Controversies aside, Tor is gaining traction as a free, pro-human rights privacy tool. But how well does it stack up against a VPN with things like convenience, privacy-related concerns, bypassing geo-blocks, and more?
Well, the short answer is that it doesn’t. In fact, in some circumstances you might actually put your device in danger using Tor, unless you use Tor over a VPN. That includes anything valuable you keep on your hard drive, from family pictures, to work files, and even saved passwords.
How Does Tor Work?
Tor was previously known as The Onion Router because it has layers, like an onion. Tor works by rerouting your traffic through several random servers called "nodes” before it arrives at its destination (the website or service you’re trying to access). Volunteers run these nodes from all around the world.
Moreover, the nodes your traffic passes through are randomized every 10 minutes, so nobody can figure out who you are based on your online activity. As for the layers we mentioned, those are the extra layers of encryption your traffic receives as it passes through each node.
The key thing to note here is that every node is only aware of two things:
- Where the connection is coming from (i.e. the previous node in the "circuit”)
- The next node your traffic is heading towards.
As a result, the first node in the circuit knows your IP address, but not the website you’re trying to access. Meanwhile, the final exit node can see the website, but does not know you’re the one accessing it. In this respect, we have to hand it to Tor for offering a more "complete” online anonymization package than a VPN.
Want to know more? Check out our ultimate guide to Tor for a deep dive into the details.
So, why isn’t Tor a suitable alternative to VPN?
Tor is less reliable at bypassing geo-blocks
Over half of all VPN users opt for a VPN so they can access geo-blocked content, a lot of peopel use a VPN to watch Netflix, unblock Hulu, or stream BBC iPlayer outside the UK. You could technically use Tor in the same way by re-connecting until your exit node is in the country of your choice, but this is a painstaking process compared to the ease of a VPN.
And since public Tor nodes are available, services like Netflix have no problem just blocking them. In fact, the Tor developers maintain a list of services that block the network where Netflix is often featured. Meanwhile, VPN providers, particularly those that heavily advertise their ability to unblock content, continuously acquire new IP addresses for their users as services attempt to block old ones.
The only advantage Tor has in this case is that it’s completely free, allowing you to read geo-restricted articles if GDPR regulations are giving you trouble, without having to dive into your pocket. Unfortunately for Tor, there are plenty of reliable free VPNs that do the same thing without the hassle of having to reconnect 50 times before you land a good exit node.
Tor is less convenient than a VPN
Nobody likes slower internet speeds, especially if you already have a poor connection to begin with. Sadly, Tor is naturally slow given its lengthy workaround to privacy. These speeds have improved over the years, but your traffic still has to go through at least three nodes to reach its destination.
Using a VPN will also slow down your connection, which is especially true of free VPNs, but a decent VPN provider has the benefit of dedicated, high-speed servers - which can’t be said about all volunteers on the Tor network. We recommend you check out our list of the fastest VPNs to avoid slowdowns when you’re streaming your favorite shows or playing video games that require low ping.
The other thing that will bring your browsing to a halt is what CloudFlare thinks of Tor. More specifically, their data shows that a majority of requests across the Tor network come from spam bots, content scrapers, login scanners, and other malicious automation. Consequently, even innocent Tor users will be hit by irritating "CAPTCHA” tests on any website with CloudFlare protection.
It’s not that they don’t have a point with these security measures. For the moment, they’re probably the most effective way of countering bots. But if your concern is to maximize convenience over, say, staying safe from an oppressive government (journalists, whistleblowers, dissidents, etc.), then you’re better off using a VPN.
Tor has clear ties to the US government
Speaking of governments, privacy-minded people might want to know a few things:
- The Tor project was started by Dr. Paul Syverson of the US Naval Research Lab, along with then-MIT's Roger Dingledine and Nick Mathewson. Onion routing was further developed with the aid of The Defense Advanced Research Projects Agency (DARPA).
- They used to receive funding from the US government through independent third parties. Not only that, but they said themselves that sponsors get to influence the direction of the Tor project.
- FOIA (Freedom of Information Act) documents requested by a journalist suggest that Tor makes the government aware of security flaws before informing the public.
Considering how many times the NSA and other governmental or non-governmental actors have attacked the network (and partially succeeded), it puts into question how much Tor is working against overreaching governmental powers.
Of course, we have to consider the other side of the argument here:
- Since CIA, NSA, etc. agents use Tor to anonymize their online traffic, that means it should work exceptionally well for non-agents too.
- DARPA were key players in developing what eventually became the internet as we know it today. Believe it or not, the government can also fund good research!
Finally, it might seem strange that the US government is funding the project while simultaneously trying to exploit its every vulnerability. But we need to remember that the government isn’t a single entity. It’s not unfeasible that one part of the government would try to catch actual bad people on the network, while another tries to perfect anonymization software for its own agents.
Governments and ISPs Can Block Tor
Just as Netflix can block exit nodes, so can an ISP, and your government can even create firewall rules against them by using the public Tor node list. They’ve already done it in Venezuela, Turkey, and (surprise, surprise) China.
There are, of course, obfuscation methods called 'Tor bridges' that allow users to connect to the network even if their country tries to block it. Currently, there are only about 1000 of them and they are not listed publicly, making them much harder to block. The problem, which is recognized by the Tor developers, is that they can still end up on a block list, so they constantly need new volunteers to act as bridges.
VPNs can also be blocked (for example, by blocking the IP of known VPN servers) – but there are just as many ways of bypassing VPN blocks as well.
Malicious Exit Nodes Are a Huge Problem
Remember how exit nodes could see what service you’re trying to access, but not your identity? Well, they don’t really need to know anything about you to cause some damage. According to ThreatPost, an exit node was adding malicious code to binaries (i.e. any non-text file) downloaded through Tor.
As the article puts it, this could cause massive trouble if the malicious actors found a way to insert their code into a crucial service like Windows or OS X updates. Something seemingly secure and trustworthy could become a dangerous weapon against people who are simply trying to protect their privacy.
This is why we mentioned that your device could be at risk. Previously, over 110 Tor nodes have been caught snooping on user traffic.
While your privacy is somewhat protected with exit nodes unable to see who the traffic belongs to, WikiLeaks managed to intercept over 1 million documents transferred using the Tor network. Of course, this exposed some shady dealings of the powers that be, but it is a clear-cut example of exit nodes being able to harvest data on a massive scale, which could inevitably be used to identify you depending on what the documents contain.
There are a few other things that could be said about Tor. For one, its slow speeds make it a poor choice for P2P file-sharing. In fact, it’s considered poor manners as it slows down the network for other users, too. Before using it for data-intensive services like torrents or streaming, please think of users who live under oppressive regimes and depend on the Tor network for safety.
Another thing to keep in mind regarding exit nodes is that you never know how trustworthy that node is. Let’s say more people join the Tor network and you have a statistically higher chance of landing a good one. Well, that node is still subject to data collection and subpoenas asking for that data.
Considering many Tor volunteers aren’t especially technically savvy, that doesn’t bode well for your data security. In the case of no-logs VPNs, you know that they don’t keep any tabs on your online activity. Obviously, it depends on how much trust you put in your provider as well, but the same can be said of any Tor node.
All of this isn't to say that Tor is useless. It has plenty of uses that a VPN cannot offer, such as protecting against browser fingerprinting, which makes it all the more upsetting that the service is struggling with the coronavirus pandemic and requesting donations as support. But if your threat level is at the point where browser fingerprinting is a worry, then we recommend you check out the Tor over VPN guide, anyway.