top of page
Search
Writer's pictureAdolfo Ruiz
Oct 25, 201914 min read

TOR vs VPN

Updated: Oct 26, 2019

We have to understand first how VPN and TOR works before anything else.


TOR

Is free and open-source software for enabling anonymous communication the name is derived from an acronym for the original software project name "The Onion Router". Tor directs Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity to the user: this includes "visits to Web sites, online posts, instant messages, and other communication forms".Tor's intended use is to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities unmonitored.

Tor does not prevent an online service from determining when it is being accessed through Tor. Tor protects a user's privacy, but does not hide the fact that someone is using Tor. Some websites restrict allowances through Tor. For example, Wikipedia blocks attempts by Tor users to edit articles unless special permission is sought.

Onion routing is implemented by encryption in the application layer of a communication protocol stack, nested like the layers of an onion. Tor encrypts the data, including the next node destination IP address, multiple times and sends it through a virtual circuit comprising successive, random-selection Tor relays. Each relay decrypts a layer of encryption to reveal the next relay in the circuit to pass the remaining encrypted data on to it. The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing or knowing the source IP address. Because the routing of the communication was partly concealed at every hop in the Tor circuit, this method eliminates any single point at which the communicating peers can be determined through network surveillance that relies upon knowing its source and destination.

An adversary may try to de-anonymize the user by some means. One way this may be achieved is by exploiting vulnerable software on the user's computer. The NSA had a technique that targets a vulnerability – which they codenamed "EgotisticalGiraffe" – in an outdated Firefox browser version at one time bundled with the Tor package and, in general, targets Tor users for close monitoring under its XKeyscore program. Attacks against Tor are an active area of academic research which is welcomed by the Tor Project itself. The bulk of the funding for Tor's development has come from the federal government of the United States, initially through the Office of Naval Research and DARPA.



Tor aims to conceal its users' identities and their online activity from surveillance and traffic analysis by separating identification and routing. It is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers around the globe. These onion routers employ encryptionin a multi-layered manner (hence the onion metaphor) to ensure perfect forward secrecy between relays, thereby providing users with anonymity in network location.

The core principle of Tor, "onion routing", was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson, and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online. Onion routing was further developed by DARPA in 1997.

The alpha version of Tor, developed by Syverson and computer scientists Roger Dingledine and Nick Mathewson and then called The Onion Routing project, or Tor project, launched on 20 September 2002.The first public release occurred a year later. On 13 August 2004, Syverson, Dingledine, and Mathewson presented "Tor: The Second-Generation Onion Router" at the 13th USENIX Security Symposium. In 2004, the Naval Research Laboratory released the code for Tor under a free license, and the Electronic Frontier Foundation (EFF) began funding Dingledine and Mathewson to continue its development.

In December 2006, Dingledine, Mathewson, and five others founded The Tor Project, a Massachusetts-based research-education nonprofit organization responsible for maintaining Tor. The EFF acted as The Tor Project's fiscal sponsor in its early years, and early financial supporters of The Tor Project included the U.S. International Broadcasting Bureau, Internews, Human Rights Watch, the University of Cambridge, Google, and Netherlands-based Stichting NLnet.

From this period onward, the majority of funding sources came from the U.S. government.

In November 2014 there was speculation in the aftermath of Operation Onymous that a Tor weakness had been exploited. A BBC source cited a "technical breakthrough" that allowed the tracking of the physical locations of servers. In November 2015 court documents on the matter, besides generating serious concerns about security research ethics and the right of not being unreasonably searched guaranteed by the US Fourth Amendment, may also link the law enforcement operation with an attack on Torearlier in the year.

In December 2015, The Tor Project announced that it had hired Shari Steele as its new executive director. Steele had previously led the Electronic Frontier Foundation for 15 years, and in 2004 spearheaded EFF's decision to fund Tor's early development. One of her key stated aims is to make Tor more user-friendly in order to bring wider access to anonymous web browsing.

In July 2016 the complete board of the Tor Project resigned, and announced a new board, made up of Matt Blaze, Cindy Cohn, Gabriella Coleman, Linus Nordberg, Megan Price, and Bruce Schneier.


VPN (Virtual Private Network)

A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running on a computing device, e.g., a laptop, desktop, smartphone, across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, though not an inherent, part of a VPN connection.

VPN technology was developed to allow remote users and branch offices to access corporate applications and resources. To ensure security, the private network connection is established using an encrypted layered tunneling protocol and VPN users use authentication methods, including passwords or certificates, to gain access to the VPN. In other applications, Internet users may secure their connections with a VPN, to circumvent geo-restrictions and censorship, or to connect to proxy servers to protect personal identity and location to stay anonymous on the Internet. However, some websites block access to known VPN technology to prevent the circumvention of their geo-restrictions, and many VPN providers have been developing strategies to get around these roadblocks.

A VPN is created by establishing a virtual point-to-point connection through the use of dedicated circuits or with tunneling protocols over existing networks. A VPN available from the public Internet can provide some of the benefits of a wide area network (WAN). From a user perspective, the resources available within the private network can be accessed remotely.



virtual private network topology where two or more participants connect to a central switchboard server managed typically by a third party in order to create a virtual private network between them, as distinct from a typical VPN arrangement whereby clients of an organisation connect to a VPN concentrator managed by the same organization.


TYPES

Early data networks allowed VPN-style connections to remote sites through dial-up modem or through leased line connections utilizing X.25, Frame Relay and Asynchronous Transfer Mode (ATM) virtual circuits, provided through networks owned and operated by telecommunication carriers. These networks are not considered true VPNs because they passively secure the data being transmitted by the creation of logical data streams. They have been replaced by VPNs based on IP and IP/Multi-protocol Label Switching(MPLS) Networks, due to significant cost-reductions and increased bandwidth provided by new technologies such as digital subscriber line (DSL) and fiber-optic networks.

VPNs can be characterized as host-to-network or remote access by connecting a single computer to a network, or as site-to-site for connecting two networks. In a corporate setting, remote-access VPNs allow employees to access the company's intranet from outside the office. Site-to-site VPNs allow collaborators in geographically disparate offices to share the same virtual network. A VPN can also be used to interconnect two similar networks over a dissimilar intermediate network; for example, two IPv6 networks over an IPv4network.

VPN systems may be classified by:

  • the tunneling protocol used to tunnel the traffic

  • the tunnel's termination point location, e.g., on the customer edge or network-provider edge

  • the type of topology of connections, such as site-to-site or network-to-network

  • the levels of security provided

  • the OSI layer they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity

  • the number of simultaneous connections.

Security Mechanisms

VPNs cannot make online connections completely anonymous, but they can usually increase privacy and security. To prevent disclosure of private information, VPNs typically allow only authenticated remote access using tunneling protocols and encryption techniques.


The VPN security model provides:


Secure VPN protocols include the following:

Authentication

Tunnel endpoints must be authenticated before secure VPN tunnels can be established. User-created remote-access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic methods. Network-to-network tunnels often use passwords or digital certificates. They permanently store the key to allow the tunnel to establish automatically, without intervention from the administrator.


Routing


Provider-provisioned VPN building-blocks

Depending on whether a provider-provisioned VPN (PPVPN) operates in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combine them both. Multi-protocol label switching (MPLS) functionality blurs the L2-L3 identity.


Customer (C) devices

A device that is within a customer's network and not directly connected to the service provider's network. C devices are not aware of the VPN.


Customer Edge device (CE)

A device at the edge of the customer's network which provides access to the PPVPN. Sometimes it is just a demarcation point between provider and customer responsibility. Other providers allow customers to configure it.


Provider edge device (PE)

A PE is a device, or set of devices, at the edge of the provider network which connects to customer networks through CE devices and presents the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and maintain VPN state.


Provider device (P)

A P device operates inside the provider's core network and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal role is allowing the service provider to scale its PPVPN offerings, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of providers.


User-visible PPVPN services


Virtual LAN

Virtual LAN (VLAN) is a Layer 2 technique that allow for the coexistence of multiple local area network (LAN) broadcast domains, interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking protocols have been used but have become obsolete, including Inter-Switch Link (ISL), IEEE 802.10 (originally a security protocol but a subset was introduced for trunking), and ATM LAN Emulation (LANE).


Virtual private LAN service (VPLS)

Developed by Institute of Electrical and Electronics Engineers, Virtual LANs (VLANs) allow multiple tagged LANs to share common trunking. VLANs frequently comprise only customer-owned facilities. Whereas VPLS as described in the above section (OSI Layer 1 services) supports emulation of both point-to-point and point-to-multipoint topologies, the method discussed here extends Layer 2 technologies such as 802.1d and 802.1q LAN trunking to run over transports such as Metro Ethernet.

As used in this context, a VPLS is a Layer 2 PPVPN, emulating the full functionality of a traditional LAN. From a user standpoint, a VPLS makes it possible to interconnect several LAN segments over a packet-switched, or optical, provider core; a core transparent to the user, making the remote LAN segments behave as one single LAN.

In a VPLS, the provider network emulates a learning bridge, which optionally may include VLAN service.


Pseudo wire (PW)

PW is similar to VPLS, but it can provide different L2 protocols at both ends. Typically, its interface is a WAN protocol such as Asynchronous Transfer Mode or Frame Relay. In contrast, when aiming to provide the appearance of a LAN contiguous between two or more locations, the Virtual Private LAN service or IPLS would be appropriate.


Ethernet over IP tunneling

EtherIP (RFC 3378) is an Ethernet over IP tunneling protocol specification. EtherIP has only packet encapsulation mechanism. It has no confidentiality nor message integrity protection. EtherIP was introduced in the FreeBSD network stack and the SoftEther VPN server program.


IP-only LAN-like service (IPLS)

A subset of VPLS, the CE devices must have Layer 3 capabilities; the IPLS presents packets rather than frames. It may support IPv4 or IPv6.


OSI Layer 3 PPVPN architectures

This section discusses the main architectures for PPVPNs, one where the PE disambiguates duplicate addresses in a single routing instance, and the other, virtual router, in which the PE contains a virtual router instance per VPN. The former approach, and its variants, have gained the most attention.

One of the challenges of PPVPNs involves different customers using the same address space, especially the IPv4 private address space. The provider must be able to disambiguate overlapping addresses in the multiple customers' PPVPNs.


BGP/MPLS PPVPN

In the method defined by RFC 2547, BGP extensions advertise routes in the IPv4 VPN address family, which are of the form of 12-byte strings, beginning with an 8-byte route distinguisher (RD) and ending with a 4-byte IPv4 address. RDs disambiguate otherwise duplicate addresses in the same PE.

PEs understand the topology of each VPN, which are interconnected with MPLS tunnels, either directly or via P routers. In MPLS terminology, the P routers are Label Switch Routers without awareness of VPNs.


Virtual router PPVPN

The virtual router architecture, as opposed to BGP/MPLS techniques, requires no modification to existing routing protocols such as BGP. By the provisioning of logically independent routing domains, the customer operating a VPN is completely responsible for the address space. In the various MPLS tunnels, the different PPVPNs are disambiguated by their label, but do not need routing distinguishers.


Unencrypted tunnels

Some virtual networks use tunneling protocols without encryption for protecting the privacy of data. While VPNs often do provide security, an unencrypted overlay network does not neatly fit within the secure or trusted categorization.For example, a tunnel set up between two hosts with Generic Routing Encapsulation (GRE) is a virtual private network, but neither secure nor trusted.[25][26]

Native plaintext tunneling protocols include Layer 2 Tunneling Protocol (L2TP) when it is set up without IPsec and Point-to-Point Tunneling Protocol (PPTP) or Microsoft Point-to-Point Encryption (MPPE).


Trusted delivery networks

Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider's network to protect the traffic.

  • Multi-Protocol Label Switching (MPLS) often overlays VPNs, often with quality-of-service control over a trusted delivery network.

  • L2TP which is a standards-based replacement, and a compromise taking the good features from each, for two proprietary VPN protocols: Cisco's Layer 2 Forwarding (L2F) (obsolete as of 2009) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).

  • From the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the trusted delivery network runs among physically secure sites only, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.

VPN in mobile environments

Users utilize mobile virtual private networks in settings where an endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks such as data networks from cellular carriers or between multiple Wi-Fi access points without dropping the secure VPN session or losing application sessions. Mobile VPNs are widely used in public safety, where they give law-enforcement officers access to applications such as computer-assisted dispatch and criminal databases, and in other organizations with similar requirements such as Field service management and healthcare.


VPN on routers

With the increasing use of VPNs, many have started deploying VPN connectivity on routers for additional security and encryption of data transmission by using various cryptographic techniques.Home users usually deploy VPNs on their routers to protect devices, such as smart TVs or gaming consoles, which are not supported by native VPN clients. Supported devices are not restricted to those capable of running a VPN client.

Many router manufacturers supply routers with built-in VPN clients. Some use open-source firmware such as DD-WRT, OpenWRT and Tomato, in order to support additional protocols such as OpenVPN.

Setting up VPN services on a router requires a deep knowledge of network security and careful installation. Minor misconfiguration of VPN connections can leave the network vulnerable. Performance will vary depending on the Internet service provider (ISP).


Networking limitations

A limitation of traditional VPNs is that they are point-to-point connections, and do not tend to support broadcast domains. Therefore, communication, software, and networking, which are based on layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported as on a local area network. Variants on VPN, such as Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are designed to overcome this limitation.


Public or private VPN

Users must consider that when the transmitted content is not encrypted before entering a VPN, that data is visible at the receiving endpoint (usually the public VPN provider's site), regardless of whether the VPN tunnel wrapper itself is encrypted for the inter-node transport. The only secure VPN is where the participants have oversight at both ends of the entire data path, or the content is encrypted before it enters the tunnel provider.


Legality

Unapproved VPNs are reportedly illegal in China, as they can be used to circumvent the Great Firewall. Enforcement, however, is likely not comprehensive.


VPN vs TOR

The purpose of Tor is very similar to VPN, primary purpose is to maintain internet users online anonymity and to evade firewalls. Like VPN, it can also be used to spoof Geo-location by the user continually re-connecting until the exit node is in the desired country.

Not only is the technology used dissimilar but they are also quite different in use.


Tor advantages

  • No-one can trace you to external IPs visited

  • Distributed network – almost impossible to shut down or attack in a meaningful way


Tor disadvantages

  • Very slow – because your data is randomly bounced through a number of nodes, each of which could be anywhere in the world, using Tor can be painfully slow

  • Not suitable for P2P file sharing – while there is no way to stop you from using BitTorrent over Tor (and people do it) it is a) very slow, and b) very bad form as it slows down the entire network for every other user, for some of whom access to the internet via Tor may be of critical and possibly importance

  • While it can, at a pinch, be used for location spoofing (see above), Tor is a very fiddly and inefficient way to go about it. In addition to this, the slowness of Tor means that using the service to stream Geo-restricted media services is unfeasible.


VPN advantages

  • Fast generally you will see little slowdown to your raw internet connection speeds when using a VPN service

  • Location spoofing is very easy most VPN providers offer servers in many locations worldwide. Because connections are fast, VPN is ideal for streaming Geo-restricted media content

  • Ideal for P2P file sharing while many providers prohibit it, many are set up with file sharing in mind

VPN disadvantages

  • The VPN provider can see your internet activity – and in many countries is required by law to keep records of it, which may be handed over to the authorities or to copyright lawyers. VPNs are also vulnerable to server raids by the police, in an effort to obtain the information they may contain. This is why it is vital to choose a provider who keeps no logs (and is in a position to keep this promise). Of course, even when a VPN provider promises to keep no logs, you must trust them to keep their word.

  • Costs money typically under $10 a month, or less if you buy in bulk.

VPN vs TOR Conclusion

The great advantage of Tor is that you do not need to trust anyone - your internet use is completely anonymized. ... As long as a trustworthy no logs VPN provider is used, then VPN is a very secure, privacy solution that provides much greater performance and flexibility than Tor can offer.


16 views0 comments

Recent Posts

See All

Comments

bottom of page