Tor vs. VPN

In this post, I wrote about what I consider bullshit with VPN. Now, I would like to discuss the use of Tor, the universal onion router.

Permalink to heading Disclaimer Disclaimer

My point is not to discourage the use of VPN. Even if I wanted to, I couldn’t ^^, but it’s not my point here. I just don’t want people to use it for the wrong reasons.

Permalink to heading Is VPN a right choice for privacy, perhaps anonymity? Is VPN a right choice for privacy, perhaps anonymity?

No.

It could be an extra layer of security, for example, if you suspect some MITM (Man In The Middle) attack, which frequently happens in unsafe (I mean public 🤭) environments.

A practical example would be the public airport WiFi.

In another perspective, it might be convenient to access content from another country that blocks your access.

However, even those benefits are not specific to VPN technology, as there are other ways.

If your goal is to browse the dark side of the moon or outrun authorities (perhaps government adversaries), you don’t use a VPN, even if some providers dare using this bullshit as a marketing argument:

The limits of what some anonymous email services will tolerate became clear last week, over revelations that VPN service provider HideMyAss.com, based in the United Kingdom, turned over information that led to the arrest of 23-year-old Cody Kretsinger in Phoenix.

Source: Darkreading

I admit it’s an extreme example, though. If you have something to hide, not necessarily Hacktivism or criminal activities, but, for example, porn history or some online searches, you don’t use a VPN.

A VPN does hide the traffic from your ISP, but that’s pretty much it. As I wrote in the other post, VPN providers have strict legal duties, and some of them may log your activities and even sell your traffic.

Besides, using a VPN for privacy may raise curiosity. However, that’s probably the case for any measure you take to protect your life these days.

VPN traffic is now flagged by almost all web platforms systematically, and you get more CAPTCHA to solve.

Permalink to heading Don’t use a VPN to encrypt your online traffic Don’t use a VPN to encrypt your online traffic

VPN advocates often explain that the service allows for encrypting your data, making your online activities way more secure.

Not all VPN providers use the latest protocols, which sometimes makes the traffic more vulnerable than you think. Besides, only the connection between you and the VPN server (~ secure tunnel) is encrypted. Data must remain unencrypted once you pass this tunnel to allow Internet traffic.

Permalink to heading What is Tor, and what are the benefits of onion routing? What is Tor, and what are the benefits of onion routing?

It’s amazing how much people think about criminal activities when they hear about Tor. While it’s undeniably one aspect of the problem, many people use it for valid reasons, such as freedom of speech.

Tor is the onion router, which consists of wrapping data with multi-layer encryption using several random relay servers. Each node only knows the path to the next relay. Theoretically, none of them knows the entire journey, especially the exit node, a.k.a. the last relay.

It’s powerful, and provides a high level of anonymity, but even Tor does not reach the “100%” that some VPN providers advertise. Tor has been cracked multiple times by several three-letter agencies and international organizations such as Europol with various techniques such as correlation attacks but not only.

In addition, the list of exit nodes is available publicly, making many web platforms block anyone that emerges from these tunnels.

The cherry on top, neither VPN nor Tor protects you against malware and other viruses you might download by clicking unwisely on malicious links. The dark web is not the devil’s kingdom, but there are a lot of scams, misinformation, and other electronic dangers, making it everything but a safe place to go unless you perfectly know what you are doing.

However, Tor is built for privacy while VPN isn’t.

Permalink to heading Wait, wait, wait… why not use both? Wait, wait, wait… why not use both?

That’s a possibility. Indeed, some people connect to a VPN server before using Tor. It does not solve all problems, but, at least, their ISP does not know they are using Tor.

Besides, it may prevent some of “the bad guys of the dark web” from finding their real IP.

Note that using a VPN is not mandatory to hide that you’re using Tor. The onion browser has an internal setting to select a Tor bridge. It’s beneficial for users in countries where Tor is blocked by the authorities.

However, Tor is significantly slower because of the onion routing, so it’s not the ultimate technology for everything.

Permalink to heading It’s all about your threat model It’s all about your threat model

OWASP defines threat modeling as the act of identifying, communicating, and understanding threats and mitigations within the context of protecting something of value.

It works for applications but real persons too. There are specific techniques you have to apply in a professional context, but you can use simple good sense to assess your personal situation:

What are you doing? What are or can be your adversaries?

You can find your threat model and the associated mitigations according to these elements.

For example, if you suspect your family, friends, or lover of being curious about your activities, you may only need to restrict your social accounts (e.g., protected Instagram or Twitter accounts), secure your phone, and avoid using weak passwords.

If you have good reasons to believe authorities are looking into your activities but you absolutely don’t do anything illegal, then you’d better use Tor and buy a dedicated phone for your calls. However, that can make you look even more suspicious, so be aware of that.

A security researcher or a hacktivist would probably take additional security measures such as using dedicated operating systems.

Some may even buy dedicated hardware, perhaps with cryptocurrencies, and not using an Internet connection that can ultimately point to a personal address.

However, that could also look pretty suspicious (and a bit paranoid).

In the worst-case scenario, if you have highly dangerous activities (not necessarily criminal) that can get you in serious trouble (e.g., advanced investigations by authorities, perhaps government services), then it might be a question of time before you get eventually caught. In other words, there are cases where there’s no mitigation.

Permalink to heading How to configure and use Tor safely How to configure and use Tor safely

It’s essential to remember that Tor does not prevent any data collection or browser fingerprinting. It can be helpful for everything that does not require a user account (no authentication).

Before you jump in, there are several possible configurations, and depending on where you go, you might need to set the maximum level of safety, which means blocking all kinds of scripts (no JavaScript). Otherwise, you could be at risk even if you route your traffic with Tor.

Again, depending on your plan, you might want to take additional security measures. For example, don’t use the tor browser on your operating system directly. Use virtual machines instead, or better, another operating system (e.g., Linux).

It’s best to use a live USB key, a micro SD card, or an external drive. Once you have that, install the Tor Browser and see privacy settings to set the safest mode (no JavaScript). I would also force Tor to use HTTPS only, as I don’t know why I would visit a non-https website.

After that, never reveal any personal information about you, and don’t use nicknames or pictures that could lead back to you, wherever you go. Don’t click unwisely on any link.

Don’t do anything aside like checking your email or running a Google search in a regular browser.

Tor is not an anti-malware solution, so if your machine is already infected with a keylogger, for example, then your activities won’t be private at all.

However, it is not even the safest way. Special Linux distributions and operating systems such as Tails will isolate your activities and prevent classic attacks by anonymizing sensitive inputs such as keystrokes.

You’ll also get tons of additional features to protect your privacy. If you combine it with a live mode installation, your activities will be erased when you power off.

Permalink to heading Conclusion Conclusion

100% anonymity does not exist, whether you use Tor or a VPN. Both have their advantages and inconveniences, but you can combine their use to add an extra layer of safety.

Unfortunately, neither Tor nor a VPN prevents misusages (e.g., you connect to your Twitter account while connected to your VPN) and malicious attacks. However, VPN providers might offer additional services for that.

In short, it’s best if you can think about your threat model to choose the appropriate strategy for your privacy.