Tor versus a VPN - Which is right for you?

This article assumes you have a basic understanding of The Onion Router (Tor) and Virtual Private Networks (VPN), as well as a desire to protect your privacy on the Wild World Web.

Having chosen to not take refuge under a large, dense object for the last several decades (not that i'd blame you), you're probably aware of how fragile privacy and freedom has become in the digital age. At the network level a lot of people (including Ed) recommend The Onion Router (Tor) in order to protect ones privacy. Others prefer using a Virtual Private Network (a VPN is really more like proxy than a network) and still others recommend using both with a VPN preceding the connection to Tor. If you're wondering what i recommend, i don't. I'll leave that decision up to you since it's not a one-size-fits-all thing and, more importantly, i'm not qualified to make such a suggestion and neither are most other people making such suggestions. What i would like to do however is point out some of the differences between the Tor and so-called VPN's as i see them because each has distinct advantages and disadvantages.

• Using the Tor network is free, as is the Tor Browser, a privacy and security hardened version of Firefox used to connect to the Tor network. The Tor Project source code is public and the servers can be run by anyone, including bad actors, however there is debate as to how much impact a malicious operator can have.
• Unless you run your own VPN, which which i suspect requires a god-like level of technical prowess and secured hardware to do it right, a VPN service will cost you roughly $5 to $10 per month and a lot of the companies providing service are highly unethical. As a rule of thumb, never trust a VPN provider offering their service for "free". Personally i also avoid the big names, like NordVPN. I simply don't trust large corporations, many of which have very poor track records, including Nord.
• Tor advocates often describe Tor a "trustless", meaning that one does not have to trust the software since it's open-source, however this is misleading since no one really knows what a malicious Tor node operator can do or what exploits exist that have never been disclosed. While it is true that no VPN can be fully trusted regarding security or privacy, the same is true for the Tor network. See for example, Tor Network Compromised by Single Hacker Stealing Users' Bitcoin: Report and 'You Are Not Anonymous on Tor' - Study Shows Privacy Network Offers Superficial Anonymity. We know there is a massive amount of money to be made in malware and vendors, many of which sell exploits to governments and intelligence communities, have little or no incentive to disclose the vulnerabilities they discover. These vulnerabilities can remain secret for weeks, months, or years. Knowing this, i think it is dangerously illogical to conclude that anything is secure, including Tor.
• Picking a bad VPN that doesn't respect your privacy is easier than getting your drone stuck in a tree, however there is only one Tor Project and one official Tor Browser and the source code for both is public and open to auditing.
• When using the Tor network, it is strongly suggested to use the Tor Browser (a fork of Firefox) in its default configuration. Remaining anonymous on Tor depends heavily on uniformity and so, with few exceptions, you can kiss your beloved add-ons goodbye. With a VPN one has more choices as to what browser and add-ons they use, though these choices must be weighed carefully.
• Avoiding browser fingerprinting and tracking is much easier to achieve with Tor, while preventing fingerprinting outside of Tor is quite difficult whether using a VPN or not. In both cases however, and assuming you've taken some precautions, the websites you visit will not know your physical location and they will be less able to fingerprint and track your browser. That said, nothing can protect your privacy if you log on to privacy toxic surveillance platforms like Facebook, Instagram, Twitter, Google, YouTube, etc., using your real identity or the same credentials you used prior to using Tor or a VPN.
• Because of the layers of encryption that Tor employs, bandwidth limitations, the load on the nodes, etc., Tor will generally provide a slower web experience, higher latency, and a less stable connection than a good VPN. This problem is exacerbated if one adds more nodes to the Tor circuit. File sharing is discouraged with Tor and latency sensitive traffic such as gaming is out of the question. Even watching high definition videos can be problematic.
• Tor may insulate users from a malicious operator better than a VPN, partly because a Tor circuit is composed of multiple nodes whereas a VPN usually presents a single point of attack. Though some VPN providers offer an option to route traffic through more than one node, all the nodes are controlled by the same company. One could chain multiple VPNs, but at an added cost.
• Different people require different levels of privacy. A journalist wishing to communicate privately with a source may be better off using Tails and Tor. On the other hand, someone wanting to download copyrighted content whilst avoiding nasty-grams from their ISP, or stream high resolution videos, or game, or most other non-sensitive and bandwidth intensive activities, may be better off with a VPN.
• With Tor it is non-trivial and ill advised to choose what exit node you want to connect to, whereas any good VPN provider will allow you to swap between any of their servers and doing is usually just a couple mouse clicks away if you use their client software. One advantage of being able to choose among servers is the ability to access content which is blocked in a particular geographical region, such as certain videos.
• VPN client software may not be open source and may not respect your privacy even if it is, however any good VPN provider will allow connections using other methods, such as with OpenVPN or, better yet, WireGuard. Setting up a connection manually to your VPN provider will require a bit of time verses using their app, though doing so is usually fairly easy. This issue is non-existent with Tor.
• Both Tor exit nodes and VPN nodes are subject to having their IP addresses blacklisted by governments, corporate websites, and even private website owners which results in the inability to connect to them. In the case of a VPN this is fairly rare in my personal experience, however those who shop online are more likely to have trouble with either Tor or a VPN, though the problem may be exacerbated with Tor and the Tor Browser whereas with a VPN one can easily switch servers to try and solve the problem. That said, if you're shopping on-line and giving up personal information, there's probably no point in routing the connection through Tor or a VPN and in either case it is trivial to bypass them.
• Choosing to use Tor is more of a simple yes or no decision, while choosing to use a VPN requires research in order to locate a trustworthy provider that offers a stable service. The VPN market is exploding and so are the number of ethically retarded providers. Be careful when reading VPN "reviews" because many of them are written by the providers themselves or paid bloggers. I've had several offers from VPN providers asking me to post content here in exchange for money (i always turn them down).
• Unless you configure your network device to route through Tor, the only traffic routed through the network when using the Tor Browser is the web traffic generated by your browser, whereas with a VPN, typically all network traffic generated by your computer is routed through your VPN. With a suitable router you also have the option to set up the VPN on the router so that anything that connects to your local network is protected. This is fairly easy to do with routers which support it, such as the Peplink Surf SOHO, the Turris Omnia or the Vikings routers, or those for which you can install custom firmware, such as OpenWRT.
• An entire Tor network, including the entrance and exit nodes, can be run on a single machine using software such as The Shadow Simulator. This may present very serious privacy/security issues that undermine network layering if such a configuration is employed by a malicious party such an ISP, law enforcement or the intelligence community.

Because of the garbage disseminated in the mainstream media, much of the public sees Tor as being synonymous with the 'Dark Web' which many believe is nothing more than a haven for criminals. Tor can be thought of simply as a service, such as your phone company provides, and, as with any service, it can be used by bad people to do bad things or good people to do good things. For the average person wanting to protect their privacy, Tor may provide a portal to access the same websites one visits every day, but in a more private and secure way. That said, yes, there is a 'dark' web that is accessible only through software like Tor and while some of the content available in it is indeed illegal and extremely offensive, there is also a lot of quality content which is otherwise censored on the open web.

Some people believe that using Tor will attract the attention of the intelligence community and that claim is not entirely unwarranted. While it is apparently true that using encryption may raise the eyebrow of 'The Man', such criminal spying on the public by governments is certainly not limited to those using Tor. More importantly, our inherent right of free speech is under severe attack not only by governments, but by ourselves as individuals who tend to self-censor simply because of the belief that we are being watched. This is a very dangerous situation because we cannot work toward a free and transparent society if our ability to communicate is compromised.

I'm hesitant to recommend a VPN provider if you decide to go that route, however in the interest of hopefully steering you away from the plethora of garbage companies out there, and there are plenty of them, i will offer my personal insight.

I have used both NordVPN and AirVPN in the past, both of which should be avoided. The only VPN providers i would recommend at this point are those that own and secure their hardware, both physically and technologically.

NordVPN is a huge player in the VPN market, however Nord's service wasn't very good, one reason being unstable connections and another being blacklisted IP addresses. Also i find the shear size of the company, their cheap prices, rotten track record, and a recent merger to be worrying. Finally, Nord has had some extremely serious security issues. In 2018 NordVPN suffered a catastrophic hack and failed to handle the situation in an ethical manner.

NordVPN, a virtual private network provider that promises to "protect your privacy online," has confirmed it was hacked.

The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.

[...]

NordVPN told TechCrunch that one of its data centers was accessed in March 2018. "One of the data centers in Finland we are renting our servers from was accessed with no authorization," said NordVPN spokesperson Laura Tyrell.

The attacker gained access to the server - which had been active for about a month - by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.

[...]

NordVPN said it found out about the breach a "few months ago," but the spokesperson said the breach was not disclosed until today because the company wanted to be "100% sure that each component within our infrastructure is secure."

A senior security researcher we spoke to who reviewed the statement and other evidence of the breach, but asked not to be named as they work for a company that requires authorization to speak to the press, called these findings "troubling."

"While this is unconfirmed and we await further forensic evidence, this is an indication of a full remote compromise of this provider's systems," the security researcher said. "That should be deeply concerning to anyone who uses or promotes these particular services."

NordVPN said "no other server on our network has been affected."

But the security researcher warned that NordVPN was ignoring the larger issue of the attacker's possible access across the network. "Your car was just stolen and taken on a joy ride and you're quibbling about which buttons were pushed on the radio?" the researcher said.

[...]

It's also believed several other VPN providers may have been breached around the same time. Similar records posted online - and seen by TechCrunch - suggest that TorGuard and VikingVPN may have also been compromised.

What Nord should have done is immediately cease service until the scope of the breach could be determined and the security hole patched instead of continuing to potentially compromise the security and privacy of all of its customers.

NordVPN, TorGuard and VikingVPN disclose security breaches

NordVPN, one of the most well-known VPN provider, had confirmed a security breach in early 2018. At fault, there's the data centre provider from Finland, where the server was hosted. The data centre provider used an insecure remote management system that NordVPN was "unaware" of. Although NordVPN seems to be playing down the occurrence, there's an anonymous post on 8chan, shared by Cryptostorm's Twitter account, that claims that the hacker had root access to the server. NordVPN states that the TLS key that was stolen was expired, and no VPN traffic could be decrypted.

The same 8chan user showed access to servers from two other VPN providers – TorGuard and VPNViking.

I have also personally found piles of user credentials on pastebin.com for NordVPN.

After i gave up on Nord i started using AzireVPN, a smaller Swedish company that focuses on the WireGuard protocol which has several distinct advantages over the older OpenVPN protocol. There are a few key reasons i switched to Azire, one being that they claim to own, secure and configure their hardware rather than lease it like virtually everyone else, Nord, Mullvad and Air included. They also claim to employ some interesting security measures to prevent tampering, including physically sealing unused ports and running everything in RAM (no hard drives).

Many speak highly of Mullvad VPN and while i have no personal experience with them, the company looks very interesting in that they support WireGuard and claim to own a portion of their own servers while the remainder are dedicated boxes. Many of their servers, whether owned or dedicated, run the OS in RAM (see their Servers page for details). Mullvad accepts cryptocurrency and doesn't require you to disclose any personal information. A comment by a reader prompted me to take a closer look at Mullvad which, for whatever reason, i incorrectly assumed rented all their servers.

Azire and Mullvad are the only companies i know of thus far that take these kinds of precautions and while there is no proof for some of these claims, nothing is guaranteed elsewhere in the digital world either. Previously i had included OVPN in this mix, however they have been acquired by Pango who also owns Betternet and Hotspot Shield.

Regarding performance i have had little trouble with Azire's service and latency and bandwidth have been excellent. Unlike Nord, i haven't had to switch server locations every few days because of network degradation. Lastly, Azire accepts cryptocurrency so you can purchase and use their service anonymously without having to provide any personal information, however all VPN service providers will know your IP address. If you choose Azire, please consider using my affiliate link which gives me some free time with them.

FreePN is also another interesting player in the privacy market. This project is building a free, open-source, distributed VPN service similar to the Tor network. There are caveats with this service however, so please do your homework. Read: FreePN: Free, open-source, distributed VPN.

In the end, i suspect that there may not be any service that is capable of providing truly anonymous electronic communications. It seems that any technology can be surveilled and crucial information gleaned from it, at least to some extent.

The Government is Buying Your Data With Your Money

Further resources on 12bytes.org

• FreePN: Free, open-source, distributed VPN – 12Bytes.org
• Navigating the VPN Hellscape – 12Bytes.org
• Search Results for "vpn" – 12Bytes.org

External resources

• A mysterious threat actor is running hundreds of malicious Tor relays
• About to use Tor. Any security tips? - Matt Traudt
• Exploit vendor drops Tor Browser zero-day on Twitter | ZDNet
• How Can You Trust a Virtual Private Network to Protect Your Privacy? | Stay Safe Online
• How the NSA Takes On the Tor Project
• Security and Privacy of VPNs Running on Windows 10 (white paper, PDF)
• Tor (anonymity network) | Wikipedia
• Torproject TOR : List of security vulnerabilities
• Tor Browser news: Three vulnerabilities allow spies to detect Tor browsers | Cloud Pro
• Tor Browser Has a Flaw That Governments May Have Exploited | PCMag.com
• Tor Network Compromised by Single Hacker Stealing Users' Bitcoin: Report | Yahoo Finance
• UNITED STATES DISTRICT COURT for the District of Massachusetts United States of America V. Ryan S. Lin | U.S. DOJ (PureVPN found to be keeping logs)
• Virtual private network | Wikipedia
• VPN + Tor: Not Necessarily a Net Gain - Matt Traudt
• Well, I read up on Tor… | MobilityDigest
• 'You Are Not Anonymous on Tor' - Study Shows Privacy Network Offers Superficial Anonymity | Privacy Bitcoin News

Miscellaneous resources

• 3 Years Later, the Snowden Leaks Have Changed How the World Sees NSA Surveillance | Electronic Frontier Foundation
• arkenfox/user.js: An ongoing comprehensive user.js template for configuring and hardening Firefox privacy, security and anti-fingerprinting | GitHub
• In Depth Review: New NSA Documents Expose How Americans Can Be Spied on Without A Warrant | Electronic Frontier Foundation
• Opt out of global data surveillance programs like PRISM, XKeyscore, and Tempora | PRISM Break
• Privacy International
• The second operating system hiding in every mobile phone | OSnews
• WikiLeaks