Tor vs. Proxies, Proxy Chains and VPNs

From Whonix



Tor and Proxies Comparison[edit]

Introduction[edit]

Proxies are famous for "anonymity on demand". Acting as an intermediary, proxy servers relay your traffic to the destination and send the answer back to you so that the destination server potentially only sees the proxy and not your IP address: [1]

Instead of connecting directly to a server that can fulfill a requested resource, such as a file or web page for example, the client directs the request to the proxy server, which evaluates the request and performs the required network transactions. This serves as a method to simplify or control the complexity of the request, or provide additional benefits such as load balancing, privacy, or security. Proxies were devised to add structure and encapsulation to distributed systems.

There are two basic types of proxy server: [1]

  • Open proxies: these forward requests from and to anywhere on the Internet and are accessible by any Internet user. [2]
    • Anonymous proxies reveal their identity as a proxy server but do not disclose the client's originating IP address.
    • Transparent proxies also reveal their identity as a proxy server, but the originating IP address is accessible due to factors such as the X-Forwarded-For HTTP header. The benefit of these proxies is the ability to cache websites for faster retrieval.
  • Reverse proxies: these connect the Internet to an internal network. Therefore, users making requests connect to the proxy and may not be aware of the internal network as the response is returned as if it came from the original server.

There are no known HTTP(S) or SOCKS4(a)/5 proxies that offer an encrypted connection between themselves and the user. Therefore, the Internet Service Provider or any man-in-the-middle [archive] can see connection details, including the destination IP address. If the destination server is not using SSL/TLS, then the entire content of the traffic is exposed as well.

As noted above, some open HTTP(S) proxies send the X-Forwarded-For HTTP header, which discloses the user's IP address to the destination. HTTP(S) proxies that do not send this header are sometimes called "elite" or "anonymous" proxies. There are no known legitimate and free public HTTP(S) or SOCKS4(a)/5 proxies.
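The transparent / anonymous / "elite" distinction above is decided entirely by what the proxy discloses to the destination server. The following Python is an added illustration, not code from the Whonix page: it grades a request from the destination's point of view, using the common header names (X-Forwarded-For, X-Real-IP, Via, RFC 7239 Forwarded); the sample requests and all addresses are constructed for the demo.

```python
"""What a destination server learns about a client behind an HTTP proxy.

Added example, not code from the Whonix page. It models the destination's
view (TCP peer address plus request headers) and classifies the proxy as
transparent (client IP disclosed), anonymous (proxy disclosed, IP hidden) or
"elite" (indistinguishable from a direct connection). Header names are the
common ones; the sample requests and addresses are constructed for the demo.
"""
import re

# Headers whose presence reveals a proxy; the last three may also carry the
# originating client address (X-Forwarded-For is what the page's table checks).
PROXY_MARKERS = {"via", "forwarded", "x-forwarded-for", "x-real-ip"}


def forwarded_addresses(headers):
    """Return every client address the proxy headers disclose (may be empty)."""
    lower = {k.lower(): v for k, v in headers.items()}
    found = []
    for name in ("x-forwarded-for", "x-real-ip"):
        # Comma-separated list: the leftmost entry is the original client.
        found += [a.strip() for a in lower.get(name, "").split(",") if a.strip()]
    # RFC 7239 syntax: Forwarded: for=198.51.100.7;proto=https, for="[2001:db8::1]"
    for m in re.finditer(r'for=("?)\[?([^;,"\]]+)\]?\1', lower.get("forwarded", ""), re.I):
        found.append(m.group(2))
    return found


def classify(peer_ip, headers, client_ip):
    """Grade the proxy from the destination's point of view.

    peer_ip:   address the TCP connection arrived from (the proxy, if any)
    client_ip: the user's real address, known here only to grade the result
    """
    if peer_ip == client_ip:
        return "direct"        # no proxy in the path at all
    if client_ip in forwarded_addresses(headers):
        return "transparent"   # proxy present and the real IP leaked
    if PROXY_MARKERS & {k.lower() for k in headers}:
        return "anonymous"     # proxy announces itself but hides the IP
    return "elite"             # nothing distinguishes this from a direct hit


# Constructed sample requests (addresses from RFC 5737 documentation ranges).
CLIENT, PROXY = "198.51.100.7", "203.0.113.10"
SAMPLES = {
    "leaky-xff": (PROXY, {"Via": "1.1 cache.example",
                          "X-Forwarded-For": "198.51.100.7, 10.0.0.5"}),
    "leaky-forwarded": (PROXY, {"Forwarded": 'for="198.51.100.7";proto=https'}),
    "via-only": (PROXY, {"Via": "1.1 cache.example"}),
    "silent": (PROXY, {"User-Agent": "Mozilla/5.0"}),
    "no-proxy": (CLIENT, {}),
}


def grade_all():
    """Classify every sample; returns {name: verdict}."""
    return {n: classify(peer, hdrs, CLIENT) for n, (peer, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in grade_all().items():
        print(f"{name:16s} -> {verdict}")
```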

Comparison Tables[edit]

The tables below briefly compare the features offered by proxies found on many proxy sharing websites with various anonymization services.

Table: Proxy Type Feature Comparison

Proxy Type   | Comment   | HTTP [3]    | HTTPS [3]   | TransPort [4] | UDP | Remote DNS | Hides IP [5] | User-to-proxy Encryption
HTTP         | [6]       | Yes         | No          | No            | No  | Yes [7]    | Depends [8]  | No
HTTPS        | [9]       | Yes         | Yes         | No            | No  | Yes [7]    | Depends [8]  | No
SOCKS4 [10]  | -         | Yes         | Yes         | No            | No  | No         | Yes          | No
SOCKS4a [11] | -         | Yes         | Yes         | No            | No  | Yes        | Yes          | No
SOCKS5 [12]  | -         | Yes         | Yes         | No            | Yes | Yes        | Yes          | No
CGI [13]     | See below | Depends [8] | Depends [8] | No            | No  | Yes        | Depends [8]  | Depends [8]

Table: Anonymization Service Feature Comparison

Anonymization Service | Comment | HTTP [3] | HTTPS [3] | TransPort [4] | UDP               | Remote DNS | Hides IP [5] | User-to-proxy Encryption
I2P                   | -       | Yes [14] | Yes [14]  | No            | Yes [15]          | Yes        | Yes          | Yes
JonDo                 | [16]    | Yes      | Yes       | No            | Premium only [17] | Yes        | Yes          | Yes
Tor                   | [18]    | Yes      | Yes       | Yes           | No [19]           | Yes        | Yes          | Yes

Conclusion[edit]

Proxies are highly susceptible to the misuse and theft of user data: many proxies (HTTP/HTTPS/SOCKS) are computers that have been hijacked by hackers or criminals, or are honeypots exclusively offered for the purpose of user observation. Even if they were legitimate, any single operator can decide to enable logging. In addition, some proxies automatically reveal the user's IP address to the destination server.

At best, proxies only offer weak protection against destination website logging, and they offer no protection against third party eavesdropping. For these reasons their use is strongly discouraged.

Whonix ™, Tails, Tor Browser and CGIproxies Comparison[edit]

Introduction[edit]

This section compares the use of CGIproxies [archive] in Mozilla Firefox on the host without utilizing a platform like Whonix ™ or Tails. A CGI web proxy: [20]

... accepts target URLs using a Web form in the user's browser window, processes the request, and returns the results to the user's browser. Consequently, it can be used on a device or network that does not allow "true" proxy settings to be changed.

This means CGIproxies provide Internet pages with a form field in which the user can input the target address they wish to visit anonymously. The web proxy subsequently delivers the content of the requested website and automatically patches all links to use the web proxy when clicked. When using web proxy services the browser configuration does not need to be changed.

In comparison to network proxies, CGIproxies have the disadvantage of not being able to replace each link correctly, in particular on websites with JavaScript code. This makes it easier for the user's IP address to "leak" to the web server, which the proxy should actually prevent. The https://ip-check.info [archive] anonymity test displays the weakness of some web proxies in the comparison table below.

It is also important to note that CGIproxies can at best anonymize browser traffic, not the traffic of other applications; to be fair, they do not claim to do more than anonymize browser traffic.

Comparison Tables[edit]

To interpret the table below, refer to the Wikipedia CGIProxy entry [archive] and the following legend.

Legend

  • Broken: The real IP address is revealed.
  • *: The highlighted service does not reach the test site if JavaScript is activated. It parses so poorly that the browser may leave the service silently in some cases.
  • OK: no leak found.
  • ?: Untested and therefore unknown.
  • NI: Not installed by default.
  • DE: Deactivated even if installed.
  • RA: Recommended against by maintainers.
  • ¹ Encrypted connection to the CGI proxy (SSL/TLS)² or Tor exit relay.
  • ² Uses a proper SSL/TLS certificate recognized by certificate authorities.

Table: CGIproxies vs. Anonymization Software/Platforms

Software / Provider | HTML/CSS/FTP | JavaScript           | Java              | Encrypted¹
Whonix              | OK           | OK                   | NI DE RA OK       | Yes
Tails               | OK           | OK                   | NI DE RA ?        | Yes
Tor Browser         | OK           | OK                   | NI DE RA (Broken) | Yes
Anonymouse          | Broken       | Broken*              | Broken            | Premium only
WebProxy.to         | OK           | Broken               | Broken            | No
KProxy              | Broken       | Broken*              | Broken            | Yes
Guardster           | OK           | Broken (if allowed)* | Broken            | Premium only
Megaproxy           | Broken       | Premium only         | Premium only      | Yes
Proxify             | Premium only | ?                    | ?                 | ?

Links to Software / Provider and Tests[edit]

In the following table, "(check manually)" means enter the test link manually in the browser.

Project               | Link
Whonix                | click [archive] (check manually)
Tails [archive]       | click [archive] (check manually)
Tor Browser [archive] | click [archive] (check manually)
Anonymouse [archive]  | click [archive]
webproxy USA [archive] | click [archive] (check manually)
KProxy [archive]      | click [archive] (check manually)
Guardster [archive]   | click [archive] (check manually)
Megaproxy [archive]   | click [archive] (check manually)
Proxify [archive]     | click [archive] (check manually)

Conclusion[edit]

In comparison to Tor, CGIproxies are only one hop proxies. This means they know who is connecting and the details of the requested destination server resource. This makes CGIproxies far inferior to Tor because they could potentially read all transmissions, even if entering SSL/TLS protected domain names.

Due to these serious disadvantages, it is not worthwhile discussing other security features which have been canvassed in other wiki chapters comparing Whonix ™, Tails and Tor Browser (such as UTC timezone and fingerprinting).

Tor and Proxy Chains Comparison[edit]

Introduction[edit]

Aren't seven proxies (a proxy chain) better than Tor with only three hops?

Some readers might be familiar with the Internet meme "Good luck, I'm behind 7 proxies", a sarcastic retort sometimes used when somebody threatens to report you to the authorities, or claims they can identify your location. [21]

In short, multiple proxies used in combination are not more secure than Tor; many people are unaware of this fact. As outlined above, proxies are not very secure.

In contrast, the Tor design ensures the first hop (Tor relay) is unable to see the IP address of the last hop because it cannot decrypt the message for the second hop. If one hop can be trusted, then the connection is secure; see Which Tor node knows what? [archive] and the onion design to learn more.

Comparison[edit]

The information available to each of the three Tor relays is summarized below.

Table: Tor Node (Relay) Information Awareness [22]

Category                               | User | Bridge Node/Entry Guard | Middle Node | Exit Node
Tor user's IP/location                 | Yes  | Yes                     | No          | No
IP of bridge node or entry guard       | Yes  | Yes                     | Yes         | No
Message for bridge node or entry guard | Yes  | Yes                     | No          | No
IP of middle node                      | Yes  | Yes                     | Yes         | Yes
Message for middle node                | Yes  | No                      | Yes         | No
IP of exit node                        | Yes  | No                      | Yes         | Yes
Message for exit node                  | Yes  | No                      | No          | Yes
IP of destination server               | Yes  | No                      | No          | Yes
Message for destination server         | Yes  | No                      | No          | Yes

In comparison to Tor, proxies have serious weaknesses, even when SOCKS proxies or "elite"/"anonymous" proxies are utilized. Firstly, all connections between the user and all proxies in the chain are unencrypted. This holds true irrespective of the use of SSL/TLS. For demonstration purposes, assume a user is connecting to an SSL/TLS protected web server. In human terms, this is a basic sketch of how the package for the first proxy in the proxy chain would appear:

  • Proxy1, please forward "forward to Proxy3; forward to Proxy4; forward to Proxy5; forward to https://encrypted.google.com [archive] 'c8e8df895c2cae-some-garbage-here-(encrypted)-166bad027fdf15335b'" to Proxy2?

Notably, the actual transmission is safely encrypted and can only be decrypted by the HTTPS protected webserver, but every proxy will see its predecessor's IP address and the IP addresses of all successors. There is simply no way to encrypt that information in an attempt to mirror Tor's onion layering: the proxy protocols (HTTP(S), SOCKS4(a)/5) do not support encryption.
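The difference between the cleartext forwarding sketch above and the per-relay knowledge in the Tor relay table can be modelled directly. The following Python is an added example, not code from the Whonix page or from the Tor Project: it uses a toy cipher (a SHA-256 keystream with no integrity protection, not Tor's real circuit cryptography) purely to show which hop can peel which layer; the hop names, keys, destination and payload are constructed for the demonstration.

```python
"""Who sees what: a cleartext proxy chain versus Tor-style onion layering.

Added example, not code from the Whonix page or the Tor Project. The onion
uses a TOY cipher (SHA-256 keystream, no authentication) only to show which
hop can read which layer; Tor's real circuit cryptography is different. Hop
names, keys and the destination are constructed for the demonstration.
"""
import hashlib
import json


def _xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR with SHA-256(key || counter) blocks. Demo only.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def proxy_chain_views(user, proxies, destination):
    """Cleartext chain: the forwarding instruction lists every later hop, so
    each proxy sees its predecessor and ALL successors (the page's sketch)."""
    views, prev = {}, user
    for i, proxy in enumerate(proxies):
        views[proxy] = {"from": prev, "sees": proxies[i + 1:] + [destination]}
        prev = proxy
    return views


def build_onion(route, destination, payload: bytes) -> bytes:
    """Wrap innermost-first: each layer names only the next hop and is
    encrypted for exactly one relay (route = [(name, key), ...])."""
    blob, next_hop = payload, destination
    for name, key in reversed(route):
        layer = json.dumps({"next": next_hop, "body": blob.hex()}).encode()
        blob, next_hop = _xor(key, layer), name
    return blob


def onion_views(user, route, destination, payload: bytes):
    """Each relay peels one layer and learns only its predecessor and successor."""
    blob, views, prev = build_onion(route, destination, payload), {}, user
    for name, key in route:
        layer = json.loads(_xor(key, blob))
        views[name] = {"from": prev, "sees": [layer["next"]]}
        blob, prev = bytes.fromhex(layer["body"]), name
    return views, blob          # blob is now the payload for the destination


def readable(key: bytes, blob: bytes) -> bool:
    """True if `key` peels `blob` into a valid layer, i.e. this hop can read it."""
    try:
        return "next" in json.loads(_xor(key, blob))
    except (ValueError, TypeError):   # garbage or not JSON: wrong key
        return False


# Constructed demo setup (names and keys are placeholders, not Tor's).
USER, DEST = "user-ip", "https://encrypted.google.com"
PAYLOAD = b"c8e8df895c2cae-tls-protected-request-body"
ROUTE = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]

if __name__ == "__main__":
    print(proxy_chain_views(USER, ["Proxy1", "Proxy2", "Proxy3"], DEST))
    print(onion_views(USER, ROUTE, DEST, PAYLOAD)[0])
```

The onion views reproduce the relay table row by row: the entry sees the user and the middle relay, the middle sees entry and exit, the exit sees the middle relay and the destination, and nobody sees both ends.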

Proxy chains therefore require trust to be placed in every proxy in the chain with respect to the IP addresses it sees. However, placing trust in open proxies is misguided for the following reasons:

  • Most are a simple misconfiguration; the owners are not aware of the situation and did not intend on public access in the first place.
  • Many are compromised machines (worm infected).
  • Some are honeypots that engage in logging or active exploits (DNS spoofing, protocol spoofing, SSL/TLS spoofing).
  • Few are provided by generous people who only have good intentions in providing the best possible anonymity (similar to most Tor server administrators).

The above factors may not apply to proxy chains of SSH and/or encrypted VPN servers, but this has not been researched yet. Nevertheless, it is not possible to access numerous SSH and/or VPN servers for free (without hacking) and/or by anonymous payment.

Tor and VPN Services Comparison[edit]

Comparison[edit]

Overall, there are a number of serious security and anonymity risks in wholly relying on VPNs; objectively speaking, Tor is a far safer configuration.

Table: Tor vs. VPN Comparison

Browser Fingerprinting: Even when a virtual or physical VPN-Gateway is used, browser fingerprinting problems mean it is only pseudonymous rather than anonymous.

Clearnet Risk: It is trivial to trick client applications behind a VPN to connect in the clear. [23]

Fail Open Risk: Most VPNs fail open and do not configure basic cryptography properly -- if they even use a proper cipher at all. [23]

Fingerprinting:
  • VPN software normally does not ensure that users have a uniform appearance on the Internet aside from common IP addresses; see Data Collection Techniques. By merging the data, this means users are distinguishable and easily identifiable.
  • Any local observer on the network (ISP, WLAN) can make estimates of websites requested over the VPN by simply analyzing the size and timing of the encrypted VPN data stream (Website Fingerprinting Attacks). In contrast, Tor is quite resilient against this attack; see footnote. [24]

Logging Risk: Unlike Tor, VPN hosts can track and save every user action since they control all VPN servers. The administrators and anyone else who has access to their servers, either knowingly or unknowingly, will have access to this information.

Multi-hop VPNs: Advertisements for double, triple or multi-hop VPNs are meaningless. Unless the user builds their own custom VPN chain by carefully choosing different VPN providers, operated by different companies, they are fully trusting a single provider.

Software:
  • Some VPN providers require their proprietary closed source software to be used and do not provide an option for other reputable VPN software, such as OpenVPN.
  • Tor code is fully open source.

TCP Timestamps: The fundamental design of VPN systems means they do not normally filter or replace the computer's TCP packets. Therefore, unlike Tor, they cannot protect against TCP timestamp attacks.

Trust: VPN providers only offer privacy by policy, while Tor offers privacy by design:
  • Any VPN provider can make claims they do not log activity, but this is unverifiable.
  • When using Tor, it is also unknown if any of the three hops is keeping logs. However, one malicious node will have less impact. The entry guard will not know where you are connecting to, thus it is not a fatal problem if they log. The exit relay will not know who you are, but can see any unencrypted traffic -- this is only a problem if sensitive data is sent over this channel (which is not recommended). Tor's model is only broken in the unlikely (but not impossible) event that an adversary controls all three nodes in the circuit. [25] Tor distributes trust, while using VPN providers places all trust in the policy of one provider.

VPN Configuration: If VPN software is run directly on the same machine that also runs client software such as a web browser, then Active Web Contents can read the real IP address. This can be prevented by utilizing a virtual or physical VPN-Gateway or a router. However, be aware that active contents can still reveal a lot of data concerning the computer and network configuration.

VPN Server Security: The Snowden documents describe a successful Internet-wide campaign by advanced adversaries for covert access to VPN providers' servers. [26]

Whether it is worth combining Tor with a VPN -- either as pre-Tor-VPN (user → VPN → Tor) or as post-Tor-VPN (user → Tor → VPN) -- is a controversial topic and discussed on the Tor plus VPN [archive] (w [archive]) page. If this configuration is preferred, it is easy to set up with Whonix ™; see Tunnel Support.

Criteria for Reviewing VPN Providers[edit]

  • place of incorporation
  • incorporation verifiable [27]
  • ownership / shareholders
  • usability votes, token system required
  • has a free service or limited use free service
  • accepts Bitcoin payments
  • accepts other anonymous cryptocurrency payments like Monero
  • accepts cash payments
  • JavaScript-free ordering possible
  • anonymous sign-up allowed
  • sign-up does not require email address
  • VPN client software is Freedom Software
  • can be used with Freedom Software like OpenVPN
  • no log policy
  • known spokesperson
  • third party audited
  • popularity in Whonix ™ forums
  • popularity in external VPN reviews
  • overall popularity online
  • known cases of malicious activity
  • long term track record
  • can be connected to by TCP
  • can be connected to by UDP
  • supports tunneling TCP
  • supports tunneling UDP
  • VPN with Remote Port Forwarding (for Hosting Location Hidden Services)
  • Freedom Software server source code

License[edit]

Tor and Proxies Comparison

This was originally posted by adrelanos (proper) to the TorifyHOWTO/proxy [archive] (w [archive]) (license [archive]) (w [archive]). Adrelanos didn't surrender any copyrights and can therefore re-use it here. It is under the same license as the rest of the page.

Gratitude is expressed to JonDos [archive] for permission [archive] to use material from their website. (w [archive]) (w [archive]) [28] The "Tor and Proxies Comparison" chapter of the "Tor vs. Proxies, Proxy Chains and VPNs" wiki page contains content from the JonDonym Other Services [archive] documentation page.


Whonix ™, Tails, Tor Browser and CGIproxies Comparison

Appreciation is expressed to JonDos [archive] (Permission [archive]). The "Whonix ™, Tails, Tor Browser and CGIproxies Comparison" chapter of the "Tor vs. Proxies, Proxy Chains and VPNs" wiki page contains content from the JonDonym documentation Other Services [archive] page.


Tor and Proxy Chains Comparison

This was originally posted by adrelanos (proper) to the TorFAQ [archive] (w [archive]) (license [archive]) (w [archive]). Adrelanos didn't surrender any copyrights and can therefore re-use it here. It is under the same license as the rest of the page.


Tor and VPN Services Comparison

Appreciation is expressed to JonDos [archive] (Permission [archive]). The "Tor and VPN services Comparison" chapter of the "Tor vs. Proxies, Proxy Chains and VPNs" wiki page contains content from the JonDonym documentation Other Services [archive] page.

Footnotes[edit]

  1. https://en.wikipedia.org/wiki/Proxy_server [archive]
  2. Hundreds of thousands are suspected to be in operation.
  3. Connection to the destination server, for example to the torproject.org webserver.
  4. Transparent TCP Port.
  5. No X-Forwarded-For HTTP header.
  6. These do not support the CONNECT method (see below). Therefore connections to SSL/TLS protected websites are impossible.
  7. This is true only when used via proxy settings and not when used as a transparent proxy.
  8. Depends on the proxy.
  9. The term HTTPS proxy is misleading because the connection to the proxy is not encrypted. The proxy additionally supports the CONNECT method, which is required to access SSL/TLS protected websites and services other than HTTP.
  10. https://en.wikipedia.org/wiki/SOCKS#SOCKS4 [archive]
  11. https://en.wikipedia.org/wiki/SOCKS#SOCKS4a [archive]
  12. https://en.wikipedia.org/wiki/SOCKS#SOCKS5 [archive]
  13. https://en.wikipedia.org/wiki/CGIProxy [archive]
  14. eepsites only. Connections to clearnet are only possible through outproxies (no SSL/TLS to the destination site).
  15. I2P End-to-end Transport Layer [archive] allows TCP- or UDP-like functionality on top of I2P.
  16. For a more detailed review of the JonDonym network, see: JonDonym.
  17. The SOCKS interface is only available to paying users.
  18. Tor can offer a SocksPort (SOCKS4(a)/5), DnsPort and TransPort. A third party HTTP-to-SOCKS converter (privoxy [archive]) is available.
  19. Tor offers a SOCKS5 interface but the Tor software does not support UDP itself yet [archive]. Whonix ™ provides a limited workaround for using UDP anyway, in the most secure manner available; see Tunnel UDP over Tor.
  20. https://en.wikipedia.org/wiki/CGI_proxy#CGI_proxy [archive]
  21. https://knowyourmeme.com/memes/good-luck-im-behind-7-proxies [archive]
  22. https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#WhichTornodeknowswhat [archive]
  23. https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf [archive]
  24. A scientific article demonstrating the attack is found here [archive]; the success rates are over 90% for VPNs.
  25. Or if they are a global passive adversary capable of monitoring the traffic between all the computers in a network at the same time.
  26. https://search.edwardsnowden.com/docs/VPNandVOIPExploitationWithHAMMERCHANTandHAMMERSTEIN2014-03-12_nsadocs_snowden_doc [archive]
  27. Such as Companies House [archive] for the United Kingdom.
  28. Broken link: https://anonymous-proxy-servers.net/forum/viewtopic.php?p=31220#p31220 [archive]



Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
