71

I can't quite figure out the differences between using the Tor browser and using a VPN (like concretely proXPN). From what I understand the idea is the same, that they both hide the IP address. The only difference that I can see is that Tor seems slower because it has to pass through several computers.

So is using the Tor browser better in terms of hiding your identity and online traffic? Is there a difference between who can see your traffic?

(I am guessing that there is a difference.)

(I see this question Which is more secure - a VPN, a proxy-server, Tor, etc.? And why so, exactly? was closed as being too broad, but I hope my question is a bit more concrete.)

Thomas
  • 3,861
  • 4
  • 22
  • 26

6 Answers6

60

TL;DR

Tor provides anonymous web browsing but does not provide security. VPN Services provides security (sort of) and anonymity, but the anonymity might be more in question depending on the service. Since you're depending on them not logging pieces of information that may or may not be able to be traced back to you.

VPNs

Traditional
A traditional Virtual Private Network does not extend your ISP. A VPN extends an existing private network across a public network. For example, let's say my company has a private network with email servers, web servers (intranet), and DNS setup for company related services. It's a private network for company employees only. However, some employees want to work from home. A VPN is set up so that employees can securely connect to the private network remotely. This provides two features:

  1. Authentication - Users present their credentials to gain access to the VPN
  2. Encryption - The entire tunnel between the remote user and the private network's gateway is encrypted.

Take that last statement: "The entire tunnel between the remote user and the private network's gateway is encrypted." Once you're through the gateway, communication is un-encrypted. Unless the services within the private network itself use another means of secure communication.

Keep in mind that no anonymity is provided by this setup. In fact, the company knows exactly what IPs are connecting to its private network.

VPN Services
Nowadays VPN seemingly takes on many meanings, and online/cloud/[insert Internet buzzword here] have complicated things. We see questions now, "Which VPN takes your anonymity seriously?" What has happened is that VPN Services have become a kind of "secure anonymity service". A service will provide secure communications to a proxy server that will then dump your communication out into the clear to whatever your destination.

This is kind of like what a traditional VPN does, except now the statement of "a VPN extends your ISP" is kinda true. Now you're just encrypting the first half of your communications. It extends in the sense that you can access websites and services you might not normally be able to due to your geographic location. But "extends" really isn't the right word to use.


Take ExpressVPN for example, it advertises the following:

  1. Encrypt your Internet traffic and hide your IP address from hackers and spies.
  2. Access any website or app without geographic restrictions or censorship.

Take out "Encrypt your Internet traffic" from the first statement, and you basically have an anonymous proxy. But now that the tunnel is encrypted it's a VPN to your anonymous proxy (gateway) that then forwards your traffic on, into the public Internet.

Tor Browser

Onion Routing

Onion routing was designed to provide complete anonymity to a connection. It accomplishes this with encryption. Three layers of encryption. When using the Tor Network a path is determined with a minimum of 3 nodes (can be more). Encryption keys are setup and exchanged between you and all three nodes. However, only you have all of the encryption keys. You encrypt your data with each of the nodes' keys starting with the last node's (exit node) and ending with the first (entry node). As your data moves through the network a layer of encryption is peeled off and forwarded to the next node.

As you can see the exit node decrypts the last layer, and forwards your data to its destination. Which means your data is in "plaintext"1 at this time, but complete anonymity is accomplished. With at least 3 nodes no node knows both the source and destination.

Anonymity not Security
Tor does not promise secure communications. Encryption is only used to provide anonymity between nodes, your data is not encrypted otherwise. This is why it is still highly encouraged to use HTTPS-enabled websites while using Tor. As @LieRyan mentioned in another thread's comment, sending personally identifiable information through Tor without using other security measures will break any anonymity that Tor provides.

Traffic Visibility

As far as traffic visibility if there is an admin on the network they will be able to see your traffic. Let's take a situation with a VPN: you have your remote laptop R and your private network gateway/secure anonymous proxy (G). Now you have a private network IP that is encrypted from R to G. A network admin sitting on G can see your plaintext1. As stated above if you are using another secure protocol like SSL/TLS through the VPN/VPN Service then the "plaintext" is really encrypted, and the network admin would not see anything but encrypted data.

So this really depends on where the network admin is sitting in the connection, and whether or not you use a secondary secure protocol underneath the VPN. This same logic applies to Tor. Because as I stated earlier encryption is only used for purposes of maintaining anonymity.

Both traditional VPNs and VPN services are to protect against external visibility into the network. Neither of them will protect you from authorized administrators for the network you're on. It's all about protecting your data from unauthorized eyes. Even with SSL/TLS, a website that you're visiting sees your decrypted traffic. It has to in order to process the request. Admins on that website can see those same requests and/or log them. It's the security protocols used initially and in between that make the biggest difference in the security of communication.


1 It's plaintext as far as the data that was sent is seen here. If the data is encrypted with something like SSL/TLS before going through the onion routing then the encrypted data would be seen at this point.

Luc
  • 32,378
  • 8
  • 75
  • 137
RoraΖ
  • 12,347
  • 4
  • 51
  • 83
  • 4
    So... Tor+VPN+SSL on burner device from different countries ? :) – vol7ron Oct 16 '16 at 02:52
  • 1
    Which _security_ does VPN provide though? With Tor, you have to trust the exit node operator, and with VPN you must trust the man who has physical access to the machine where VPN server runs. In both cases there is a possibility that the exit node mistreats your data, and it will see the plaintext if TLS isn't used. – Display Name Dec 05 '17 at 17:41
  • 1
    @SargeBorsch It depends on how you're using a VPN. If you're using a VPN for its original intended purpose which was to securely bridge two private networks then the *security* is that you can communicate between your two networks without someone eavesdropping on your traffic. If you're using internet VPN services to anonymize your traffic then I'd argue they add no *security* at all. Tor is the same, they don't advertise that they provide security. They advertise anonymity. – RoraΖ Dec 05 '17 at 20:58
  • 1
    well in the first case VPN can't be compared to Tor at all because they are solving totally different problems then. – Display Name Dec 06 '17 at 17:26
  • 1
    @RoraΖ great answer! Can you please update it from the perspective of the recent widespread adoption of HTTPS?. Isn't it correct that with HTTPS in Tor, one gets anonymity *with* security? My point being such a config is no worse than a VPN Service, speed notwithstanding. – lineage Jun 09 '21 at 19:06
21

A VPN means your connections pass through one other server. The administrator of your network can't see anything but the fact that you're talking to that VPN server; the administrator of the computer you're ultimately connecting to generally can't see your real source address (though they can see that you're connecting from a given VPN service); but the VPN administrator can see everything (where you're coming from, where you're connecting to, what you're saying provided you're not using end-to-end encryption like TLS). That means that by going to the VPN provider, someone may be able to find out what you're doing.

This isn't just a hypothetical -- VPNs are often used by organizations so that people authorized to use their network can achieve comparable security on an unsecure network (this is the real point of them: protecting against you against the network you're physically connected to, not hiding your identity from the site you're trying to reach). These organizations may well cooperate with an investigation of an illegal use of their network (e.g. illegal filesharing), just like they might do so if you're actually on their network directly. They may have to cooperate with law enforcement conducting a criminal investigation. You're essentially trusting the VPN provider completely to hide your identity, as you would be trusting your network admin absent a VPN.

In contrast, the point of onion routing schemes like Tor is that there isn't a single server that knows who you are and who you're talking to. Each node knows where it got traffic from and where it sent that traffic, but that doesn't mean it knows where the ultimate source or ultimate destination is (only the entry node knows the original source [but it doesn't know it knows this], only the exit note knows the ultimate destination, and neither of them knows who the other one is, because they only talk through a third relay node). Because it's decentralized, there's no single point of failure who can identify you and what you're doing.

cpast
  • 7,263
  • 1
  • 30
  • 35
  • So the Tor browser option the administrator also can't see anything? – Thomas Nov 10 '14 at 20:18
  • 3
    @Thomas With Tor, the only person who knows who you are and your ultimate destination is you. The admin of your network knows only the entry node you connect to. The admin of the destination knows the plaintext and the exit node, but not who you are. The connection goes through three nodes; only the last one knows anything (i.e. the ultimate destination and the plaintext absent TLS), which is essentially what a VPN operator knows, _but_ they don't have the slightest clue who you yourself are. – cpast Nov 10 '14 at 20:36
  • 2
    @cpast Unless, of course, you transmit PII (personally identifiable information) over Tor, in which case the exit node can log that. For example, all BitTorrent traffic contains your IP address. Several exit nodes will log any HTTP form data with a field named `password`. – Riking Nov 10 '14 at 23:48
6

TOR

Tor, known as "The Onion Router", is an anonymization service. Tor makes it difficult to trace your online activities back to you and protects your privacy online. It basically works by routing your Internet traffic through their Tor network made of randomly selected relays which are actually run by volunteers from all around the world.

All the Internet traffic passing though the relays gets encrypted and re-encrypted multiple times until it gets to the exit node.

At the exit node, the last layer of encryption gets decrypted and the data is sent to the destination without exposing the sender's is.

VPN

In a nutshell a VPN service helps to protect your privacy with masking your IP address and encrypting Internet traffic. When connected to VPN server your traffic is encrypted in the VPN tunnel acting as a proxy for your desired website.

Since you're connecting via the VPN tunnel, the websites that you access can only see IP of the VPN server, not original IP of your device. Also since you're in an encrypted tunnel, no one, including hackers and your ISP, can snoop on your web activity or steal your sensitive information.

PROXY

When it comes to security, proxy provides low-level security unlike VPNs. Also most proxies are very slow and unreliable since they are usually free and are used by unlimited number of people. They mostly only used to bypass geographical restrictions, but provide minimal security and privacy. Checkout the VPN v Proxy Comparison link for more info.

Both Tor and Proxy are free, which is OK if you're not looking for great speeds and online security rather than simply anonymity.

With a VPN you have the following:

  • Connection speed is a lot faster through VPN tunnel compared to Tor and Proxy

  • Provides better privacy and security than Tor and Proxy

  • More reliable and stable connection.

vpn-guru
  • 61
  • 1
  • 1
3

A VPN masks your IP address by routing all your internet traffic through the VPN. Tor hides your IP address by making your internet traffic pass through multiple computers in succession so your ISP or government can't decipher which computer originally made the request. VPNs typically keep logs, and some that say they don't keep logs do keep logs due to government pressure. Tor is safe to use if you disable javascript and don't login to any clearnet sites on it.

how tor works diagram

desbest
  • 201
  • 1
  • 7
1

Yeah so my understanding is that Tor relays your traffic through several computers in the middle, which make it near impossible to determine from the exit node who originated the traffic.

VPN's act as a sort of extended ISP that that can track who made the connection (if logging is enabled) to trace it back to you.

The Tor browser also has built in protections within the browser software to protect you from other scripts and plugins that can give away your true source IP.

That being said, Tor is better for anonymity but if you wanted to you could use both a VPN and Tor, even a proxy chain if you really wanted to go crazy.

Curtis
  • 86
  • 1
0

Your apparent IP address will vary according to the exit node you are randomly assigned when you start Tor, and there will be an unknown number of intermediate nodes (controlled by unknown parties) between you and the exit node, creating an unpredictable amount of latency. There is no quality-of-service guarantee. There's also no logging-in necessary.

The random IP assignment is useful if you want to circumvent the limitations on some hosting websites (the kind that only lets you download one file every X minutes or hours)--just tell Tor to find a new exit node before each download.

  • I'm pretty sure Tor uses 3 nodes by default, and can only change this if you build from modified source. – timuzhti Nov 14 '15 at 03:01