What's best for internet privacy: Tor then VPN, or VPN then Tor?
There's ongoing confusion about how VPNs and Tor compare in regards to privacy and anonymity and competing opinions on how and when it makes sense to combine them. Do they work together, is there ever mutual contradiction, and what threats do they actually protect you from?
It’s time to settle the debate once and for all and get to the heart of how to properly use two of the most powerful internet privacy tools.
Internet anonymity in Tor
Tor is, without a doubt, the stronger anonymity network. Your data enters the network through a random node around the globe, makes at least two hops, then passes through a random exit node to its final destination.
Ideally, your information should be additionally encrypted, preventing the exit node from reading it.
Unlike with a VPN, no single node in this route gets the full picture of what you are doing. The entry node can only see your location but not who you are communicating with, while the exit node sees who you are communicating with, but not your location.
A relay in the middle prevents the exit node from finding out what the entry node was, in case an adversary manages to operate them both.
However, this process is slow and inefficient. And for a variety of privacy reasons, the Tor network cannot compensate volunteers for running nodes. Participants are also unable to speed up connections with payments, as this would de-anonymize them as well as the entry/exit nodes.
The VPN internet privacy model
VPNs provide a different privacy trade-off. They perform with high speeds and typically only route traffic through a single hop, usually in an industrial-grade data center.
To keep services stable and fast as well as develop apps, the VPN provider either has to charge their customers, like ExpressVPN, or somehow monetize their user data.
Like with Tor, a user is unable to see what happens inside the servers they are using. For example, it’s impossible to see if the VPN server is keeping logs, altering traffic, or injecting malware.
Though, given that a user can be identified through their login details or payment method, or repeatedly using the same service, a malicious VPN provider can gather details far more threatening to a person’s privacy than that of a Tor node.
To evaluate if a VPN provider is malicious, a user can look out for complaints on the internet, particularly from users who have been kicked off a VPN for breaching terms of service or violating copyright codes.
A VPN provider would be unable to determine which of their users committed violations if they HAD A STRICT POLICY TOWARDS LOGS.
To combine VPN and Tor or not combine?
The debate over how to combine the services often comes down to the assumption that more hops mean more privacy, which is not necessarily true. However, adding a single, permanent node (i.e. a VPN) might entirely compromise the anonymity model that Tor provides.
The official website of the anonymous Operating System TAILS uses harsh words when discussing the utilization of a VPN with Tor:
“VPNs make the situation worse since they basically introduce either a permanent entry guard (if the VPN is set up before Tor) or a permanent exit node (if the VPN is accessed through Tor)”
That being said, there are cases when using one with the other can be invaluable. The question is: Do you connect to VPN first and Tor second, or vice versa?
You -> VPN -> Tor
This model is easy for anyone to set up. Simply connect to VPN on your computer, then open the Tor Browser and continue to use it as you are used to.
Your traffic will first be routed to the VPN server, from where it enters the Tor network before it leaves it again at one of the system’s exit nodes.
According to the Tor Project, the arrangement works, but with one caveat--your VPN/SSH provider's network is in fact sufficiently safer than your own network.
Your VPN will not be able to see your traffic but may find out that you are using Tor. On the upside, you are hiding your Tor activity from your Internet Service Provider and likely your local government. Depending on their stance on Tor, you might be safer or more private.
You -> Tor -> VPN
This model is a bit different to set up, as it requires you to fiddle with a virtual machine, and is generally not supported by VPN companies natively.
Your traffic first enters the Tor network, leaves through an exit node and then to a VPN server, from where you connect to the sites you are visiting.
The Tor Project advises against this arrangement:
“The VPN/SSH can build a profile of everything you do, and over time that will probably be really dangerous.”
The result is that your VPN often finds out who you are, perhaps because you connect from home regularly or because you made the VPN subscription payment through your credit card. Any provider could observe you long enough to “fingerprint” your behavior.
In theory, by signing up for a VPN through Tor, and paying through an anonymous payment method like Bitcoin, you can prevent your VPN from knowing any payment details. And if you always connect to the internet with Tor network, your current location would be disguised.
Your identity is still not as strongly protected as when using a Tor exit node, but you will not get flagged as a Tor user by the sites you are visiting.
Do you want to hide who you are? Or where you are?
The essential question you will have to ask yourself when using a Tor over VPN, or a VPN over Tor, is whether you want to hide your location or your identity.
Using VPN, then Tor guards your identity as close as currently technically possible. But Tor followed by VPN effectively hides your location and leaves you able to surf the web without the hassle of using a Tor exit node IP.
The choice is yours.
This difference can be a subtle one, but it can be essential. Imagine you are hiding from an oppressive dictatorship, but still want to maintain contact with the outside world. Keeping your location a secret will be far more important than maintaining anonymity.
If you, however, intend to leak information exposing corruption and misconduct in your country, hiding your identity is equally important to hiding your location.
Take the first step to protect yourself online. Try ExpressVPN risk-free.
Get ExpressVPN
Comments
Thank you, more helpful and informative than my history would suggest should be expected.
Wow what a great article and a even better debate on the 2 technologies /services. My question is for ios based devices ie. iphones , ipad , etc. does the tor app. For ios. provide a similar amount of anonymity and location privacy ? If it does provide the benefits that are mentioned in the article, does ExpressVPN Think its a good idea to 1st - log in through the ExpressVPN app and once connected to a server of choice 2nd- launch the tor app . ? Thanks for any feedback. Btw , Ps i guess I'm Screwed that I chose the credit card as payment method!
Hi, Unfortunately there is no official release of the Tor Browser yet for iOS, and I cannot recommend any of the inofficial ones. Otherwise, logging into ExpressVPN first, and then open Tor would be a good thing to do for anonymity. Lexie
"You already have zero privacy, get over it" - Scott McNealy
thats especially true for the idiots that post there lifes history on social media
@TOR - That guy, Scott McNealy is so wrong! Me, you and everybody else is subject to this : "Article 12. - No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." - Universal Declaration of Human Rights. People shed blood in the past so we can have rights now, I think we should stick to those rights and protect them to honour ourselves and our heroes!
To late Friend the minute the patriot act was signed into law your Rights when out the same door the law just kicked in without the warrant
I don't understan. I open ExpressVpn on my PC. Then, I open Tor. Ok, easy enough. Then I read that http://expressobutiolem.onion is your hidden service on Tor. So then I use the search box in the toolbar? Why? I' running the VPN before I open Tor. Stop confusing old guys like me that grew up with no internet,cable or cell phones....LOL
Hi Dan, We certainly don't want to confuse you! Great to hear you are using ExpressVPN on your computer. Your usual browsing and online activity is safe. It's also cool that you have the Tor Browsser installed. You can use it when you want to be super anonymous or surf the dark web. You can leave your VPN on while doing that. Our hidden service is just like our website, but accessible on the dark web. It helps people who are in countries where our site is blocked to acccess our site, purchase our service and manage their subscriptions. Lexie
I am really surprised that more people don't realize the importance of having a VPN. To all those people that have been hesitant to purchase a subscription, don't wait until your personal information has been stolen. I have been extremely pleased with ExpressVPN, their tech support is very helpful if you have any questions or concerns. ExpressVPN user out of Texas!
Hi! Thank you for all this information. I do have IOS and am constantly worried about both hiding my IP address and my identity of course. Believe it or not, I think what’s most important for myself is finding out what’s best to protect yourself from getting “SIM hi-jacked or hacked” this has happened to me and the hackers main reason was to take over a social media platform I built up. Can you please provide any and all information you have on the best steps to take to help prevent this from ever happening again? Thanks in advance!