own account.
  • Use a VPN to view accounts for people you know in real-life.
  • Use a VPN to attack people you know in real-life.
  • Someone is able to identify you based upon your activity.

If Twitter wanted to track a user back to the real-world, they could do one of the following:

  • Twitter can fake a network error on unique URLs to see if you come back without the VPN.
  • Twitter can profile you by baiting you with fake tweets.
  • Twitter can position you by tracking location of tweets you interact with.
  • Twitter asks other users to help identify you.
  • Twitter asks the VPN to identify you.
  • Twitter asks Facebook or Google to help identify you.
  • Twitter can redirect all VPN traffic to dedicated servers that have extra resources for tracking high-risk users.

I have no proof they do any of the above, but I also think it's perfectly reasonable to think they would. Given the history of idiots who use Twitter to do stupid things or even worse things.

Reactgular
1

100% anonymity does not exist in this universe. Even with perfect OpSec, you are still vulnerable.

HTTPS is considered reasonably secure, but that does not make it totally impervious to eavesdropping. Cryptographic weaknesses can potentially still exist in TLS allowing it to eventually be broken (which becomes more and more likely as hardware continues to evolve and perform faster, giving attackers more and more processing power to spare on attacks).

Also, as zakinster pointed out, HTTPS does not provide anonymity, it only provides confidentiality. HTTPS does not mask the originating host of a request or the host the request is being sent to. It only masks the contents of the request.

A VPN can provide a degree of anonymity, but the VPN itself still knows who is connected to it and it is still possible that someone could obtain your identity from the VPN (e.g. social engineering/hacking the VPN provider, law enforcement subpoena for information, etc.)

Also, as Hector pointed out, ISPs can see your network traffic to/from the VPN and can potentially figure out it was you based on traffic analysis. It could be as simple as checking the timestamps on packets and correlating them with when the remote host (Twitter) received them.

There is no such thing as 100% anonymous. A determined enough person with the right resources can still eventually find you no matter what measures you take.

ag415
  • I'll go even farther than ag415: even with more privacy-oriented vpnish protocols like [Tor](https://www.torproject.org/) you are not 100% anonymous. One of the biggest problems is [timing analysis](https://blog.torproject.org/one-cell-enough-break-tors-anonymity), which means if a nation-state adversary wants to figure out who you are, they will know. This analysis can be defeated (constant bitrate, constant timing, constant packet size between parties) but such are highly visible to meta-analysis and thus require a large active user base for plausible deniability. – Seth Robertson Jan 07 '18 at 21:41
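The timestamp correlation described in the answer and comment above, as an added example that is not part of the original posts: it scores how well each subscriber's flows to a VPN line up with post arrival times, then shows how constant-interval cover traffic restores the anonymity set. All names, timestamps, the 5-second window and the 0.8 threshold are constructed assumptions.

```python
from bisect import bisect_left

# Constructed sample data (seconds since an arbitrary epoch), not real logs.
# ISP-side view: subscriber -> start times of encrypted flows to the VPN entry.
ISP_FLOWS = {
    "subscriber-A": [100, 905, 2210, 3605, 5000],
    "subscriber-B": [98, 1500, 2950, 4400, 6100],
    "subscriber-C": [400, 903, 2500, 3603, 7000],
}
# Destination-side view: arrival times of posts coming from the VPN exit IP.
POST_TIMES = [102, 907, 2212, 3607, 5002]
WINDOW = 5  # assumed maximum delay between a flow start and the post arriving


def matched(posts, flows, window=WINDOW):
    """Count posts that have a flow start in the `window` seconds before them."""
    flows = sorted(flows)
    hits = 0
    for t in posts:
        i = bisect_left(flows, t - window)  # first flow start >= t - window
        if i < len(flows) and flows[i] <= t:
            hits += 1
    return hits


def rank_candidates(posts, isp_flows, window=WINDOW):
    """Return [(subscriber, fraction of posts matched)], best match first."""
    scores = [(name, matched(posts, flows, window) / len(posts))
              for name, flows in isp_flows.items()]
    return sorted(scores, key=lambda s: s[1], reverse=True)


def anonymity_set(posts, isp_flows, threshold=0.8, window=WINDOW):
    """Subscribers whose traffic is still consistent with the posting pattern."""
    return [n for n, s in rank_candidates(posts, isp_flows, window) if s >= threshold]


def with_cover_traffic(isp_flows, period, horizon):
    """Model the constant-timing defence: every subscriber sends at a fixed period."""
    return {name: list(range(0, horizon, period)) for name in isp_flows}


if __name__ == "__main__":
    print(rank_candidates(POST_TIMES, ISP_FLOWS))
    print(anonymity_set(POST_TIMES, ISP_FLOWS))
    print(anonymity_set(POST_TIMES, with_cover_traffic(ISP_FLOWS, 5, 7005)))
```

Without cover traffic the set collapses to one subscriber even though no payload was decrypted; with constant-rate traffic every subscriber matches equally, which is why that defence only helps when many users share it.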
-3

No, you never are 100% anonymous with a VPN. On 7 August, 2017, a complaint was issued by the US Centre for Democracy and Technology (CDT), blaming Hotspot Shield for applying logging practices and using third-party tracking libraries so that more personalized advertising could be implemented. The complaint was given to the Federal Trade Commission (FTC) and consisted of twelve pages.

schroeder
John Doe
  • 1
    So ... that one VPN service violated privacy - I'm not sure you can conclude that VPN, as a technology, suffers the same problem. – schroeder Jan 08 '18 at 12:42