What is the advantage and disadvantage of VPN over TOR

arshad arshad3m at gmail.com
Thu Dec 24 14:45:57 UTC 2009


On Thu, 2009-12-24 at 15:25 +0100, Werner Schram wrote:
> Rashkae wrote:
> > arshad wrote:
> >   
> >> On Thu, 2009-12-24 at 06:52 -0500, Rashkae wrote:
> >>     
> >>> arshad wrote:
> >>>       
> >>>> and how to configure a VPN in jaunty? (i don't have a VPN router, i'm
> >>>> connecting to internet using mobile phone)
> >>>> thank you very much.
> >>>>
> >>>>
> >>>>         
> >>> Advantage: none whatsoever
> >>>
> >>> Disadvantage: You'll be routing your vpn traffic through routers
> >>> controlled by other people, who include a handful of University computer
> >>> science departments and even the NSA, who will all be given the first
> >>> chance to sniff all your traffic for passwords and what not.
> >>>
> >>> It should go without saying, this is not at all what TOR is designed for.
> >>>
> >>>       
> >> so you mean,
> >> TOR is better than vpn?
> >>     
> >
> > A vpn tries to keep the communication between two computers secure and
> > private.  TOR strives to prevent two computers which are communicating with
> > each other from seeing each other.  Not only are they two completely
> > different objectives, in several ways, they can be considered mutually
> > exclusive.  (Unless you are trying to connect to a vpn with stolen
> > credentials and want to prevent the vpn owner from tracing the connection
> > back to you.)
> >
> >   
> >> i would like to confirm the following with TOR:
> >>
> >> 1) the site i visit doesn't know where i originate from
> >>     
> >
> > Correct
> >
> >   
> >> 2) an eavesdropper cannot intercept the message
> >>     
> >
> > No such protection.  In fact, a security researcher recently published a
> > whole whack of government officials' e-mail usernames and passwords because
> > he noticed several people using TOR mistakenly thinking it was a
> > security tool rather than an anonymizer.  If you are sending any kind
> > of username / password over TOR, you defeat the purpose entirely.
> > (unless, as I said, the username/password aren't yours.)
> >
> >
> >   
> >> 3) ISP doesn't know which sites visited.
> >>
> >>     
> >
> > Maybe, though there's nothing stopping the ISP from participating in
> > TOR, and maybe end up being part of the chain that brokers the
> > connection.  I don't know enough about TOR internals and encryption to
> > give information on how successful this goal will be.
> >   
> Tor uses entry, relay and exit nodes. When you use tor, you make a 
> connection to a random entry node. The entry node connects a path to a 
> random relay node, which makes a connection to a random exit node. Your 
> communication will be encrypted from you till the exit node, so the 
> entry and relay node cannot read it. This way, the entry node doesn't 
> know the destination (because of the encryption), and the exit node 
> doesn't know where it is from (because that information is only known by 
> the entry node and removed from the packet header). So to know both the 
> origin and the destination of packets traveling through TOR, you must 
> control an entry, relay and exit node, and make sure the client uses 
> that path. So even if your ISP participates in TOR, it is extremely 
> unlikely that they will be able to track your traffic. Of course this is 
> assuming that you are not enclosing any identifiable information in your 
> package content, in which case the exit node will be able to identify you.
> 
> To repeat what Rashkae already noted, TOR does not provide any 
> protection for your content at all, it merely anonymizes the destination 
> (before tor entry) or the source (after tor exit).
> 
> Werner
> 
> 

thank you very much Werner,
i understand this now. :)
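
An added illustration of the entry, relay and exit path described in the quoted reply above (not part of the original thread): the client wraps a message in one layer per node, each node removes only its own layer, and the exit node ends up holding the plaintext. The node keys, the destination `mail.example.org` and the login string are constructed, and the HMAC-based XOR stream is a toy stand-in for Tor's real cryptography.

```python
import hashlib
import hmac
import json
import os

def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode); a stand-in, not Tor's real cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))

def unseal(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap(path, keys, destination, payload):
    # Client builds the onion inside-out: the exit's layer is innermost.
    next_hops = path[1:] + [destination]
    body = payload
    for node, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "body": body.hex()}).encode()
        body = seal(keys[node], layer)
    return body

def route(path, keys, client, onion):
    # Each node peels one layer and records what it can observe.
    views, sender, blob = [], client, onion
    for node in path:
        layer = json.loads(unseal(keys[node], blob))
        blob = bytes.fromhex(layer["body"])
        views.append({"node": node, "from": sender, "to": layer["next"], "sees": blob})
        sender = node
    return views

def demo():
    path = ["entry", "relay", "exit"]
    keys = {n: os.urandom(32) for n in path}          # one key shared with each node
    payload = b"USER alice PASS hunter2"              # constructed plaintext login
    onion = wrap(path, keys, "mail.example.org", payload)
    return route(path, keys, "client", onion), payload

if __name__ == "__main__":
    views, _ = demo()
    for v in views:
        print(v["node"], "from", v["from"], "to", v["to"], "sees", v["sees"][:24])
```

The entry node's view contains the client but only ciphertext, while the exit node's view contains the destination and the login in the clear, which is why credentials sent over Tor need their own end-to-end encryption such as TLS.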
