Differences between using Tor browser and VPN
I can't quite figure out the differences between using the Tor browser and using a VPN (like concretely proXPN). From what I understand the idea is the same, that they both hide the IP address. The only difference that I can see is that Tor seems slower because it has to pass through several computers.
So is using the Tor browser better in terms of hiding your identity and online traffic? Is there a difference between who can see your traffic?
(I am guessing that there is a difference.)
(I see this question Which is more secure - a VPN, a proxy-server, Tor, etc.? And why so, exactly? was closed as being too broad, but I hope my question is a bit more concrete.)
Tor provides anonymous web browsing but does not provide security. VPN Services provides security (sort of) and anonymity, but the anonymity might be more in question depending on the service. Since you're depending on them not logging pieces of information that may or may not be able to be traced back to you.
A traditional Virtual Private Network does not extend your ISP. A VPN extends an existing private network across a public network. For example, let's say my company has a private network with email servers, web servers (intranet), and DNS setup for company related services. It's a private network for company employees only. However, some employees want to work from home. A VPN is set up so that employees can securely connect to the private network remotely. This provides two features:
- Authentication - Users present their credentials to gain access to the VPN
- Encryption - The entire tunnel between the remote user and the private network's gateway is encrypted.
Take that last statement: "The entire tunnel between the remote user and the private network's gateway is encrypted." Once you're through the gateway, communication is un-encrypted. Unless the services within the private network itself use another means of secure communication.
Keep in mind that no anonymity is provided by this setup. In fact, the company knows exactly what IPs are connecting to its private network.
Nowadays VPN seemingly takes on many meanings, and online/cloud/[insert Internet buzzword here] have complicated things. We see questions now, "Which VPN takes your anonymity seriously?" What has happened is that VPN Services have become a kind of "secure anonymity service". A service will provide secure communications to a proxy server that will then dump your communication out into the clear to whatever your destination.
This is kind of like what a traditional VPN does, except now the statement of "a VPN extends your ISP" is kinda true. Now you're just encrypting the first half of your communications. It extends in the sense that you can access websites and services you might not normally be able to due to your geographic location. But "extends" really isn't the right word to use.
Take ExpressVPN for example, it advertises the following:
- Encrypt your Internet traffic and hide your IP address from hackers and spies.
- Access any website or app without geographic restrictions or censorship.
Take out "Encrypt your Internet traffic" from the first statement, and you basically have an anonymous proxy. But now that the tunnel is encrypted it's a VPN to your anonymous proxy (gateway) that then forwards your traffic on, into the public Internet.
Onion routing was designed to provide complete anonymity to a connection. It accomplishes this with encryption. Three layers of encryption. When using the Tor Network a path is determined with a minimum of 3 nodes (can be more). Encryption keys are setup and exchanged between you and all three nodes. However, only you have all of the encryption keys. You encrypt your data with each of the nodes' keys starting with the last node's (exit node) and ending with the first (entry node). As your data moves through the network a layer of encryption is peeled off and forwarded to the next node.
As you can see the exit node decrypts the last layer, and forwards your data to its destination. Which means your data is in "plaintext"1 at this time, but complete anonymity is accomplished. With at least 3 nodes no node knows both the source and destination.
Anonymity not Security
Tor does not promise secure communications. Encryption is only used to provide anonymity between nodes, your data is not encrypted otherwise. This is why it is still highly encouraged to use HTTPS-enabled websites while using Tor. As @LieRyan mentioned in another thread's comment, sending personally identifiable information through Tor without using other security measures will break any anonymity that Tor provides.
As far as traffic visibility if there is an admin on the network they will be able to see your traffic. Let's take a situation with a VPN: you have your remote laptop R and your private network gateway/secure anonymous proxy (G). Now you have a private network IP that is encrypted from R to G. A network admin sitting on G can see your plaintext1. As stated above if you are using another secure protocol like SSL/TLS through the VPN/VPN Service then the "plaintext" is really encrypted, and the network admin would not see anything but encrypted data.
So this really depends on where the network admin is sitting in the connection, and whether or not you use a secondary secure protocol underneath the VPN. This same logic applies to Tor. Because as I stated earlier encryption is only used for purposes of maintaining anonymity.
Both traditional VPNs and VPN services are to protect against external visibility into the network. Neither of them will protect you from authorized administrators for the network you're on. It's all about protecting your data from unauthorized eyes. Even with SSL/TLS, a website that you're visiting sees your decrypted traffic. It has to in order to process the request. Admins on that website can see those same requests and/or log them. It's the security protocols used initially and in between that make the biggest difference in the security of communication.
1 It's plaintext as far as the data that was sent is seen here. If the data is encrypted with something like SSL/TLS before going through the onion routing then the encrypted data would be seen at this point.
Which _security_ does VPN provide though? With Tor, you have to trust the exit node operator, and with VPN you must trust the man who has physical access to the machine where VPN server runs. In both cases there is a possibility that the exit node mistreats your data, and it will see the plaintext if TLS isn't used.
@SargeBorsch It depends on how you're using a VPN. If you're using a VPN for its original intended purpose which was to securely bridge two private networks then the *security* is that you can communicate between your two networks without someone eavesdropping on your traffic. If you're using internet VPN services to anonymize your traffic then I'd argue they add no *security* at all. Tor is the same, they don't advertise that they provide security. They advertise anonymity.