Jump to content
Not connected, Your IP:

The Cold Hard Truth Behind VPNs? - Whonix Blog article

Recommended Posts

Yeah, because the identities of TOR users haven't routinely been compromised by three letter agencies via TOR bundle exploits, redirecting target traffic to malicious nodes, remote code execution etc...


OpenVPN has its limits, especially publicly available services from anonymous individuals/corporations/entities. After all, you only have the word of AirVPN - for example - that they are 'privacy hacktivists' and not actually just another node in the NSA's swathe of operations. There are no names, addresses, offices and transparency operations to audit and you only have the word of the provider that they are who they say they are, and that they provide the non-logging service that they do. In fact I'd be amazed if the NSA et al. haven't already made it a mission objective to establish a hugely popular VPN service to amass as much plain text data foreign and domestic citizens would rather stayed private for whatever reason. Given the apparent concern over encryption and 'national security' it would seem rather backwards to not do such a thing - especially with an effectively unlimited budget and people willing to actually pay you to subsidise the operation(s)!


Some providers, such as PIA, allege to not only keep no logs but to maintain a 'zero knowledge network. They say they don't even know if or when users are connected and have no meaningful way to separate out user identities, especially retrospectively. Other providers such as Proxy.sh have stated they keep no logs but are able and willing to live monitor (amongst other things) to identify serious breaches of their ToS to identify (and if necessary report) those users responsible. 


"You pays your money [or not] and makes your choice", as they say. For me OpenVPN is the superior option, especially if further obfuscated via TOR and/or alternative methods. That blog seems like nothing more than an ill formed, unreferenced fanboyism to me. But what do I know?

Share this post

Link to post


I find some of those points to be irrelevant


They are relevant, but in agreement with rainmakerraw, I would say they're poorly argued:


1. Whonix blog's target audience must surely already know that you can't equate VPN providers with anonymity networks.   


2. I think it's indeed a safe assumption that many VPN users have a "false sense of security", but it's hypocritical to then talk about "anonymity guarantees of Tor". Tor Project can't, never has, and never will guarantee anything. The use of the word "guarantee" suggests a false sense of security - which, ironically, was supposed to be the author's main argument. Certainly, Tor has many valuable properties that VPNs can't offer, but not a single one of them is "guaranteed" - the author might want to remember what happened to Silk Road 2:


Tor Project security advisory:


On July 4 2014 we found a group of relays that we assume were trying to deanonymize users.

The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4.


Later that year, FBI/DHS affidavit:


From January 2014 to July 2014, a FBI NY Source of Information (SOI) provided reliable IP addresses for TOR and hidden services such as SR2


The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address


Coincidence? I think not!


3. Whether or not VPNs make sense for someone depends on their threat model.

Tor is excellent but not the right tool for every job - or every person.

all of my content is released under CC-BY-SA 2.0

Share this post

Link to post

I think there is a lot of confusion in that article.

Tor and VPN are different products.

And it's not correct to list features where Tor can 'beat' VPN and overlook features where Tor loses the comparison:

- Tor is TCP only

- Port forwarding is not possible in Tor

- Tor is not protocol agnostics: Torrent/P2P is not recommended.

- VPN has good speed with P2P

- VPN has good latency in games

- Several Tor exit-nodes block so many ports and are so overcrowded that Tor usage is viable only for moderate web browsing and very few other protocols.


It is assumed that VPN services are used for anonymity. There are also other reasons:

- bypass throttling

- bypass censorship

- need of port forwarding or in general a public IP

- wrap UDP in TCP (ISPs which block outgoing UDP are not so rare)


Some providers force the user to use their proprietary closed source software and have no option to allow being used by reputable VPN software, such as OpenVPN.


True. But not AirVPN, that allows OpenVPN usage and has also an open-source client (Eddie).


On one hand, their software usually does not ensure, that users also have an uniform appearance on the Web aside their IP address (see Data Collection Techniques). The users are thus distinguishable and easily identifiable by merging the data.


It's really Tor that avoid this kind of Data Collection Techniques? Or it's the firefox extensions in Tor Browser Bundle?

This is by design, as a neutral VPN provider, AirVPN never alter customers traffic.


And on the other hand, a local observer on your network (ISP, WLAN) could guesstimate websites requested over VPN simply by analyzing size and timing of the encrypted VPN data stream (Website Fingerprinting Attacks). Tor is quite resilient against this attack (a scientific article which demonstrates the attack is found here; the success rates are over 90% for VPNs).


Honestly I did not study the paper deeply.

But, after a first quick reading, the targets are guesstimate websites requested (NOT viewing traffic data), and there are a lot of assumptions in the paper, like The attacker knows all the pages the victim is going to retrieve.


Moreover, VPN systems, as inherent to their functional principle, normally do not filter or replace your computer's TCP packets. They thereby do not protect you from TCP timestamp attacks as Tor does.


Same as point 2.


Even when using a virtual or physical VPN-Gateway, due to browser fingerprinting problems it's only pseudonymous rather than anonymous.


Same as point 2.


Its trivial to trick client applications behind a VPN to connect in the clear.


I don't understand.


Most VPNs fail open and don't configure basic crypto properly - if they even use a proper cipher at all.[2]


A shot in the dark.


The Snowden Documents describes a successful internet-wide campaign by Intelligence Agencies for covert access to VPN providers' servers.[3]


This campaign shows how much NSA and intelligence agencies fears VPN services and how NSA is impotent against their ciphers. That's why NSA needed a campaign to steal directly keys.


You should also keep in mind that VPN hosts can, unlike Tor, track and save every step of yours, since they control all servers in the VPN. They and anyone else who has access to their servers, either knowingly or unknowingly, will have this information as well.


True, inevitable.

The attacker needs the access to the VPN node, and can only sniff the running sessions traffic on that node.

AirVPN servers are clean/plain, dedicated Linux Debian stable machine with OpenVPN daemon. There isn't any database of customers, any log (not even by the OS).



VPN providers only offer privacy by policy, while Tor offers privacy by design. A VPN provider can claim not to log, but you'll never know until it's too late. When using Tor, you also never know, if any of the three hops keeps logs. One malicious node will have less impact. The entry guard will not know where you are connecting to, thus it's not a fatal problem if they log. The exit relay won't know who you are, but can see your unencrypted traffic, which can be a problem if you send sensitive data (which you are advised not to do), but if you act accordingly, it isn't a problem. It's unlikely (thus not impossible), that you choose a circuit where an adversary controls all three nodes. However, while using VPN providers you're putting all trust into the policy of one provider, using Tor distributes trust.


True by design. Tor and VPN are different product.

Remember, customers can run VPN and Tor -inside- the VPN, and gain advantage of both.


Don't get fooled by advertisements for Double, Triple or Multi Hop VPNs. Unless it's the user, who builds it's own custom VPN chain by carefully choosing different VPN providers, owned by different companies, you're still fully trusting only one provider.


True, multi-hopping in the same VPN provider can be useless, for this reason AirVPN doesn't support it (but you can do it easily for didactic purposes).

Share this post

Link to post

They are relevant, but in agreement with rainmakerraw, I would say they're poorly argued:


The first point doesn't apply to all VPN providers and is therefore irrelevant.

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Security Check
    Play CAPTCHA Audio
    Refresh Image

  • Create New...