VPN and Tor

Virtual Private Networks (VPN) and Tor are tools that offer various degrees of encryption of online traffic. Both tools may also be used to circumvent filters that block content based on the network used for Internet access or physical location in the world. In order to make the best decision as to which tool to use, the capabilities of both must be understood. This document will help you make an educated decision and select the most appropriate tool.

VPN

VPN is a tool used to encrypt all Internet traffic between two devices, a process made possible by downloading and installing software that allows a user to connect to a VPN service. This connection may be between the user’s personal computer and a server of a well-known VPN service such as Private Internet Access (https://www.privateInternetaccess.com/) or Witopia.net (https://www.witopia.net). In some cases, employers may have a VPN service to which employee work computers connect, usually installed by an IT professional. Many operating systems, including Windows, Apple OS X, iOS, and Android, have built-in VPN technology that can be set up by following instructions provided by the VPN service provider, making the VPN service rather flexible to use across several devices.

Secure Connection

When VPN encrypts a user’s traffic, nobody is able to view the activity between the user’s computer and the VPN server. This means that if the user is sitting in an Internet café while using a VPN, and the café owners monitor the traffic, they are unable to see which sites the user visits. If the VPN service is hosted outside of a given country, then the local Internet service provider (ISP) is also unable to view the traffic. However, the host of the VPN service and its ISP could possibly view the traffic.

Example: You are at a café in Nairobi, Kenya, using the café’s Wi-Fi and connecting to a VPN server hosted in Madrid, Spain. The owner of the café can see that you are connecting to a specific VPN server but cannot see which other sites you are visiting. However, the owner of the VPN server in Madrid has the ability to log your Internet traffic because the encrypted traffic ends on the host server. The company that provides Internet access to that server could also see that traffic.

The take-away message here is that the user must trust the company or person hosting the VPN service. The VPN server should be located in a country that has good privacy laws[1] and hosted by a company known for privacy protection[2]. At a minimum, the VPN service should not log Internet traffic, which should explicitly be stated as part of the VPN’s service features.

Access to Information

Any entities looking to control their Internet traffic may block certain sites. There may be a message telling visitors that a given site is blocked. Other times, pages will just fail to load. VPN can help users to access blocked sites by making a computer act as though it is located where the VPN server is hosted. So, if a user is unable to view a blog due to filters on his or her Internet connection, connecting to a VPN service in a location where that blog is not blocked would allow access to it.

Tor

Tor[3] performs many of the same functions as a VPN, but it also anonymizes user traffic.

Why isn’t VPN anonymous?

When using a VPN service, a user makes one connection between his or her computer and the VPN service. This connection requires the user to provide the VPN service with an IP address, which is a numerical address unique to everyone connecting to the Internet. This address can easily identify the country, city, and even neighborhood from which a device is accessing the Internet. If the company that runs the VPN service wanted to physically locate a particular user, it could use this valuable piece of information to do so.

How does Tor protect against this?

Tor uses a minimum of three randomly selected servers before accessing a site on the Internet. Each server uses different encryption keys, so no server knows the entire path of the user’s Internet connection, making it very complicated, if not impossible, to determine the true IP address and therefore the user’s physical location. The diagram below provides a good visual explanation:

Diagram source: https://www.torproject.org/about/overview.html.en

Each green line shows traffic encrypted using Tor, and the red line shows when traffic is no longer encrypted. More detailed information on how this works can be found here: https://www.torproject.org/about/overview.html.en.

Wait, so the user’s traffic is no longer encrypted at some point?

Correct. Tor only anonymizes the user and does not guarantee that traffic is encrypted from end to end. However, the site that is being accessed cannot identify the user or the user’s location. Therefore, if the user is not posting personal information or accessing sensitive and identifying materials, then the fact that someone can see the traffic is irrelevant.
On the other hand, when working with materials that could potentially identify the user, basic practices for using HTTPS, PGP, and other encryption should also be followed. More information about data visibility when using Tor and HTTPS can be found here: https://www.eff.org/pages/tor-and-https
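
The layering described above, as an added example that is not part of the original document or of the Tor Project's code: a Python sketch in which a toy XOR cipher stands in for Tor's real cryptography, and the relay names, IP address, and site are constructed sample values. It records what each relay can observe, showing that no relay sees both the user's address and the destination, and that the last relay can read the request itself when the request is not protected by HTTPS.

```python
import hashlib
import json
import secrets

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy stand-in, NOT Tor's real cryptography."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload):
    """Client: build the onion inside out, one encrypted layer per relay."""
    next_hops = path[1:] + [destination]
    cell = payload
    for relay, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = toy_cipher(keys[relay], layer)
    return cell

def peel(key, cell):
    """Relay: remove exactly one layer, learning only the next hop."""
    layer = json.loads(toy_cipher(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def simulate(client_ip, path, destination, payload):
    """Send one request through the path and record what each relay can observe."""
    keys = {relay: secrets.token_bytes(32) for relay in path}  # each shared only with the client
    cell, prev, views = wrap(path, keys, destination, payload), client_ip, []
    for relay in path:
        nxt, cell = peel(keys[relay], cell)
        # After peeling, can this relay read the user's request in what it forwards?
        views.append({"relay": relay, "from": prev, "to": nxt,
                      "payload_readable": payload in cell})
        prev = relay
    return views, cell

# Constructed sample values (documentation IP range, made-up names).
CLIENT, SITE = "203.0.113.7", "blog.example"
PATH = ["guard", "middle", "exit"]

if __name__ == "__main__":
    views, delivered = simulate(CLIENT, PATH, SITE, b"GET /post HTTP/1.1")
    for v in views:
        print(v)
    print("delivered to site:", delivered)
```

The last relay's view corresponds to the red line in the diagram: if the payload were already HTTPS ciphertext, that relay would recover only the ciphertext.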

How do I get started?

Though a whole system can be set up to run all traffic over Tor, the process is technically demanding and can quickly become complicated. The simplest way to get started with Tor is to download the Tor Browser Bundle (https://www.torproject.org/download/download-easy.html), which is a preconfigured Firefox Internet browser that works with Tor and includes plugins that increase browsing security. It is important to note that only the sites visited within the browser are anonymized by Tor, while all other activity on the computer (Skype, Outlook, Dropbox, etc.) is not protected by Tor.

Why shouldn’t I always use Tor instead of VPN?

Tor can be complicated to set up for all traffic and is best used through the Tor Browser Bundle, which only affects Internet browsing that takes place through the bundle. On the other hand, VPN encrypts all Internet traffic (Skype, surfing the web, torrents, etc.) on a computer rather easily. Though the Tor Browser Bundle is easy to use, browsing will be much slower than it is while using a VPN service. This is because in order for Tor to anonymize traffic, the connection must run through several servers, making the path to reach the target site longer. If a user is posting identifying information using Tor, such as a blog stating the user’s name, then Tor may be unnecessary for this work because posting identifying information defeats the purpose of Tor. The exception to this advice would be when the user is not concerned about revealing his or her name, but does not want the particular physical location to be known.

Summary

When to use VPN

A VPN should be used when the user does not care about being anonymous but also does not trust the network used to access the Internet. Examples may include using the Internet from within an Internet café, or when a user is concerned that the service provider is recording which sites he or she visits and might try to intercept the traffic. VPN is useful when a user wants more than just the Internet browser to be encrypted.

When to use Tor

The Tor Browser Bundle is best for individuals who do not want their physical location known. A user may want to post an anonymous blog, access sites monitored by ISPs or other parties, or access accounts that the user has taken care not to associate with his or her personal identity.

VPN and Tor each offer different kinds of protection of their users’ online activity. Every situation and context is unique, and the features offered by each tool must be considered in order to select the one that will work best for each user’s needs.

References

[1] “Where in the World Can You Get Some Privacy? (Infographic),” VentureBeat, October 13, 2013, accessed January 10, 2014, from http://venturebeat.com/2013/10/13/countries-privacy/

[2] “Which VPN Service Providers Really Take Anonymity Seriously?” TorrentFreak, October 7, 2011, accessed January 10, 2013, from http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/

[3] “Tor,” Tor, accessed January 10, 2013, from https://www.torproject.org/