Tor vs VPN | When To Use Which
Category: darknets
19 Jan 2014
Tor and VPNs often get compared side-by-side, but unfortunately they are often conflated and treated as competing products. However, in reality neither is necessarily better than the other. Rather, Tor and VPNs are simply different. While a VPN may be more suitable in one context, Tor may be more suitable in another context. This guide will break down Tor and VPNs so that you know when to use which.
How They Work
Before you can understand the strengths and weaknesses of either system, you first need to have a basic understanding of how each of them works. If you already understand this, you can skip this section, otherwise give it a read.
What VPNs do is take your connection, encrypt it, and pass it through a server. This means that instead of your computer directly contacting Google.com, it first goes to a server, and then to Google.com. This process provides a couple of benefits.
- First, the encryption and diversion of your traffic means that anybody in-between you and the server cannot see what you're doing or who you're actually talking to. For example, if you're using public wifi, anyone else on the network watching your connection will just see jumbled garbage sent to a random server. The same applies to your Internet Service Provider (ISP).
- The second benefit is that the site you're visiting will think that you're somewhere that you're not. For example, if you're in Madrid and the VPN server is in Tokyo, any site that you visit will think you're from Tokyo. This allows you to get around geographic restrictions on services like Netflix or Hulu, and also adds to your privacy by preventing websites from knowing your real location.
Of course, there's a catch. Anything that you do through a VPN is also known by the operator of the VPN. While many VPN services claim not to log activity, we have to remember that this is simply a promise to us (and promises can be broken). If the VPN provider got a court order they'd most likely find a way to somehow link the activity back to you, either by revealing that 'oops, we log some things after all', or by starting to log only your account for any future activity without your knowing. So while VPNs are great for low risk situations, they're by no means ideal for when you need serious anonymity against a state actor.
Tor works somewhat differently. Instead of directly connecting to a server of your choice, your connection is encrypted, bounced around three other servers (usually called 'relays' or 'nodes'), before being decrypted and sent to your destination.
Importantly, while the first server you connect to knows your location, the second server in the chain only knows that the data came from the first server, and the third server only knows that the data came from the second server. This provides you anonymity, as the third server cannot know the origin of the data. With the vast majority of Tor servers not being malicious (they do not log activity), it is nearly impossible to relate the data at the end of the chain to an origin point. In fact, this anonymization strategy is so effective that the NSA can rarely de-anonymize a Tor user, even with significant effort.
Moreover, because Tor encrypts your connection, it provides the same benefits as a VPN for stopping middle-men, such as your ISP, from seeing your traffic. There is one caveat to this, though. The last server is where the decryption occurs, creating a point of vulnerability where your data can be spied upon. A malicious operator of the last server in the chain (called the 'exit relay') has the ability to read all the decrypted data. Therefore, if you're sending sensitive or private data through a regular unencrypted HTTP connection (which you shouldn't be doing anyway), then the operator of the exit relay can read everything. Nevertheless, if you're using HTTPS, which can usually be enabled with an add-on like HTTPS-Everywhere, then your data is safely encrypted and you have relatively little to worry about. Furthermore, even a malicious server couldn't deanonymize you unless the content was personally identifiable (i.e. includes your email, name, address, etc.).
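The layering described above can be made concrete with a small model. This is an added example, not code from the original article and not Tor's actual protocol: the cipher is a toy stand-in, and the relay names, keys, destination and request are constructed for illustration. It records what each relay learns and what the exit relay ends up forwarding.

```python
import hashlib, json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). A stand-in, not Tor's real cryptography."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def build_onion(path, keys, destination, payload):
    """Client side: wrap the payload once per relay, innermost layer for the exit."""
    hops = path[1:] + [destination]          # where each relay must forward to
    onion = payload
    for relay, hop in reversed(list(zip(path, hops))):
        cell = json.dumps({"next": hop, "data": onion.hex()}).encode()
        onion = keystream_xor(keys[relay], cell)
    return onion

def relay_peel(key, cell):
    """Relay side: remove this relay's own layer; it learns only the next hop."""
    layer = json.loads(keystream_xor(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def trace(path, keys, client, onion):
    """Pass the onion along the path, recording the previous and next hop each relay sees."""
    views, prev = {}, client
    for relay in path:
        nxt, onion = relay_peel(keys[relay], onion)
        views[relay] = {"from": prev, "to": nxt}
        prev = relay
    return views, onion                      # onion is now what the exit forwards

# Constructed sample data (hypothetical names, keys and request).
PATH = ["guard", "middle", "exit"]
KEYS = {r: hashlib.sha256(r.encode()).digest() for r in PATH}
REQUEST = b"GET /login?user=alice HTTP/1.1"   # plain HTTP, no TLS

if __name__ == "__main__":
    onion = build_onion(PATH, KEYS, "example.com:80", REQUEST)
    views, forwarded = trace(PATH, KEYS, "client-ip", onion)
    for relay, view in views.items():
        print(relay, view)
    print("exit relay forwards:", forwarded)
```

Only the guard sees the client address and only the exit sees the destination, but the exit also handles the request in the clear. Had the payload been TLS ciphertext, the exit would forward ciphertext instead.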
When To Use a VPN
At this point you're probably thinking that Tor is better due to the anonymity that it provides. However, Tor's anonymity comes at the cost of speed, as it is generally much slower than a VPN. While it's still usually fast enough for browsing static sites, downloading torrents or watching HD videos is not only painfully slow, it hurts the entire network. This is where VPNs shine.
VPNs are perfect for situations where the threat level is low and bandwidth is high. Low threat situations are those where the cost or risk of being deanonymized would bring little, if any, harm to you. Examples of this could include anything from casually browsing the internet while avoiding Google Analytics, to torrenting your favourite Linux distribution. Effectively, VPNs are great for achieving privacy in everyday browsing, and low-risk/bandwidth-heavy applications.
When To Use Tor
Tor is best used for situations which require a high level of anonymity. If your threat level is high and it is possible that more capable actors, such as law enforcement, would try to deanonymize you, then you need to be using Tor.
This means that if you're a journalist dealing with sensitive sources or documents, a whistleblower, a political activist, or a citizen living in an oppressive regime where the internet is heavily surveilled, then the promises provided by VPN companies are not enough. Use Tor. Keep in mind, though, that Tor shouldn't be trusted as though it is bulletproof. Given enough time, it should be assumed that deanonymization is possible by agencies such as the NSA. This is where OPSEC comes into play. Nevertheless, the NSA isn't going to waste its time deanonymizing you unless you are very high value, and using Tor is better than not.
That being said, if the only people who used Tor faced threat levels as high as these, the network would not be diverse enough to be safely used. Tor requires a diversity of users, otherwise it could be assumed that every Tor user should be investigated. So, if you're browsing sites which are low in bandwidth, such as Reddit, then Tor is a great option. Not only is it free to use, with perfectly acceptable speed for static content, but, as Bruce Schneier once said, by using Tor you are directly providing cover for those who need it to survive. Just remember that while Tor requires diversity, it doesn't require unnecessary network load, so keep the torrenting to a VPN.
In essence, if you are a casual user who is concerned about your privacy, then use a VPN. Alternatively, if you're a casual user who doesn't mind slightly more latency, isn't sending sensitive traffic over unencrypted HTTP connections, and isn't using a great deal of bandwidth, then go for Tor and add some diversity to the network to help out the third group of people: those whose lives depend on anonymity. If your adversary is more dangerous than a DMCA complaint, then Tor is a necessity. Use it, and use it wisely, keeping in mind that the system is merely a tool for anonymity, and bad habits can still reveal you to a truly motivated and powerful adversary.
Also keep in mind that these suggestions are generally applicable rules of thumb. There are other factors which may pull you in one direction or another, but following these general guidelines is a good place to start. Lastly, a reference that everyone can benefit from is The Grugq, who teaches operational security (OPSEC), in other words good security habits. Without proper OPSEC even the best anonymity tools can be rendered useless.