True no logging from VPN Companies

[Khoomn]

So I'm getting interested into making VPN services and I currently have my own one and all that but I'm wondering how companies like ExpressVPN, which have been proven multiple times that they do not log, keep their service from being logged by the datacenter host. Because I can get my VPS to not have any logs on it but my VPS provider can just get all the data that they keep logged. How does express do it? My only understanding of doing it is through hopping where it goes My IP -> VPN 1 -> VPN 2 -> Internet and maybe VPN 1 is an offshore VPS but thats about it. I'm not sure what data would be transfered through VPN 1 other than connection from VPN 1 to VPN 2 to mask the origin IP

 

If anyone can help or recommend me providers who have proven no logging through their network management, let me know

[Electronics Wizardy]

Are you worried about the vps host loggin what the vm does, or network traffic?

 

Colocation solves most of the vm host issue. You can't keep people in the middle from logging network traffic, but if you set it up right, they don't know which person using the vpn made the request to the website

 

You can prevent every ISP in the middle from tracking you, but if you have tons of connections going to one point, you can't say who made that connection.

 

 

[Khoomn]

19 minutes ago, Electronics Wizardy said:

Are you worried about the vps host loggin what the vm does, or network traffic?

 

Colocation solves most of the vm host issue. You can't keep people in the middle from logging network traffic, but if you set it up right, they don't know which person using the vpn made the request to the website

 

You can prevent every ISP in the middle from tracking you, but if you have tons of connections going to one point, you can't say who made that connection.

 

 

I'm worried about the VPS logging the network traffic

 

How would I set it up right so they don't know which person is using the vpn when the request was made to the website?

[Electronics Wizardy]

Just now, Khoomn said:

I'm worried about the VPS logging the network traffic

 

How would I set it up right so they don't know which person is using the vpn when the request was made to the website?

how would the vps provider know which one of your customers make the request? They would see many streams of encrypted data, and web reqests.

 

If you want to be fancy, get a few more vpss and bounce the encrypted traffic between them to make it harder.

 

 

THe VPS provider can't see the info of which client made which request.

[Khoomn]

2 minutes ago, Electronics Wizardy said:

how would the vps provider know which one of your customers make the request? They would see many streams of encrypted data, and web reqests.

 

If you want to be fancy, get a few more vpss and bounce the encrypted traffic between them to make it harder.

 

 

THe VPS provider can't see the info of which client made which request.

Yeah thats what im thinking about with the VPN hopping that I talked baout but I'm pretty sure once the request is made, its not encrypted to the company who is hosting even though my encryption is on AES256-SHA256

 

If anyone else here can confirm to me that if using a VPS as a VPN with OpenVPN or SoftEther VPN does encrypt all traffic out of the machine to websites then that would be great

[Electronics Wizardy]

Just now, Khoomn said:

Yeah thats what im thinking about with the VPN hopping that I talked baout but I'm pretty sure once the request is made, its not encrypted to the company who is hosting even though my encryption is on AES256-SHA256

How would the host see it?

 

They can see encrypted data go into the vps, and the web request go out of it. They won't know who made that request, other than its one of your customers.

 

SOme isp is always gonna see the web request, and can do what ever they want with that.

[Khoomn]

33 minutes ago, Electronics Wizardy said:

How would the host see it?

 

They can see encrypted data go into the vps, and the web request go out of it. They won't know who made that request, other than its one of your customers.

 

SOme isp is always gonna see the web request, and can do what ever they want with that.

They would see the encrypted data go into the vps which also has an ip linked to that request. And you just said in the message above that all data that goes out would be encrypted and now you say they can see the web request go out

[Electronics Wizardy]

Just now, Khoomn said:

They would see the encrypted data go into the vps which also has an ip linked to that request. And you just said in the message above that all data that goes out would be encrypted and now you say they can see the web request go out

But with multiple users, how do they know which user made the request.

 

You can also pass the encrypted traffic between multiple vps so its harder to track the data.

 

 

[brwainer]

How is this question different from what was talked about last month?

We went over the same thing about "I don't want the VPS host to be able to see/log the traffic, nor any of their ISPs".

@Electronics Wizardy Is providing the only sane or not-paranoid viewpoint in this topic so far. Please, listen to one of us, or learn enough about networking basics (from the bits up to the application layer) that you can make your own magical solution.

To answer the specific question "how companies like ExpressVPN ... keep their service from being logged by the datacenter host" - they don't. They have just enough customers that it isn't possible to work backwards from anything the datacenter host might log to an individual customer. If someone acquires the datacenter host's logs, all they will see is a huge number of incoming encrypted connections to the VPN server from the customers, and a huge number of outgoing unencrypted connections from the VPN server to whatever the customers are doing. Without logs of the VPN server itself, there's no definitive way to connect those two together.

[LAwLz]

7 hours ago, brwainer said:

To answer the specific question "how companies like ExpressVPN ... keep their service from being logged by the datacenter host" - they don't. They have just enough customers that it isn't possible to work backwards from anything the datacenter host might log to an individual customer. If someone acquires the datacenter host's logs, all they will see is a huge number of incoming encrypted connections to the VPN server from the customers, and a huge number of outgoing unencrypted connections from the VPN server to whatever the customers are doing. Without logs of the VPN server itself, there's no definitive way to connect those two together.

This isn't really true.

They could do an "end-to-end correlation" attack. Basically, look at which traffic enters the server and then match that with a traffic pattern that matches the traffic leaving the server.

The FBI and NSA have been doing that type of stuff (correlating incoming and outgoing data) through Tor circuits for ages, and that's through multiple servers and jumps. Doing it on a single server would be trivial.

 

 

https://blog.torproject.org/traffic-correlation-using-netflows

Spoiler

The way we generally explain it is that Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate, but Tor can't protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math.

 

And the math is really effective. There are simple packet counting attacks (Passive Attack Analysis for Connection-Based Anonymity Systems) and moving window averages (Timing Attacks in Low-Latency Mix-Based Systems), but the more recent stuff is downright scary, like Steven Murdoch's PET 2007 paper about achieving high confidence in a correlation attack despite seeing only 1 in 2000 packets on each side (Sampled Traffic Analysis by Internet-Exchange-Level Adversaries).

 

[brwainer]

4 hours ago, LAwLz said:

This isn't really true.

They could do an "end-to-end correlation" attack. Basically, look at which traffic enters the server and then match that with a traffic pattern that matches the traffic leaving the server.

The FBI and NSA have been doing that type of stuff (correlating incoming and outgoing data) through Tor circuits for ages, and that's through multiple servers and jumps. Doing it on a single server would be trivial.

 

 

https://blog.torproject.org/traffic-correlation-using-netflows

  Reveal hidden contents

The way we generally explain it is that Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate, but Tor can't protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math.

 

And the math is really effective. There are simple packet counting attacks (Passive Attack Analysis for Connection-Based Anonymity Systems) and moving window averages (Timing Attacks in Low-Latency Mix-Based Systems), but the more recent stuff is downright scary, like Steven Murdoch's PET 2007 paper about achieving high confidence in a correlation attack despite seeing only 1 in 2000 packets on each side (Sampled Traffic Analysis by Internet-Exchange-Level Adversaries).

 

Shhhh I'm trying to make them less paranoid. Yes I was aware of correlation, and was intentionally ignoring it. If you're being targeted enough for correlation (especially correlation of TOR) then someone is already investigating you for something and looking for evidence.

Edit: To add a bit more logic to my statement: "where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math" - basically they suspect that user ABC is going to site XYZ, and then watch those two endpoints. If they suspect you use some certain site, they're already on to whatever you're doing. Or you're being wrongly suspected and they won't find anything.