Shouldn't TOR be almost certainly safer than any commercial VPN?

Hope you guys don’t mind a fairly rookie question on the whole TOR/VPN debate. This is something I’ve been wondering recently.

Reading threads on /r/privacy and elsewhere, I can see that I’m not alone in believing that there are no truly secure commercial VPN options.

I think that I can think of how to provision a reasonably safe VPN (anonymously sign up to some infrastructure provider and create your own VPN; alternatively, physically manage your own infrastructure in some secured location).

But no matter what any VPN says about it being zero logs etc, isn’t there basically always a chance that it’s BS (or ownership is malicious or the VPN has been coerced into providing backdoor access by law enforcement / the intelligence community)?

From what I understand about VPN tech (please correct me if I’m mistaken), so long as the provider can encrypt your connection, they retain the ability to decrypt it and inspect your traffic. So until we have some kind of foolproof auditing system in place, the most we can say about any commercial VPN operator is that “they say they don’t log my traffic and I hope that’s really the case.” And even then: “they could probably be coerced into handing over my traffic by somebody with authority.”

Now consider TOR: from what I understand TOR randomizes your traffic en route to the internet. Even though an exit node could be compromised, the chances of any part being able to identify you are very small … because the route to the internet is randomized every time.

I’m sure this all sounds very sketchy but the impetus for this whole query is a friend who wants to start a truly anonymous blog and asked me whether TOR or VPN would be a safer option if he were really concerned about a platform not being able to decipher his/her identity. My answer was TOR for the above reason.

Would love to hear what people think.

Yes Tor is ‘safer’ than any VPN out there. But it also has downsides, mainly speed.

It also depends on what you want to do. Want to access regional locked content: use a VPN. Want to spread Winnie the Pooh memes in China: use Tor.
Want to privately browse at work: use VPN. Want to run a criminal operation: use Tor.

Etc, etc

Safer, probably in most cases

It’s an absolute pain to use on clear net sites as a growing number block Tor exit nodes

Plus it’s slow, enormously slower than any commercial VPN I am aware of

https://www.reddit.com/r/TOR/comments/o75etr/stop_the_tor_vpn_questions_full_explanation/

I think personal responsibility and awareness are the key to those questions. I use ExpressVPN, which is in the top 2 of every list. They do not keep logs and any info that is lingering is destroyed upon disconnect. However, I recently relocated to a place where I can’t get private WiFi, so I use a mobile hotspot. My device is hidden; however, the hotspot IP can still be seen. It makes me cringe. However, I know that there are no logs that will lead back to me directly. As far as TOR, my biggest issue is that if you are not being completely safe you can expose yourself, rendering the anonymity useless. Do I turn on JS or leave it off? Do I leave it off until I get to the desired site? What if I’m redirected? All of these things have to be considered and you must stay vigilant. And the biggest problem with that is if SOMEONE ELSE isn’t being as vigilant as you, then they run the risk of exposing themselves and you. You have no control over what the next person does.

Good question.

So this thread actually skips through all the vagueness and explains why I was wondering this.

But it wasn’t really why I asked this. More a theoretical question.

Further context:

I worked for a number of years as a freelance writer and realize that there is an enormous amount of vendor-sponsored misinformation that basically distorts the truth. I don’t know a ton about the VPN industry, but I know that a lot of players have deep pockets and work closely with apparently impartial informational sites to … create the narrative that sounds as appealing as possible to consumers that just do the very basic research.

While only knowing the basics (I’m neither a dev nor a cybersec pro), it seemed kinda obvious to me that there’s literally no VPN that anybody could reasonably trust. A VPN provider says that they’re not logging your data. But is there any mechanism in existence to actually validate that? And if there isn’t, doesn’t that basically mean that any VPN provider could be … simply lying?

TOR didn’t seem to have that “limitation” to me. But again there’s so much distortion out there on this whole subject that I wasn’t sure if it was “just me” particularly as I don’t have an expert level background in the field. I also only know the bare details of how TOR actually works.

Can tor be used for free-riding?

I bought a deeper connect miner, it’s a DPN and works better than a VPN and I don’t have to pay a monthly subscription

Sorry if this is a stupid question but would using Tor with a VPN running in the background be the “best of both worlds”, assuming you’re not worried about speed etc?

Yes, that can work, if you do this right, you can hide the fact that you’re using Tor from your ISP.

Don’t do this if you don’t know what you’re doing though. Only route your Tor traffic through the VPN tunnel, not the other way around!

Right. There are very different levels of risk and privacy sensitivity.

In the one I’m thinking about (anonymous blog; no illegality but a requirement of anonymity): I guess you just have to trust that there would be no wildly unlikely situation in which the VPN itself were hacked and you would be doxxed in the process. I guess that’s about the only credible concern you’d face.

Then there’s the fact (separate objection entirely) that many privacy-minded people (presumably the large white hat TOR user base) simply don’t like the fact that the whole privacy arrangement with commercial VPNs is a lot less transparent than it’s depicted to be and basically we’re all at least theoretically at their mercy irrespective of whatever they say about logging etc.

Ie, the idea of using TOR is nice simply because - even if it’s not a requirement - you don’t have to worry about a VPN provider having access to what you do.

On the other hand, if you were worried about the above for illegality or the situation that you outlined (IDK … protester living in an autocratic regime) … then truly no degree of risk would be acceptable.

What u mean with trustworthy VPN?
A trustworthy VPN provider is one that won’t rat you out to law enforcement when they will ask to provide logs cuz they don’t have any. That’s my definition of trustworthy VPN.

You can use Tor as a free VPN if that is what you mean, but you can’t access all sites using Tor especially online banking/payments are almost impossible using Tor and Tor doesn’t always give you the best speed.

Yup. I know in Cloudflare there’s an option to block TOR traffic. I guess all the exit nodes are understood. The other potential “problem” with TOR is that you’re going to be connecting from a different exit node / geo each time (right?).

I use TOR once every few months but if I were to start using it for what made me ask this question (set up an anon blog) I could see that triggering all sorts of annoying restrictions.

I meant this :

“To better understand such free-riding attacks, we need to describe how existing zero-rating framework adopted by ISPs differentiates charged and zero-rating tactic. The tactic widely adopted in real-world ISPs is to directly inspect the track based on meta-data thus differentiating zero-rating contents. However, because a zero-rating policy involves three parties, the ISP can never tell whether the contents are indeed authorized by the CP as zero-rated, especially under the condition that one of the communicating party, i.e., the client, is malicious. Specifically, according to the nature of end-to-end communication, the client has the ability to modify or inject any non-zero-rated contents in between the ISP and the CP, even if the communication is encrypted.”

True, but I believe various services also don’t allow VPN traffic. It’s not as scrutinized as tor, but just as detectable.

Tor traffic comes from publicly listed nodes, and vpn traffic comes from the VPN providers, and they just blacklist that said service provider (sometimes rightfully so, because tor/vpns are abused to send spam and abuse).

Really wish privacy/anonymity based services were more accepted in general, but just pointing out that both protocols got this issue sadly.

Definitely would always use a VPN over tor for downloading/streaming. Puts a strain on the network as a whole anyways, hurting everyone’s usage for tor.

Thanks. I’m a total noob with this, do you have link to a tutorial on how to set this up?

How do I hide that I am using tor?