Tor vs. Proxies, Proxy Chains and VPNs
Tor and Proxies Comparison
Proxies are famous for "anonymity on demand". Acting as an intermediary, proxy servers relay your traffic to the destination and send the answer back to you so that the destination server potentially only sees the proxy and not your IP address: 
Instead of connecting directly to a server that can fulfill a requested resource, such as a file or web page for example, the client directs the request to the proxy server, which evaluates the request and performs the required network transactions. This serves as a method to simplify or control the complexity of the request, or provide additional benefits such as load balancing, privacy, or security. Proxies were devised to add structure and encapsulation to distributed systems.
There are two basic types of proxy server: 
- Open proxies: these forward requests from and to anywhere on the Internet and are accessible by any Internet user. 
- Anonymous proxies reveal their identity as a proxy server but do not disclose the client's originating IP address.
- Transparent proxies also reveal their identity as a proxy server, but the originating IP address is accessible due to factors such as the
X-Forwarded-ForHTTP header. The benefit of these proxies is the ability to cache websites for faster retrieval.
- Reverse proxies: these connect the Internet to an internal network. Therefore, users making requests connect to the proxy and may not be aware of the internal network as the response is returned as if it came from the original server.
There are no known HTTP(S) or SOCKS4(a)/5 proxies that offer an encrypted connection between itself and the user. Therefore, the Internet Service Provider or any man-in-the-middle [archive] can see connection details, including the destination IP address. If the destination server is not using SSL/TLS, then the entire content of traffic is vulnerable as well.
As noted above, some open HTTP(S) proxies send the "HTTP forwarded for" header which discloses a user's IP address. HTTP(S) proxies that do not send this header are sometimes called "elite" or "anonymous" proxies. There are no known legitimate and free public HTTP(S) or SOCKS4(a)/5 proxies.
The tables below briefly compare the features offered by proxies found on many proxy sharing websites with various anonymization services.
Table: Proxy Type Feature Comparison
|Proxy Type||Comment||HTTP ||HTTPS ||TransPort ||UDP||Remote DNS||Hides IP ||User-to-proxy Encryption|
|HTTP||||Yes||No||No||No||Yes ||Depends ||No|
|HTTPS||||Yes||Yes||No||No||Yes ||Depends ||No|
|CGI ||See below||Depends ||Depends ||No||No||Yes||Depends ||Depends |
Table: Anonymization Service Feature Comparison
|Anonymization Service||Comment||HTTP ||HTTPS ||TransPort ||UDP||Remote DNS||Hides IP ||User-to-proxy Encryption|
|I2P||-||Yes ||Yes ||No||Yes ||Yes||Yes||Yes|
|JonDo||||Yes||Yes||No||Premium only ||Yes||Yes||Yes|
Proxies are highly susceptible to the misuse and theft of user data: many proxies (HTTP/HTTPS/SOCKS) are computers that have been hijacked by hackers or criminals, or are honeypots exclusively offered for the purpose of user observation. Even if they were legitimate, any single operator can decide to enable logging. In addition, some proxies automatically reveal the user's IP address to the destination server.
At best, proxies only offer weak protection against destination website logging, and they offer no protection against third party eavesdropping. For these reasons their use is strongly discouraged.
Whonix ™, Tails, Tor Browser and CGIproxies Comparison
... accepts target URLs using a Web form in the user's browser window, processes the request, and returns the results to the user's browser. Consequently, it can be used on a device or network that does not allow "true" proxy settings to be changed.
This means CGIproxies provide Internet pages with a form field in which the user can input the target address they wish to visit anonymously. The web proxy subsequently delivers the content of the requested website and automatically patches all links to use the web proxy when clicked. When using web proxy services the browser configuration does not need to be changed.
It is also important to note that CGIproxies can potentially only anonymize browser traffic and not the traffic of other applications; but to be fair, they do not claim more than anonymizing browser traffic.
- Broken: The real IP address is revealed.
- OK: no leak found.
- ?: Untested and therefore unknown.
- NI: Not installed by default.
- DE: Deactivated even if installed.
- RA: Recommended against by maintainers.
- 1 Encrypted connection to the CGI proxy (SSL/TLS) 2 or Tor exit relay.
- 2 Uses a proper SSL/TLS certificate recognized by certificate authorities.
Table: CGIproxies vs. Anonymization Software/Platforms
|Whonix||OK||OK||NI DE RA OK||Yes|
|Tails||OK||OK||NI DE RA ?||Yes|
|Tor Browser||OK||OK||NI DE RA (Broken)||Yes|
|Guardster||OK||Broken (if allowed)*||Broken||Premium only|
|Megaproxy||Broken||Premium only||Premium only||Yes|
Links to Software / Provider and Tests
In the following table, "(check manually)" means enter the test link manually in the browser.
|Whonix||click [archive] (check manually)|
|Tails [archive]||click [archive] (check manually)|
|Tor Browser [archive]||click [archive] (check manually)|
|Anonymouse [archive]||click [archive]|
|webproxy USA [archive]||click [archive] (check manually)|
|KProxy [archive]||click [archive] (check manually)|
|Guardster [archive]||click [archive] (check manually)|
|Megaproxy [archive]||click [archive] (check manually)|
|Proxify [archive]||click [archive] (check manually)|
In comparison to Tor, CGIproxies are only one hop proxies. This means they know who is connecting and the details of the requested destination server resource. This makes CGIproxies far inferior to Tor because they could potentially read all transmissions, even if entering SSL/TLS protected domain names.
Due to these serious disadvantages, it is not worthwhile discussing other security features which have been canvassed in other wiki chapters comparing Whonix ™, Tails and Tor Browser (such as UTC timezone and fingerprinting).
Tor and Proxy Chains Comparison
Isn't seven proxies (proxy chains) better than Tor with only three Hops?
Some readers might be familiar with the Internet meme: "Good luck, I'm behind 7 proxies", which is sarcastic retort sometimes used when somebody threatens to report you to authorities, or claims they can identify your location. 
In short, multiple proxies used in combination are not more secure than Tor; many people are unaware of this fact. As outlined above, proxies are not very secure.
In contrast, the Tor design ensures the first hop (Tor relay) is unable to see the IP address of the last hop because it cannot decrypt the message for the second hop. If one hop can be trusted, then the connection is secure; see Which Tor node knows what? [archive], File:Tor-without-https.png, How Tor Works [archive] and the onion design to learn more.
Quote The Tor Project, Aren't 10 proxies (proxychains) better than Tor with only 3 hops? [archive]:
Proxychains is a program that sends your traffic through a series of open web proxies that you supply before sending it on to your final destination. Unlike Tor, proxychains does not encrypt the connections between each proxy server. An open proxy that wanted to monitor your connection could see all the other proxy servers you wanted to use between itself and your final destination, as well as the IP address that proxy hop received traffic from.
Because the Tor protocol requires encrypted relay-to-relay connections, not even a misbehaving relay can see the entire path of any Tor user.
While Tor relays are run by volunteers and checked periodically for suspicious behavior, many open proxies that can be found with a search engine are compromised machines, misconfigured private proxies not intended for public use, or honeypots set up to exploit users.
The information available to each of the three Tor relays is summarized below.
Table: Tor Node (Relay) Information Awareness 
|Category||User||Bridge Node/Entry Guard||Middle Node||Exit Node|
|Tor user's IP/location||Yes||Yes||No||No|
|IP of bridge node or entry guard||Yes||Yes||Yes||No|
|Message for bridge node or entry guard||Yes||Yes||No||No|
|IP of middle node||Yes||Yes||Yes||Yes|
|Message for middle node||Yes||No||Yes||No|
|IP of exit node||Yes||No||Yes||Yes|
|Message for exit node||Yes||No||No||Yes|
|IP of destination server||Yes||No||No||Yes|
|Message for destination server||Yes||No||No||Yes|
In comparison to Tor, proxies have serious weaknesses, even when SOCKS proxies or "elite"/"anonymous" proxies are utilized. Firstly, all connections between the user and all proxies in the chain are unencrypted. This holds true irrespective of the use of SSL/TLS. For demonstration purposes, assume a user is connecting to an SSL/TLS protected web server. In human terms, this is basic sketch of how the package for the first proxy in the proxy chain would appear:
- Proxy1, please forward "forward to Proxy3; forward to Proxy4; forward to Proxy5; forward to https://encrypted.google.com [archive] 'c8e8df895c2cae-some-garbage-here-(encrypted)-166bad027fdf15335b'" to Proxy2?
Notably, the actual transmission is safely encrypted and can only be decrypted by the HTTPS protected webserver, but every proxy will see its predecessor IP address and all successor IP addresses. There is simply no way to encrypt that information in an attempt to mirror Tor onion functions. The proxy protocols (HTTP(S), SOCKS4(a)/5) do not support encryption.
It is clear that proxy chains require trust to be placed in every successor proxy concerning the IP address. However, placing trust in open proxies is also misguided for the following reasons:
- Most are a simple misconfiguration; the owners are not aware of the situation and did not intend on public access in the first place.
- Many are compromised machines (worm infected).
- Some are honeypots that engage in logging or active exploits (DNS spoofing, protocol spoofing, SSL/TLS spoofing).
- Few are provided by generous people who only have good intentions in providing the best possible anonymity (similar to most Tor server administrators).
The above factors may not apply for proxy chains of SSH and/or encrypted VPN servers, but this has not been researched yet. Nevertheless, it is not possible to access numerous SSH and/or VPN servers for free (without hacking) and/or anonymous payment.
Tor and VPN Services Comparison
Overall, there are a number of serious security and anonymity risks in wholly relying on VPNs; objectively speaking, Tor is a far safer configuration.
Table: Tor vs. VPN Comparison
|Browser Fingerprinting||Even when a virtual or physical VPN-Gateway is used, browser fingerprinting problems means it is only pseudonymous rather than anonymous.|
|Clearnet Risk||It is trivial to trick client applications behind a VPN to connect in the clear. |
|Fail Open Risk||Most VPNs fail open and do not configure basic cryptography properly -- if they even use a proper cipher at all. |
|Logging Risk||Unlike Tor, VPN hosts can track and save every user action since they control all VPN servers. The administrators and anyone else who has access to their servers, either knowingly or unknowingly, will have access to this information.|
|Multi-hop VPNs||Advertisements for double, triple or multi-hop VPNs are meaningless. Unless the user builds their own custom VPN chain by carefully choosing different VPN providers, operated by different companies, then they are fully trusting only one provider.|
|TCP Timestamps||The fundamental design of VPN systems means they do not normally filter or replace the computer's TCP packets. Therefore, unlike Tor they cannot protect against TCP timestamp attacks.|
VPN providers only offer privacy by policy, while Tor offers privacy by design:
|VPN Configuration||If VPN software is run directly on the same machine that also runs client software such as a web browser, then Active Web Contents can read the real IP address. This can be prevented by utilizing a virtual or physical VPN-Gateway or a router. However, be aware that active contents can still reveal a lot of data concerning the computer and network configuration.|
|VPN Server Security||The Snowden documents describe a successful Internet-wide campaign by advanced adversaries for covert access to VPN providers' servers. |
Whether it is worth combining Tor with a VPN -- either as pre-Tor-VPN (user → VPN → Tor) or as post-Tor-VPN (user → Tor → VPN) -- is a controversial topic and discussed on the Tor plus VPN [archive] (w [archive]) page. If this configuration is preferred, it is easy to set up with Whonix ™; see Tunnel Support.
Criteria for Reviewing VPN Providers
- place of incorporation
- incorporation verifiable 
- ownership / shareholders
- usability votes, token system required
- has a free service or limited use free service
- accepts Bitcoin payments
- accepts other anonymous cryptocurrency payments like Monero
- accepts cash payments
- anonymous sign-up allowed
- sign-up does not require email address
- VPN client software is Freedom Software
- can be used with Freedom Software like OpenVPN
- no log policy
- known spokesperson
- third party audited
- popularity in Whonix ™ forums
- popularity in external VPN reviews
- overall popularity online
- known cases of malicious activity
- long term track record
- can be connected to by TCP
- can be connected to by UDP
- supports tunneling TCP
- supports tunneling UDP
- VPN with Remote Port Forwarding (for Hosting Location Hidden Services)
- Freedom Software server source code
Tor and Proxies Comparison
This was originally posted by adrelanos (proper) to the TorifyHOWTO/proxy [archive] (w [archive]) (license [archive]) (w [archive]). Adrelanos didn't surrender any copyrights and can therefore re-use it here. It is under the same license as the rest of the page.
Gratitude is expressed to JonDos [archive] for permission [archive] to use material from their website. (w [archive]) (w [archive])  The "Tor and Proxies Comparison" chapter of the "Tor vs. Proxies, Proxy Chains and VPNs" wiki page contains content from the JonDonym Other Services [archive] documentation page.
Whonix ™, Tails, Tor Browser and CGIproxies Comparison
Appreciation is expressed to JonDos [archive] (Permission [archive]). The "Whonix ™, Tails, Tor Browser and CGIproxies Comparison" chapter of the "Tor vs. Proxies, Proxy Chains and VPNs" wiki page contains content from the JonDonym documentation Other Services [archive] page.
Tor and Proxy Chains Comparison
This was originally posted by adrelanos (proper) to the TorFAQ [archive] (w [archive]) (license [archive]) (w [archive]). Adrelanos didn't surrender any copyrights and can therefore re-use it here. It is under the same license as the rest of the page.
Tor and VPN Services Comparison
Appreciation is expressed to JonDos [archive] (Permission [archive]). The "Tor and VPN services Comparison" chapter of the "Tor vs. Proxies, Proxy Chains and VPNs" wiki page contains content from the JonDonym documentation Other Services [archive] page.
- https://en.wikipedia.org/wiki/Proxy_server [archive]
- Hundreds of thousands are suspected to be in operation.
- Connection to the destination server, for example to the torproject.org webserver.
- Transparent TCP Port.
- These do not support the connect method (see below). Therefore connections to SSL/TLS protected websites are impossible.
- This is true only when being used as proxy settings and not when used as a transparent proxy.
- Depends on the proxy.
- The term HTTPS proxy is misleading because the connection to the proxy is not encrypted. The proxy additionally supports the connect method, which is required to access SSL/TLS protected websites and other services other than HTTP.
- https://en.wikipedia.org/wiki/SOCKS#SOCKS4 [archive]
- https://en.wikipedia.org/wiki/SOCKS#SOCKS4a [archive]
- https://en.wikipedia.org/wiki/SOCKS#SOCKS5 [archive]
- https://en.wikipedia.org/wiki/CGIProxy [archive]
- eepsites only. Connections to clearnet are only possible through outproxies (no SSL/TLS to the destination site).
- I2P End-to-end Transport Layer [archive] allows TCP- or UDP-like functionality on top of I2P.
- For a more detailed review of the JonDonym network, see: JonDonym.
- The SOCKS interface is only available to paying users.
- Tor can offer a SocksPort (SOCKS4(a)/5), DnsPort and TransPort. A third party HTTP/2 socks converter (privoxy [archive]) is available.
- Tor offers a SOCKS5 interface but the Tor software does not support UDP itself yet [archive]. Whonix ™ provides a limited workaround for using UDP anyway, in the most secure manner available; see Tunnel UDP over Tor.
- https://en.wikipedia.org/wiki/CGI_proxy#CGI_proxy [archive]
- https://knowyourmeme.com/memes/good-luck-im-behind-7-proxies [archive]
- https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#WhichTornodeknowswhat [archive]
- https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf [archive]
- A scientific article demonstrating the attack is found here [archive]; the success rates are over 90% for VPNs.
- Or if they are a global passive adversary capable of monitoring the traffic between all the computers in a network at the same time.
- VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN [archive]
- Such as Companies House [archive] for the United Kingdom.
- Broken link: https://anonymous-proxy-servers.net/forum/viewtopic.php?p=31220#p31220 [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)