negative zero

VPN vs. Tor

2020 November 25

[opinion] [privacy] [tech] [tor] [vpn]


I wrote a post two days ago titled Should you Use a VPN? in which I said that in most cases, you should use Tor for anonymity rather than a VPN. That post, however, did not really explain the difference, as it was mostly focused on explaining the concept of a VPN.

I wrote a post yesterday titled How Does Tor Work? to explain what Tor is and how it works.

This post will briefly describe the two, then compare and contrast them to help users make informed decisions about when to use each.


What Are These?

First, let's briefly explain what Tor and VPNs are.


VPN

A Virtual Private Network (VPN) for our purpose refers to an encrypted proxy server. Normally, when you use the internet, your computer connects to another computer somewhere, called a server. In some situations, you don't want the server to know it's you connecting, or you're worried that someone is eavesdropping on your connection to the server, so you privately contact a different computer (the VPN proxy server) and ask it to connect to the destination server and relay messages on your behalf.

If we think about the internet like the postal service, instead of having someone send you mail directly, you use your friend Victor's address. When you want to send someone a letter, you write the letter, put it in an extra envelope addressed to Victor, and send it off. When Victor receives it, he opens the envelope addressed to him, then mails out the letter to its actual recipient. When the recipient sends you a letter back, they send it to Victor. Then Victor puts it in an envelope addressed to you and forwards it on.

For a much, much longer explanation, see my post from two days ago.


Tor

Tor is similar but more complicated. Basically, instead of just sending your web traffic through one proxy server, you send it through three, and you use layers of encryption to ensure that each link in the chain only knows the identity of the previous link and the next link.

The mail analogy for this involves putting at least three envelopes around a letter. You send the letter to Alice. Alice opens the outermost envelope to find another envelope addressed to Bob. She forwards this to Bob. Bob opens the outermost envelope to find another envelope addressed to Carol. He forwards it to Carol. Carol opens the outermost envelope to find the actual letter (possibly also in an envelope) and forwards it to the actual recipient.

Alice only knows she forwarded something from you to Bob; she doesn't know what it was or who the final recipient was. Bob only knows he forwarded something from Alice to Carol. He doesn't know what it was, who sent it, or who will eventually receive it. Carol knows she's forwarding a letter from Bob to the recipient. She knows who the recipient is, and if the letter is not properly protected with an envelope, she can read it, like Victor can in the VPN analogy. But unlike Victor, Carol doesn't know who sent this letter; she only knows that she got it from Bob.

For a longer explanation, see my post from yesterday.
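
The envelope analogies above can be run as code. This is an added example, not code from Tor or from the original posts: it nests one encrypted envelope per hop and records what each hop can observe, with the single-hop case standing in for Victor's VPN. The toy cipher, the hop keys, and the names `xor_layer`, `wrap` and `route` are assumptions made for illustration; real Tor negotiates keys with each relay and uses proper cryptography.

```python
import hashlib
import json

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream XOR): same call encrypts and decrypts.
    Illustration only, not secure and not what Tor uses."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(letter, recipient, hops):
    """Sender side: seal the letter in one envelope per hop, innermost first."""
    nxt, body = recipient, letter
    for name, key in reversed(hops):
        envelope = xor_layer(key, json.dumps({"next": nxt, "body": body}).encode())
        nxt, body = name, envelope.hex()
    return bytes.fromhex(body)  # outermost envelope, handed to the first hop

def route(sender, letter, recipient, hops):
    """Pass the packet along the chain and record what each hop can observe."""
    packet, prev, seen, delivered = wrap(letter, recipient, hops), sender, {}, None
    for i, (name, key) in enumerate(hops):
        layer = json.loads(xor_layer(key, packet))  # this hop opens only its own envelope
        last = i == len(hops) - 1
        seen[name] = {"from": prev, "to": layer["next"],
                      "readable": layer["body"] if last else None}
        if last:
            delivered = layer["body"]
        else:
            packet = bytes.fromhex(layer["body"])
        prev = name
    return delivered, seen

# Constructed sample keys; real systems negotiate a key with each hop.
TOR_HOPS = [("Alice", b"key-alice"), ("Bob", b"key-bob"), ("Carol", b"key-carol")]
VPN_HOPS = [("Victor", b"key-victor")]

if __name__ == "__main__":
    for label, hops in (("VPN", VPN_HOPS), ("Tor", TOR_HOPS)):
        _, seen = route("you", "hello", "recipient", hops)
        for hop, view in seen.items():
            print(label, hop, view)
```

Victor's view contains both "you" and "recipient", while no single hop in the three-hop chain sees both ends.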


Comparison

Now, let's compare and contrast VPNs with Tor.


Anonymity

VPNs provide privacy from sites and your ISP, but the VPN provider will still know everything you do.

Tor provides strong anonymity; with Tor, no one should know both who you are and what you're doing.


Speed

Both VPNs and Tor will slow down your web traffic some because your traffic has to go through additional computers, beyond yours and the destination server's.

That said, VPNs tend to be much faster than Tor, so when using a VPN, you'll likely notice much less slowdown. The main reason for this is that VPNs involve fewer hops. It's you, VPN, server. With Tor, you have 3 hops in the middle: you, Tor node 1, Tor node 2, Tor node 3, server.

Speed may also be affected by other factors. VPNs are generally run by for-profit companies that might be able to afford better infrastructure, while Tor nodes are run by volunteers.

I've been using Tor for a long time (probably around 7 to 10 years), and the network has definitely gotten faster over time. But it will always be slow to route your traffic through 3 additional computers, compared to only 1 or connecting directly to the server.


Price

VPNs cost money. There are free VPNs, but they are not to be trusted. They often collect and sell your browsing data. VPNs are a commercial product; if you don't understand how the company is making money, you're the product.

This also means it's a lot harder to avoid identifying yourself to the VPN company. It's hard (not totally impossible, but at the very least inconvenient) to pay for internet services without identifying yourself.

Tor doesn't cost money. Unlike free VPNs, this isn't suspicious because Tor is free software, and the network is run by volunteers, rather than companies trying to profit off of you. The more people use Tor, the harder it is to deanonymize traffic. Therefore, it's in the best interests of the Tor network to make Tor accessible to as many people as possible.


Centralization

VPNs are centralized services, meaning the VPN service is controlled by one company. This means that company knows everything you do while connected to the VPN. They could be logging all your activity, and if asked, they could sell or turn over a history of everything you did while using that VPN. They also have the power to unilaterally shut off your service.

By contrast, Tor is decentralized. No one owns the Tor network. Lots of different people run Tor nodes. No node should individually have a full picture of what you do while using Tor. If someone wants to find out what you were doing on Tor, or to deanonymize a specific Tor user, they would need cooperation from multiple nodes, probably located in multiple legal jurisdictions. The Tor network cannot unilaterally shut off your service. If an individual node doesn't want to let you use it, for whatever reason, you can just use a different node instead, owned by a different person.

(There are other things to be said about Tor and decentralization, but they're out of the scope of this post.)


Torrenting

Torrenting is one of the primary uses for a VPN. When you use BitTorrent to share files back and forth with other internet users, your ISP will know you're connecting to those users, and it may even know what files you're sharing. Also, all the users you're connected with will know your IP address and be able to identify you. Someone who wants to know who's downloading a specific file might join a swarm sharing that file and record which other people are in that swarm.

Obviously this is a privacy concern. Since BitTorrent is often associated with sharing copyrighted material, your ISP may not like you generating this type of traffic. So it makes sense to instead use a VPN provider that's okay with you torrenting using their network (not all are), so your ISP doesn't know that you're torrenting. (Your traffic will look just like all other VPN traffic.) Other people in the swarm will see your VPN's IP address, rather than your own.

Again, remember this is not strong anonymity. Your VPN provider could be keeping logs (even if it says it's not), and someone who wants to know which user torrented something could just ask the provider. But in some cases, it's a better precaution than nothing.

Don't torrent over Tor. Tor does not protect your identity effectively when using BitTorrent, and BitTorrent puts a strain on the volunteer-run network.


Mainstream Acceptance

VPNs have more mainstream acceptance than Tor. Normal people use VPNs sometimes, especially since they're being promoted to non-techies through sponsored ads on YouTube videos and podcasts and such. By contrast, Tor is seen as this weird niche thing that only criminals and privacy enthusiasts use.

Use of either one might make your traffic look "suspicious" to some sites, but because VPNs are more mainstream, sites are less likely to block VPN users than they are to block Tor users. Many sites are anti-privacy and will block both or require users to identify themselves before granting access.


Default Scope

VPNs (usually) are system-wide. When you turn on your VPN client, all your traffic is routed through that VPN.

Tor is usually application-specific. A specific program (Tor Browser, for instance) connects to the Tor network, while the rest continue to connect normally.

It doesn't have to be that way. The proprietary Chromium-based browser Opera (which I do not recommend using) includes what Opera calls a "browser VPN" which provides the same type of encrypted proxy connection as other VPNs but is restricted to only affect Opera's web traffic. On the other end, the Tails operating system routes all traffic through Tor.

I don't have a lot of analysis to give on this matter, but I think it's worth mentioning. A system-wide proxy can help prevent you from accidentally leaking information by not sending it through the proxy. On the other hand, if all traffic goes through the proxy, that might include identifying information you didn't want to share over the VPN.


Software and Ease-of-Use

Again, this is about defaults because anyone can write VPN software or software that uses the Tor network.

On common GNU/Linux distributions, OpenVPN is often included in the default desktop installation, as part of NetworkManager. It can be configured like the rest of your network settings. On other platforms, you will probably need to download additional software to use good protocols like OpenVPN.

Many VPN providers have their own program you can install and run to connect to their VPN. Some are free software, but I would guess most are nonfree. They also may only be available on some platforms (like Windows). There is free software that can be used on all major platforms to connect to VPNs using OpenVPN or other protocols, but this may not be as hassle-free as your provider's official client.

Tor is free software. The main way to use Tor to browse the web is with the Tor Browser program, which is a modified version of Mozilla Firefox with more privacy-conscious settings and tweaks that runs on the Tor network. Tor Browser is free software. It's very easy to use - just download and run! (I do recommend changing the security settings, though, as the default prioritizes ease-of-use over security. Click the little shield to the right side of the URL bar to access these settings.)

Using Tor with other applications is harder because it involves configuring proxy settings in those applications, and it may involve the use of the command line.


Using a VPN and Tor Together

Sometimes people talk about this, so I figured I should explain.


Tor over VPN

In this case, your traffic looks like:

You - VPN - Tor - Server

Some people say that you should never connect to Tor directly because you don't want your ISP to know you're using Tor. But VPNs, being more mainstream, will be less suspicious to your ISP. There may be some truth to this argument. Generally when people say this, they follow it up with a link to a VPN service that sponsors their page. This makes this argument more suspect.

In this situation, using Tor bridges (which are not publicly listed) and pluggable transports (which try to obfuscate the fact that you're using Tor) can help, without you having to pay for a VPN service.

Here's a relevant post.

If you want to do this anyway, here's how:

  1. Connect to your VPN
  2. Connect to Tor (using Tor Browser, for instance)

That's it. Your ISP will see that you're using your VPN but not the nature of the traffic. The VPN server will know you're using Tor, but not what you're doing. Tor works as normal - no one knows both who you are and what you're doing.


VPN over Tor

In this case, your traffic looks like:

You - Tor - VPN - Server

Don't do this.

The use case for this would be something like, your ISP blocks normal VPNs but not Tor (which would be very strange), or you need to use a specific VPN server, but you want to access it anonymously. Since you (generally, at least) need to authenticate yourself to a VPN server to use it, this use case doesn't really make sense.

This would also be a lot easier to misconfigure, and authenticating yourself to the VPN server defeats the point of using Tor to connect to it. Just don't do it.


Conclusions and Notes

Reasons to use Tor instead of a VPN


Reasons to use a VPN instead of Tor


Overall Conclusion

You should use Tor for most purposes where anonymity is desired, but Tor is just not well-suited for some activities, like torrenting.