What is the advantage and disadvantage of VPN over TOR
Werner Schram
wrschram at gmail.com
Thu Dec 24 14:25:50 UTC 2009
Rashkae wrote:
> arshad wrote:
>
>> On Thu, 2009-12-24 at 06:52 -0500, Rashkae wrote:
>>
>>> arshad wrote:
>>>
>>>> and how to configure a VPN in jaunty? (i don't have a VPN router, I'm
>>>> connecting to internet using mobilephone)
>>>> thank you very much.
>>>>
>>>>
>>>>
>>> Advantage: none whatsoever
>>>
>>> Disadvantage: You'll be routing your vpn traffic through routers
>>> controlled by other people, who include a handful of University computer
>>> science departments and even the NSA, who will all be given the first
>>> chance to sniff all your traffic for passwords and what not.
>>>
>>> It should go without saying, this is not at all what TOR is designed for.
>>>
>>>
>> so you mean,
>> TOR is better than vpn?
>>
>
> A vpn tries to keep the communication between two computers secure and
> private. TOR strives to prevent two computers which are communicating with
> each other from seeing each other. Not only are they two completely
> different objectives, in several ways, they can be considered mutually
> exclusive. (Unless you are trying to connect to a vpn with stolen
> credentials and want to prevent the vpn owner from tracing the connection
> back to you.)
>
>
>> i would like to confirm the following with TOR:
>>
>> 1) the site i visit doesn't know where i originate from
>>
>
> Correct
>
>
>> 2) an eavesdropper cannot intercept the message
>>
>
> No such protection. In fact, a security researcher recently published a
> whole whack of government officials' e-mail username and password because
> he noticed several people using TOR mistakenly thinking it was a
> security tool rather than an anonymizer. If you are sending any kind
> of username / password over TOR, you defeat the purpose entirely.
> (unless, as I said, the username/password aren't yours.)
>
>
>
>> 3) ISP doesn't know which sites visited.
>>
>>
>
> Maybe, though there's nothing stopping the ISP from participating in
> TOR, and maybe end up being part of the chain that brokers the
> connection. I don't know enough about TOR internals and encryption to
> give information on how successful this goal will be.
>
Tor uses entry, relay and exit nodes. When you use tor, you make a
connection to a random entry node. The entry node connects a path to a
random relay node, which makes a connection to a random exit node. Your
communication will be encrypted from you till the exit node, so the
entry and relay node cannot read it. This way, the entry node doesn't
know the destination (because of the encryption), and the exit node
doesn't know where it is from (because that information is only known by
the entry node and removed from the packet header). So to know both the
origin and the destination of packets traveling through TOR, you must
control an entry, relay and exit node, and make sure the client uses
that path. So even if your ISP participates in TOR, it is extremely
unlikely that they will be able to track your traffic. Of course this is
assuming that you are not enclosing any identifiable information in your
package content, in which case the exit node will be able to identify you.
To repeat what Rashkae already noted, TOR does not provide any
protection for your content at all, it merely anonymizes the destination
(before tor entry) or the source (after tor exit).
Werner
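
Added example, not part of the original message and not Tor's own code: a toy three-hop circuit that records what each node can observe, following the entry/relay/exit description in the reply above. The node names, keys, addresses, login line and the SHA-256 keystream cipher are assumptions made up for illustration and stand in for Tor's real cryptography.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in, not Tor's crypto."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(path, keys, destination, payload):
    """Client: build the onion inside out, one encrypted layer per node."""
    hops = path[1:] + [destination]  # where each node must forward to
    cell = payload
    for key, nxt in zip(reversed(keys), reversed(hops)):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = keystream_xor(key, layer)
    return cell

def route(client, path, keys, cell, secret):
    """Each node peels one layer; record what that node is able to observe."""
    views, prev = [], client
    for node, key in zip(path, keys):
        layer = json.loads(keystream_xor(key, cell))
        cell = bytes.fromhex(layer["data"])
        views.append({"node": node, "sees_from": prev,
                      "sends_to": layer["next"], "sees_content": secret in cell})
        prev = node
    return views, cell

# Constructed sample circuit: names, keys and the login line are made up.
PATH = ["entry", "relay", "exit"]
KEYS = [b"key-entry", b"key-relay", b"key-exit"]
PAYLOAD = b"USER alice PASS hunter2"  # application data sent without TLS

def demo():
    cell = wrap(PATH, KEYS, "mail.example.org", PAYLOAD)
    return route("client-ip", PATH, KEYS, cell, PAYLOAD)

if __name__ == "__main__":
    views, delivered = demo()
    for view in views:
        print(view)
    print("delivered to destination:", delivered)
```

Only the exit node reports `sees_content` as true, and no single node sees both `client-ip` and `mail.example.org`.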