Tor vs VPN - a quick analysis

, , ,

In this short post, I want to bring VPNs to your attention, show how I use them and dispel some myths that you may have. If you use VPNs and are familiar, this is probably not for you.

What is a VPN?

A VPN (Virtual Private Network) is, in essence, a network configuration where a server accepts and forwards connections on behalf of the client devices. The server should be publicly accessible so clients can connect to it from anywhere. It should also be powerful enough to service traffic quickly and efficiently.

The VPN server, in essence, does three things:

  • Connect: Any device connected to the VPN network will be accessible as if it were on LAN
  • Encrypt: All traffic between client and server is encrypted, hopefully to a sufficient standard, depending on the VPN settings you apply.
  • Mask: Any server you connect to through the VPN will see the VPN’s IP address. Likewise, your ISP will see you connecting only to the VPN server, and nothing else.

At this point, it should be noted that a VPN server will not make you anonymous. Why? There is a series of identifiers which can be used to pinpoint your identity and location:

  • IP address: No matter which VPN service you use, there is a trail leading to your “real” IP address. If you’re connecting from home, that is going to show up in logs. If you’re on mobile, that IP address will be shown.
  • Time of connection: Most people, I assume, connect to a VPN service when they need it. Usually, you will not be logging on at random times during the night, you will connect when you’re awake. This can be used to at least pinpoint the timezone you’re in, roughly.
  • The end connection: The VPN server, whoever is providing it, has to make its own connection to a proper server on the Internet, and as such, there will be a connection that your IP (from the VPN server’s perspective) connected to a website on the Internet.
  • Connection correlations: You can hide behind any VPN service you like, but once you go on Facebook and log in as John/Jane Doe, your identity is instantly matched. In such a case, a VPN does nothing for you in terms of masking.

No-log policies

Of course, VPN companies will swear to you that they do not keep logs. This, however, cannot be trusted or enforced. If a government comes knocking on the company’s door, they have a warrant that can put you on a blacklist of sorts. If no logs have been kept until now, they will be. From the point where the police ask for logs onwards, you are no longer in a no-log situation. As such, we should not treat VPNs as the ultimate anonymizers.

Oh, but I use a Swiss VPN! I’m not Swiss, so they won’t find me!

Government agencies cooperate. If a local police force can’t get a warrant for an offshore service, they will contact their police department and agree on that police getting a local warrant. Just as the Internet connects people together, the police and government agencies have their own connections. And even if the company itself keeps no logs and sends cops packing, they can just go to the physical locations of the servers, the actual server farms, and ask for information there.

Important point: Your channels encryption ends at the VPN server. From that point on, it’s just a normal Internet connection and can be eavesdropped on.

What is a VPN actually good for, then?

In terms of privacy, a VPN is good for the last mile. If you find yourself in an environment where you do not trust the service provider (public WiFi, library, your mobile connection, etc.), you can mask the type of traffic in that particular environment. However, this only goes from your device to the VPN server, no further. It will not make you “hacker-proof” from attacks on the Internet, it will only shield your connection from being re-routed by someone at the next table.

In terms of connectivity, a VPN that you control can provide you access to devices behind NAT. If you have a VPN server on the Internet and your devices are connected to it, they can get addresses in a private range (something like 192.168.0.0/24) and you can address them as such. At that point, you can say connect to your home server even if it is behind NAT. This is how VPN got its name, it is a virtual (not physical) private network (similar to a LAN). An example of this usecase is Hamachi, which allows you to create a “LAN party” over VPN instead of having to connect to everyone in the same place.

What is no VPN good for?

Mostly, privacy. When you use some commercial VPN service, it will provide you a “masked” IP address. From a privacy standpoint, that IP is used by multiple devices together with yours. Well, even if you are doing no wrong, someone else may be under observation by a court order and spied on. In that case, you get caught in the net of surveillance unwittingly.

Another thing may be paid services. A list of VPN endpoints is usually available (or can be obtained for relatively cheap). Many services have a list of known bad IP addresses, and if you are seen using them, you will not be allowed in. Netflix can disable your access easily if they find you using some VPN services, as can any other service, should they feel that way. Banks especially don’t like VPNs, and I can’t blame them. It is the first thing I would do as an attacker, mask my IP address and log in as some victim to withdraw/move money around.

It is very difficult to keep your VPNs separate. After a while, the discipline will fade away. We all make mistakes, and it would be a matter of time until you, too, get complacent. At that point, your VPN can be “burned” and your secret profile a company has on you will say “Uses VPN? YES, from so-and-so.”

Need privacy? Add layers.

If you are in need of privacy in the original sense, there are ways to obtain it. The best one I can think of is TOR, The Onion Router. It was developed by the US Navy, as far as I know, to create a secure communications channel where neither endpoint knows who the other is, and where no intermittent server has the full picture.

Any TOR connection includes 5 devices in total. Your device, 3 TOR nodes, and the endpoint you want to connect to. When a channel is set up, your device connects to an entry node. This node knows who you are. The entry node connects to an intermediary, the middle node. This node knows the entry node and exit node, but not you or the server. Lastly, we have the exit node, which connects the intermediary to the end server. It knows the middle node and where the connection is going, but has no idea who the entry node or your device is. The Onion router gets its name from the fact that you start with 3 layers of encryption, and one layer being removed at every hop.

Compare this with a VPN: Client connects to a VPN server, VPN server connects to website. At this point, the VPN server knows who you are and where you’re going.

This way, we have secrecy even if we cannot trust some servers in the chain. An attacker would have to compromise the entry, middle, and exit nodes to be able to snoop on your traffic and get the full picture. Alternatively, they could just hijack your device, but that is a different story.

As you can see, TOR hides your traffic from your ISP, the end server, and the servers themselves. The cost is given: The connection can be painfully slow. The distance between servers can be huge, with the entry point being near, the middle server being halfway across the world, and the exit node again being near where you are. The physical distance, combined with encryption that happens at every hop, makes the connection slow and, at times, unreliable. Still, it is the most private way to connect, if you don’t use it to log into Facebook.

One issue with TOR is that you cannot always rely on it. The TOR exit nodes are well-known, and can often be set as “known bad” by companies. In that case, they will drop any connection you will try to open. In such cases, some people use TV (Tor+VPN) connections to mask their IP and still get the benefit of TOR. This way, you get a horribly bad connection, but the VPN service shouldn’t know who you are (provided you don’t pay with a credit card, of course.)

So what should we use?

The answer, as with many things in life, is the ultimate “depends.”

  • If you need privacy and can live with a slow connection, go with Tor.
  • If you need speed for streaming, uploading data, or need to see region-locked content, use a VPN service.
  • If you want to access your devices from anywhere and don’t want to (or cannot) punch holes in your router, you can build your own VPN service. In that setup, you only get one IP address and the server is most likely tied to you in some way (payment information, where you logged in from, etc.), but you can connect to any other server you connect to it.

Please, consider what would be the easiest for you. Do not just buy a VPN subscription if you don’t need it. Do not set up a VPN server on your own without knowing the risks and locking it down. There are manuals on that online, feel free to use them. If you need something free and quick to set up, Tor is the way to go, in my opinion. It has been vetted, has had its issues, but then the responsibility is on you. If you need a VPN service, pay with crypto (Monero is best).

I hope this helps clear up any misconceptions you may have had and will challenge me if I fumbled any of the explanations, or got something horribly wrong!