Common mistakes that lead to deanonymization

9 May 2023 14 minutes Author: D2-R2

Deanonymization on the Internet

Deanonymization (slang: deanon; also doxxing) is a violation of anonymity, which consists in the publication of personal data (real name, place of residence or work, etc.) of an Internet user, in particular: wikis, blogs, forums, etc. De-anonymization can also be understood as a comparison of several accounts of one person on one or more websites. To de-anonymize a user, open information and open ways of processing it are almost always enough, first of all, correct search queries (for queries, see, for example, the recent thread about habrausers and adding to favorites). Mathematically, de-anonymization describes the identification of new intersection areas of sets that reflect the user’s traces in the network. Currently, users in places of communication on the Internet have the right to dispose of their anonymity (in the case of Ukraine, EU countries, USA, etc.).

It is important to know that if you do not want to disclose your identity, you need to follow certain rules of communication and carefully see what information will be displayed in your profile (you can preview the profile of several random users of this site). It is also highly undesirable to use the same nicknames when registering on different sites. If you ever plan to provide commercial information (even in a comment on an unpopular blog), please provide the minimum possible information for your identification when registering. It is advisable to conduct the simplest linguistic analysis of your texts and use spell check.

Anonymity in social networks

If you have registered in vk (social network), indicating your phone number. Then they connected to vk via Tor to write in the official group of the Zadryshchensk City Administration “the deputy of the second convocation of the city council Nikiforov S.S. is a thief”. Does this mean you are anonymous because you used Tor?

No, it doesn’t. At least because your social network account is linked to your phone number. And the IP address is not really needed for your identification.

Anonymity and cookies

Cookies are small pieces of information that are stored in your web browser after a website has sent them to you.

If you went to the site, got your cookies, then reconnected via Tor and wrote in the comments something like “the deputy of the second convocation of the city council Petrov D.S. is also a thief”, then the cookie can link the author of the comment and the user who previously entered with a different IP address.

Cookies are designed to identify the user regardless of your IP address.

Many sites save the IP of previous actions

For example, I registered a VPN account that I will connect via Tor. But I registered it from my IP (because Tor is slow, and in general that site does not accept connections from the Tor network). Will I be anonymous if I connect to a VPN via Tor? No, because information about previous operations with the IP address is saved.

I BUY VPN (or VPS server to set up OpenVPN) and will be anonymous

Even if you read the third point and went to register through Tor, but use wallets that can lead to you, then there is no anonymity in question. Moreover, when buying disposable SIM cards and when entering wallet sites, you also need to remember about your anonymity, otherwise it is simply pointless.

That is why Tor alone is more anonymous than Tor + OpenVPN. It is quite difficult to buy something without leaving traces.

OpenVPN is very good, but not for anonymity

If we recall the original purpose of VPN networks, it is the organization of virtual private networks, within which computers scattered around the world can access each other’s local network resources. In this case, the traffic exchange is encrypted, but this traffic is encrypted only for an external observer, but not for the server and clients of the OpenVPN network.

For this reason, if you have purchased a free or paid VPN account, then be prepared that the server owner can do ANYTHING with your traffic and keeps activity logs – which requests were made from which client.

As it is written in the Whonix reference: a third of the popular VPN providers belong to Chinese companies (China is not a country where privacy is respected), and the rest of the countries like Pakistan are also “wonderful” countries. How many of them are ‘honeypots’ and record activity is impossible to say, but in my opinion, 100% of paid and free VPN providers do this.

There are 1000 and 1 ways to find out the real IP address of a remote user

The options range from the simplest one of sending a link to a controlled site and viewing the IP (if communication is via an anonymous messenger) or a file with a Trojan to quite sophisticated ways.

If you use any closed source software for illegal activities.

Backdoors can also be in legitimate closed-source software – as a severe vulnerability that the vendor knows about, or just an ordinary dumb-as-a-cork backdoor – such were found, for example, in official router firmware.

As for illegal closed source software that distributes anonymously, please tell me, why not install a backdoor? The owner will not know anything, and even if he does, what will he do? He will go to the police and say: I bought scripts to hack the protection of stolen phones, and they installed a virus there… It is unlikely that he will do that. In his article, bo0om exploited this very feature.

Lack of understanding of the simplest technical aspects of networks, servers, applications, information accumulated and available in open sources

In my articles linked above, I found the attacker’s sites simply by analyzing where the POST request goes. Why did the attacker leave scripts in the archive on this site? Apparently, he just did not know that it is very easy to track where the POST request goes, even if the HTML code is obfuscated. And there can be a lot of such “technical” punctures: a simple SSH connection password (“no one knows where my server is”), misunderstanding of what information on the server can be accessed by the researcher, misunderstanding of what Cloudflare is for, etc.

The big picture

Example: infrastructure objects are attacked and IP traces and other indirect signs lead to somewhere far away. However, the objects and methods of attack are similar to those used by a well-known hacker group. At least there is a reason to think.

Metadata in files

You should know everything about metadata and programs to view and clean it. Otherwise, if you distribute files, all other anonymity measures may become useless. Approximately as in the first point, when Tor is used, but you log in to the social network under your account.

Should I use Tor with VPN, proxy, SSH?

This is the most common question in different variations. And there is no clear answer to it. Suppose in my country or my ISP blocks access to the Tor network, then not as good as the only solution is to use VPN + Tor. At the same time, I must clearly understand the risks of VPN, which is designed to organize private virtual networks, not anonymity. If I don’t understand the risks of adding different intermediate nodes, and I do it just because I read on some forum that it is better, then it is a bad idea: there is no working technology to find out the real IP address of a Tor network user, but the VPN “honeypot” will know everything about you:

  • your real IP address
  • which sites you made requests to
  • what answers were received

The following is a translation from the official Tor Project documentation. I agree with these opinions, provided that there is trust in the Tor network. I don’t have 100% trust in the Tor network, but of the other options to hide your IP, this is the best solution.


Can I use a VPN with Tor?

Generally speaking, we do not recommend using a VPN with Tor unless you are an experienced user who knows how to configure both methods in a way that does not compromise your privacy.

There are many discussions on the Tor mailing list about how to combine Tor with VPNs, SSH and/or proxies in various variations. The letter X in this article means “VPN, SSH or proxy”. All the different ways to combine Tor with X have different pros and cons.

Anonymity and confidentiality

You can very much compromise your anonymity with VPN/SSH in addition to Tor. (Proxies are described below.) But if you know what you are doing, you can increase anonymity, security and privacy.

VPN/SSH providers keep a history of financial transactions and you will leave traces unless you choose a truly anonymous payment method. VPN/SSH acts as a permanent inbound or permanent outbound node. This may solve some problems but create new risks.

Who is your opponent? Against a global adversary with unlimited resources, adding more intermediate nodes makes passive attacks (slightly) harder, but active attacks become easier because you provide more surface to attack and send more data that can be exploited. Adding nodes strengthens you against Tor node collusion and against blackhat hackers who target Tor client code (especially if Tor and VPN are running on two different systems). If the VPN/SSH server is under the control of an attacker, you weaken Tor’s security. If the server is trustworthy, you can increase the anonymity and/or privacy (depending on your settings) provided by Tor.

VPN/SSH can also be used to bypass Tor censorship (if your ISP blocks access to Tor or if an endpoint blocks connections from the Tor network).

VPN/SSH vs proxy

The connection between you and VPN/SSH is encrypted, but not always. On the other hand, the connection between you and OpenProxy is not encrypted. “SSL proxy” in most cases is only an http proxy that supports the connect method. Initially, the connect method was designed to allow you to use SSL connections to web servers, but other interesting things are possible, such as connections to IRC, SSH, etc. c. Another disadvantage of http proxy(s) is that some of them, depending on your network settings, even pass your IP through the “http forwarded to” header. (Such proxies are also called “non-anonymous proxies”. Although the word “anonymous” should be understood with caution in any case, OpenProxy alone is much worse than Tor).

VPN vs SSH or proxy

VPN works at the network level. An SSH tunnel can offer a socks5 proxy. Proxies work only at the application level. These technical details pose their own challenges when combined with Tor. The problem for many VPN users is the complicated setup. They connect to the VPN on a machine that has direct access to the Internet.

  • VPN user may forget to connect to the VPN first
  • without special precautions, if the VPN connection is broken (VPN server reboot, network problems, VPN process failure, etc.), direct connections without VPN will be made.

To solve this problem, you can try something like VPN-Firewall. When working at the application level (using socks5 SSH tunnels or proxy servers), the problem is that many applications do not respect the proxy server settings. The most secure solution to eliminate these problems is to use a transparent proxy, which is possible for VPN, SSH and proxy.

You -> X -> Tor

Some people under certain circumstances (country, ISP) are forced to use a VPN or proxy to connect to the Internet. Other people want to do it for other reasons, which we will also discuss.

You -> VPN/SSH -> Tor

You can route Tor through VPN/SSH services. This can prevent your ISP and others from seeing that you are using Tor. On the one hand, VPNs are more popular than Tor, so you won’t stand out much, on the other hand, in some countries replacing an encrypted Tor connection with an encrypted VPN or SSH connection will also be suspicious. SSH tunnels are not as popular. Once the VPN client is connected, the VPN tunnel will become the default route for the Internet connection and the TBB (Tor Browser Bundle) (or Tor client) will be routed through it.

This may be a good idea, assuming that your VPN/SSH provider’s network is more secure than your own network. Another advantage here is that Tor will not be able to see your IP behind VPN/SSH. Therefore, if someone manages to hack Tor and find out the IP address where your traffic is coming from, and your VPN/SSH does not monitor you, then it will help you to remain anonymous.

You -> Proxy -> Tor

This does not prevent your ISP and other observers from seeing that you are using Tor because the connection between you and the proxy is not encrypted.

Depending on the configuration on the proxy side, sometimes this prevents Tor from seeing who you are. Therefore, if someone manages to hack Tor and find out the IP address from which your traffic is coming and your proxy server does not give you away, then the attacker will not see your real IP.

You -> Tor -> X

As a rule, this is a really bad option. Some people do this to avoid connection bans from the Tor network. Tor usually switches its path through the network frequently. When you choose to permanently assign X, you give up this benefit, which can have serious consequences for your anonymity. For example, accumulating information about requests made from different IP addresses of the Tor network is difficult, but using one exit node you lose this advantage.

You -> Tor -> VPN/SSH

You can also route VPN/SSH through Tor. This hides and protects your internet activity from the originating Tor nodes. Although you can be monitored by the source VPN/SSH nodes. This option only makes sense if you use VPN/SSH in such a way that you can pay for them anonymously.

However, it is not so easy without the use of virtual machines. And you will need to use TCP mode for VPN (for routing through Tor). In our experience, establishing VPN connections via Tor is quite difficult.

Even if you pay for them anonymously, you create a bottleneck where all your traffic goes through – VPN/SSH can create a profile of everything you do, and later on it’s likely to be really dangerous.

You -> Tor -> Proxy

You can also route proxy connections through Tor. This does not hide or protect your internet activity from Tor source nodes because the connection between the source node and the proxy is not encrypted, not one but two parties can now log and manipulate your unencrypted traffic. There is no point if you can’t pay for proxies anonymously.

You -> X -> Tor -> X

There are no studies whether it is technically possible. Remember that this is probably a very bad option because ви -> Tor -> X – is already a very bad plan.

You -> your (local) VPN server -> Tor

This is different from the one discussed above. You don’t need to pay a VPN provider because you host your own local VPN server. This will not protect you from your ISP seeing your Tor connection, nor will it protect you from Tor exit server spying. This is done to ensure that all your traffic goes through Tor without any leaks, otherwise it makes no sense.

The principle of the elusive Joe

What should I do to make sure I am not found? One hundred percent guarantee is only if you will not be searched for… Even if you have studied the “anonymity manuals” from cover to cover, even if it is written by a person who understands (and this is unlikely, because a person who understands would not write such a thing and take such responsibility on his conscience) and even if you have done everything right, but do not understand other aspects of the above, then your chances of “burning” in one of the above idiotic ways are great. It is better to be a law-abiding person and apply knowledge and skills in lawful activities:

“Lately it’s become so hard to steal that I feel like I’ve earned that money.”

Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.