Tor and other VPN alternatives
Tor has long been regarded as the gold standard for privacy and anonymity. Let’s see how easy it is to go dark
VPNS ARE ADVERTISED as being a boost for privacy, security, and anonymity. Those nouns may well apply in particular situations. But it’s hard to call a VPN an anonymous service when you have to sign up with a very un-anonymous credit card. And it’s hard to say for sure if they’re private or secure if you’re talking about a bunch of effectively centralized servers that no one can audit. Fortunately, there are alternatives, including one you’ve probably already heard of, Tor (formerly known as The Onion Router).
Similar to a VPN, Tor proxies traffic through encrypted tunnels, obfuscating users’ IP addresses. It’s different, though, because no one entity owns Tor.
Anyone can run a Tor node and anyone can connect to it for free, without any sign-up process. Tor connections— or ‘circuits’—are routed over at least three Tor nodes, with each hop unwrapping a layer of encryption (hence the old Onion name) to discover the next.
In this way, there’s no correlation between the first and final nodes. Tor can be used in one of two ways: either as an intermediary to regular web service or to access Tor’s hidden services, which have their own .onion domain names.
ALL MANNER OF TOR USERS
You might have heard of Tor being used for organized crime, assassinations for hire, or any number of other bad things. Malfeasance certainly takes place there, but there are a number of legitimate services operating on the onions, too. The BBC News website, for example, is blocked in countries that would rather its citizens only tune in to state media. So, since 2019 the BBC has operated a Tor service at www.bbcnewsv2vjtpsuy. onion. Not exactly easy to remember, but a small price to pay to access a free press.
Tor service names are generally 16-character long random strings, but with a little effort, it’s possible to personalize the first few letters of a string. Facebook (also blocked in a number of countries, but not necessarily deserving of a mention in a privacy feature) operates a Tor service at https://facebookcorewwwi. onion, for example.
It’s worth mentioning that logging into Facebook and Google-type services does tend to identify you to some extent. Those ad-tracking cookies and Like and Share buttons follow you around whether you’re using a VPN, Tor, or both. More on how to evade them over on the following page. For now, just make sure you’re logged out of these services if you’re doing anything other than using them on Tor. Again, we’ve got ahead of ourselves and haven’t told you how to use Tor. Let’s remedy that by visiting www.torproject.org/download and downloading the Tor Browser Bundle.
Extract it to your home folder (or wherever you like) and then run the bundled desktop file to add it to your Applications menu:
$ cd ~/tor-browser_en-US/
$ ./start-tor-browser.desktop --register-app
If you don’t like having a static copy of the Tor browser in your home directory, then you can add the Debian repository.
How to do that is explained at https://support. torproject.org/apt/tor-deb-repo.
If you look on FlatHub (or if your application manager plugs into that) you can also avail yourself of the Tor Browser Launcher. This automates the process of downloading, configuring, and keeping the browser up to date.
That browser, as you’ll see when you launch it, is a customized version of the Firefox ESR release. Hit the Connect button and see if you’re able to connect to Tor. It will take a few seconds to establish relays and circuits and such, but even if you’re behind a firewall, it should still find a way. In some countries, publicly listed Tor relays are blocked, but there are options to remedy this. On the Tor Settings page, you can opt to use a bridge, which may come from a Tor Project listing or a trusted source. It’s harder to block Tor bridges since a complete list of all of them doesn’t and can’t exist.
Once connected, try and view your favorite website and you’ll see one of the main drawbacks of Tor. It’s slow. Sometimes very slow. All bandwidth on Tor has effectively been donated, so it’s considered bad form to (try to) use it for data-heavy activities such as streaming video. And if you use YouTube, since you have to sign in to watch videos, all you’re really doing is telling Google that you’re using Tor. And that will inform future adverts it chooses to sling your way.
Another odious technique the bad VPN sites use is to try to claim they’re better than Tor because Tor is slow. Unfortunately, lots of VPNs, especially bad ones, have some sort of bandwidth limits, too.
EXIT, STAGE LEFT
The bad VPNs vs Tor debate covers other areas too. It has been wellpublicized that occasionally people operate malicious exit nodes. These are the last hop before traffic leaves the Tor network and is routed to the requested resource. If the user is accessing a Tor Service, i.e. a .onion address, then exit nodes are not used. Otherwise, they can see which domains are being accessed. Rather like a VPN provider can (in theory, if they accidentally left their no-logging option perhaps). Unlike the VPN case though, the exit node has no knowledge of the user’s IP address. So again this argument is spurious. It’s probably more accurate to say that bad Tor exits are better than bad VPNs. Although neither is that good, really.
If you want to find other Tor sites, a good starting point is The Hidden Wiki. This is a regular website (you can access it without Tor) full of links to popular Tor sites. We would tell you the address, but since some of those sites aren’t exactly for family viewing, we’ll leave it for your favorite search engine. By default, the Tor Browser uses Permanent Private Browsing mode, which will delete all cookies and site data when the browser is closed. Like Firefox’s regular Private windows, it also isolates different website cookies from one another, making it harder (if not outright impossible) for ad trackers to do their respective things.
Much is made of the fact that Tor was originally a Naval Research Project, and for a long time was funded by the US Department of State. There is still some government funding for Tor, but most contributions come from the private sector. A famous NSA presentation entitled ‘Tor Stinks’ was leaked by Edward Snowden in 2013. In it, our favorite three-letter intelligence agency decried their inability to decrypt Tor traffic but noted that targeted de-anonymization was theoretically possible with some effort. So there’s no secret Tor back door, but all kinds of attacks have been both theorized and attempted.
In 2014, researchers at Carnegie Mellon University carried out a successful de-anonymization attack against Tor. Two years later it was confirmed that the USG had paid Carnegie SEI institute a considerable sum to research this. And that the aim of the exercise was to catch the operator of a darknet marketplace, which they duly did.
So Tor isn’t impenetrable, and new and inventive ways will be found to attack it. But it’s an open-source project and, as such, findings will be shared and, we’d hope, vulnerabilities fixed. There are malicious nodes operating ( see https://bit.ly/lxf286-kax17-vstor-users), but also lots of smart people tracking them. Your VPN company might do the same, but as @SwiftOnSecurity once said, “I don’t use a VPN because I’d rather Comcast aggregate my data than some dude wearing a dolphin onesie in his basement in Zurich.”