TOR vs VPN Services…. Who Wins?


Finally, and as we promised some time ago :D, we will address this important question:

Why not use TOR, which is a free service, for providing anonymity and privacy online?

 

To the layman, TOR is defined as:

TOR is a free software and open network that helps protect you from all forms of online surveillance and threats to your personal freedom and privacy. Tor protects you by routing your communications through a network of servers distributed around the world and provided / managed by volunteers.

 

In this sense, the objective of TOR and a VPN service such as TUVPN.COM is the same: protecting the security, privacy and anonymity of your communications. One of the differences, as you may have already noticed, is that there is usually a small fee attached to accessing a VPN service, while TOR is free. In this difference lie the core advantages / disadvantages of both options.

 

Let us now look graphically at the TOR network structure. It is important to emphasise again that this is a network created from servers offered and run by volunteers. Let us look at the implications of this point:

 

[Figure: TOR vs VPN anonymity and privacy service]

 

As we can see, our communication enters the TOR network through an entry node, then it tumbles from one server to another within the network and finally reaches a TOR exit node, and from there to our Internet destination. The communication is encrypted from your computer to the exit node that decrypts it before sending it to its destination.

Anyone can create a TOR node and add it to the network. This can be for honest and selfless reasons, or not. You can't choose whether your node will be an entry, exit, or intermediate node as this is random in each communication but it will probably go through all the roles at some point.

Imagine now that we are very bad and we decide to create our own TOR server node and add it to the network to serve our own purposes… Let's see how much evil we can do depending on the role of our server in each communication. Let's use innocent "John" in this example. Remember, our server will go through all the server node roles according to TOR's random design:

 

1 – Our server acts as a TOR entry node for John's communication.

As the communication we receive from John is encrypted, the only thing we know is that John is connected to the TOR network (we can identify his IP). But knowledge of this alone is not important enough to feed our bad intentions.

 

2 – Our server acts as an intermediate node in John's communication on the TOR network.

Our evil intentions are not satisfied here either. The communication we receive is encrypted and all we know is that it has come from a node on the TOR network before reaching us. Hopefully the next role our server can play on the TOR network will provide food for our evil appetite! ;)

 

3 – Our server acts as a TOR exit node for John's communication.

Now things get interesting for our evil intent! Our mission here is to decrypt the communication at our exit node and send it on to its destination. In so doing, we can see all the data in the communication. We cannot know who sent the now transparent communication; we only know that we received it from an intermediate TOR node.
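The three roles above can be modelled in a few lines. This is an added example, not code from the original post or from the Tor project: it uses a toy keystream cipher in place of Tor's real cryptography, and the keys, IP address, host name and payload are constructed sample values.

```python
import hashlib
import json

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 counter keystream); a stand-in, NOT Tor's real cryptography."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def build_onion(hops, destination, payload):
    """Client side: encrypt for the exit first, then wrap one layer per earlier hop."""
    next_hop, data = destination, payload
    for name, key in reversed(hops):
        layer = json.dumps({"next": next_hop, "data": data}).encode()
        next_hop, data = name, xor_layer(key, layer).hex()
    return bytes.fromhex(data)

def relay_views(hops, onion, client_ip, payload):
    """Peel one layer per relay and record what that relay can observe."""
    views, sender, cell = [], client_ip, onion
    for index, (name, key) in enumerate(hops):
        peeled = xor_layer(key, cell)  # this relay removes only its own layer
        layer = json.loads(peeled)
        views.append({
            "relay": name,
            "received_from": sender,
            "forwards_to": layer["next"],
            "knows_client_ip": sender == client_ip,
            "sees_payload": payload.encode() in peeled,
        })
        if index < len(hops) - 1:
            cell = bytes.fromhex(layer["data"])  # still encrypted for the next hop
        sender = name
    return views

# Constructed sample values (hypothetical keys, documentation IP range, example host).
HOPS = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]
CLIENT_IP = "203.0.113.7"
DESTINATION = "bank.example:80"
PAYLOAD = "user=john&password=constructed-secret"

def demo():
    onion = build_onion(HOPS, DESTINATION, PAYLOAD)
    return relay_views(HOPS, onion, CLIENT_IP, PAYLOAD)

if __name__ == "__main__":
    for view in demo():
        print(view)
```

Only the entry relay learns John's IP and only the exit relay finds the payload in what it holds, which is why anything sent through the network without its own end-to-end protection is readable at the exit.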

We can argue that by protecting the communication with the target (e.g. our bank or our e-mail or …) with SSL, there is no way for us to get to know the contents of John's communications.

Wrong again. As security researcher Moxie Marlinspike showed at the last BlackHat Europe, we can mount a man-in-the-middle attack from our beloved TOR exit server and crack John's SSL communications.

Moxie gave a real-time demonstration of this attack that obtained a large number of passwords for all kinds of services from many users whose traffic was going through his TOR node. For more complete information about this topic: http://blog.phishme.com/2009/02/moxie-marlinspike-un-masks-tor-users/.

 

So we can see that the very nature of decentralised and distributed communication on the TOR network brings some problems.

 

Another drawback, in our humble opinion, of TOR vs a VPN service, is speed. Anyone who has used TOR for something more than just reading emails will know what we are talking about. Unfortunately, bandwidth has a price. Free and open services like TOR just cannot deliver this bandwidth.

By contrast, a VPN provider such as TUVPN.COM has the resources to secure and supply this bandwidth for its services, and allows its customers to enjoy streaming and other bandwidth-intensive activities, something that is unthinkable with TOR.

 

There is no doubt that TOR has its uses, if one is aware of its limitations. All the same, VPN services also have their uses and, most probably, their limitations. It is just a matter of being able to choose, and with the right information come the right decisions!

 

PS: Not to add fuel to the fire, but this week has seen TOR in the news. It has asked its users to upgrade their software as a result of attacks on its servers that run TOR directory authorities. More information: http://news.zdnet.co.uk/security/0,1000000189,40004185,00.htm



10 Responses to “TOR vs VPN Services…. Who Wins?”

  1. Justin Says:

    I think you accidentally the encrypted/non-encrypted colors in your graph ;) It’s the other way around, obviously.

  2. Bidcactus - my updated review Says:

    bidcactus…

    Good post once again!…

  3. Peter Males Says:

    I just read another article on TOR which reveals some security and anonymity issues on TOR in conjunction with Bittorrent. For all those who are interested here is the link:

    http://www.usenix.org/events/leet11/tech/full_papers/LeBlond.pdf

  4. Anyt Says:

    “As security researcher Moxie Marlinspike showed at the last BlackHat Europe, we can mount a man-in-the-middle attack from our beloved TOR exit server and crack John’s SSL communications.”

    But this same MITM attack or for that matter MITM attacks apply equally to VPN and just about everything.

  5. Tor 0.2.2.33 | Daily Freeware Download Says:

    [...] tracks so no observer at any single point can tell where the data came from or where it's going. If you want more safe and secure on the Internet and you should use Tor 0.2.2.33 application. With T…e TCP protocol. When you use this application, communications are bounced around a distributed [...]

  6. Xeron Says:

    Good point concerning the tor exit node. But the vpn server, which is at the same time entry/middle and exit node, can see John’s traffic (even SSL via MITM attack) and John’s identity….

    The most secure would be to connect to VPN (a VPN with authentication through preshared keys/certificates, like OpenVPN) through Tor, so that Tor’s exit node only sees traffic encrypted by the VPN, and the VPN only sees Tor’s exit node identity. As the Tor’s exit node doesn’t know the preshared keys/certificates, it is unable to perform any MITM attack. So you have privacy AND anonymity.

  7. Mr. French Says:

    Thank you for this wealth of information.
    Very useful, and helpful.
    hsvpcrepair. com

  8. Live Says:

    Good point concerning the tor exit node. But the vpn server, which is at the same time entry/middle and exit node, can see John’s traffic (even SSL via MITM attack) and John’s identity….

    The most secure would be to connect to VPN (a VPN with authentication through preshared keys/certificates, like OpenVPN) through Tor, so that Tor’s exit node only sees traffic encrypted by the VPN, and the VPN only sees Tor’s exit node identity. As the Tor’s exit node doesn’t know the preshared keys/certificates, it is unable to perform any MITM attack. So you have privacy AND anonymity.

  9. jaydeep Says:

    always tor wins no chance for vpn

  10. PROMISES OF INTERNET ANONYMITY | sreaves32 Says:

    [...] surprisingly, most of this chatter comes from competing Internet anonymization services, including Virtual Private Networks. It has been widely reported on the Internet, for instance, that Tor exit nodes are dangerous [...]


©2011 TUVPN.COM. All rights reserved.