There was a time when we all thought we were supposed to use a VPN. Could the Tor Browser be the next generation of security? I have to admit, it’s a bit scary at first blush. The prospect of my communication bouncing around the computers of countless volunteers around the world doesn’t sound a bit secure to me. But after a grad student working on his doctorate in political science told me I should take a look, I did. See for yourself at…
www.torproject.org/projects/torbrowser.html.en
I had thought this “Tor” deal was mainly for the dark web. But as I checked into it more and more, I discovered that the very components attracting terrorists and drug dealers (the anonymous nature of Tor) were the same components attracting LOTS of people who just want general minimum web security. Think of Tor as a kind of “bit coin” view of the web. Tor prevents sites from discovering your physical location, your identity, and your web browsing habits. In 1 minute or so, you can learn how it works by watching this brief video:
https://www.youtube.com/watch?v=6czcc1gZ7Ak
What’s YOUR opinion of Tor? Any I.T. professionals willing to weigh in with a comment? You can do so anonymously, whether you’re browsing via Tor or not. : ) Just click Comment following the web version of this item. Thanks in advance for sharing! (Thanks for suggesting that we look into this, Caleb! : ) )
Tor won’t make you “secure”. Neither will VPN, nor any other technology, including things like anti-virus and firewalls. The problem is that there is no such thing as “secure”, as a binary yes/no answer. Security is not a destination, but a journey.
Before you address specific methodologies, you have to do the exercise of threat assessment: who is the opponent, what are their capabilities and intentions, why do they have reason to oppose you, and what are you trying to protect?
All the tools have specific uses to defend against specific threats, but even then, what is relatively secure today may be completely exposed tomorrow, when some new vulnerability or attack methodology is discovered. And with attack vectors, they may vary greatly in relative severity. I’ve seen it happen too often when a new vulnerability is found that generates lots of attention, but where the threat is mostly theoretical, and exploitation requires a very specific set of conditions.
With things like Tor and VPN, it’s essential to quantify who your opponent(s) is/are. If you’re a missionary working in a creative access country, it’s easy to over-focus on threats coming from your host government. In some places, that’s appropriate. In other places, there may be opponents that are more dangerous, both in-country and externally. In-country, opponents may not be governmental, as much as people who fear the kind of influence you may have, especially if it’s a threat to their own power and activities. There’s also lots of external threats, ranging from governments of neighboring countries and western governments, as well as diaspora communities, academics, and more. Even the criminal element can be a serious issue — the criminals may have zero interest or care about who you are, what you’re doing or why, they just want to find ways of exploiting your resources for their own profit.
All that said, the primary premise of Tor is to anonymize your activities, by obscuring where you’re coming *from*, but that’s one of the common uses of a VPN. For missionaries, the interest in VPN tends to be for proxying, of obscuring their outbound activities from in-country ISPs, but many don’t pay particular attention to what happens to traffic after it passes through a VPN provider. For the kind of anonymization that Tor provides, the most common reason to use tends to be activist type people or reporters, of trying to get information out of a country, without disclosing the source of that information. That’s actually harder than many understand, as a lot of communication will show the IP address of an insertion point, and in turn, it can often be easy to find physical location.
If you’re trying to hide the source of where you’re working from, Tor can work better than a VPN. With a VPN, it’s much more likely that your traffic is hitting the public Internet from the same point (i.e., “exit node”), although larger VPNs typically have more exit nodes, and may not route traffic through the same exit nodes consistently. With Tor, there are many more exit nodes, routing is randomized, and the result is a bigger haystack in which to hide the proverbial needle.
Tor really doesn’t accomplish a lot for proxying outbound traffic, any more than a VPN can. It might do it a little more cheaply, especially by comparison to a free VPN provider. As a general thing, I strongly discourage use of free VPN providers, because they have to have a revenue stream to keep their services going, and one of the common ways of making “free” work is to insert ads inside the VPN connection. With Tor, it’s a cooperative, where there’s a lot more altruism in the motivation of the providers, and less capacity for commercial exploitation.
The likely negatives to Tor:
– Tor has a finite number of exit points, and among practitioners, it’s believed that various Western signals monitoring agencies (NSA, GCHQ in Britain, DGSC in France, and likely other countries with advanced capacities) know where most of the exit nodes are. Thus, if you’re trying to keep stuff away from those people, or others that those are friendly with, you probably won’t be as protected as you think you are.
– Use of Tor may cause performance issues. Encryption does add a small measure of performance hit, but routing through Tor’s system may be an issue if your exit point isn’t relatively close to the site(s) you’re trying to navigate to. This is also an issue with VPN, but perhaps more so with Tor.
– With both Tor and VPN, your traffic is encrypted only as far as your exit point. With VPN, that means that it’s absolutely essential that your provider is trustworthy, because they have access to all your content. With Tor, the decentralized nature is such that you’re less vulnerable (but not zero) from untrustworthy providers. However, once your traffic leaves the exit point, for both Tor and VPN, it’s totally open to the Internet, in the same way it would be if you’re making direct access through your ISP.
One other item: even if using Tor, that may not necessarily obscure your browsing habits. If you regularly visit the same site, over time, your habits will become evident to the site operator with repeated usage, even if you’re visiting from a variety of IP addresses.
Tor (and VPN) can be useful for certain activities to protect against certain threats, but neither is a panacea, that makes everything “secure”.
Wow — COMPREHENSIVE response! We can learn a TON from your reply. Thanks!
One other potential negative about use of both Tor and VPN is that “bad guys” also use those kinds of services as a way of masking problem activities (e.g., spam, botnet controllers, etc.)
Thus, if a particular IP address has been identified as being used for problematic activities and is considered “dirty”, some sites may block access from traffic that goes through that IP address.
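The site-side decision described in the last comment, as an added example that is not part of the original post or comments: a request's source address is matched against a reputation feed, and the response is graded rather than a flat block, because a shared Tor or VPN exit address carries many unrelated users. The feed format, category names and action names are assumptions made for this example, and every address is constructed from documentation ranges.

```python
import ipaddress

# Constructed reputation feed (documentation-range addresses only).
# Assumed format: "<address-or-CIDR> <category>"; '#' starts a comment.
SAMPLE_FEED = """\
# shared exit addresses flagged for abuse (constructed data)
192.0.2.10        spam
198.51.100.0/24   botnet-c2
2001:db8:10::/48  spam
203.0.113.7       anonymizer   # exit address with no abuse reports
not-an-ip         spam
"""

# Hypothetical policy: only the most severe category is refused outright.
ACTIONS = {"botnet-c2": "block", "spam": "challenge", "anonymizer": "allow-and-log"}
SEVERITY = ["allow", "allow-and-log", "challenge", "block"]


def parse_feed(text):
    """Return a list of (network, category); malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 2:
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # a bad feed line must not take the whole feed down
        entries.append((net, fields[1]))
    return entries


def decide(client_ip, entries):
    """Return the strictest action of any feed entry containing client_ip."""
    addr = ipaddress.ip_address(client_ip)
    action = "allow"
    for net, category in entries:
        if addr.version == net.version and addr in net:
            # Unknown categories fall back to a challenge, not a block.
            candidate = ACTIONS.get(category, "challenge")
            if SEVERITY.index(candidate) > SEVERITY.index(action):
                action = candidate
    return action


FEED = parse_feed(SAMPLE_FEED)
```

A user who happens to leave through 198.51.100.77 is refused even though the abuse came from someone else on the same range, which is the side effect the comment describes.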