Comparison Of Tor with CGI Proxies, Proxy Chains, and VPN Services

Comparison of Tor and Proxies

Proxies are famous for "anonymity on demand". Acting as an intermediary, they relay your traffic to the destination and send the answer back to you so that the destination only sees the proxy and not your IP address.

We are not aware of any http(s) or socks4(a)/5 proxies that offer an encrypted connection between themselves and the user. Therefore, your internet service provider or any man-in-the-middle can see connection details, including the destination IP. If the destination is not using SSL, the entire content of your traffic is exposed as well.

Some http(s) proxies send the "http forwarded for" header which discloses your IP. Http(s) proxies that do not send this header are sometimes called "elite" or "anonymous" proxies.
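To check whether a proxy discloses your address this way, compare the request the destination receives against your real IP. This is an added example, not part of the original page: it assumes the header arrives as X-Forwarded-For or the standardized Forwarded header, the function names are hypothetical, and the sample requests are constructed using documentation-range IPv4 addresses.

```python
import re

def parse_headers(raw_request):
    """Split the head of a raw HTTP/1.x request into {lower-case name: value}."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue                              # not a header line
        key = name.strip().lower()
        # Repeated headers are equivalent to one comma-joined value.
        headers[key] = (headers[key] + ", " if key in headers else "") + value.strip()
    return headers

def leaking_headers(raw_request, client_ip):
    """Names of all headers, as seen by the destination, that contain client_ip."""
    # Lookarounds keep 203.0.113.7 from matching inside 203.0.113.70 (IPv4 only).
    pattern = re.compile(r"(?<![\d.])" + re.escape(client_ip) + r"(?![\d.])")
    return sorted(n for n, v in parse_headers(raw_request).items() if pattern.search(v))

# Constructed samples: what a destination might receive via different proxies.
REAL_IP = "203.0.113.7"
VIA_FORWARDING_PROXY = (
    "GET / HTTP/1.1\r\nHost: example.org\r\n"
    "X-Forwarded-For: 203.0.113.7, 198.51.100.9\r\n"
    "Forwarded: for=203.0.113.7;proto=http\r\nVia: 1.1 proxy.example\r\n\r\n")
VIA_QUIET_PROXY = "GET / HTTP/1.1\r\nHost: example.org\r\nVia: 1.1 proxy.example\r\n\r\n"
NEAR_MISS = "GET / HTTP/1.1\r\nHost: example.org\r\nX-Forwarded-For: 203.0.113.70\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("forwarding", VIA_FORWARDING_PROXY), ("quiet", VIA_QUIET_PROXY),
                       ("near miss", NEAR_MISS)]:
        print(label, leaking_headers(req, REAL_IP))
```

An empty result only means the address was not found in the headers; it says nothing about logging by the proxy itself.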

We are unaware of any legitimate and free public http(s) or socks4(a)/5 proxies.

Comparison

This is a brief comparison of the features of proxies found on many proxy sharing websites.

| proxy type | comment | http [1] | https [1] | TransPort [2] | UDP | Remote DNS | Hides IP [3] | user-to-proxy encryption |
|---|---|---|---|---|---|---|---|---|
| http | [4] | Yes | No | No | No | Yes [5] | depends [6] | No |
| https | [7] | Yes | Yes | No | No | Yes [5] | depends [6] | No |
| socks4 | - | Yes | Yes | No | No | No | Yes | No |
| socks4a | - | Yes | Yes | No | No | Yes | Yes | No |
| socks5 | - | Yes | Yes | No | Yes | Yes | Yes | No |
| CGI | see below | depends [6] | depends [6] | No | No | Yes | depends [6] | depends [6] |

| anonymization service | comment | http [1] | https [1] | TransPort [2] | UDP | Remote DNS | Hides IP [3] | user-to-proxy encryption |
|---|---|---|---|---|---|---|---|---|
| I2P | - | [8] | [8] | No | Yes [9] | Yes | Yes | Yes |
| JonDo | [10] | Yes | Yes | No | premium only [11] | Yes | Yes | Yes |
| Tor | [12] | Yes | Yes | Yes | No [13] | Yes | Yes | Yes |

Conclusion

Proxies are highly prone to misusing and stealing user data: many proxies (HTTP/HTTPS/SOCKS) are PCs hijacked by hackers or criminals, or honeypots offered exclusively for the purpose of user observation. Even if they were legitimate, a single operator can decide to enable logging. Additionally, some proxies automatically give your IP address away to the destination server.

Proxies offer, at best, only weak protection against destination website logging, and they offer no protection from third party eavesdropping. Their use is discouraged.

Footnotes

License of "Comparison of different proxy types": This was originally posted by adrelanos (proper) to the TorifyHOWTO/proxy (license). Adrelanos didn't surrender any copyrights and can therefore re-use it here. It is under the same license as the rest of the page.

Thanks to JonDos (Permission). [14] The "Comparison of different proxy types" chapter of the "Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services" page contains content from the JonDonym documentation Other Services page.

  1. Connection to the destination server, for example to the webserver torproject.org.
  2. Transparent TCP Port
  3. No http forwarded for header
  4. Do not support the connect method (see below). Therefore connections to SSL protected websites are impossible.
  5. Not when being used as a transparent proxy. Only when being used as proxy settings.
  6. Depends on proxy.
  7. The name "https proxy" is misleading, as the connection to the proxy is not encrypted. The proxy additionally supports the connect method, which is required to access SSL protected websites and services other than http.
  8. eepsites only. Connections to clearnet only possible through outproxies (no SSL to destination site).
  9. I2P End-to-end Transport Layer allows TCP- or UDP-like functionality on top of I2P.
  10. For a more detailed review of the JonDonym network, see JonDonym page.
  11. Socks interface only available to paying users.
  12. Tor can offer a SocksPort (socks4(a)/5), DnsPort and TransPort. A third-party http-to-socks converter (privoxy) is available.
  13. Tor offers a socks5 interface, but the Tor software does not support UDP itself yet. Whonix provides a limited workaround for using UDP anyway, in the most secure manner possible; see Tunnel_UDP_over_Tor.
  14. Broken link: https://anonymous-proxy-servers.net/forum/viewtopic.php?p=31220#p31220

Comparison of Whonix, Tails, Tor Browser Bundle and CGIproxies

Introduction

Point of view: using them in Mozilla Firefox on the host without using something such as Whonix or Tails.

CGIproxies are webproxy services: Internet pages with a form field in which the user can enter the target address they want to visit anonymously. The webproxy then delivers the content of the requested website and automatically patches all links so that they go through the webproxy when clicked. Using a webproxy service does not require changing the browser configuration.

Compared to network proxies, they have the disadvantage of not being able to replace each link correctly, in particular on web sites with JavaScript code. This makes it easier for the user's IP address to get "leaked" to the web server, which the proxy should actually prevent. The https://ip-check.info anonymity test displays the weakness of some web proxies in the comparison table.

They can only anonymize browser traffic and not other applications, but to be fair, they don't claim more than anonymizing browser traffic.

Comparison

Required knowledge:

  • CGIProxy
  • Legend:
    • Broken: Real IP address gets uncovered.
    • *: The service marked this way does not even reach the test site if JavaScript is activated. It parses so badly that the browser just leaves the service silently in some cases.
    • Ok: No leak found.
    • ?: Not tested and therefore unknown.
    • NI: Not installed by default.
    • DE: Deactivated even if installed.
    • RA: Recommended against by maintainers.
    • ¹ Encrypted connection to the CGI proxy (SSL)² or Tor exit relay.
    • ² With a proper SSL certificate recognized by certificate authorities.

| Software / Provider | HTML/CSS/FTP | JavaScript | Java | encrypted¹ |
|---|---|---|---|---|
| Whonix | Ok | Ok | NI DE RA Ok | Yes |
| Tails | Ok | Ok | NI DE RA ? | Yes |
| Tor Browser Bundle | Ok | Ok | NI DE RA (Broken) | Yes |
| Anonymouse | Broken | Broken* | Broken | premium only |
| Hide My Ass! | Ok | Broken* | Broken | Yes |
| WebProxy.ca | Ok | Broken | Broken | No |
| KProxy | Broken | Broken* | Broken | Yes |
| Guardster | Ok | Broken (if allowed)* | Broken | premium only |
| Megaproxy | Broken | premium only | premium only | Yes |
| Proxify | premium only | ? | ? | ? |
| Ebumna PHProxy | Broken | Broken* | Broken | No |

Links to Software / Provider and Test

"(check manually)" in the following table means: enter the test link manually in the browser.

| Project | Link |
|---|---|
| Whonix | click (check manually) |
| Tails | click (check manually) |
| Tor Browser Bundle | click (check manually) |
| Anonymouse | click |
| Hide My Ass! | click |
| WebProxy.ca | click (check manually) |
| KProxy | click (check manually) |
| Guardster | click |
| Megaproxy | click (check manually) |
| Proxify | click (check manually) |
| P2P Proxies Network | click (check manually) |
| Ebumna PHProxy | click |

Conclusion

In comparison to Tor, CGIproxies are only one-hop proxies; thus they know who is connecting and where the user connects to. They could read all transmissions, even when the user enters SSL protected domain names. This makes them much inferior to Tor.

Due to these disadvantages, other security features that have been discussed above in the chapter comparing Whonix, Tails and Tor Browser Bundle, such as UTC timezone and fingerprinting, didn't appear worthwhile to compare.

License

[1]

  1. Thanks to JonDos (Permission). The "Whonix Comparison of Whonix, Tails, Tor Browser Bundle and CGIproxies" chapter of the "Whonix Comparision with Others wiki page" contains content from the JonDonym documentation Other Services page.

Comparison of Tor and Proxy Chains

Aren't 10 proxies (proxychains) better than Tor with only 3 hops? - proxychains vs Tor

Maybe you've seen the funny picture "I am behind 10 proxies, so what?". Nevermind.

10 open proxies are not as secure as Tor. Many people are not aware of that.

As outlined above, proxies are not very secure.

With Tor the first hop won't see the IP of the last hop because it can't decrypt the message for the second hop. If one hop can be trusted, the connection is secure. (See Which Tor node knows what? and the onion design.)

Even if you are using "elite" or "anonymous" proxies... Or even Socks Proxies...

  • All connections between you and all proxies are unencrypted.
  • This has nothing to do with SSL, but for demonstration, let's assume you are connecting to an SSL protected web server.
  • In human-readable form, this is a sketch of what the packet for the first proxy in your chain of 5 would look like:
  • Hey Proxy1, can you please forward "forward to Proxy3; forward to Proxy4; forward to Proxy5; forward to https://encrypted.google.com 'c8e8df895c2cae-some-garbage-here-(encrypted)-166bad027fdf15335b'" to Proxy2? Thanks!
  • As you see, your actual transmission will be safely encrypted and can only be decrypted by the https protected webserver, but every proxy will see its predecessor's IP and all its successors' IPs.
  • There is no way to encrypt that information, no way to make your own onion. The proxy protocols (http(s), socks4(a)/5) do not support encryption.
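The difference between the chain sketched above and Tor's layered design can be made concrete by listing what each hop is able to read. This is an added example, not part of the original page: the hop names and destination follow the sketch, the keys and payload are constructed, the function names are hypothetical, and the SHA-256 keystream is a toy stand-in for real encryption.

```python
import hashlib, json

# Constructed sample values; names follow the sketch above.
HOPS = ["Proxy1", "Proxy2", "Proxy3", "Proxy4", "Proxy5"]
DEST = "https://encrypted.google.com"
PAYLOAD = "<TLS ciphertext, opaque to every hop>"
KEYS = {h: hashlib.sha256(h.encode()).digest() for h in HOPS}  # hypothetical per-hop keys

def _xor(key, data):
    # Toy SHA-256 counter-mode stream cipher: a stand-in, NOT real cryptography.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def build_plain(hops, dest, payload):
    # Proxy chain: nested forwarding instructions, readable by whoever holds them.
    msg = {"to": dest, "body": payload}
    for hop in reversed(hops[1:]):
        msg = {"to": hop, "body": msg}
    return msg  # handed to hops[0]

def build_onion(hops, keys, dest, payload):
    # Onion: every layer is encrypted to exactly one hop.
    nxt, blob = dest, payload.encode()
    for hop in reversed(hops):
        layer = json.dumps({"to": nxt, "body": blob.hex()}).encode()
        nxt, blob = hop, _xor(keys[hop], layer)
    return blob  # handed to hops[0]

def plain_view(hops, dest, payload):
    # Addresses each hop can read in the message it receives.
    views, msg = {}, build_plain(hops, dest, payload)
    for hop in hops:
        seen, m = [], msg
        while isinstance(m, dict):
            seen.append(m["to"])
            m = m["body"]
        views[hop], msg = seen, msg["body"]
    return views

def onion_view(hops, keys, dest, payload):
    # Each hop decrypts its own layer and learns only the next address.
    views, blob = {}, build_onion(hops, keys, dest, payload)
    for hop in hops:
        layer = json.loads(_xor(keys[hop], blob))
        views[hop], blob = [layer["to"]], bytes.fromhex(layer["body"])
    return views

if __name__ == "__main__":
    for hop in HOPS:
        print(hop, plain_view(HOPS, DEST, PAYLOAD)[hop], onion_view(HOPS, KEYS, DEST, PAYLOAD)[hop])
```

In both models a hop also sees the address of whoever connected to it; the difference is that in the plain chain Proxy1 can read every later hop and the destination, while in the layered model it reads only Proxy2.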

You would have to trust each of them with the IPs of all its successors. The second question about open proxies is: who hosts them?

  • most of them are a simple misconfiguration, the owners are not aware of it and do not want the public to use them
  • many of them are compromised machines (worm infected)
  • some are honeypots, logging or exploiting (dns spoofing, protocol spoofing, ssl spoofing)
  • few of them are from generous people who just want your best and give you anonymity (similar to most Tor server admins)

This does not necessarily apply to proxy chains of SSH and/or encrypted VPN servers; that has not been researched yet. But you cannot get that many SSH and/or VPN servers for free (without hacking, of course) and/or with anonymous payment anyway.

License

[1]

  1. License of "Comparison of Tor and proxychains": This was originally posted by adrelanos (proper) to the TorFAQ (license). Adrelanos didn't surrender any copyrights and can therefore re-use it here. It is under the same license as the rest of the page.

Comparison of Tor and VPN services

Comparison

If you run the VPN software directly on the same machine that also runs the client software, such as a web browser, active web content can read your real IP address. This can be prevented by using a virtual or physical VPN gateway or your router. However, please note that active content may still read a lot of data about your computer and network configuration.

  • Some providers force the user to use their proprietary, closed-source software and offer no option to use reputable VPN software such as OpenVPN instead.
  • On the one hand, their software usually does not ensure that users also have a uniform appearance on the Web apart from their IP address (see Data Collection Techniques). The users are thus distinguishable and easily identifiable by merging the data.
  • On the other hand, a local observer on your network (ISP, WLAN) could guesstimate websites requested over VPN simply by analyzing the size and timing of the encrypted VPN data stream (Website Fingerprinting Attacks). Tor is quite resilient against this attack (a scientific article which demonstrates the attack is found here; the success rates are over 90% for VPNs).
  • Moreover, VPN systems, by their functional principle, normally do not filter or replace your computer's TCP packets. They therefore do not protect you from TCP timestamp attacks as Tor does.
  • Even when using a virtual or physical VPN gateway, due to browser fingerprinting problems it is only pseudonymous rather than anonymous.
  • It's trivial to trick client applications behind a VPN into connecting in the clear. [1]
  • Most VPNs fail open and don't configure basic crypto properly, if they even use a proper cipher at all. [2]
  • The Snowden documents describe a successful internet-wide campaign by intelligence agencies for covert access to VPN providers' servers. [3]
  • You should also keep in mind that VPN hosts can, unlike Tor, track and save your every step, since they control all servers in the VPN. They, and anyone else who has access to their servers, either knowingly or unknowingly, will have this information as well.
  • VPN providers only offer privacy by policy, while Tor offers privacy by design. A VPN provider can claim not to log, but you'll never know until it's too late. When using Tor, you also never know whether any of the three hops keeps logs, but one malicious node will have less impact. The entry guard will not know where you are connecting to, so it's not a fatal problem if it logs. The exit relay won't know who you are, but can see your unencrypted traffic, which can be a problem if you send sensitive data (which you are advised not to do); if you act accordingly, it isn't a problem. It's unlikely (though not impossible) that you choose a circuit where an adversary controls all three nodes. With VPN providers, however, you're putting all trust into the policy of one provider, whereas Tor distributes trust.
  • Don't get fooled by advertisements for Double, Triple or Multi Hop VPNs. Unless it's the user who builds their own custom VPN chain by carefully choosing different VPN providers owned by different companies, you're still fully trusting only one provider.

Whether it is worth combining Tor with a VPN, either as pre-Tor-VPN (user -> VPN -> Tor) or as post-Tor-VPN (user -> Tor -> VPN), is quite a controversial topic and is discussed on the Tor plus VPN page. In case you decide to do so, it's easy with Whonix; see VPN/Tunnel Support.

License

[4]

  1. https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf
  2. https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf
  3. https://search.edwardsnowden.com/docs/VPNandVOIPExploitationWithHAMMERCHANTandHAMMERSTEIN20140312
  4. Thanks to JonDos (Permission). The "Comparison of Tor and VPN services" chapter of the "Whonix Comparision with Others wiki page" contains content from the JonDonym documentation Other Services page.

Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.