Slicing Onions: Part 2 – Onion recipes; VPN not required.

When I explained the myths surrounding Tor in my last post, I realized that in addition to outright myths about the protocol, inaccurate suggestions about how to use Tor properly are everywhere. This often includes worrying advice on connecting to Tor via VPN services, proxies, or other anonymity systems. So in this part of the “Slicing onions” series, I will attempt to clarify why you should not combine Tor with such networks and techniques and highlight the negative consequences if you do.

How This Technology Works

To help illustrate why combining Tor with other services is sub-optimal, here’s a recap of how Tor, VPNs and proxies work. Those who read the first blog in the series or are familiar with the protocols may skip this.

Tor

Tor works by sending your traffic through a network of voluntarily run nodes (also called “servers” and “relays”) that bounce your traffic around three random nodes spread across the planet before reaching its final destination, a website for example. See below for a simple visualization:

To protect your traffic, Tor will encrypt your packets three times. Each node only has the key to remove its own layer. Once a node removes its encryption layer, it will be able to see which node the packets should go to next, and this continues until your traffic is decrypted at the last node, which forwards it to its final destination. The exact reverse process happens for return traffic, as shown in the graphic below:

So what do we learn from this? Well we learn that Tor allows us to connect to a website without any single party knowing the entire path. The first node knows who you are, but not where you are going; the second node doesn’t know who you are OR where you are going; and the last node knows where you are going, but not who you are. Because the last node makes the connection, the destination website will never know who you are (the IP address of the originating device).
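The layered encryption and "each node knows only its neighbours" property described above, as an added worked example that is not code from this blog and not Tor's real cryptography: a toy keystream cipher built on SHA-256 stands in for Tor's AES layers, the relay and client addresses are constructed, and the random per-relay keys stand in for the circuit handshake. Each relay strips exactly one layer, learns only the next hop, and only the exit sees the cleartext request; the reply is wrapped in reverse and unwrapped by the client.

```python
"""Toy onion-routing walkthrough (added example; constructed addresses and a
constructed cipher, not Tor's protocol)."""
import hashlib
import json
import os

# Constructed addresses for the illustration.
CLIENT = "client:203.0.113.10"
GUARD, MIDDLE, EXIT = "guard:198.51.100.1", "middle:198.51.100.2", "exit:198.51.100.3"
DEST = "example.com:80"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: XOR data with SHA-256(key||nonce||counter).
    Illustration only; real Tor uses AES-CTR with keys from a Diffie-Hellman handshake."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Add one onion layer: nonce || enc_key(next_hop || payload)."""
    nonce = os.urandom(16)
    inner = json.dumps({"next": next_hop, "payload": payload.hex()}).encode()
    return nonce + keystream_xor(key, nonce, inner)


def peel(key: bytes, cell: bytes):
    """Remove one layer with this relay's key; returns (next_hop, remaining payload)."""
    nonce, body = cell[:16], cell[16:]
    inner = json.loads(keystream_xor(key, nonce, body))
    return inner["next"], bytes.fromhex(inner["payload"])


def build_circuit():
    """One symmetric key per relay, shared only between the client and that relay."""
    return {GUARD: os.urandom(32), MIDDLE: os.urandom(32), EXIT: os.urandom(32)}


def send_request(keys, request: bytes):
    """Client wraps three layers (exit's innermost), then the cell walks
    guard -> middle -> exit. Returns what each hop and the destination observe."""
    cell = wrap(keys[EXIT], DEST, request)      # exit learns destination + cleartext
    cell = wrap(keys[MIDDLE], EXIT, cell)       # middle learns only "forward to exit"
    cell = wrap(keys[GUARD], MIDDLE, cell)      # guard learns only "forward to middle"

    view = {}
    prev = CLIENT
    for hop in (GUARD, MIDDLE, EXIT):
        nxt, cell = peel(keys[hop], cell)
        # Each relay sees: who handed it the cell, where it goes next, and the
        # payload it forwards (still ciphertext except at the exit).
        view[hop] = {"from": prev, "to": nxt, "payload": cell}
        prev = hop
    view[DEST] = {"from": EXIT, "request": cell}   # destination sees the exit's IP
    return view


def send_reply(keys, reply: bytes) -> bytes:
    """Return path: exit, then middle, then guard each add their layer while
    passing the cell back; the client peels all three in guard/middle/exit order."""
    cell = wrap(keys[EXIT], MIDDLE, reply)
    cell = wrap(keys[MIDDLE], GUARD, cell)
    cell = wrap(keys[GUARD], CLIENT, cell)
    for hop in (GUARD, MIDDLE, EXIT):
        _, cell = peel(keys[hop], cell)
    return cell


if __name__ == "__main__":
    circuit = build_circuit()
    for hop, seen in send_request(circuit, b"GET / HTTP/1.1").items():
        print(hop, {k: (v if k != "payload" else f"{len(v)} bytes") for k, v in seen.items()})
    print("client received:", send_reply(circuit, b"HTTP/1.1 200 OK"))
```

Running it shows the guard's view containing the client address but not the destination, the middle's view containing neither, and the exit's view containing the destination and the cleartext request (which is exactly why the post later warns that exit nodes can snoop plain HTTP).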

Proxies

A proxy is a server that acts as an intermediary for requests from your device to other devices or services (websites etc.). An anonymous proxy will not forward your email address to the destination site, so it can protect your privacy. It will always be possible for the proxy owner to know both where you connect from (your IP) and what you connect to (the destination website/server). Proxies do not necessarily protect your traffic with SSL/TLS encryption, so unless you connect to the destination via HTTPS they can see your content too.

This shows a simple proxy server without encryption:

VPN Services

Strictly speaking, a VPN (Virtual Private Network) is the extension of a private network across a public one. The best example of this is connecting to a corporate network over the internet to access applications and files at your workplace. VPNs are encrypted to protect the content of the private network from being accessible outside the VPN.

VPN services that we may use as consumers are a little different. These are really just groups of encrypted proxies that we can pick from instead of connecting directly to destination sites. This hides your IP from the destination site as described above, and the encryption hides your content and destination from your local network and ISP (anything between your device and your VPN provider’s server).

VPNs suffer from the same weakness as proxy servers, in that the VPN provider will always know your IP and destination and HTTPS is still required to hide your content from them.

Here is a VPN server in action; note that the connection from you to the VPN server is encrypted, but not the connection from there to the destination:

The Issue With Centralized Trust

Now that we understand how these technologies work, I will explain why the last two are problematic in the context of anonymity. With VPNs and proxies, the entire path is known to the provider of the service. Therefore, your anonymity is only as strong as the provider’s promise.

Imagine letting someone you don’t know put a gun against your head and being fine with it, because for $5 a month they will promise not to pull the trigger. That would be crazy now wouldn’t it? What if someone else offers them $500 to break their promise? $5000? $5000000?

With Tor, the entire path will never be known, and the user will be safe; trust is distributed across all the nodes you use. It’s like giving one person the gun, another the bullet, letting the third hold a rubber chicken to your head, and not paying any of them any money!

Another benefit of Tor is that with more than 6000 nodes spread across the globe, watching all traffic going in and all traffic going out is much harder and more expensive than watching the servers of a VPN provider (most have tens or low hundreds). If your threat model includes capable adversaries working to de-anonymize you, Tor will make that much less likely.

Why 3 is better than 1

Now that you understand the issue, you should start to see why a VPN is not an option for anonymity. It can make tracking harder, but you still have to trust one single party. With Tor, you don’t need to trust any single party. So let’s spell out the pros and cons:

  1. Tor
     Pros: Hides your IP address; encrypts traffic, preventing local network or ISP snooping; when using Tor Browser, intelligently separates streams to avoid traffic correlation; free to use, which is a double benefit as it leaves no financial trail; easy to use with a simple app on Android or any desktop OS; most censorship can be evaded using bridges; fast enough to watch 720p and sometimes 1080p videos (nowadays!).
     Cons: Speed is often slower than a single-hop VPN, as it depends upon all 3 nodes in your current circuit, and is probably not going to play 4K video; some services block Tor nodes in a misguided attempt to deny access to bad actors (refreshing your circuit may find an unblocked node); exit nodes could snoop HTTP traffic; torrenting will be slow and is strongly discouraged as it hurts Tor and breaks anonymity; no UDP support (Signal requires this for VoIP calls).

  2. VPN services
     Pros: Generally fast and low latency; most are easy to use with apps for any OS; hides your IP address and encrypts traffic to the VPN server, preventing local network or ISP snooping; usually fast enough to watch high-res 4K videos; torrents will work; UDP is possible.
     Cons: Absolute trust placed in a single point of failure. Your VPN provider can see who you are and where you are going, and, when not using HTTPS, the content of your traffic; leaves a money trail unless paid for with cash or cryptocurrency; the provider sees your real IP address and could be pressured into cooperation by the local government to hand over data; the VPN server can be hacked to retrieve all data; anonymity depends on the policies and the security of a single server.

Why 2 is not better than 1

The worst piece of advice I commonly see is to use both Tor and a VPN. Tor is not intended to be run with a VPN or in combination with other services. I absolutely do not recommend ever running Tor with a VPN. By doing so you essentially create either a permanent entry or exit node, which often also has a money trail. You also create more attack surface for near-zero theoretical benefit. The two commonly proposed configurations are:

Tor over VPN. Here a user will first connect to the VPN server, and then connect to Tor. The most common rationale behind this setup is to hide Tor usage from an ISP or to circumvent censorship of the Tor network. This is unnecessary, as you can hide Tor usage and circumvent censorship by using bridges. You can either use the bridges that are included in Tor Browser for this, or request other bridges in any of the ways described here. A bonus of bridges is that they don’t leave a money trail, which VPNs often do. The last blog explained that even if you were to end up on a watch list, it would be a uselessly large list, as Tor has more than 2 million daily users. It strikes me as very naive to imagine that someone powerful enough to trace you over the Tor network will be stopped by a $5 a month VPN service.

VPN over Tor. Here a user will first establish a connection to the Tor network before connecting to the VPN service. The purpose of this is to reach services that are blocking Tor nodes. This setup may succeed in making access to such services easier, but it is terrible for anonymity for two reasons: VPN providers often know you from the money trail; and Tor splits your data streams across different circuits precisely to prevent traffic correlation from de-anonymizing you, but with this setup all of your traffic will come from the VPN provider’s IP, making correlation a LOT easier.

Conclusion

As you can see, in the vast majority of cases where a VPN could be used, Tor would easily suffice. Not only is it free to use, it actually allows you to browse anonymously. This is impossible with a VPN service by design. A VPN is privacy by policy; Tor is privacy by design. This isn’t to say VPNs are completely useless: they do protect your IP address from the websites you visit, protect you from local network adversaries, and also allow you to watch 4K footage.

Generally, you should be using Tor if anonymity and privacy are your goals, or indeed if you just want to help improve the availability of anonymity to others who need it and make mass surveillance harder. There is more to consider though: your IP address is just one of the many ways you can be tracked. Another threat comes in the form of browser fingerprinting, which is the topic of my next blog post: [Slicing onions: part 3 – Don't leave your fingerprint!]()

If you have feedback on this article, or would like to debate the topic with me, then you can reach me in any of the ways listed on my About page.