How to protect data, traffic, and servers visited via Outline from the server provider?

Suppose I set up a private VPN server using Outline. I then route all the traffic from my computer through that server using the Outline client.

Now, can the provider of this server theoretically listen in or log all the data that I sent through that server? Is it encrypted by default or only if I’m accessing https websites? What if I log into the terminal via SSH on my local machine and send the password there (I know we use keys, but I am just checking various use cases)? Can they also see the website names I’m accessing (not the URLs via https but the actual domains)?

If any of the above is the case, what’s the best way to increase protection?

​

theoretically listen in or log all the data that I sent through that server

Of course

encrypted by default or only if I’m accessing https websites

Everything between you and your server is encrypted. Everything between your server and the final destination is only encrypted if you’re using TLS, SSH, or other encrypted protocol.

log into the terminal via SSH on my local machine and send the password there

While SSH itself encrypts the transfer including the password, the host in theory can just read the RAM to grab everything once it arrives.

see the website names I’m accessing

Yes, in multiple ways. If your browser/OS doesn’t use DoH/DoT, it means the DNS query is sent in plain text. If you’re using DoH/DoT, the server can still see SNI since it’s plaintext unless the site and your browser are configured to use ECH. Even with ECH, if it’s a major site not using a CDN, the destination IP still can be trivially linked to a domain.

the best way to increase protection

Choose a provider you can trust, or at least not going to adhere to court orders from your jurisdiction.

When you use a VPN, you are not completely hiding your traffic. You are choosing to let your VPN provider see your traffic, instead of your ISP (the VPN is your “ISP”).

The most critical information that usually leaks is the domain names of the sites you visit, even when using HTTPS. Your device may also do unencrypted HTTP connections, which are vulnerable to injections or malware.

That’s why it’s important to trust the VPN/Internet provider and use end-to-end encrypted protocols like TLS/HTTPS or SSH.

While TLS/HTTPS mitigates the security issue, you still have the privacy issue. To mitigate the privacy issue, you can use a two hop set up, with an entry node that relays to an exit node that in turn connects to your destination:

[client/source]===[entry node]===[exit node]---[target/destination]

That way the entry node cannot see your destination (because the traffic between you and the exit node is encrypted) and the exit node cannot see what the source is (because the traffic is coming from the entry node). This prevents source-target correlation.

Tor implements that, in what they call “onion routing”, given the layers of encryption. They add a third node in the middle called “Relay”, to protect against the case where the entry and exit nodes may collaborate. The EFF has a really helpful diagram showing what the different actors in the network can see when you have Tor and HTTPS enabled or disabled.

I recommend using the Tor Browser if you are concerned about privacy. They not only do Onion routing, but also limits the information your browser leaks. It’s possible that you may have issues, like slow speeds and lots of captchas, so you may want to restrict usage to your more sensitive activity. Also, Tor may be blocked, but it’s possible to use the Tor browser over an Outline connection.

It’s also possible to do Onion Routing with Outline, but it’s not user-friendly. We have a command-line tool that runs a local web proxy that you can use to configure your browser or operating system. The local proxy will relay the traffic according to a “transport” config, which can contain multiple Outline hops. You can find the config format and a onion routing example in the Outline SDK documentation. The command would look something like this:

go run github.com/Jigsaw-Code/outline-sdk/x/examples/http2transport@latest -transport "ss://[OUTLINE_KEY1]|ss://[OUTLINE_KEY2]" -localAddr localhost:8080

Nothing is foolproof. At the end of the day there’s no way to mask network traffic beyond a point. If someone has access to your outline server they’ll be able to figure out details eventually by simply tracing the network packets both ways.

Thank you for such a detailed answer!

Doesn’t sound too safe to me then.

I wanted to ask you about this:

Everything between you and your server is encrypted. Everything between your server and the final destination is only encrypted if you’re using TLS, SSH, or other encrypted protocol.

So everything is encrypted between me and the server and then it’s encrypted again between the server and the final destination if I’m using one of the protocols, right? Or it’s decrypted on the server and then encrypted again to connect to the site I’m accessing?

Amazing. Thank you for this response!

The encryption goes like this (assuming you’re using TLS/SSH) : Your traffic is encrypted by your browser/SSH client, then get encrypted again by Outline client (or any Shadowsock client), sent to your Outline server, decrypted (still unreadable since it’s TLS/SSH), sent to the destination, and only then the destination server decrypt the traffic.