Tor and other VPN alternatives
Tor has long been regarded as the gold standard for privacy and anonymity. See how easy it is to go dark.
VPNs are advertised as being a boost for privacy, security and anonymity. Those nouns may well apply in particular situations. But it’s hard to call a VPN an anonymous service when you have to sign up with a very un-anonymous credit card. And it’s hard to say for sure if they’re private or secure if you’re talking about a bunch of effectively centralised servers that no one can audit. Fortunately there are alternatives, and one you’ve probably heard of is Tor (formerly known as The Onion Router).
Similar to a VPN, Tor proxies traffic through encrypted tunnels, obfuscating users’ IP addresses. It’s different though because no one entity owns Tor. Anyone can run a Tor node and anyone can connect to it for free, without any sign-up process. Tor connections – ‘circuits’ – are routed over at least three Tor nodes, with each hop unwrapping a layer of encryption (hence the old Onion name) to discover the next. In this way there’s no correlation between the first and final nodes. Tor is used in two ways: either as an intermediary to regular web service, or to access Tor’s hidden services, which have their own .onion domain names.
All manner of Tor users
You might have heard of Tor being used for organised crime, assassinations for hire, or any number of other bad things. Malfeasance certainly takes place there, but there are a number of legitimate services operating on the onions, too. The BBC News website, for example, is blocked in countries that would rather its citizens only tune in to state media. So since 2019 the BBC has operated a Tor service at www.bbcnewsv2vjtpsuy.onion.
Not exactly easy to remember, but a small price to pay to access a free press. Tor service names are generally 16-character long random strings, but with a little effort it’s possible to personalise the first few letters. Facebook (also blocked in a number of countries, but not necessarily deserving of a mention in a privacy feature) operates a Tor service at https://facebookcorewwwi. onion, for example.
It’s worth mentioning that logging into Facebook and Google type services does tend to identify you to some extent. Those ad-tracking cookies and Like and Share buttons follow you around whether you’re using a VPN, Tor or both. More on how to evade them over the page. For now just make sure you’re logged out of these services if you’re doing anything other than using them on Tor. Again, we’ve got ahead of ourselves and haven’t told you how to use Tor. Let’s remedy that by visiting www.torproject.org/download and downloading the Tor Browser Bundle.
The Linux build ships as a tar.xz archive, which on Ubuntu at least can be opened with the Archives utility. Extract it to your home folder (or wherever you like) and then run the bundled desktop file to add it to your Applications menu:
$ cd ~/tor-browser_en-US/ $ ./start-tor-browser.desktop --register-app
If you don’t like having a static copy of the Tor browser in your home directory then you can add the Debian repository (it’s not recommended to use the edition in the Ubuntu repos). How to do that is explained at https://support.torproject.org/apt/tor-deb-repo. If you look on FlatHub (or if your distro’s application manager
plugs into that) you can also avail yourself of the Tor Browser Launcher. This automates the process of downloading, configuring and keeping the browser up to date.
That browser, as you’ll see when you launch it, is a customised version of the Firefox ESR release. Hit the Connect button and see if you’re able to connect to Tor.
It’ll take a few seconds to establish relays and circuits and such, but even if you’re behind a firewall it should still find a way. In some countries publicly listed Tor
relays are blocked, but there are options to remedy this. In the Tor Settings page you can opt to use a bridge, which may come from a Tor Project listing or a trusted source. It’s much harder to block Tor bridges since a complete list of all of them doesn’t and can’t exist.
Once connected try and view your favourite website (which obviously is linuxformat.com) and you’ll see one of the main drawbacks of Tor. It’s slow. Sometimes very slow. All bandwidth on Tor has effectively been donated, so it’s considered bad form to (try to) use it for dataheavy activities such as streaming video. And if you use YouTube, since you have to sign in to watch videos, all you’re really doing is telling Google that you’re using Tor.
And that will inform future adverts it chooses to sling your way. Another odious technique the bad VPN sites use is to try to claim they’re better than Tor because Tor
is slow. Unfortunately lots of VPNs, especially bad ones, have some sort of bandwidth limits, too.
Exit, stage left
The bad VPNs vs Tor debate covers other areas too. It’s been well-publicised that occasionally people operate malicious exit nodes. These are the last hop before traffic leaves the Tor network and is routed to the requested resource. If the user is accessing a Tor Service, i.e. a .onion address, then exit nodes are not used. Otherwise they can see which domains etc are being accessed. Rather like a VPN provider can (in theory, if they accidentally left their no-logging option perhaps). Unlike the VPN case though, the exit node has no knowledge of the users IP address. So again this argument is specious. It’s probably more accurate to say that bad Tor exits are better than bad VPNs. Although neither are that good, really.
If you want to find other Tor sites, a good starting point is The Hidden Wiki. This is a regular website (you can access it without Tor) full of links to popular Tor sites. We would tell you the address, but since some of those sites aren’t exactly a family show we’ll leave it for your favourite search engine. By default the Tor Browser uses
Permanent Private Browsing mode, which will delete all cookies and site data when the browser is closed. Like Firefox’s regular Private windows it also isolates different website cookies from one another, making it harder (if not outright impossible) for ad trackers to do their respective things.
Much ado is made of the fact that Tor was originally a Naval Research Project, and for a long time was funded by the US Department of State. There is still some government funding for Tor, but most contributions come from the private sector. A famous NSA presentation titled Tor Stinks was leaked by Edward Snowden in 2013. In it, our favourite three letter agency decried their inability to decrypt Tor traffic, but noted that targeted de-anonymisation was theoretically possible, with some effort. So there’s no secret Tor back door, but all kinds of attacks have been both theorised and attempted. In 2014 researchers at Carnegie Mellon University carried out a successful deanonymisation attack against Tor. Two years later it was confirmed that the USG had paid Carnegie SEI institute a considerable sum to research this. And that the aim of the exercise was to catch the operator of a darknet marketplace, which they duly did.
So Tor isn’t impenetrable, and new and inventive ways will be found to attack it. But it’s an open source project, and as such findings will be shared and, we’d hope, vulnerabilities fixed. There are malicious nodes operating (see https://bit.ly/lxf286-kax17-vs-tor-users), but also lots of smart people tracking them. Your VPN company might do the same, but as @SwiftOnSecurity once said, “I don’t use a VPN because I’d rather Comcast aggregate my data than some dude wearing a dolphin onesie in his basement in Zurich.”
KEEP YOUR TOR USAGE LIGHT “All bandwidth on Tor has effectively been donated, so it’s considered bad form to (try to) use it for data-heavy activities such as streaming video.”