Both Tor and VPNs are privacy tools with pros and cons, which we’ll closely examine in this VPN vs Tor guide. So which one of these tools is best for you? That depends on your own unique needs and threat model.
Helping you select the best option for your use case is the goal of this guide. Here are the areas we’re going to examine in comparing Tor vs VPN:
- Speed
- Encryption and security
- Anonymity
- Cost
- Browsing, streaming, and torrenting
- Ease of use
- Versatility
- Trustworthiness
1. Speed: VPN vs Tor
With speeds, there is a huge difference between VPNs and Tor.
VPN: With VPNs, I can often get around 150 Mbps with nearby servers on a 160 Mbps (non-VPN) connection. Here’s an example with ExpressVPN on a server in Switzerland:
Now let’s look at Tor.
Tor: Although Tor speeds have slightly improved over the years, it is still much slower than VPNs. Tor suffers from high latency due to the traffic being routed over three relays. In testing Tor, my speeds average around 5 Mbps, but I can sometimes get 9-10 Mbps if the relays are good, such as here.
Notice above the latency is very high with the Tor network. This results in sluggish performance and websites being slower to load.
Winner: VPN
2. Encryption and security: VPN vs Tor
Tor: Tor uses a layered system of encryption that incorporates perfect forward secrecy. Traffic is passed through three relays, all of which are encrypted:
- Guard relay – The first relay in the circuit, which can see your IP address.
- Middle relay
- Exit relay – The last relay in the circuit where your traffic exits onto the regular (unencrypted) internet. A malicious exit relay could potentially see your data and modify traffic.
By default, traffic with Tor is routed through these three hops before exiting the Tor network circuit.
With Tor, encryption only works within the browser. This means everything else on your operating system, such as documents, torrent clients, updates, etc. are exposing your traffic and real IP address to the unencrypted internet. In my opinion, this is one major drawback of Tor.
VPN: Most VPNs secure traffic via OpenVPN or IPSec protocols with the connection also being encrypted with perfect forward secrecy. OpenVPN is the most common protocol, usually secured with an AES 256-bit cipher, which is universally considered very secure. Some VPN providers still offer weaker forms of encryptions, such as PPTP for streaming purposes, but this is no longer considered secure.
Most VPN providers only route traffic through one hop. There are a few multi-hop VPN services, which can route traffic over 2-4 hops.
Unlike with Tor, a VPN encrypts all traffic on your operating system. This offers a higher level of protection since it is not restricted to only a browser.
Winner: VPN
3. Anonymity: VPN vs Tor
Anonymity closely ties in to the previous section on security and how strong the underlying encryption is against exploits that could de-anonymize the user.
Tor: With Tor, there have been various cases over the years showing that it can be exploited. Specifically, a court case in 2017 proved the FBI can de-anonymize Tor users and determine their real IP address and activities:
In this case, the FBI managed to breach the anonymity Tor promises and the means used to collect the evidence from the dark web make up a sensitive matter. The technique is valuable to the FBI, so the government would rather compromise this case rather than release the source code it used.
There is also other evidence illustrating how government actors can identify Tor users, thereby rendering Tor useless as a tool for anonymity.
VPN: Unlike with Tor, I have not seen any evidence of governments being able to break strong, correctly-configured VPN encryption, such as OpenVPN with an AES-256 cipher. There is evidence that weaker VPN protocols, such as IPSec and PPTP, are vulnerable to exploits, but OpenVPN appears to remain secure when implemented correctly.
When governments have targeted specific VPN users, they have done so not by cracking the encryption, but by pressuring the VPN service to log specific users. Examples:
- FBI pressured IPVanish into logging data of a specific user for a criminal case.
- FBI pressured PureVPN into logging data of a specific user for a cyberstalking case.
Exploitation in the wild (the key difference)
This is the big difference between Tor and VPN is how each has been exploited. With Tor, the FBI is able to break/exploit Tor and identify Tor users. (Their methods for doing this are classified.)
With VPNs, the FBI could not break the encryption, but instead had to pressure the VPN service itself to target a specific user and log data. This again proves the importance of using a trustworthy VPN in a good jurisdiction (outside of 5/9/14 Eyes countries) that can remain independent.
Winner: VPN
4. Cost: VPN vs Tor
Cost may be a deciding factor for some people.
Tor: One big advantage with Tor is that it’s free. The Tor Project is a non-profit funded by various sources, but mostly the US government (we’ll discuss this more below).
VPN: One drawback of VPNs is that they can be rather expensive.
ExpressVPN, for example, runs about $6.67 per month. On a positive note, there are also some cheap VPN services that are more affordable. There are also free VPN apps available, but studies show these to be bad choices that are often riddled with flaws and adware.
Winner: Tor
5. Browsing, streaming, and torrenting: Tor vs VPN
I’ve been testing VPNs and Tor for a number of years and here’s my impression.
Tor: When using Tor, you will definitely notice a performance tradeoff. Latency (ping) will be much higher and so will your bandwidth speeds.
- Browsing: Regular browsing will be more sluggish as traffic is routed through three Tor network relays.
- Streaming: Due to high latency and slow speeds, streaming will not work well. Tor has gotten faster over the years, but streaming videos is still problematic, especially in high definition.
- Torrenting: You should not use Tor for torrenting, as stated by the Tor Project. Even if you configured a torrent client to route traffic through the Tor network, torrent speeds would be horrible. (Better to use a VPN for torrenting instead.)
VPN: If you are using a good VPN, you should not notice any negligible difference in relation to your non-VPN speeds.
- Browsing: Browsing should be just as fast (little to no difference).
- Streaming: Streaming should also be good (I regularly stream Netflix with a VPN).
- Torrenting: VPNs may decrease torrenting speed somewhat, but it shouldn’t be huge.
Winner: VPN
6. Ease of use: Tor vs VPN
Both Tor and VPNs are easy to use.
Tor: As long as you are using the unmodified Tor browser, then Tor is easy to setup and use.
- Download the Tor browser bundle.
- Click the button to connect to the Tor network.
However, manually configuring Tor on another browser can be challenging. Setting up apps to go through the Tor network can also be difficult. And you may run into issues when trying to use Tor on mobile devices, but there are options for that as well.
VPN: VPNs are also easy to use.
- Sign up for a VPN subscription.
- Download the VPN client for your device.
- Connect to a VPN server.
In some cases, setup can be slightly more complex, such as installing VPNs on a router or manually configuring a VPN on your operating system (such as with Linux).
Winner: Tie (both are easy to use)
7. Versatility: Tor vs VPN
In the context of versatility, I’m looking at the ability to adapt or be used for different functions.
VPN: VPNs can be used in many different ways, aside from simply encrypting traffic on a desktop computer:
- Most operating systems have VPN functionality built in, such as with the IPSec protocol.
- VPNs can be easily used on mobile devices with various protocols that are better adapted to intermittent connectivity, such as IPSec/IKEv2.
- VPNs can be combined with different features. For example, some VPNs incorporate an ad-blocking feature, such as with NordVPN and CyberSec.
- There are a handful of different VPN protocols available for different use cases, with new ones in development (see WireGuard).
Tor: Tor is not as versatile as VPNs, although it still can be tweaked and configured to a degree. Tor is not built in to major operating systems, such as Windows, Mac OS, Android, or iOS, but there are a few Linux operating systems that incorporate Tor (see Whonix and Tails).
Winner: VPN
In comparison to Tor, VPNs are more versatile and more comparable (with various devices and operating systems).
8. Trustworthiness: Tor vs VPN
Trust is a major factor when selecting privacy tools, but it’s also subjective. Here’s my take:
Tor: While some in the privacy community consider Tor to be trustworthy, there are many red flags to consider. Here’s an overview of my findings on Tor that raise questions about its trustworthiness:
- Tor is compromised (and not anonymous). There have been various examples and court cases over the past few years confirming this fact. The FBI (and presumably other government agencies) can now de-anonymize Tor users.
- Tor developers are cooperating with US government agencies. This is another bombshell that was uncovered by a journalist who sifted through thousands of pages of FOIA requests. In one example, Tor developers tipped off US government agents about Tor vulnerabilities that could be exploited to de-anonymize users.
- No warrant is necessary to spy on Tor users. A judge ruled that the US government is perfectly lawful in exploiting Tor to uncover Tor users’ real IP addresses.
- Tor was created by the US government (contractors with the Naval Research Lab and DARPA).
- Tor is still funded by the US government to the tune of millions of dollars.
- Tor is a tool for the US government, specifically the military and intelligence branches. They need regular users on the Tor network so these agents can be camouflaged (as Tor developers have explained).
- Anybody can operate Tor nodes, including hackers, spies, and government agencies.
- Malicious Tor nodes do exist. One academic study found over 100 malicious Tor relays.
On a positive note, Tor is open source and the code can be examined by anyone. This, however, does not necessarily make it “secure” or impervious to exploits.
VPN: VPNs are also not a silver bullet in the trust category.
- There have been a few VPNs caught lying about logs, such as PureVPN and also IPVanish.
- Free VPN services are fraught with controversy, including hidden malware, ads, and data collection. (But this is true of many free products today.)
- Some VPNs are also flawed and may leak IP addresses and DNS requests. These leaks can be fixed via firewall rules (or just using a good VPN service that doesn’t leak).
OpenVPN, the standard protocol used by most VPN services, is open source and has been publicly audited. There are also various third-party open source VPN apps, such as Tunnelblick (Mac OS) and OpenVPN GUI (Windows).
Some VPNs have undergone third-party security audits. See for example with TunnelBear and also ExpressVPN.
Source of funding
Sources of funding may also influence trustworthiness.
VPN: Paying subscribers are the source of funding for VPN companies, which are generally private businesses. If VPN services do not do a good job for their subscriber base, they will go out of business.
Tor: Various branches of US government are the largest funding source of Tor, having contributed millions of dollars to the Tor Project over the years.
When Tor was ready for deployment, the Naval Research Lab released it under an open source license with guidance coming from the Electronic Frontier Foundation. Even today, the US government agencies, such as DARPA, State Department, and National Science Foundation remain large sponsors of Tor.
The Tor project admits that donors will get to “influence the direction of our research and development.” Therefore according to the Tor Project, the US government is influencing the research and development of Tor.
Distribution of trust
VPN: With VPNs, you can distribute trust by using more than one VPN at the same time (chaining VPN services). You can easily do this by using VPN1 on your router and VPN2 on your computer. You can also chain two or more VPNs using virtual machines. Most people, however, do not chain VPNs and therefore all trust falls on the VPN provider (in most cases).
To further protect your anonymity with VPNs, you can:
- Chain VPNs and effectively distribute trust across different VPN services. In this scenario, VPN1 could see your IP address and VPN2 could see your traffic, but neither VPN could see the full picture.
- Pay for the VPN anonymously thereby ensuring there is no “money trail” (Bitcoin, cryptocurrencies, or with gift cards purchased with cash). The need to pay for VPNs anonymously, however, is overblown as this has zero bearing on the effectiveness, security, or encryption of the VPN – even if your adversary knows what VPN you are using.
- Use only verified no-logs VPN services
Tor: The problem with Tor is that it is an entire ecosystem you must trust.
The core system that manages the code base, relays, and onion servers must be all trusted by the Tor user. You also need to trust that relay operators, through which your traffic is running, are being honest, which is not always the case. Unfortunately, there is no vetting mechanism for Tor node operators, which has proven to be a problem (malicious nodes, snooping nodes, etc.)
Winner: VPN
Conclusion
As noted in the introduction, both Tor and VPNs are privacy tools with pros and cons. You should select the best fit for your unique situation.
For most users, a good VPN will probably be the best option because it will provide a high level of privacy and security without a negligible loss in performance. VPNs can also be used easily on a large array of devices and operating systems, with various VPN protocols and configurations options available. The main thing to keep in mind is finding a trustworthy VPN provider that offers the features and security you need.
Tor may be a good choice for various use cases, especially if you are short on funds and need a free tool for specific tasks.
You can also combine Tor with VPNs. This can be tricky and risky, so we will explore this concept in a future guide.
Further Reading:
Why Does Anyone Still Trust Tor? (here on Restore Privacy)
Tor and its Discontents: Problems with Tor Usage as Panacea
Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries
Tor network exit nodes found to be sniffing passing traffic
On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Records
Judge confirms what many suspected: Feds hired CMU to break Tor
I read the full case about what happened with The Playpen website . Yes , the FBI did manage to deanonymize Tor users . HOWEVER , you have to take into account how this was done.
Basically what happened is the guy that was running the site had it misconfigured . These hidden services are supposta be firewalled off from the rest of the internet, that was not so with this service. The FBI managed to hack his server and install malware which then was able to go outside the Tor network and thus make them able to discover the servers real IP .
After they got a warrant and raided the guys place , they took control of the server . When users logged in , the server injected a malicious code that exploited JavaScript in the Tor browser . HOWEVER , this exploit only worked for users on WINDOWS machines that had JavaScript enabled . If the user had JavaScript disabled , or was using Tails , the exploit didn’t work .
In conclusion : They never really broke the Tor network , they just hacked users machines connected to Tor .
Hi Sven,
Following up to understand better in my quest I’ve started.
Your own browser preference would be ? – if given only these two choices.
1. Tor browser without the Tor network (like any other standard browser – but a specifically hardened version of Firefox.)
2. Firefox (modified and tweaked for privacy).
(No reasoning needed, just based on the most privacy while still functioning well in everyday web use.)
–
I’ll add some interesting facts (lest I think) about the two, that some are dated so correct me – ok.
Looking for the Default Search Engine used in the Tor Browser isn’t documented well.
Disconnect became the default search provider for Tor back in May 2015.
[[ I’d though it only to be a browser extension ]]
https://blog.disconnect.me/disconnect-is-the-new-default-search-provider-on-the-tor-browser/
4. default search engine, make a choice between either Google, Yahoo, Bing, Amazon, DuckDuckGo, eBay, twitter or Wikipedia.
https://aboutdevice.com/change-the-default-search-engine-of-the-tor-browser/
3 years ago, A note on our search engine situation: now using DuckDuckGo as the default search engine and not Disconnect anymore.
https://blog.torproject.org/tor-browser-60-released
[[ Are these settings that follows only for the Tor Browsers end of effects ]] – Scroll to ‘Improved security’ then under ‘Levels of security’ see –
“several other layers of security are at user’s disposal:
*Low (default) – at this security level, all browser features are enabled.
This level provides the most usable experience, and the lowest level of security.
*Medium – at this security level, the following changes apply:
HTML5 video and audio media become click-to-play via NoScript.
On sites where JavaScript is enabled, performance optimizations are disabled. Scripts on some sites may run slower.
Some mechanisms of displaying math equations are disabled.
Some font rendering features are disabled.
JavaScript is disabled by default on all non-HTTPS sites.
*High – at this security level, these additional changes apply:
JavaScript is disabled by default on all sites.
Some types of images are disabled.
Some fonts and icons may display incorrectly.
https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Tor_Browser
.
In the upcoming Firefox 71 update, you’ll now be able to set the browser to default to separate search engines whether you’re using its normal or private browsing modes. Instead of having to manually swap between the two in Firefox’s settings, you can now set Google as your primary search engine and DuckDuckGo as your search engine for private browsing. Firefox will automatically swap between them when you change your browsing mode. https://lifehacker.com/how-to-change-firefoxs-default-search-engine-for-privat-1838880194
Thanks for your time Sven and RP readers.
Hi Hard Sell, I’d probably opt for standard Firefox, tweaked for more privacy. Tor browser might do better against fingerprinting though.
Thank you, Not so sure of the updates (nor trust as much) that Tor would get as compared to a tweaked Firefox. Then Firefox is vetted by documentation so much more.
Helped to get a second opinion ; )
Hello Sven,
Didn’t you have something offered here (I can’t find it – now),
on a setup in using the Tor browser without it’s Tor Network but instead being used over a VPN connection?
Can you link me/others to it?
–
On the Kill-Switch proven to work (Windows box), in looking over your suggestions, the ExpressVPN kill switch (Network Lock) seems best suited for me, as the points below call out.
{I do have a TP-Link AC2600 I’d like to flash VPN router firmware to – in time}.
“If your VPN connection is ever interrupted, Network Lock will immediately stop traffic from entering or leaving your device. By halting all online activity, Network Lock keeps your personal information from being exposed to your internet service provider (ISP) or other prying eyes.”
“Network Lock is activated by default. Your internet traffic will automatically be blocked if the VPN drops or your network is disrupted. When the VPN connection is back up, you’ll be unblocked and back in action in just moments.”
https://www.expressvpn.com/features/network-lock
*versus*
“Perfect Privacy VPN client provides three different kill switch levels of firewall protection.”
More advanced than I’d need as kill-switch is my reason to ditch VPN.ac
https://www.perfect-privacy.com/en/software?a_aid=vpnrep
–
Weighing the two with regards to myself,
Price Point – I see as a problem with both VPN’s.
Special Deal ExpressVPN 12+3 (through your link) 12 month subscription per month costs is really at $8.32 and in giving the free 3 additional months for 15 months total of costing $99.95, billed as first 15 months and 12 months thereafter.
They market it wrong stating a price of $6.67 per month – along with their standard side ads pricing of their 1 and 6 Month plans // all leads to buyer confusion in what’s being advertised.
If that were the case in a real price point of $6.67 per each month of the 12 months subscription – it would cost less than $99.95 being asked by ExpressVPN.
You can say FREE (as 3-months) but,,, then to show a price reflecting those 3 free months in having some cost factors valued in to the ad – is wrong, and very misleading – – without a proper disclaimer…
Poor marketing practices.
.
But if you looked at a comparison of their price points alone:
ExpressVPN 12 Months = $ 8.32 per month everyday pricing.
To get close in pricing with Perfect Privacy that involves going with a 2 year subscription at $8.95 per month.
This is interesting, as it’s bringing the cost within $0.63 a month of each others service, and as your privacy and income concerns are separated by less than a buck.
Granted – – one is a 12 month term and the other needs to be a 24 month term – to close the cost gap within $0.63 a month of each VPN service.
–
Not sure if your comment on ExpressVPN kill switch (Network Lock) about – “does not block traffic when switching servers.” Is witnessed in your testing of it or a possible fault in the software of ExpressVPN client, as it’s company is not aware of the issue. Explain please.
– On paper it states – It keeps your connection secure when:
You switch between Wi-Fi networks or your signal flickers
You close your laptop or put your computer to sleep
You toggle your internet connection on or off
Your ISP has a momentary outage
[Switching it’s VPN servers within the ExpressVPN client would be the same I’d think as most the above called out secure outages that’s already covered by ExpressVPN – wouldn’t it?]
AS – halting all online activity, Network Lock keeps your personal information from being exposed – – internet traffic will automatically be blocked if the VPN drops or your network is disrupted. Changing VPN servers is a disruption and covered – yes.
Please answer in as much detail that’s needed to understand and be helpful. I’m using your link if you help me on these thoughts/questions.
Thanks and best…
Hi Hard Sell, so on Tor browser without the Tor Network, that is discussed in the browser fingerprinting guide.
To your questions. Last time I tested ExpressVPN, when you manually disconnect from a VPN server to switch to a different server, then the kill switch is not active. For most people who may want to disable the VPN to access their bank website or something, this what they want. In other words, disconnect VPN, carry on without VPN as usual. Others, such as myself, like it if all traffic is blocked all the time, even after manually disconnecting the VPN, such as when switching servers.
Perfect Privacy has three levels. Their kill switch will block all non-VPN traffic:
1) When tunnel is active;
2) When VPN client is active; or
3) All the time (whether the VPN client is running or not)
So with ExpressVPN, when you are connected to a VPN server, there’s basically no way your traffic can leak. You have to manually disconnect. So that is like a Level 1 kill switch with Perfect Privacy. Hope that helps.
Yes Yes – the link you gave is exactly what I’d seen before.
1. go to the section of 4. Tor Browser
2. Then on to Tor browser with a VPN (Tor network disabled)
–
I don’t follow, why would you – “disconnect the VPN (turn it off) to switch to a different server, unless your meaning is in the action represents going back your ISP provider and it’s own IP address.
As in the action of disabling the VPN to access their banking website or some site/account where that ISP providers IP address is registered with you there.
I use none of the – remember me, stay logged in – – crud sites try to get you using. Then in answering to your security questions (setup) as a rule as I’ve seen required by using different IP addresses but I get in.
–
I agree and practice like when the PC starts as does my VPN automatically – so all my devices traffic is encrypted or blocked all the time by a good working kill-switch should the internet connection break. I DIDN’T KNOW, some offer after manually disconnecting the VPN, 3) All the time (whether the VPN client is running or not).
–
Questions
IS – ExpressVPN a number 2) When VPN client is active
as well so that it is like a Level 1 and Level 2 kill switch compared with Perfect Privacy.
Wished there was a 6 month subscription offered to Perfect Privacy.
Thanks will buy soon from your link…
So to switch VPN servers you need to disconnect from the VPN server you are connected to. After disconnecting, the VPN is no longer active. When you hit the Connect button to connect to a different server, Network Lock is activated. So there is a second or two when traffic is not blocked, but I understand Network Lock is activated as soon as you click connect, even if the VPN connection is not yet active. So again, even if the VPN connection drops for some reason, Network Lock will still have you protected. It’s only when you manually disconnect, when Network Lock is deactivated. So it’s kind of between Level 1 and Level 2 because it works if the connection drops (tunnel not active) but will be disabled when the user manually disconnects.
Wow – Sven, a VPN ‘kill-switch’ could be a whole new topic to itself as it’s roll seems like a simple one, but really can get complicated fast…
– I’ve only used the/a VPN clients ability to connect or disconnect from the servers it offers – the IP address I then share with it’s other paid users.
Maybe in your knowledge, you understand this better as Perfect Privacy is more like a software ‘firewall’ than simply a VPN kill-switch in features.
Thanks very much for your patience and helpful nature of your knowledge being shared – Sir.
Hello Sven,
Some times I’m sharp others times pretty dull.
This seems to be one of my dull times as I got hung on my mental picture of your answers – closing down the VPN client running on the system.
That’s not what you said but the picture I got, not to sharp of me is it.
“After disconnecting, the VPN is no longer active. When you hit the Connect button to connect to a different server, Network Lock is activated.”
–
That copied texts of your does say, ‘disconnected’ not meaning closed down, which was the direction in my mental picture I got.
Do apologize old man ; )
Very helpful information you gave me and I thank you.
Hello Sven,
Of all the VPN’s you’ve had a look at which one’s (top 3) have the best kill-switch proven to work (Windows box) either auto/manual without a hitch. Are there 3 at least?
–
VPN.ac still needs work and it’s manual – user action required.
– Question a person using Tor can the web do any fingerprinting of the browser or device. Don’t recall it covered above.
Regards
The Tor browser is a hardened version of Firefox that does very well against fingerprinting. You could always use the Tor browser with Tor disabled, with a VPN client running on your OS for anonymity. (So Tor browser without the Tor network.)
I think the best Windows kill switch I’ve seen was with Perfect Privacy. They offer a three-level kill switch that can even block all non-VPN traffic when the client is closed, as it creates a rule for the OS, discussed more in the Perfect Privacy review. ExpressVPN also has a good kill switch (Network Lock) but it does not block traffic when switching servers.
Tor is the poor man’s VPN.
Your opinion: “Tor is the poor man’s VPN.”
My opinion: “VPN is the wealthy fool’s Tor.”
Let’s see who’s opinion sticks around….
Hi Philip McAfferty,
Hey, I’ve before wondered if privacy as well as security would end up being a rich persons commodity instead of an equal service afforded to all. Not just of VPN’s but everything offing higher levels of privacy/security for the end user…
https://restoreprivacy.com/mass-surveillance-you-are-target/#comments
–
Looks like past-recent US ISP privacy trends have it leaning towards those that can pay for it, and I mean over and over again. As in a VPN subscription is required for your privacy of what you do online now.
– My opinion, the internet is like the wild west of our past still developing as the scope and grander hasn’t been determined, nor a fixed value related to know a point of exact affect.
Only sparse laws if any are setup for the everyday users protections on privacy that currently exists.
Just because your big and a company doing advertising for self/firm
– it shouldn’t mean EVERYTHING documented on myself be up for grabs to you. Especially if I’ve never bought it’s product(s).
–
Nothing as combined or by itself is 100% worry free for the added benefits of it’s use.
– If you’d elect to use any, and you’ll see this in most of their TOS policies if you dig.
– – Even in not going online the internet knows and/or traps you around your home town outings. Clouds keep surveillance video taken by bigger stores. You can’t buy gas from a station without some point in the action capturing your image and/or personal information..
Agree ?