More anonymity with Tor and VPN?

Tor (The Onion Router) is one of the most important tools for anonymity on the Internet. The Tor network, protocol and client make it extremely complicated to trace user activity. However, Tor users are not completely invisible. Firstly, only the connection up to the exit node – the last server before traffic leaves the Tor network – is encrypted. Whoever controls the exit node can see data traffic in plain text. In addition, attacks and statistical analysis methods are now known that can allow an organization with access to large parts of global Internet traffic to de-anonymize users in some cases. Nevertheless, Tor can protect users against the curiosity of most unauthorized parties if it is configured correctly. And a better solution is currently not available – at least not for the average computer user.

The beginnings of Tor date back to 2000; the first alpha version was released at the end of 2002. Roger Dingledine, Nick Mathewson and Paul Syverson have been named as the inventors of Tor. Today almost 2 million people use the Tor network daily, and approximately 7200 servers provide an available bandwidth of 70 Gb/s to the network. Tor, which is unofficially considered a threat by the intelligence services, is funded to a large extent by US government organizations. In 2012 the project received about 60% of its funding from the US government and 40% from private donors. Tor is as popular with the intelligence services as it is with people who want to remain anonymous from them. As of October 2014 even Facebook has its own address on the Tor network. This is to make access easier for people who are struggling with censorship by government organizations.

Tor works by routing the incoming connection of the client via three nodes in the server network. Each of the three nodes is only aware of the next node, and the last server (the exit node) does not know who the client is. Packets inside the Tor network are always encrypted. Only when the exit node releases the packets to the regular Internet may the data be unencrypted in certain circumstances. Tor decides randomly which exit node to use for a connection. It is believed that a not insignificant portion of the exit nodes are operated by government organizations or institutions controlled by the government. It is a safe bet that data leaving the Tor network is analyzed and collected. A VPN can protect against this. If the VPN tunnel is terminated after the exit node, the data is not visible to the operator of the exit node. End-to-end encryption, for example using only SSL connections for email and web pages, also offers protection.
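The layering described above can be followed in a simplified model. This is an added example, not part of the original article and not Tor's real cell format or cipher: the relay names, keys, destination and payload are constructed, and a toy SHA-256 stream cipher stands in for both the per-hop encryption and SSL.

```python
import hashlib
import json

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Stand-in only, not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(path, destination: str, payload: bytes) -> bytes:
    """Client: add one layer per relay, innermost (exit) layer first."""
    next_hop, cell = destination, payload
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "data": cell.hex()}).encode()
        cell, next_hop = xor_stream(key, layer), name
    return cell

def trace(path, cell: bytes):
    """Relays: each removes its own layer. Returns (relay, next hop, bytes forwarded)."""
    views = []
    for name, key in path:
        layer = json.loads(xor_stream(key, cell))
        cell = bytes.fromhex(layer["data"])
        views.append((name, layer["next"], cell))
    return views

# Constructed sample data: relay names, keys, destination and payload are made up.
PATH = [(n, hashlib.sha256(n.encode()).digest()) for n in ("entry", "middle", "exit")]
DEST = "mail.example:110"
PLAIN = b"USER alice\r\nPASS correct-horse\r\n"
E2E_KEY = hashlib.sha256(b"client<->mail.example session").digest()  # stand-in for SSL

def exit_view(payload: bytes) -> bytes:
    """What the exit node forwards to the destination, i.e. what its operator can log."""
    return trace(PATH, wrap(PATH, DEST, payload))[-1][2]

if __name__ == "__main__":
    for relay, nxt, fwd in trace(PATH, wrap(PATH, DEST, PLAIN)):
        print(f"{relay:6} next hop {nxt:16} forwards {fwd[:24]!r}...")
    print("exit, no end-to-end encryption:", exit_view(PLAIN))
    print("exit, with end-to-end layer:   ", exit_view(xor_stream(E2E_KEY, PLAIN)))
```

Only the exit node's output changes between the two runs: without the end-to-end layer it forwards the login in plain text, with it the operator sees ciphertext.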

In general, the combination of VPN and Tor is a controversial topic in discussion forums. A VPN would in fact only provide more anonymity if the VPN operator cannot draw any conclusions about the identity of the VPN user. This requires either a free VPN without registration, or a non-trackable method of payment, such as Bitcoins. In addition, various security measures must be observed and strictly adhered to, for example, the order in which the connection to the VPN and gateway is made. The necessary discipline is perhaps feasible in a high-security environment; however, it is too much effort for the average computer user. A business user, for example a salesperson who is traveling in a country considered to be insecure, will usually connect to the corporate network via a VPN. Tor could provide additional security if it is started before the VPN, which means that the ISP cannot see that a VPN tunnel is established. VPNs may be seen as potentially interesting data connections and draw increased attention. However, using Tor will probably be regarded with just as much suspicion, if it is not already blocked. Those who are interested in this tunnel-in-tunnel approach can find a useful and detailed guide here.
