What is the most secure way to browse highly sensitive clearnet sites?
Like when you're on this Reddit forum, or checking the blockchain (blocks TOR often), or on usps.com checking tracking or printing shipping labels.
Correct me if I'm wrong, but VPN over TOR would work because despite your ISP seeing you're using TOR, the clearnet site would only see the VPN so it wouldn't look suspicious and your real IP would be masked. And if your VPN connection drops suddenly, the clearnet site would see TOR briefly but wouldn't see your real IP address.
On the contrary, VPN and Public Wifi would eliminate all use of TOR and any suspicions that might be raised from that (to either the ISP or the clearnet site). And if the VPN drops suddenly, again your real IP address wouldn't be revealed, only the location of the Public Wifi.
Any thoughts? My knowledge of this is minimal, I'm trying to wrap my head around it.
Will be a long post so sorry in advance. Want to just explain whatever I can in a few minutes. Writing this fast so may be some typos, apologies in advance if there are.
You have to be careful in public places. In almost all the indictments against the DNM owners/administrators (SR1, SR2, etc.) the agencies had a lot of physical evidence that stemmed from watching / observing connections to public networks. Anything with a camera, potential to be seen more easily should be approached with caution.
You're already talking about clearnet sites here and not .onion, so the main thing you should check for is SSL on the clearnet site (though it's still based on X509/Certificate Authority) to prevent MitM attacks as a single precaution. Also, with VPN + TOR you do solve that issue of your ISP knowing you are utilizing Tor, however you want to make certain that you are doing this correctly. Use Tails if you are very concerned about the security because it does a lot of the work for you, or if you're more tech savvy you can use restricted BSD (but that's uncommon) because it has a lot of customization. Anyways, you want to make sure your VPN is acting wholly - something like a properly configured dd-wrt router works best. You can then use Tor Browser on top of that, but for something like USPS or Blockchain you should be fine -- it's not recommended to use Tor for USPS anyways, and if you are, say, connecting to a dd-wrt VPN'ed router and then using Tor Browser it will still show up as a Tor connection to USPS.
In any of these clearnet cases, you need to make sure they have SSL at the very least. It's not perfect, but you don't want MitM attacks -- that's the most common and easiest to protect against by far. Also, your trust in the VPN provider is the shortcoming of the classic "SSL style" authority-based schemes. Your VPN company knows your IP address, just like the direct hop (single one) to your computer with Tor is unencrypted by nature, as it needs to relay the data to you somehow. That's the design of Tor and is always how it's worked.

The key is, if you're using a .onion service you get onion routing, which is another topic that can be discussed a lot but is basically the Tor protocol design. With the hidden service properly configured you're going to make an, in theory, secure relay to a hash table and request the info with a secret one-time key - like "I want this hidden service. Here is my message." This is all encrypted with three standard relays that act like an "onion", hence the term onion routing and the whole Tor logo. Each relay uses DH key exchange so you get forward secrecy. Once you request the information for the hidden service, the server (which gets the information from a cloud-like distributed hash table) "redirects" you to establish a relay to one of the three current introduction points. These are nodes that have direct relays with the hidden service's webserver. Note that these intro nodes don't know the identity of the hidden service at all, as they are all still onion routed in the three-tiered setup as mentioned. At the end there's the exit node which sends unencrypted data to the hidden service, and if all goes well your message/request to view the hidden service gets passed via encrypted Tor relays from the hash table "nodes" -> one of the intro nodes -> exit node -> hidden service. The hidden service, in the case of .onion services, will only see your message, which will be like "I want to view your content. Here is me signing something with your public key and a secret. Let's meet up at ABC." The hidden service decrypts this and then establishes a relay to the server ABC that you told it to meet at - the rendezvous node. You, the client, then connect via standard onion routing (three layer) to the rendezvous node and basically "meet up" with the onion service, and you have successfully connected. The whole point of that was that, in a perfect world/most cases, you're going to request a hidden service descriptor and the hidden service will meet you somewhere and neither of you will know anything about each other. In the absolute end of your connection you have generally 6 onion relays: your client -> guard node -> relay -> relay -> [ rendezvous server - "the internet" ] <- relay <- relay <- exit <- hidden service. Each " -> " is an onion-routed hop.
Sorry for the long explanation - but that's how Tor works. Only for .onion sites though. You don't want to send regular clearnet there without being careful beforehand. If the site you visit doesn't use SSL/TLS, you're going to send unencrypted data at hops since you're not using the onion routing, which is basically the DNS and heart of Tor. You'll also notice that two sites - Blockchain and Facebook - have now set up .onion sites with SSL. They're big companies so they are pushing it, and DigiCert (a large SSL authority) granted them SSLs for .onion websites. This basically gives them "proof" of ownership of their onion URL and extra security through the network, though the studies are still not 100% on this. Tor has a lot of flaws but you don't have to worry about most of them unless you're doing some really shady shit :) But better safe than sorry of course.
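The per-hop DH key exchange and three-layer "onion" described in the answer above, as an added Python demonstration that is not part of the original thread: the `Relay`, `build_circuit` and `send_through` names, the fixed 1024-bit prime and the HMAC-based keystream are all constructed for illustration and are not Tor's real ntor handshake or cell format.

```python
"""Toy onion routing: a per-hop DH handshake, then layered encryption that each
relay peels one layer of (constructed demo, not Tor's real cell format)."""
import hashlib
import hmac
import secrets

# Fixed 1024-bit prime for the demo; DH is correct over any prime, and real Tor
# uses the ntor handshake (Curve25519) with AES-CTR for the layers.
P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF
G = 2

def derive_key(shared: int) -> bytes:
    """Hash the DH shared secret into a 32-byte symmetric key."""
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()

def layer(data: bytes, key: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for AES-CTR)."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Relay:
    """One hop: holds only its own circuit key, so it can peel exactly one layer."""
    def __init__(self, name: str):
        self.name, self.key = name, None
    def handshake(self, client_pub: int) -> int:
        """Relay side of DH: a fresh ephemeral secret per circuit gives forward secrecy."""
        x = secrets.randbelow(P - 2) + 2
        self.key = derive_key(pow(client_pub, x, P))
        return pow(G, x, P)

def build_circuit(relays):
    """Client negotiates an independent key with each relay (guard, middle, exit)."""
    keys = []
    for r in relays:
        x = secrets.randbelow(P - 2) + 2
        keys.append(derive_key(pow(r.handshake(pow(G, x, P)), x, P)))
    return keys

def send_through(relays, keys, msg: bytes):
    """Wrap msg in one layer per hop; return what the last hop recovers and each hop's view."""
    cell = msg
    for k in reversed(keys):          # innermost layer belongs to the last hop
        cell = layer(cell, k)
    seen = []
    for r in relays:
        seen.append(cell)             # this hop's view: ciphertext until the last layer is gone
        cell = layer(cell, r.key)     # the XOR layer is its own inverse
    return cell, seen
```

Because every hop only ever learns its own key, no relay's view of the cell equals the plaintext, and only the final hop recovers the request.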