Tor over VPN versus Tor over Bridge

VPNs involved in Tor over VPN are vulnerable to website traffic fingerprinting attacks.
Information: TorPlusVPN · Wiki · Legacy / Trac · GitLab

What about Tor over bridge? Are the bridges also vulnerable to website traffic fingerprinting attacks? How is that working?

Hi @Gaai_Chia

I’m not sure, however, your conclusion should be wrong. Or I don’t understand you correctly. I didn’t look at the further links though.

The text says that there are attacks against VPN and SSH that tell an ISP what websites you visit.

It is assumed that similar attacks can also be used to detect whether you are connecting to the Tor network via SSH or VPN.

But it is not suspected that the ISP can read which websites you visit. It’s just that they can see that you are using Tor despite VPN or SSH.

The text wants to tell us that you probably can’t hide the use of Tor with these methods.

I work for an ISP, not for end users, just for server operators. Or as they say today, “cloud” customers. If we want to, we can carry out such attacks with enormous effort. But if they are to be successful, they have to be targeted. You can’t just filter the entire network and see where the traffic you’re looking for is.
This is exactly how it will be with local ISPs. They can only find out if they specifically watch individual customers.

And this specific search, to specifically observe a single customer, is a prerequisite for success.

And that answers your question whether a bridge is better or not.

If your connection is specifically being monitored, then they will always find out what you are doing. No content, no targets, but they know that you are using Tor.

I generally run bridges on port 443, which works with bulk and looks like HTTP traffic for simple mechanisms. However, if an ISP looks closely, he will find out that it is a Tor bridge.

The same way the ISP can figure out if the kind of traffic you have via SSH or VPN with a certain destination is Tor traffic or something else.

I would say that the safest way to hide Tor from your local ISP is to have a bridge on port 443. VPN and SSH are immediately recognizable by their metadata, a bridge requires a closer look.

On the other hand, you can also run SSH or VPN over 443. Probably it all doesn’t make much difference.
