Finally, and as we promised some time ago, we will address this important question:
Why not use TOR, which is a free service, for providing anonymity and privacy online?
To the layman, TOR is defined as:
TOR is a free software and open network that helps protect you from all forms of online surveillance and threats to your personal freedom and privacy. Tor protects you by routing your communications through a network of servers distributed around the world and provided / managed by volunteers.
In this sense, the objective of TOR and a VPN service such as TUVPN.COM is the same: protecting the security, privacy and anonymity of your communications. One of the differences, as you may have already noticed, is that there is usually a small fee attached to accessing a VPN service, while TOR is free. In this difference lie the core advantages and disadvantages of both options.
Let us now graphically look at the TOR network structure. It is important to emphasise again that this is a network created from servers offered and run by volunteers. Let us look at the implications of this:
As we can see, our communication enters the TOR network through an entry node, then it tumbles from one server to another within the network and finally reaches a TOR exit node, and from there to our Internet destination. The communication is encrypted from your computer to the exit node that decrypts it before sending it to its destination.
Anyone can create a TOR node and add it to the network. This can be for honest and selfless reasons, or not. You can't choose whether your node will be an entry, exit, or intermediate node as this is random in each communication but it will probably go through all the roles at some point.
Imagine now that we are very bad and we decide to create our own TOR server node and add it to the network to serve our own purposes … Let's see how much evil we can do depending on the role of our server in each communication. Let's use innocent "John" in this example. Remember, our server will go through all the server node roles according to TOR's random design:
1 – Our server acts as a TOR input node for John's communication.
As the communication we received from John is encrypted, the only thing we know is that John is connected to the TOR network (we can identify his IP). But knowledge of this alone is not important enough to feed our bad intentions.
2 – Our server acts as an intermediate node in John's communication on the TOR network.
Our evil intentions are not satisfied here either. The communication we receive is encrypted and all we know is that it has come from a node on the TOR network before reaching us. Hopefully the next role our server can play on the TOR network will provide food for our evil appetite!
3 – Our server acts as a TOR exit node for John's communication.
Now things get interesting for our evil intent! Our mission here is to decipher the communication through our exit node and send it to its destination. In so doing, we can see all data communication. We cannot know who sent the now transparent communication; we only know that we received it from an intermediate TOR node.
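The three roles described above can be reproduced with a small simulation. This is an added example, not code from TOR or from the original post: the cipher is a toy SHA-256 keystream standing in for TOR's real cryptography, the per-node keys are assumed to be already shared with the client, and the node names, IP address, destination and request are constructed sample values.

```python
import hashlib
import json

def xor_layer(key, data):
    """Toy stream cipher (SHA-256 keystream). Illustration only, not TOR's real crypto."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(next_hop, payload, key):
    """Add one layer: only the holder of `key` learns next_hop and the inner payload."""
    return xor_layer(key, json.dumps({"next": next_hop, "data": payload.hex()}).encode())

def peel(blob, key):
    """Remove one layer with this node's key."""
    layer = json.loads(xor_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def build_onion(request, destination, path):
    """path is [(node_name, key), ...] from entry to exit; the exit layer is wrapped first."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    blob = request
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        blob = wrap(nxt, blob, key)
    return blob

def relay(client_ip, blob, path):
    """Pass the onion along the path and record what each node can observe."""
    views, sender = [], client_ip
    for name, key in path:
        nxt, inner = peel(blob, key)
        views.append({"node": name, "received_from": sender,
                      "forwards_to": nxt, "payload": inner})
        sender, blob = name, inner
    return views

# Constructed sample data (hypothetical names, documentation IP range).
JOHN_IP = "203.0.113.7"
DEST = "bank.example:80"
REQUEST = b"POST /login user=john&password=hunter2"
PATH = [("entry-node", b"k-entry"), ("middle-node", b"k-middle"), ("exit-node", b"k-exit")]

if __name__ == "__main__":
    for v in relay(JOHN_IP, build_onion(REQUEST, DEST, PATH), PATH):
        print(v["node"], "| from:", v["received_from"], "| to:", v["forwards_to"],
              "| plaintext visible:", v["payload"] == REQUEST)
```

Only the entry node's view contains John's IP, and only the exit node's view contains the readable request, which is why traffic that is not encrypted end to end is exposed at the exit.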
One could argue that by protecting the communication with the target (e.g. our bank or our e-mail or …) with SSL, there is no way for us to get to know the contents of John's communications.
Wrong again. As security researcher Moxie Marlinspike showed at the last BlackHat Europe, we can mount a man-in-the-middle attack from our beloved TOR exit server and crack John's SSL communications.
Moxie gave a real-time demonstration of this attack that obtained a large number of passwords for all kinds of services from many users whose traffic was going through his TOR node. For more complete information about this topic: http://blog.phishme.com/2009/02/moxie-marlinspike-un-masks-tor-users/.
So we can see that the very nature of decentralised and distributed communication on the TOR network brings some problems.
Another drawback, in our humble opinion, of TOR vs a VPN service, is speed. Anyone who has used TOR for something more than just reading emails will know what we are talking about. Unfortunately, bandwidth has a price. Free and open services like TOR just cannot deliver this bandwidth.
By contrast, a VPN provider such as TUVPN.COM has the resources to secure and supply this bandwidth for its services, and allows its customers to enjoy streaming and other bandwidth-intensive activities, something that is unthinkable with TOR.
There is no doubt that TOR has its uses, if one is aware of its limitations. All the same, VPN services also have their uses and, most probably, their limitations. It is just a matter of being able to choose, and with the right information come the right decisions!
PS: Not to add fuel to the fire, but this week has seen TOR in the news. It has asked its users to upgrade their software as a result of attacks on its servers that run TOR directory authorities. More information: http://news.zdnet.co.uk/security/0,1000000189,40004185,00.htm