Week 36: VPN vs. Tor

Walter Buyu and I addressed the basics of cryptography in Week 16. Last week (i.e., Week 35), we introduced terms like Transport Layer Security (TLS), End-to-End Encryption (E2EE) and Secure Shell (SSH). Today, we’d like to introduce another topic related to encryption that causes confusion – VPN vs. Tor. Both can help you hide your online activity but have different pros and cons. So, let’s delve in.

Tor (a.k.a. The Onion Router) is a free and open-source tool to ensure anonymity over the internet. This is possible because your traffic is routed through a series of servers known as Tor Relays.

(Note: While privacy and anonymity are often used interchangeably, they are different concepts. The latter refers to maintaining your identity private and not your actions, while privacy is aimed, primarily, at protecting your actions).

Tor uses a layer-based approach, hence its name – Onion. These are:

• Entry node: This first server knows your IP address because you initiated the connection.
• Middle node: This serves as a bridge between the entry and exit nodes. It doesn’t know your IP address or the final destination. 
• Exit node: This is the last server through which your data passes. It knows your destination but knows nothing about the origin. 

(Note: The exit node may see the decrypted message, but it doesn’t know anything about the sender).

Just like a VPN, Tor can, as we’ve mentioned, hide your IP, while also providing access to those sites that aren’t indexed by search engines. These sites may provide individuals like activists, whistleblowers, and journalists a safe space to communicate anonymously. Because it prevents governments from tracking your online activity, many threat actors (not necessarily cyber) use it for illicit activities.

(Note: You may find links to some Tor sites here).

(Note: Tor publishes a list of exit nodes. You can find them here. In fact, many organizations prevent tor user’s from accessing their website).

(Note: Tor is legal to use in most countries; however, places like China have prohibited it.)

So, Tor has several pros:

• It’s available at no cost.
• It’s fairly intuitive to use.
• It’s hard to take down because it’s maintained by over 7,000 relays worldwide.
• It’s the best option to achieve anonymity. 
• It helps bypass censorship.

Now let’s look at its cons:

• It’s slow because your data passes through 3 different servers.
• It’s not the best option to download files because of its speed. In fact, many users have to wait x3 to download a file.
• It has some vulnerabilities at a node level. This means that if you’re not using HTTPS, as mentioned earlier, your data can be visible to the exit node. 
• It’s difficult to access geo-restricted content because nodes are randomly allocated. 

A VPN (or Virtual Private Network), on the other hand, provides an encrypted connection (or, in a more technical tone, creates a tunnel) for your data against cyber threat actors (CTAs)  and government surveillance.  This ensures that all your activity remains confidential. 

It also allows you to hide your IP address and replace it with one provided by the VPN service providers, such as NordVPN and ExpressVPN. An additional benefit of such a feature is accessing geo-restricted content. 

(Note: The use of VPNs is not limited to your home. It can be used by businesses to allow their geographically distributed staff to access resources as if they were in the same location). 

So, how does it work?

Well, the VPN creates a secure connection between your device and a remote server using a protocol like OpenVPN. Once that channel has been established, your data gets encrypted before traveling from Point A to Point B, thus making it extremely difficult for Man-In-The-Middle (MITM) attacks. The protected data is then routed using a VPN service provider. The server (or “destination”) will not see your real IP or location. It’s important to mention that tracking is difficult because the IP address allocated is shared with numerous other users. The only information that will be visible is that you used a VPN. 

The advantages of using a VPN include:

• There’s less latency because your activity only passes through one server. 
• While Tor only encrypts data leaving your browser, a VPN can encrypt all connections, including gaming and downloading.
• You can access, as mentioned earlier, specific content by choosing the desired server. 
• While some sites (i.e., government and streaming) are against its use, the vast majority permit it. 

The disadvantages include:

• While free VPNs exist, they aren’t as reliable and secure as the paid ones. 
• While navigating the internet, some VPN companies keep track of your history. 
• If VPNs aren’t deployed and tested properly, sensitive information can be leaked. 
• It’s more difficult to compromise Tor’s 3-node system than a VPN single server approach.

(Note: A third option is to combine the two together, you can find more details here). 

Next week we’ll look at WiFi Security. 

This article is part of a project called Security Chronicles, written jointly with Walter Buyu .

Sources:

• Tor vs. VPN: What’s the difference?
• Tor Project.
• Privacy Decrypted #4: Understanding anonymity vs. privacy. 
• Tor vs. VPN: What They Do and Which is Better.
• Tor vs. VPN: What’s the Difference and Which Is Better?