Privacy on iOS over VPN

I’m connecting to the internet through VPN on iOS, knowing that the VPN by itself isn’t a sufficient tool so in addition to other privacy practices. I was wondering if the VPN component has any meaning at all given that iCloud and other apps log in and communicate with their servers. So they see the VPN server IP, along with my login, so they associate my identity with that server/IP (?). And if several services share information then all of them can know who I am given my connection from a certain IP and other potential metadata leakage.

Is there any truth in this? Is it also applicable to desktop setup where I connect to multiple services by VPN? If so, is there any way to address that to improve privacy?

If you use a VPN server, your device is logically connected to the VPN server, and your network traffic is typically forwarded by the VPN server to the servers behind it.

Assuming that all of your network traffic passes the VPN server, then all servers behind it see the IP address of the VPN server as your IP address. However, other factors that can be used for fingerprinting like your web browser fingerprint, device fingerprint, or other app fingerprints don’t change.

Imagine that you take the bus line 10 from your house to your workplace each day. Line 10 is a direct line. Somebody at your workplace can assume that you live somewhere near a bus stop of line 10. Now you change this: You take bus line 8 to the city center, then you switch to line 17 that also goes to your workplace. A person at your workplace now assumes that you live somewhere near line 17.

However, everything else did not change: You have the same physical appearance, the same human characteristics, the same clothes, and so on. You change a single parameter in a sea of parameters that can be used to identify you.

Use the Tor Browser. Why? Tor doesn’t only change your IP address in a way that each Tor node can’t see the full route of the traffic, but the Tor Browser itself is modified in a way that it looks the same for each user. So a website that deploys fingerprinting techniques will see many of the same parameters for different Tor users.

3 Likes
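The point of the answer above, as an added example that is not part of the original posts: a site that keys visitors on client-side attributes links the same browser across a home IP and a VPN IP, while visitors whose browsers report identical attributes collapse into one group. The attribute names, values and the `user` ground-truth label are constructed for illustration, and the fingerprint is deliberately simplified.

```python
import hashlib
from collections import defaultdict

# Attributes a site can read from the client itself; the source IP is not among them.
FP_KEYS = ("user_agent", "screen", "timezone", "language", "fonts")

def fingerprint(visit):
    """Hash the client-side attributes only (a deliberately simplified fingerprint)."""
    material = "|".join(f"{k}={visit[k]}" for k in FP_KEYS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def ips_per_fingerprint(visits):
    """Source IPs observed for each fingerprint: what the tracker can link together."""
    groups = defaultdict(set)
    for v in visits:
        groups[fingerprint(v)].add(v["ip"])
    return dict(groups)

def users_per_fingerprint(visits):
    """Anonymity set size: how many distinct users hide behind each fingerprint."""
    groups = defaultdict(set)
    for v in visits:
        groups[fingerprint(v)].add(v["user"])
    return {fp: len(users) for fp, users in groups.items()}

# Constructed sample data. IPs come from the documentation ranges (RFC 5737).
CUSTOM = {"user_agent": "ExampleBrowser/1.0 (customized)", "screen": "1792x1120",
          "timezone": "Europe/Vienna", "language": "de-AT", "fonts": "213 installed"}
UNIFORM = {"user_agent": "ExampleBrowser/1.0 (uniform)", "screen": "1400x900",
           "timezone": "UTC", "language": "en-US", "fonts": "bundled set"}

VISITS = [
    {"user": "alice", "ip": "203.0.113.10", **CUSTOM},   # direct, home IP
    {"user": "alice", "ip": "198.51.100.7", **CUSTOM},   # same browser via VPN
    {"user": "bob",   "ip": "192.0.2.21", **UNIFORM},    # uniform browser, exit A
    {"user": "carol", "ip": "192.0.2.54", **UNIFORM},    # uniform browser, exit B
    {"user": "dave",  "ip": "192.0.2.54", **UNIFORM},    # uniform browser, exit B
]

if __name__ == "__main__":
    sizes = users_per_fingerprint(VISITS)
    for fp, ips in ips_per_fingerprint(VISITS).items():
        print(fp, sorted(ips), "users sharing it:", sizes[fp])
```
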

Thanks, that makes sense. But Tor is so slow for me for normal webpages, let alone videos. Is there either a way to make it faster (not likely) or an alternative solution to be anonymous but not to the same degree as with Tor?

The speed depends on the Tor nodes chosen by the Tor Browser. If slow nodes are in use, the speed might be annoying. However, most nodes should allow watching even full HD movies these days.

As said before, achieving anonymity online isn’t that easy. Some people, blogs, or media share tips to be “100% anonymous on the web,” but given all of these tracking possibilities and the custom behavior of people, this can’t be achieved. There are also some testing websites that show you your uniqueness on the internet, but they don’t test all possibilities to identify you, so take the results with a grain of salt.

So Tor is the only way to go then. Hopefully I can really stream video in it in a reasonable time.
The biggest issue is that after some idle time of not using the browser, it takes a lot of time to start a new tab and get any result, potentially because the browser needs to set up a new Tor session?
And then any extension I add is a possible exploit, right? What if I need a password manager (Bitwarden) or a cookie/tracking monitoring? It actually says ‘An unexpected error occurred’ when trying to add the Bitwarden extension to Tor browser on Mac.
Thanks

From the security perspective, every web browser add-on can introduce security vulnerabilities or can be misused for malicious actions. However, this isn’t limited to the Tor Browser but affects all web browsers.

From the uniqueness perspective, add-ons might change some of the parameters controlled by the Tor Browser. This may result in more uniqueness or – in other words – less anonymity. Thus, the Tor Project suggests using only the add-ons that come with the Tor Browser as is.

The error may originate from some web browser features that are disabled in the Tor Browser. The Tor Browser comes with several features disabled to avoid fingerprinting.

I see, thanks.

So now every time I restart the browser I have to log in to all of the things I need because saving cookies might lead to tracking? I don’t see an option to restrict cookies from only some selected sites from being deleted.

Also, any idea why the frame of the website is smaller than the actual browser window? I guess it has something to do with the uniform dimensions to prevent fingerprinting, but is there no way to scale it up to the actual window size?

Of course, cookies can be misused for tracking – as well as any other custom setting. From the security perspective, one should frequently delete cookies to avoid that somebody is able to “steal” them (technically by duplicating valid authentication cookies). There are some server-side settings to prevent most ways to do so; however, not all servers are configured securely.

Because your web browser’s window size can be used for identifying you. The idea of the default window size of Tor is that every Tor user has the same size. If you change it, you create uniqueness. To make fingerprinting harder, Tor Browser deploys the following technique:

Tor Browser 9 ships with a fingerprinting defense for those scenarios as well, which is called Letterboxing, a technique developed by Mozilla and presented in 2019. It works by adding white margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that prevent singling them out with the help of screen dimensions.

Source: https://support.torproject.org/tbb/maximized-torbrowser-window/

Great, thank you.

Apparently I can’t use eBay to check out as guest or even when I try to log in. Sometimes even YouTube and other common websites block the traffic with some random error. Any workaround for these cases?


Also, is there no ad block on the Tor browser? I see a lot of ads and since installing any plugin is problematic…

Many services block access from the Tor network because it’s frequently used for spam and other abuse.

Tor Browser has uBlock Origin installed by default and it blocks most ads, I think. You can adjust it if you want, but be careful so that you don’t accidentally make yourself more identifiable if you do that.

If you use Tor you will stick out like a sore thumb, because that is not a “normal” internet browser. Sure, your ISP won’t see what you are doing, but if you use a VPN they cannot see either.

“Normal” internet browsers stick out way more than Tor. Never heard of browser fingerprinting?

1 Like

Using a VPN service provider means this single provider sees everything that you do while connected. The VPN service provider replaces the ISP. Instead of trusting your ISP, you need to trust the VPN service provider. The ISP still knows when you connect to the internet, how much traffic you transmit and receive, and that you are connecting to the VPN service provider.

Using Tor means that the guard node knows your identity but doesn’t know to which server you ultimately connect. On the other hand, the exit node knows to which server someone connects but doesn’t know the identity of the “someone.” So, as long as the same entity doesn’t deploy the guard node and exit node, no one knows what you are doing on the internet. The ISP still knows when you connect to the internet, how much traffic you transmit and receive, and that you are connecting to the Tor network.

In summary, using a VPN provider with your (likely customized) “normal” web browser only shifts trust from your ISP to this provider. On the other hand, using the Tor network with an out-of-the-box Tor browser makes you more anonymous (but never wholly anonymous).

1 Like
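The trust comparison in the post above, as an added example that is not part of the original posts: each hop is modelled as seeing only the addresses of its two neighbours, and the code finds the smallest sets of operators that together see both the client and the destination. The hop names and the "sees both ends means it can link" rule are simplifying assumptions; in practice a guard and exit run by one entity link a user through traffic correlation.

```python
from itertools import combinations

def relay_views(path):
    """Map each intermediate hop to the two neighbours whose addresses it sees."""
    return {path[i]: {path[i - 1], path[i + 1]} for i in range(1, len(path) - 1)}

def can_link(path, operators):
    """True if the given hops together see both the client and the destination."""
    views = relay_views(path)
    seen = set().union(*(views[o] for o in operators))
    return path[0] in seen and path[-1] in seen

def minimal_linking_sets(path):
    """Smallest groups of hops that must be run by one entity to link both ends."""
    relays = path[1:-1]
    found = []
    for size in range(1, len(relays) + 1):
        for combo in combinations(relays, size):
            if any(set(f) <= set(combo) for f in found):
                continue  # a smaller subset already suffices
            if can_link(path, combo):
                found.append(combo)
    return found

def isp_view(path):
    """The access ISP sees the client and the first hop only (the tunnel is encrypted)."""
    return (path[0], path[1])

# Hypothetical hop names for the two setups discussed in the thread.
VPN = ["client", "vpn", "site"]
TOR = ["client", "guard", "middle", "exit", "site"]

if __name__ == "__main__":
    for name, path in (("VPN", VPN), ("Tor", TOR)):
        print(name, "ISP sees:", isp_view(path),
              "| who can link client to site:", minimal_linking_sets(path))
```
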

Yes, that is my understanding. Routing my network through Tor - VPN over Tor is my current set-up.
I would rather trust a random VPN provider in some far off country than my ISP.
*If, and that’s a big if, LE ever wanted my browsing history, it will be more difficult for them to get it off a VPN provider than my local ISP.