{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,10]],"date-time":"2026-03-10T12:07:03Z","timestamp":1773144423559,"version":"3.50.1"},"reference-count":70,"publisher":"Association for Computing Machinery (ACM)","issue":"CSCW2","license":[{"start":{"date-parts":[[2023,9,28]],"date-time":"2023-09-28T00:00:00Z","timestamp":1695859200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Hum.-Comput. Interact."],"published-print":{"date-parts":[[2023,9,28]]},"abstract":"<jats:p>Users face security folklore in their daily lives in the form of security advice, myths, and word-of-mouth stories. Using a VPN to access the Tor network, i.e., Tor over VPN, is an interesting example of security folklore because of its inconclusive security benefits and its occurrence in pop-culture media.<\/jats:p>\n          <jats:p>Following the Theory of Reasoned Action, we investigated the phenomenon with three studies: (1) we quantified the behavior on real-world Tor traffic and measured a prevalence of 6.23%; (2) we surveyed users' intentions and beliefs, discovering that they try to protect themselves from the Tor network or increase their general security; and (3) we analyzed online information sources, suggesting that perceived norms and ease-of-use play a significant role while behavioral beliefs about the purpose and effect are less crucial in spreading security folklore. We discuss how to communicate security advice effectively and combat security misinformation and misconceptions.<\/jats:p>","DOI":"10.1145\/3610193","type":"journal-article","created":{"date-parts":[[2023,10,4]],"date-time":"2023-10-04T15:54:10Z","timestamp":1696434850000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Investigating Security Folklore: A Case Study on the Tor over VPN Phenomenon"],"prefix":"10.1145","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2894-3751","authenticated-orcid":false,"given":"Matthias","family":"Fassl","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6119-9701","authenticated-orcid":false,"given":"Alexander","family":"Ponticello","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0340-6204","authenticated-orcid":false,"given":"Adrian","family":"Dabrowski","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2425-3013","authenticated-orcid":false,"given":"Katharina","family":"Krombholz","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,10,4]]},"reference":[{"key":"e_1_2_2_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376440"},{"key":"e_1_2_2_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.65"},{"key":"e_1_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3054926"},{"key":"e_1_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833633"},{"key":"e_1_2_2_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1595676.1595684"},{"key":"e_1_2_2_6_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Binkhorst Veroniek","year":"2022","unstructured":"Veroniek Binkhorst, Tobias Fiebig, Katharina Krombholz, Wolter Pieters, and Katsiaryna Labunets. 2022. Security at the End of the Tunnel : The Anatomy of VPN Mental Models Among Experts and Non-Experts in a Corporate Context. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, USA, 3433--3450. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/binkhorst"},{"key":"e_1_2_2_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.15"},{"key":"e_1_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3411764.3445061"},{"key":"e_1_2_2_9_1","doi-asserted-by":"publisher","DOI":"10.1191\/1478088706qp063oa"},{"key":"e_1_2_2_10_1","volume-title":"The Study of American Folklore : An Introduction","author":"Brunvand Jan Harold","unstructured":"Jan Harold Brunvand. 1978. The Study of American Folklore : An Introduction second ed.). Norton, New York."},{"key":"e_1_2_2_11_1","volume-title":"Influence: Science and Practice. Pearson Education.","author":"Cialdini Robert B.","year":"2009","unstructured":"Robert B. Cialdini. 2009. Influence: Science and Practice. Pearson Education."},{"key":"e_1_2_2_12_1","volume-title":"The Effect of Social Influence on Security Sensitivity. In 10th Symposium On Usable Privacy and Security (SOUPS ). USENIX Association, 143--157","author":"Das Sauvik","year":"2014","unstructured":"Sauvik Das, Tiffany Hyun-Jin Kim, Laura A Dabbish, and Jason I Hong. 2014a. The Effect of Social Influence on Security Sensitivity. In 10th Symposium On Usable Privacy and Security (SOUPS ). USENIX Association, 143--157."},{"key":"e_1_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660271"},{"key":"e_1_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.14722\/usec.2018.23015"},{"key":"e_1_2_2_15_1","unstructured":"Roger Dingledine. 2012. [Tor-Talk] Tor plus VPN (Was Re: Hi All!). https:\/\/lists.torproject.org\/pipermail\/tor-talk\/2012-January\/022917.html Retrieved 2022--11--23 from"},{"key":"e_1_2_2_16_1","volume-title":"Proceedings of the 14th Privacy Enhancing Technologies (PETS )","author":"Dingledine Roger","year":"2014","unstructured":"Roger Dingledine, Nicholas Hopper, George Kadianakis, and Nick Mathewson. 2014. One Fast Guard for Life (or 9 Months). In Proceedings of the 14th Privacy Enhancing Technologies (PETS ). Amsterdam, Netherlands. https:\/\/doi.org\/10.1.1.645.7692"},{"key":"e_1_2_2_17_1","unstructured":"Roger Dingledine and Nick Mathewson. 2021. Tor Path Specification. https:\/\/github.com\/torproject\/torspec\/blob\/master\/path-spec.txt Retrieved 2022--11--22 from"},{"key":"e_1_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.48550\/ARXIV.2002.11834"},{"key":"e_1_2_2_19_1","unstructured":"Edward Snowden [@Snowden]. 2016. Use Tor. Use Signal. https:\/\/t.co\/VLvBsbVHKs. https:\/\/twitter.com\/Snowden\/status\/778592275144314884 Retrieved 2022--11--22 from"},{"key":"e_1_2_2_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134034"},{"key":"e_1_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1177\/2056305118763366"},{"key":"e_1_2_2_22_1","volume-title":"Predicting and Changing Behavior: The Reasoned Action Approach","author":"Fishbein Martin","year":"2010","unstructured":"Martin Fishbein and Icek Ajzen. 2010. Predicting and Changing Behavior: The Reasoned Action Approach. Psychology Press, New York. BF637.B4 F57 2010"},{"key":"e_1_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/11564096_55"},{"key":"e_1_2_2_24_1","volume-title":"Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS ). USENIX Association","author":"Gallagher Kevin","year":"2017","unstructured":"Kevin Gallagher, Sameer Patil, and Nasir Memon. 2017. New Me : Understanding Expert and Non-Expert Perceptions and Usage of the Tor Anonymity Network. In Proceedings of the Thirteenth Symposium on Usable Privacy and Security (SOUPS ). USENIX Association, Santa Clara, CA, USA, 385--398. https:\/\/www.usenix.org\/system\/files\/conference\/soups2017\/soups2017-gallagher.pdf"},{"key":"e_1_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2665943.2665953"},{"key":"e_1_2_2_26_1","volume-title":"Privacy Advice. In 31st USENIX Security Symposium (USENIX Security 22)","author":"Geeng Christine","year":"2022","unstructured":"Christine Geeng, Mike Harris, Elissa Redmiles, and Franziska Roesner. 2022. \u201cLike Lesbians Walking the Perimeter \u201d: Experiences of U. S. LGBTQ Folks With Online Security, Safety, and Privacy Advice. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, USA, 305--322. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/geeng"},{"key":"e_1_2_2_27_1","doi-asserted-by":"publisher","DOI":"10.1177\/20539517231164108"},{"key":"e_1_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1207\/S1532785XMEP0403_04"},{"key":"e_1_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/978--3--319--73356--2_2"},{"key":"e_1_2_2_30_1","volume-title":"Proceedings of the Fourteenth Symposium on Usable Privacy and Security (SOUPS ). USENIX Association","author":"Habib Hana","year":"2018","unstructured":"Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, and Lorrie Faith Cranor. 2018. Away From Prying Eyes : Analyzing Usage and Understanding of Private Browsing. In Proceedings of the Fourteenth Symposium on Usable Privacy and Security (SOUPS ). USENIX Association, Baltimore, MD, USA, 159--175. https:\/\/www.usenix.org\/system\/files\/conference\/soups2018\/soups2018-habib-prying.pdf"},{"key":"e_1_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2020-0020"},{"key":"e_1_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3544548.3581328"},{"key":"e_1_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987471"},{"key":"e_1_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978310"},{"key":"e_1_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.5555\/3235838.3235842"},{"key":"e_1_2_2_36_1","volume-title":"Eleventh Symposium On Usable Privacy and Security (SOUPS 2015)","author":"Kang Ruogu","year":"2015","unstructured":"Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler. 2015. \"My Data Just Goes Everywhere\": User Mental Models of the Internet and Implications for Privacy and Security. In Eleventh Symposium On Usable Privacy and Security (SOUPS 2015) (SOUPS ). USENIX Association, Ottawa, ON, Canada, 39--52. https:\/\/www.usenix.org\/system\/files\/conference\/soups2015\/soups15-paper-kang.pdf"},{"key":"e_1_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3278532.3278570"},{"key":"e_1_2_2_38_1","volume-title":"User Mental Models of Cryptocurrency Systems - A Grounded Theory Approach. In Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020","author":"Mai Alexandra","year":"2020","unstructured":"Alexandra Mai, Katharina Pfeffer, Matthias Gusenbauer, Edgar Weippl, and Katharina Krombholz. 2020. User Mental Models of Cryptocurrency Systems - A Grounded Theory Approach. In Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020). USENIX Association, 341--358. https:\/\/www.usenix.org\/conference\/soups2020\/presentation\/mai"},{"key":"e_1_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3278532.3278549"},{"key":"e_1_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1037\/0882--7974.15.4.596"},{"key":"e_1_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1463160.1463191"},{"key":"e_1_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3359174"},{"key":"e_1_2_2_43_1","unstructured":"Know Your Meme. 2010. Good Luck I 'm Behind 7 Proxies. https:\/\/knowyourmeme.com\/memes\/good-luck-im-behind-7-proxies Retrieved 2022--11--22 from"},{"key":"e_1_2_2_44_1","unstructured":"Rebecca Moody. 2020. VPN Market Report 2022: Who 's Got the Biggest VPN Market Share? https:\/\/www.comparitech.com\/blog\/vpn-privacy\/vpn-market-share-report\/ Retrieved 2022--11--22 from"},{"key":"e_1_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2020-0006"},{"key":"e_1_2_2_46_1","unstructured":"Nic Newman Richard Fletcher Craig T Robertson Kirsten Eddy and Rasmus Kleis Nielsen. 2022. Reuters Institute Digital News Report 2022. Technical Report. 164 pages. https:\/\/reutersinstitute.politics.ox.ac.uk\/sites\/default\/files\/2022-06\/Digital_News-Report_2022.pdf Retrieved 2022--11--22 from"},{"key":"e_1_2_2_47_1","unstructured":"nusenu. 2021. OrNetStats. https:\/\/nusenu.github.io\/OrNetStats\/ Retrieved 2021-07-05 from"},{"key":"e_1_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3544548.3580766"},{"key":"e_1_2_2_49_1","volume-title":"Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022","author":"Pfeffer Katharina","year":"2022","unstructured":"Katharina Pfeffer, Alexandra Mai, Edgar Weippl, Emilee Rader, and Katharina Krombholz. 2022. Replication: Stories as Informal Lessons about Security. In Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022). USENIX Association, Boston, MA, 1--18. https:\/\/www.usenix.org\/conference\/soups2022\/presentation\/pfeffer"},{"key":"e_1_2_2_50_1","volume-title":"Javier G\u00f3mez Santander, Pablo Roa, Fernando Sancrist\u00f3bal, Esther Morales, David Barrocal relax (Writers), and Javier Quintas relax (Director).","author":"Pina \u00c1lex","year":"2017","unstructured":"\u00c1lex Pina, Esther Mart\u00ednez Lobato, Javier G\u00f3mez Santander, Pablo Roa, Fernando Sancrist\u00f3bal, Esther Morales, David Barrocal relax (Writers), and Javier Quintas relax (Director). 2017. Money Heist - A Matter of Efficiency (Season 2, Part 3). https:\/\/www.imdb.com\/title\/tt6851508\/"},{"key":"e_1_2_2_51_1","volume-title":"The Importance of Visibility for Folk Theories of Sensor Data. In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017","author":"Rader Emilee","year":"2017","unstructured":"Emilee Rader and Janine Slaker. 2017. The Importance of Visibility for Folk Theories of Sensor Data. In Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017). USENIX Association, Santa Clara, CA, 257--270. https:\/\/www.usenix.org\/conference\/soups2017\/technical-sessions\/presentation\/rader"},{"key":"e_1_2_2_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2335356.2335364"},{"key":"e_1_2_2_53_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.24285"},{"key":"e_1_2_2_54_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Ramesh Reethika","year":"2023","unstructured":"Reethika Ramesh, Anjali Vyas, and Roya Ensafi. 2023. \"All of Them Claim to Be the Best\": Multi-perspective Study of VPN Users and VPN Providers. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA. https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/ramesh"},{"key":"e_1_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.1098\/rstb.1990.0090"},{"key":"e_1_2_2_56_1","unstructured":"Tor Reddit. 2021. FAQ : \"Should I Use a VPN with Tor ?\". https:\/\/old.reddit.com\/r\/TOR\/wiki\/index#wiki_should_i_use_a_vpn_with_tor.3F_tor_over_vpn.2C_or_vpn_over_tor.3F Retrieved 2022--11--22 from"},{"key":"e_1_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978307"},{"key":"e_1_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489218"},{"key":"e_1_2_2_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/msp.2017.3681050"},{"key":"e_1_2_2_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/3171533.3171534"},{"key":"e_1_2_2_61_1","doi-asserted-by":"publisher","unstructured":"Bruce Schneier. 2008. The Psychology of Security. In AFRICACRYPT. 30. https:\/\/doi.org\/10.1007\/978--3--540--68164--9_5","DOI":"10.1007\/978--3--540--68164--9_5"},{"key":"e_1_2_2_62_1","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2021-0049"},{"key":"e_1_2_2_63_1","volume-title":"Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS ). USENIX Association","author":"Tang Jenny","year":"2022","unstructured":"Jenny Tang, Eleanor Birrell, and Ada Lerner. 2022. Replication: How Well Do My Results Generalize Now ? The External Validity of Online Privacy and Security Surveys. In Proceedings of the Eighteenth Symposium on Usable Privacy and Security (SOUPS ). USENIX Association, Boston, MA, USA. https:\/\/www.usenix.org\/conference\/soups2022\/presentation\/tang"},{"key":"e_1_2_2_64_1","unstructured":"TOP10VPN and globalwebindex. 2020. Global VPN Usage Report 2020: An Exploration of VPNs and Their Users around the World. Technical Report. 19 pages. https:\/\/www.top10vpn.com\/assets\/2020\/03\/Top10VPN-GWI-Global-VPN-Usage-Report-2020.pdf Retrieved 2022--11--22 from"},{"key":"e_1_2_2_65_1","unstructured":"TorProject Trac. 2022. Tor VPN. https:\/\/trac.torproject.org\/projects\/tor\/wiki\/doc\/TorPlusVPN Retrieved 2022--11--22 from"},{"key":"e_1_2_2_66_1","unstructured":"Matt Traudt. 2016. VPN Tor : Not Necessarily a Net Gain. https:\/\/matt.traudt.xyz\/posts\/2016--11--12-vpn-tor-not-net-gain\/ Retrieved 2022--11--22 from"},{"key":"e_1_2_2_67_1","volume-title":"Observing Password Creation in the Lab. In Eleventh Symposium On Usable Privacy and Security (SOUPS 2015","author":"Ur Blase","year":"2015","unstructured":"Blase Ur, Fumiko Noma, Jonathan Bees, Sean M Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2015. \u201cI Added `!' At the End to Make It Secure \u201d: Observing Password Creation in the Lab. In Eleventh Symposium On Usable Privacy and Security (SOUPS 2015). USENIX Association, Ottawa, ON, Canada, 123--140. https:\/\/www.usenix.org\/conference\/soups2015\/proceedings\/presentation\/ur"},{"key":"e_1_2_2_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/1837110.1837125"},{"key":"e_1_2_2_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/3278532.3278551"},{"key":"e_1_2_2_70_1","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376570"}],"container-title":["Proceedings of the ACM on Human-Computer Interaction"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3610193","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3610193","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,21]],"date-time":"2025-08-21T04:17:07Z","timestamp":1755749827000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3610193"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,9,28]]},"references-count":70,"journal-issue":{"issue":"CSCW2","published-print":{"date-parts":[[2023,9,28]]}},"alternative-id":["10.1145\/3610193"],"URL":"https:\/\/doi.org\/10.1145\/3610193","relation":{},"ISSN":["2573-0142"],"issn-type":[{"value":"2573-0142","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,9,28]]},"assertion":[{"value":"2023-10-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}