Both Tor and VPNs are privacy tools with pros and cons, which we’ll closely examine in this VPN vs Tor guide. So which one of these tools is best for you? That depends on your own unique needs and threat model.
Helping you select the best option for your use case is the goal of this guide. Here are the areas we’re going to examine in comparing Tor vs VPN:
- Encryption and security
- Browsing, streaming, and torrenting
- Ease of use
1. Speed: VPN vs Tor
With speeds, there is a huge difference between VPNs and Tor.
VPN: With VPNs, I can often get around 150 Mbps with nearby servers on a 160 Mbps (non-VPN) connection. Here’s an example with ExpressVPN on a server in Switzerland:
Now let’s look at Tor.
Tor: Although Tor speeds have slightly improved over the years, it is still much slower than VPNs. Tor suffers from high latency due to the traffic being routed over three relays. In testing Tor, my speeds average around 5 Mbps, but I can sometimes get 9-10 Mbps if the relays are good, such as here.
Notice above the latency is very high with the Tor network. This results in sluggish performance and websites being slower to load.
2. Encryption and security: VPN vs Tor
Tor: Tor uses a layered system of encryption that incorporates perfect forward secrecy. Traffic is passed through three relays, all of which are encrypted:
- Guard relay – The first relay in the circuit, which can see your IP address.
- Middle relay
- Exit relay – The last relay in the circuit where your traffic exits onto the regular (unencrypted) internet. A malicious exit relay could potentially see your data and modify traffic.
By default, traffic with Tor is routed through these three hops before exiting the Tor network circuit.
With Tor, encryption only works within the browser. This means everything else on your operating system, such as documents, torrent clients, updates, etc. are exposing your traffic and real IP address to the unencrypted internet. In my opinion, this is one major drawback of Tor.
VPN: Most VPNs secure traffic via OpenVPN or IPSec protocols with the connection also being encrypted with perfect forward secrecy. OpenVPN is the most common protocol, usually secured with an AES 256-bit cipher, which is universally considered very secure. Some VPN providers still offer weaker forms of encryptions, such as PPTP for streaming purposes, but this is no longer considered secure.
Most VPN providers only route traffic through one hop. There are a few multi-hop VPN services, which can route traffic over 2-4 hops.
Unlike with Tor, a VPN encrypts all traffic on your operating system. This offers a higher level of protection since it is not restricted to only a browser.
3. Anonymity: VPN vs Tor
Anonymity closely ties in to the previous section on security and how strong the underlying encryption is against exploits that could de-anonymize the user.
Tor: With Tor, there have been various cases over the years showing that it can be exploited. Specifically, a court case in 2017 proved the FBI can de-anonymize Tor users and determine their real IP address and activities:
In this case, the FBI managed to breach the anonymity Tor promises and the means used to collect the evidence from the dark web make up a sensitive matter. The technique is valuable to the FBI, so the government would rather compromise this case rather than release the source code it used.
There is also other evidence illustrating how government actors can identify Tor users, thereby rendering Tor useless as a tool for anonymity.
VPN: Unlike with Tor, I have not seen any evidence of governments being able to break strong, correctly-configured VPN encryption, such as OpenVPN with an AES-256 cipher. There is evidence that weaker VPN protocols, such as IPSec and PPTP, are vulnerable to exploits, but OpenVPN appears to remain secure when implemented correctly.
When governments have targeted specific VPN users, they have done so not by cracking the encryption, but by pressuring the VPN service to log specific users. Examples:
- FBI pressured IPVanish into logging data of a specific user for a criminal case.
- FBI pressured PureVPN into logging data of a specific user for a cyberstalking case.
Exploitation in the wild (the key difference)
This is the big difference between Tor and VPN is how each has been exploited. With Tor, the FBI is able to break/exploit Tor and identify Tor users. (Their methods for doing this are classified.)
With VPNs, the FBI could not break the encryption, but instead had to pressure the VPN service itself to target a specific user and log data. This again proves the importance of using a trustworthy VPN in a good jurisdiction (outside of 5/9/14 Eyes countries) that can remain independent.
4. Cost: VPN vs Tor
Cost may be a deciding factor for some people.
Tor: One big advantage with Tor is that it’s free. The Tor Project is a non-profit funded by various sources, but mostly the US government (we’ll discuss this more below).
VPN: One drawback of VPNs is that they can be rather expensive.
ExpressVPN, for example, runs about $6.67 per month. On a positive note, there are also some cheap VPN services that are more affordable. There are also free VPN apps available, but studies show these to be bad choices that are often riddled with flaws and adware.
5. Browsing, streaming, and torrenting: Tor vs VPN
I’ve been testing VPNs and Tor for a number of years and here’s my impression.
Tor: When using Tor, you will definitely notice a performance tradeoff. Latency (ping) will be much higher and so will your bandwidth speeds.
- Browsing: Regular browsing will be more sluggish as traffic is routed through three Tor network relays.
- Streaming: Due to high latency and slow speeds, streaming will not work well. Tor has gotten faster over the years, but streaming videos is still problematic, especially in high definition.
- Torrenting: You should not use Tor for torrenting, as stated by the Tor Project. Even if you configured a torrent client to route traffic through the Tor network, torrent speeds would be horrible. (Better to use a VPN for torrenting instead.)
VPN: If you are using a good VPN, you should not notice any negligible difference in relation to your non-VPN speeds.
- Browsing: Browsing should be just as fast (little to no difference).
- Streaming: Streaming should also be good (I regularly stream Netflix with a VPN).
- Torrenting: VPNs may decrease torrenting speed somewhat, but it shouldn’t be huge.
6. Ease of use: Tor vs VPN
Both Tor and VPNs are easy to use.
Tor: As long as you are using the unmodified Tor browser, then Tor is easy to setup and use.
- Download the Tor browser bundle.
- Click the button to connect to the Tor network.
However, manually configuring Tor on another browser can be challenging. Setting up apps to go through the Tor network can also be difficult. And you may run into issues when trying to use Tor on mobile devices, but there are options for that as well.
VPN: VPNs are also easy to use.
- Sign up for a VPN subscription.
- Download the VPN client for your device.
- Connect to a VPN server.
In some cases, setup can be slightly more complex, such as installing VPNs on a router or manually configuring a VPN on your operating system (such as with Linux).
Winner: Tie (both are easy to use)
7. Versatility: Tor vs VPN
In the context of versatility, I’m looking at the ability to adapt or be used for different functions.
VPN: VPNs can be used in many different ways, aside from simply encrypting traffic on a desktop computer:
- Most operating systems have VPN functionality built in, such as with the IPSec protocol.
- VPNs can be easily used on mobile devices with various protocols that are better adapted to intermittent connectivity, such as IPSec/IKEv2.
- VPNs can be combined with different features. For example, some VPNs incorporate an ad-blocking feature, such as with NordVPN and CyberSec.
- There are a handful of different VPN protocols available for different use cases, with new ones in development (see WireGuard).
Tor: Tor is not as versatile as VPNs, although it still can be tweaked and configured to a degree. Tor is not built in to major operating systems, such as Windows, Mac OS, Android, or iOS, but there are a few Linux operating systems that incorporate Tor (see Whonix and Tails).
In comparison to Tor, VPNs are more versatile and more comparable (with various devices and operating systems).
8. Trustworthiness: Tor vs VPN
Trust is a major factor when selecting privacy tools, but it’s also subjective. Here’s my take:
Tor: While some in the privacy community consider Tor to be trustworthy, there are many red flags to consider. Here’s an overview of my findings on Tor that raise questions about its trustworthiness:
- Tor is compromised (and not anonymous). There have been various examples and court cases over the past few years confirming this fact. The FBI (and presumably other government agencies) can now de-anonymize Tor users.
- Tor developers are cooperating with US government agencies. This is another bombshell that was uncovered by a journalist who sifted through thousands of pages of FOIA requests. In one example, Tor developers tipped off US government agents about Tor vulnerabilities that could be exploited to de-anonymize users.
- No warrant is necessary to spy on Tor users. A judge ruled that the US government is perfectly lawful in exploiting Tor to uncover Tor users’ real IP addresses.
- Tor was created by the US government (contractors with the Naval Research Lab and DARPA).
- Tor is still funded by the US government to the tune of millions of dollars.
- Tor is a tool for the US government, specifically the military and intelligence branches. They need regular users on the Tor network so these agents can be camouflaged (as Tor developers have explained).
- Anybody can operate Tor nodes, including hackers, spies, and government agencies.
- Malicious Tor nodes do exist. One academic study found over 100 malicious Tor relays.
On a positive note, Tor is open source and the code can be examined by anyone. This, however, does not necessarily make it “secure” or impervious to exploits.
VPN: VPNs are also not a silver bullet in the trust category.
- There have been a few VPNs caught lying about logs, such as PureVPN and also IPVanish.
- Free VPN services are fraught with controversy, including hidden malware, ads, and data collection. (But this is true of many free products today.)
- Some VPNs are also flawed and may leak IP addresses and DNS requests. These leaks can be fixed via firewall rules (or just using a good VPN service that doesn’t leak).
OpenVPN, the standard protocol used by most VPN services, is open source and has been publicly audited. There are also various third-party open source VPN apps, such as Tunnelblick (Mac OS) and OpenVPN GUI (Windows).
Some VPNs have undergone third-party security audits. See for example with TunnelBear and also ExpressVPN.
Source of funding
Sources of funding may also influence trustworthiness.
VPN: Paying subscribers are the source of funding for VPN companies, which are generally private businesses. If VPN services do not do a good job for their subscriber base, they will go out of business.
Tor: Various branches of US government are the largest funding source of Tor, having contributed millions of dollars to the Tor Project over the years.
When Tor was ready for deployment, the Naval Research Lab released it under an open source license with guidance coming from the Electronic Frontier Foundation. Even today, the US government agencies, such as DARPA, State Department, and National Science Foundation remain large sponsors of Tor.
The Tor project admits that donors will get to “influence the direction of our research and development.” Therefore according to the Tor Project, the US government is influencing the research and development of Tor.
Distribution of trust
VPN: With VPNs, you can distribute trust by using more than one VPN at the same time (chaining VPN services). You can easily do this by using VPN1 on your router and VPN2 on your computer. You can also chain two or more VPNs using virtual machines. Most people, however, do not chain VPNs and therefore all trust falls on the VPN provider (in most cases).
To further protect your anonymity with VPNs, you can:
- Chain VPNs and effectively distribute trust across different VPN services. In this scenario, VPN1 could see your IP address and VPN2 could see your traffic, but neither VPN could see the full picture.
- Pay for the VPN anonymously thereby ensuring there is no “money trail” (Bitcoin, cryptocurrencies, or with gift cards purchased with cash). The need to pay for VPNs anonymously, however, is overblown as this has zero bearing on the effectiveness, security, or encryption of the VPN – even if your adversary knows what VPN you are using.
- Use only verified no-logs VPN services
Tor: The problem with Tor is that it is an entire ecosystem you must trust.
The core system that manages the code base, relays, and onion servers must be all trusted by the Tor user. You also need to trust that relay operators, through which your traffic is running, are being honest, which is not always the case. Unfortunately, there is no vetting mechanism for Tor node operators, which has proven to be a problem (malicious nodes, snooping nodes, etc.)
As noted in the introduction, both Tor and VPNs are privacy tools with pros and cons. You should select the best fit for your unique situation.
For most users, a good VPN will probably be the best option because it will provide a high level of privacy and security without a negligible loss in performance. VPNs can also be used easily on a large array of devices and operating systems, with various VPN protocols and configurations options available. The main thing to keep in mind is finding a trustworthy VPN provider that offers the features and security you need.
Tor may be a good choice for various use cases, especially if you are short on funds and need a free tool for specific tasks.
You can also combine Tor with VPNs. This can be tricky and risky, so we will explore this concept in a future guide.
Why Does Anyone Still Trust Tor? (here on Net Todays)