Tor & VPNs - comparing & contrasting network privacy tech
One of the things we're asked sometimes is why anyone would choose a VPN service rather than use the Tor routing application. There's generally two motivations for the question: first, some folks are convinced that Tor has magical security/privacy/anonymity properties that are impossible for any other network security service to match. That's not true, and it's not even something the Tor folks themselves claim. Second, people like the fact that Tor is free: free is a very good price. Why pay for something, when you can get it for free?
We're writing up this note to help explain the pros and cons of these decisions. Sometimes, and for some people, Tor's terrific - ideal, even. It's got a rock-solid place in the spectrum of network security tools, and several hundred thousand folks make use of it in one form or another. Plus, in this post-PRISM era - the Age of #UnPRISM - having a diversity of tools and approaches and techniques to ensure protection against massive dragnet surveillance is a Good Thing. It's not a question of either Tor or VPNs being "better" than each other, as if this is a WWE event and one heavily-muscled, tights-wearing hunk is going to vanquish the other on live TeeVee. No, it's not like that.
What it's like is this: the Tor folks are enormously helpful in spreading the word about anti-surveillance technologies, globally. They make tons of presentations (mostly at hacker cons, but still), and they've managed to get some mainstream media coverage that's not terrible - which is saying something. Their network protects activists in a bunch of countries, and has helped to make the idea of using the internet without encryption seem crazy - "barebacking," as Jacob Applebaum memorably describes it. That's good work, and we're as far from "anti-Tor" as it's possible to get.
In fact, there's a number of criticisms of Tor that are bullshit, and are not part of any serious discussion of the issues. Yes, it's true that Tor was originally funded by the United States Department of Defense, and was supported by federal grants for years. That doesn't mean it's "backdoored" now - and in fact saying so is sort of silly, since the code is (and always has been) opensource. If there were backdoors, someone would see them. That sort of conspiracy-mongering is silly, and best forgotten. No, Tor isn't a massive Fed honeypot - if it is, and the Feds are able to run a scam like that for nearly a decade without the truth leaking out, then we're all fucked so just give up. Fortunately, it's not - it just isn't.
Still and all, Tor isn't the proverbial hammer that fits every nail just right. And, for alot of people Tor is absolutely the wrong tool for everyday network security - not because of some sort of fatal flaw in Tor, but because it's designed specifically to do some things well, and not others. That's true of all tech, and the trick is to be honest about it and work with others to stitch together various sub-tools into meta-constructs that cover everything.
A VPN service is a crucial - perhaps the crucial - element of any online security toolkit. Tor is a great extension, or addition, or temporary substitute... but it's not going to replace a VPN. There's just things a VPN can do that Tor can't, and there's some limits inherent to Tor that VPN services (good ones, anyway, like cryptostorm darknet) don't have.
We've boiled these factors down to three essentials:
1. Evil Exit Nodes are Evil - and Inescapable
One of the risks of using Tor is the problem of "evil exit nodes." The problem is pretty simple: when traffic runs through Tor, it has to come out somewhere. These departure ramps back to the plaintext internet are called "exit nodes" by the Tor folks. We have a really similar structure in the VPN world, and we also call them exit nodes. With Tor, the evil exit node problem (mostly) involves the fact that all Tor network resources - servers, basically - are donated by volunteers. It's a nonprofit project, which is why it's free to use, and thus everything has to be contributed. (there's some other, more technical, Tor exit node attacks that are beyond the scope of this little essay)
Problem is, you don't know who is running which exit node - or most folks who use Tor don't, since they just accept the default selections. There's about 4,000 exit nodes, and history shows that a chunk of them are "evil" - they are run by spy agencies, or people looking to sniff passwords from traffic, or others motivated to do bad things. By definition, traffic going through them is unencrypted on one side - it's exiting onto the plaintext internet, after all. So someone with evil intent can sniff that traffic - and also do things like inject nasty payloads into traffic streams: malware, spyware, rootkits, and so on.
Now, there's ways to protect against evil exit nodes on Tor: use SSL, run the browser in a sandbox, choose only exit nodes you (think you) know are "safe," and so on. But 99% of Tor users don't know anything about any of that - and they're vulnerable.
How are VPN exit nodes different? Pretty simple: you know who is running your VPN exit nodes - your VPN provider! Now, it's still possible for a VPN provider to be a evil 'honeypot' trap; however, it's far more straightforward how to choose a VPN company like cryptostorm that is pretty much 100% verified as not being a honeypot. Whereas, choosing your Tor exit nodes is a bit of a battle, and is a constant process too. Between the two, the decision is whether you want to roll the dice on Tor's model, or choose who you trust with a VPN provider.
Note: Tor operates in a "multi-hop" model, where each path through the Tor network is supposed to cover at least three "onion layers." This is one reason why it's slow (see #3 below). The theory is that this multi-hop model provides extra security. It's an interesting theory, but we're pretty sceptical of multi-hop handwaving in general... although Tor is not outright fraudulent in their claims, like some snake-oil VPN multi-hop nonsense we've seen over the years. In some extreme cases, Tor's "onion" model provides a marginal improvement in theoretical security.
However, even the Tor team is moving back from multi-hop as the be-all, end-all magical answer to network security - they're experimenting with single-hop models, because they're far more efficient and eat far fewer network resources. Once you start using Tor as a single-hop service, you're just using the equivalent of a VPN service... except you don't know who is running the exit node for your traffic! Which, obviously, isn't ideal.
Your VPN exit node might turn out to be evil - if your VPN company itself is evil - but a VPN company that has successfully protected customers for years, despite attacks and pressure from thugs of all stripes, is probably a better bet than some kid running a free Tor exit node for fun who, when faced with some guy holding a badge showing up at his Mum's house, is quite likely to piss his pants and let the cops have free rein of the server. Which is bad.
2. Tor only protects some of your internet data
The Tor folks built the service so that it hooks into specific applications, and asks those specific applications to use it to send and receive internet data. Jacob argues persuasively that this is a better way to architect a secure networking service.
We respectfully - but vehemently - disagree.
From its founding in 2007, the cryptostorm darknet had as a fundamental and absolutely uncompromising basic requirement that the service encrypy all data, all packets, all ports, all protocols, all traffic - when you're connected, everything comes and goes securely. Period. We're extending that with the Leakblock opensource anti-leak project we're sponsoring - that's how strongly we feel about all traffic being secured. It's almost a religious issue with us, and was the core of our founding CTO's vision for the service.
Make it absolutely clear that connected to cryptostorm = secure. That's been our core standard, and we feel it provides far better real-life securitty because 99% of internet users aren't going to successfully twiddle the proxy settings in a bunch of applications - and do it correctly - on every computer they use. They'll make mistakes, or do it right... but the application will make mistakes. Or they application does an auto-update, and wipes the proxy settings. And on and on. In real life, making network security an issue for application-layer configuration is a terrible plan. On this, we just disagree with the Tor folks.
Let us get more specific:
For alot of people, their use of Tor is as an 'extension' to their web browser: the Tor browser bundle. Their thinking is that they can just use it in that application alone - no IM, no filesharing, no email - and since the Tor team has custom-rolled a browser version to be deeply bonded to Tor as a network service, things are safe and sound. Right?
Unfortunately, no. There's a wide range of ways that web browsers can "leak" local/physical IP information - and any of those leaks will break Tor's security (to be clear, they also can break VPN security, as we've discussed in a thread here). However, because Tor is trying to stay only connected to their web browser, there's a whole bunch more possible ways Tor can fail than a comparable VPN service. All that an attacker has to do is get some IP traffic to drop outside of the web browser, and they can identify local/physical IP for someone using Tor. These aren't far-fetched attacks; instead, they're extensive, well-documented, and visible in the wild. For a toe in the water, watch this excellent presentation on Tor browser attacks. There's a bunch more than that, too. The same limitations are present in every application that you can wire into Tor.
It is possible to jigger Tor so that it tries to grab all network traffic - just like a real VPN service - but this is strongly discouraged. Because (as we discuss below) Tor is highly bandwidth-constrained, it's seriously Not Cool to hammer their network with bittorrent traffic, Mega downloads, Netflix streams, or any other such uses. Which means you have to stick some applications "onto" Tor, and not others. Which is, frankly, a huge pain in the ass - and a security disaster waiting to happen.
A serious VPN service interconnects directly with the network stack, and it sends and receives every damned packet from every application and every protocol across the secure, encrypted VPN network - period. That's how the cryptostorm darknet works, and always has - it's part of why we've begged our customers for years not to use PPTP as a VPN protocol. It's a big part of why we were the first VPN service to deploy OpenVPN exclusively, in 2007, at a time when everyone else was PPTP-only and couldn't imagine why someone would bother using a "real" protocol like OpenVPN.
We built cryptostorm to do what we'd want as customers of a VPN service: protect our internet traffic, period. No exceptions, no footnotes, no partial guarantees. That peace of mind - that when we are connected, we're protected - is backed up by the reality of full-spread coverage of all applications and protocols and ports. For many - perhaps most - people, trying to get Tor to work, application by application, is just a disaster waiting to happen... not to mention a pain in the ass.
3. Tor is sloooow
There will never be enough bandwidth for Tor to be quick. That's a simple fact - it's something the Tor folks acknowledge, and being super-fast really isn't a design goal of Tor so it's not like this is some failure on their part. Rather, it's a specialized tool that's not designed for all-day, every-day, all-application usage. In contrast, VPN service is designed for exactly that - and it's designed to be consistently fast. We see independent tests of our service that achieve 20+ megabits/second... that's something Tor simply can never, ever hope to accomplish.
Tor capacity is donated by volunteers, so it's always at a premium. You can't torrent on it (or you're not supposed to - it's really bad form), and even for simple web browsing it's slow. Some of that's the multi-hop stuff, which is overkill for almost every user of the network, but is currently default. Most of it's the donated/free model. That's a benefit - free! - and it helps people who can't pay get protection (no, it doesn't keep people safe by avoiding the payment process itself - those worried about that can pay for VPN service with Bitcoins, or cash). But it means that using it regularly is an exercise in frustration - that's not what it's form.
There's one real "solution" to Tor's slow speeds: have someone buy a whack of server capacity, and "donate" it to the project. A handful of gigabit-level dedicated servers would more than double available capacity from where it's at today, and a VPN service like cryptostorm deploys servers like that on a routine, almost daily, basis. However, if you move Tor towards having someone buy and manage big chunks of servers like that, you're basically moving it towards some weird mutated version of a "donated VPN service" - all the exit nodes controlled by one company. Which breaks the decentralized/distributed security aspect, and breaks the "volunteer" model philosophically. In other words, it becomes something like cryptostorm but paid for by donations from people. Which is sort of interesting, but clearly not what Tor currently is.
And if you centralize server capacity, within Tor, you run into the evil exit node problem even more so: who is that company donating the servers? How reliable and stand-up are they? Who else has access to the machines? Are they logging traffic? All the same questions we ask of VPN companies, basically. Which, in theory, is what Tor is supposed to avoid... so the solution just turns it into a donated clone of a VPN company. Not ideal.
Worse, the more server capacity you donate, the more demand there is - as Tor has finally admitted. There's no "magic number" where there's "enough" capacity for everyone to use. Since it's free, it attracts more participants the better/faster it works - no matter how much capacity you give it, it'll always attract more users until it's slow again... and you're right back at Square One.
Being "free" is great for things like software - it doesn't cost anything to replicate infinitely. Network resources aren't like that. They cost money still. The more you use them, the more they cost. There is no free lunch here, and Tor has no magical solution to this (nor do they claim to). In the VPN world, you see these "free" VPN services come and go like outbreaks of herpes - advertising supported, they are privacy nightmares. And slow - always. They either go kaput, or suck up tens of millions of dollars of investor money subsidizing their free model (since the adverts they carry are utterly ignored by their users, the advertisers won't pay much for the ads... the whole thing is a bad plan). It just doesn't work.
That's why real, serious VPN companies have always operated on a paid model. It sort of sucks that you have to pay - everyone loves free. But as we've seen with Google, if it's free then there's a cost: you lose your privacy when the NSA comes calling. That might be a reasonable trade for, say, a search engine... but trading privacy for a free privacy service is a special kind of dumb. Right?
Tor is a great tool. Like all tools, it's designed for specific uses - trying to loosen a screw with a hammer is going to be really frustrating, and trying to use Tor for everyday network security is similar. Back before Snowden blew the whistle on PRISM, only a relatively few folks were talking seriously about massive dragnet surveillance by the US and other big countries - mostly people figured that was a problem for "them," people who lived places like Tunisia (before Arab Spring) or Belarus. And, in that context, using Tor for "emergency" situations sort of seemed ok... because otherwise, what was the big panic?
Now, we know what the big panic is.
Any serious decision to #UnPRISM must involve decoupling physical IP from online activity - not just sometimes, but always. We quote our colleagues at Baneki, who have written in "Seeing Beyond the #PRISM" that...
5. Never connect to cloudy resources from your physical IP
This should be self-evidently true, but we'll repeat it nevertheless. If you log into your Yahoo! (do we really still need to use the !, or can we dispense with it now?) mail account from your Comcast-issued, DHCP-cycled physical IP address then you've mapped all that email traffic right to your name, address, phone number, and billing data. This isn't theoretical - it's real. It's how #PRISM collates disparate communications streams into user-based profiles: IP address.
We all know this, right? Running about with your physical IP on display, when out and about on the internet, is totally crazy. And entirely unnecessary. You can geek out and push traffic through a SSH-based proxy, or struggle through Tor's byzantine configuration decisions, or just spend a few bucks and get a no-compromise VPN account that solves the problem across the board. However you do it, decoupling your physical IP from your online activities is simply mandatory.
You can't do this with Tor. It's not designed to do this, and there's not even any credible way it could magically "scale" to do so. VPN service can do that - indeed, the cryptostorm was designed for exactly this use scenario, and to protect against exactly this kind of threat vector. Since those seminal decisions in 2007, the "VPN industry" has grown... and unfortunately along with that growth has come some really dodgy behaviour, the 'outing' of #snitchware like Hide My Ass, the rise of big-pimpin' VPN "review" sites, the spread of bizarrely self-contradictory Terms of Service, and the inexplicable development of bloatware-laden, closed-source, leaky VPN "client" applications that are security disasters on the hoof (more on that later!). Which is to say, most of the "big players" in the industry have either forgotten what the whole point was... or never knew in the first place.
Cryptocloud was one of the founders of the industry: first with OpenVPN, first with seriously privacy-centric Terms of Service, first to commit publicly to 'corporate seppuku' if some government goons try to force us to backdoor our service. Some of these have since become "standards" in the VPN industry... and some we still lead everyone else in our pioneering approach to the challenge of real network security. We built the service to protect against PRISM before anyone outside of the NSA knew what PRISM was. So in a roundabout way, the world is catching up to us... and our customers benefit from the years we've invested in doing things right.
Does that mean that Tor is somehow inferior? Not at all - not even a little bit! Tor is a special tool - a switchblade, for use in a crisis or in an extreme setting. The Tor folks are badassed coders, and genuine advocates for a free, censorship-proof future for the internet. They do good work, and have earned everyone's respect. But to expect Tor to solve the #UnPRISM challenge is totally unfair: not what it was designed to do. It can handle the security side of things, no question... but it can't handle the everyday internet usage of a whack of customers - even a few hundred heavy filesharers would bring the entire Tor network to its knees. Seriously. Whereas, for cryptostorm, we're built ground-up to support heavy filesharing and we've never throttled a connection in seven years' continuous operation. It's just a different model.
Our hats are forever off to the good folks at Tor. They have pioneered the path, and continue to solve a particular use-case need that nobody else can handle. For the rest of the #UnPRISM challenge, a robust no-compromise VPN service like cryptostorm is the tool for the job: designed for it, optimized for it, and managed to enable it.
- A note on process: if you see something in this essay that makes you crazy, call us out! Post a reply (no registration necessary, natch), make your case in our twitter feed, send us an old-fashioned email... whatever (please don't facebook us, lol: #dumpfacebook). If we're wrong - and it happens, just like anyone - we'll correct it & cite your contribution if you'd like. Or if we disagree, we'll say why we think we're on the right track. That's how real security technology works: open, direct, often passionate debate and discussion and critique. The idea is that everyone gets smarter when we all state clearly what we have to say, and when we (respectfully) challenge each other if we disagree: with facts or counter-examples or our own well-honed hunches, if it comes to that. Too often in the "VPN industry," any sort of criticism is seen as an "attack" and results in childish, counterproductive temper tantrums. Or petty, stupid personal attacks try to substitute for real security expertise. Enough of that. We're all adults - let's act like it.
The stakes are high. Now is the time to subvert the coalescing surveillance machine that threatens to engulf the entire planet in its iron grasp. We can #UnPRISM and continue to evolve a free, diverse, decentralized internet - but to do so we need good tools, and good selection of tools for specific jobs. We must all work together to spread knowledge of these tools to the huge swaths of citizens who at this moment in time have no idea - literally no idea - how to protect themselves from dragnet surveillance (they're often frantic for solutions, but easily fall prey to snake-oil nonsense or square-peg/round-hole mis-specified toolsets).
Now is the time to show leadership, and to make it count.
- ~ The Cryptostorm Team
edited to add: In this otherwise-excellent presentation on OpSec, @thegrugq initially describes Tor as a service that "fails closed." That's not accurate, unfortunately (he clarifies later on, and provides plenty of useful suggestions on creating hardware-based systems to 'fail closed' consistently). Indeed, the way that Tor can drop connection if not manually massaged (or wrapped in fairly sophisticated automation of some sort, scripting that actually works) is at the root - by most accounts - of Sabu being busted by the Feds... which resulted in Jeremy Hammond being busted, Topiary being busted, and on and on (see the linked thread for details). That said, current VPNs do not "fail closed" either. So that's a wash between the two - although the Leakblock project (twitter: @leakblock) has as its goal the provable, reliable resolution of this problem for VPNs. There's talk of a Torified version of it, but no coding has been done yet. This goes to show that security tools that are sufficiently complex to make errors eventually inevitable, and whose errors "fail open" and have serious negative consequences, are actually really dangerous. VPNs can be almost as bad, so again it's a wash - but worth mentioning in any case.