
In the present era of mass surveillance by intelligence agencies like the NSA, GCHQ & RAW, you should know that every border you cross, every purchase you make, every call you dial, every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route is in the hands of some electronic system whose reach is unlimited, but whose safeguards are questionable. This amount of metadata collected about you is more than enough to create simulations of you and predict your behaviour in any given circumstance. It involves a systematic interference with an individual's right to privacy by subjecting them to significant, indiscriminate monitoring and censorship. Hence, privacy & anonymity are rising concerns among informed citizens, journalists, whistleblowers and the Edward Snowdens of the world.
When it comes to technology, privacy and anonymity enthusiasts extensively use encrypted proxy services like VPN & the TOR anonymity network to hide their identities & activities online. But let's understand how useful & worthwhile they are, what the differences are, and how we can leverage the potential of both.
VPN is faster than TOR, and is suitable for P2P downloading. The major downside, however (and the reason VPN is said to provide privacy rather than anonymity), is that it requires you to trust the VPN provider. This is because, should it wish to (or be compelled to), your VPN provider can “see” what you get up to on the internet. VPN also allows you to easily spoof your geographic location.
On the contrary, TOR is much slower because of the built-in Onion Routing, is often blocked by websites, and is unsuitable for P2P, but it does not require your trust in anybody, and is therefore much more secure & truly anonymous.
Interestingly, VPN & TOR can be combined and used together in order to provide an extra layer of security, and to mitigate some of the drawbacks of using either technology exclusively. The main downside of doing so, however, is that it combines the speed hit of both technologies, making connections more secure but slower. It is also important to understand the difference between connecting VPN to TOR and connecting TOR to VPN for accessing the Internet. Order matters!
VPN to TOR
Under this configuration you first connect to your VPN server, and then to the TOR network before accessing the internet:
Your computer -> VPN -> TOR -> Internet
This is what happens when you use TOR Browser while connected to a VPN server.
Your apparent IP on the internet = IP of the TOR exit node.
Pros:
1. Your ISP will not know that you are using TOR (but it can know that you are using VPN).
2. The TOR entry node will not see your real IP address, but the IP address of VPN server.
3. Allows access to TOR hidden services (.onion websites).
Cons:
1. Your VPN provider knows your real IP address.
2. No protection from malicious TOR exit nodes. Non-SSL traffic entering and leaving TOR exit nodes is unencrypted and could be monitored.
3. TOR exit nodes are often blocked by popular websites.
TOR to VPN
This configuration involves connecting first to TOR using TOR client and then to a VPN server to access the internet using regular browser:
Your computer -> TOR -> VPN -> Internet
This setup requires you to configure your VPN client to work with TOR. Note that only some VPN providers support this, such as AirVPN, BolehVPN, etc.
Your apparent IP on the internet = IP of the VPN server.
Pros:
1. Your VPN provider cannot ‘see’ your real IP address – only that of the TOR exit node.
2. If combined with an anonymous payment method (such as properly-mixed / well-laundered Bitcoins) made anonymously over TOR, the VPN provider will have no way of identifying you.
3. Protection from malicious TOR exit nodes, as data is encrypted by the VPN client before entering (and exiting) the TOR network.
4. The VPN provider allows you to choose the server location (great for geo-spoofing).
5. All internet traffic is routed through TOR (even by apps that usually don’t support it).
6. Bypasses any blocks on TOR exit nodes (Important!).
Cons:
1. Your ISP will know that you are using TOR.
2. The VPN provider can see your internet traffic (but can’t identify you - true anonymity).
3. Slightly more vulnerable to global end-to-end timing attack as a fixed point in the chain exists (the VPN provider).
4. Does not allow access to TOR hidden services (‘.onion’ websites).
TOR after TOR to VPN
This configuration involves connecting first to TOR using TOR client, and then to a VPN server and using TOR Browser to access the internet:
Your computer -> TOR -> VPN -> TOR -> Internet
Note, this setup requires you to use TOR Browser as well as configuring your VPN client to work with TOR.
Your apparent IP on the internet = IP of the TOR exit node of 2nd TOR circuit.
Pros:
1. Your VPN provider cannot ‘see’ your real IP address – only that of the TOR exit node.
2. If combined with an anonymous payment method (such as properly mixed Bitcoins) made anonymously over TOR, the VPN provider will have no way of identifying you.
3. Protection from malicious TOR exit nodes, as data is encrypted by the VPN client before entering (and exiting) the 1st TOR circuit.
4. The VPN provider allows you to choose the server location (extra functionality that is not actually required, because the 2nd TOR circuit will provide geo-spoofing).
5. Allows access to TOR hidden services (‘.onion’ websites).
6. Less prone to global end-to-end timing attack because of two TOR circuits.
Cons:
1. Your ISP will know that you are using TOR.
2. The VPN provider can see your internet traffic (but cannot identify you - true anonymity).
3. TOR exit nodes are often blocked by popular websites.
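The pros and cons of the three chains above follow mechanically from the order of the hops. The Python model below is an added example, not part of the original post; it assumes a simplified picture in which each hop is one tunnel nested inside the previous one (a whole TOR circuit is collapsed into a single hop), and the names analyse and EGRESS are hypothetical.

```python
# Simplified model (an assumption of this example): each hop is a tunnel
# nested inside the previous one, so the first hop is the outermost layer.
EGRESS = {"vpn": "VPN server", "tor": "TOR exit node"}

def analyse(chain, https=False):
    """Derive who learns what for an ordered chain such as ["tor", "vpn"]."""
    if not chain or any(h not in EGRESS for h in chain):
        raise ValueError("chain must be a non-empty list of 'vpn'/'tor'")
    hops = []
    for i, hop in enumerate(chain):
        last = i == len(chain) - 1
        # A hop sees as source whatever sits directly in front of it.
        source = "your real IP" if i == 0 else EGRESS[chain[i - 1]]
        # Removing this hop's layer exposes the next tunnel or, at the
        # last hop, the application traffic itself.
        if not last:
            payload = f"{chain[i + 1]} tunnel ciphertext"
        else:
            payload = "TLS ciphertext" if https else "plaintext traffic"
        hops.append({"hop": hop, "sees_source": source, "sees_payload": payload})
    return {
        "isp_sees": chain[0],            # only the outermost protocol is visible
        "knows_real_ip": chain[0],       # the first hop is the one you dial directly
        "apparent_ip": EGRESS[chain[-1]],
        "onion_access": chain[-1] == "tor",
        "exit_blocking_applies": chain[-1] == "tor",
        "hops": hops,
    }

if __name__ == "__main__":
    for chain in (["vpn", "tor"], ["tor", "vpn"], ["tor", "vpn", "tor"]):
        result = analyse(chain)
        print(" -> ".join(chain))
        for key, value in result.items():
            print("   ", key, "=", value)
```

Passing https=True shows the effect of an SSL-secured destination: the last hop then handles only TLS ciphertext instead of plaintext traffic.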
So which one is better?
However, before that, two important things to ponder upon:
1. Malicious exit nodes:
When using TOR, the last node in the chain between your computer & the open internet is called an exit node. Traffic enters and exits this node unencrypted (unless some additional form of encryption is used, like SSL), which means that anyone running the exit node can spy on users’ internet traffic. This is not usually a huge problem, as a user’s identity is hidden by the 2 or more additional nodes that traffic passes through on its way to and from the exit node. If the unencrypted traffic contains personally identifiable information, however, this can be seen by the entity running the exit node.
Such nodes are referred to as malicious exit nodes, and have also been known to redirect users to fake websites. SSL connections are encrypted, so if you connect to an SSL-secured website (https://) your data will be secure, even if it passes through a malicious exit node.
2. End-to-End (E2E) timing attacks:
This is a technique used to de-anonymize VPN & TOR users by correlating the time when they were connected, vis-a-vis the timing of otherwise anonymous behavior on the internet. An incident where a Harvard bomb-threat idiot got caught (http://www.businessinsider.com/harvard-student-used-tor-for-bomb-threat-2013-12) while using TOR is a great example of this form of de-anonymization attack in action.
On a global scale, pulling off a successful E2E attack against a TOR user would be a monumental undertaking, but possibly not impossible for the likes of the NSA, who are suspected of running a high percentage of all the world's public TOR exit nodes. If such an attack (or other de-anonymization tactic) is made against you while using TOR, then using VPN as well will provide an additional layer of security.
Conclusion
Note that TOR to VPN is usually considered more secure than VPN to TOR, since it allows you to maintain complete (and true) anonymity if the correct precautions are taken, because not even your VPN provider knows who you are. It also provides protection against malicious TOR exit nodes, and allows you to evade censorship via blocks on TOR exit nodes. You should be aware, however, that if an adversary can compromise your VPN provider, then it can control one end of the TOR chain. Over time, this may allow the adversary to pull off an E2E timing or other de-anonymization attack. The additional benefit you get if you use TOR after TOR to VPN is that you can access ‘.onion’ websites, but with the caveat that TOR exit nodes are often blocked by popular websites.
Hence, the bottom line is that any user who requires a very high level of security, privacy & anonymity must carefully weigh up the pros and cons of each of the above three configurations in relation to their particular needs.