Comparison of Tor with CGI Proxies, Proxy Chains and VPN Services
- 1 Comparison of Tor and Proxies
- 2 Comparison of Whonix ™, Tails, Tor Browser and CGIproxies
- 3 Comparison of Tor and Proxy Chains
- 4 Comparison of Tor and VPN services
Comparison of Tor and Proxies
Proxies are famous for "anonymity on demand". Acting as an intermediary, they relay your traffic to the destination and send the answer back to you so that the destination only sees the proxy and not your IP address.
We are not aware of any http(s) or socks4(a)/5 proxies that offer an encrypted connection between itself and the user. Therefore, your internet service provider or any man-in-the-middle can see connection details, including destination IP. If the destination is not using SSL, the entire content of your traffic is vulnerable as well.
Some http(s) proxies send the "http forwarded for" header which discloses your IP. Http(s) proxies that do not send this header are sometimes called "elite" or "anonymous" proxies.
We are unaware of any legitimate and free public http(s) or socks4(a)/5 proxies.
This is a brief comparison of the features of proxies found on many proxy sharing websites.
|proxy type||comment||http ||https ||TransPort ||UDP||Remote DNS||Hides IP ||user-to-proxy encryption|
|http||||Yes||No||No||No||Yes ||depends ||No|
|https||||Yes||Yes||No||No||Yes ||depends ||No|
|CGI||see below||depends ||depends ||No||No||Yes||depends ||depends |
|anonymization service||comment||http ||https ||TransPort ||UDP||Remote DNS||Hides IP ||user-to-proxy encryption|
|I2P||-||Yes ||Yes ||No||Yes ||Yes||Yes||Yes|
|JonDo||||Yes||Yes||No||premium only ||Yes||Yes||Yes|
Proxies have a high susceptibility of misusing and stealing user data: Many proxies (HTTP/HTTPS/SOCKS) are PCs hijacked by hackers or criminals, or honeypots exclusively offered for the purpose of user observation. Even if they were legitimate, a single operator can decide to enable logging. Additionally, some proxies automatically give your IP address away to the destination server.
Proxies offer, at best, only weak protection against destination website logging, and they offer no protection from third party eavesdropping. Their use is discouraged.
License of "Comparison of different proxy types": This was originally posted by adrelanos (proper) to the TorifyHOWTO/proxy [archive] (w [archive]) (license [archive]) (w [archive]). Adrelanos didn't surrender any copyrights and can therefore re-use it here. It is under the same license as the rest of the page.
Gratitude is expressed to JonDos [archive] for permission [archive] to use material from their website. (w [archive]) (w [archive])  The "Comparison of different proxy types" chapter of the "Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services" page contains content from the JonDonym documentation Other Services [archive] page.
- Connection the destination server, for example to the webserver torproject.org.
- Transparent TCP Port
- no http forwarded for header
- Do not support the connect method (see below). Therefore connections to SSL protected websites is impossible.
- Not when being used as a transparent proxy. Only when being used as proxy settings.
- Depends on proxy.
- https proxy is misleading, as the connection to the proxy is not encrypted. The proxy additionally supports the connect method, which is required to access SSL protected websites and other services than http.
- eepsites only. Connections to clearnet only possible through outproxies (no SSL to destination site).
- I2P End-to-end Transport Layer [archive] allows TCP- or UDP-like functionality on top of I2P.
- For a more detailed review of the JonDonym network, see JonDonym page.
- Socks interface only available to paying users.
- Tor can offer a SocksPort (socks4(a)/5), DnsPort and TransPort. Third party http 2 socks converter (privoxy) available.
- Tor offers a socks5 interface but, the Tor software does not support UDP itself yet. [archive] Whonix ™ provides a limited workaround for using UDP anyway, in the best possible secure manner, see Tunnel_UDP_over_Tor.
- Broken link: https://anonymous-proxy-servers.net/forum/viewtopic.php?p=31220#p31220 [archive]
Comparison of Whonix ™, Tails, Tor Browser and CGIproxies
Point of view: using them in Mozilla Firefox on the host without using something such as Whonix ™ or Tails.
CGIproxies are webproxy services, Internet pages with a form field in which the user can input the target address that he want's to visit anonymously. The webproxy subsequently delivers the content of the requested website and automatically patches all links to use the webproxy when clicked. For using webproxy services the browser configuration does not have to be changed.
They could only anonymize browser traffic and not other applications, but to be fair, they don't claim more than anonymizing browser traffic.
- CGIProxy [archive]
- Broken: Real IP address gets uncovered.
- Ok: no leak found.
- ?: Not tested and therefore unknown.
- NI: Not installed by default.
- DE: Deactivated even if installed.
- RA: recommended against by maintainers.
- 1 encrypted connection to the CGI proxy (SSL) 2 or Tor exit relay
- 2 with proper SSL certificate recognized by certificate authorities
|Whonix||Ok||Ok||NI DE RA Ok||Yes|
|Tails||Ok||Ok||NI DE RA ?||Yes|
|Tor Browser||Ok||Ok||NI DE RA (Broken)||Yes|
|Hide My Ass!||Ok||Broken*||Broken||Yes|
|Guardster||Ok||Broken (if allowed)*||Broken||premium only|
|Megaproxy||Broken||premium only||premium only||Yes|
Links to Software / Provider and Test
"(check manually)" in the following table means, enter the test link manually in the browser.
|Whonix||click [archive] (check manually)|
|Tails [archive]||click [archive] (check manually)|
|Tor Browser [archive]||click [archive] (check manually)|
|Anonymouse [archive]||click [archive]|
|Hide My Ass! [archive]||click [archive]|
|WebProxy.ca [archive]||click [archive] (check manually)|
|KProxy [archive]||click [archive] (check manually)|
|Guardster [archive]||click [archive]|
|Megaproxy [archive]||click [archive] (check manually)|
|Proxify [archive]||click [archive] (check manually)|
|P2P Proxies Network [archive]||click [archive] (check manually)|
|Ebumna PHProxy [archive]||click [archive]|
In comparison to Tor, CGIproxies are only a one hop proxies, thus they know who is connecting and where the user connects to. They could read all transmissions, even if entering SSL protected domain names. This makes them much inferior to Tor.
Due to these disadvantages, other security features, which have been discussed above in chapter comparison of Whonix ™, Tails and Tor Browser, such as UTC timezone, fingerprinting didn't appear worthwhile to compare.
Comparison of Tor and Proxy Chains
Aren't 10 proxies (proxychains) better than Tor with only 3 hops? - proxychains vs Tor
Maybe you've seen the funny picture "I am behind 10 proxies, so what?". Nevermind.
10 open proxies are not as secure as Tor. Many people are not aware of that.
As outlined above, proxies are not very secure.
With Tor the first hop won't see the IP of the last hop because it can't decrypt the message for the second hop. If one hop can be trusted, the connection is secure. (See Which Tor node knows what? [archive] and the onion design.)
Even if you are using "elite" or "anonymous" proxies... Or even Socks Proxies...
- All connections between you and all proxies are unencrypted.
- This has nothing to do with SSL, but for demonstration, let's assume you are connecting to an SSL protected web server.
- In human understandable form, this is a sketch how the package for the first proxy in your chain of 5 would look like:
- Hey Proxy1, can you please forward "forward to Proxy3; forward to Proxy4; forward to Proxy5; forward to https://encrypted.google.com [archive] 'c8e8df895c2cae-some-garbage-here-(encrypted)-166bad027fdf15335b'" to Proxy2? Thanks!
- You see, your actual transmission will be safely encrypted and can be only decrypted by the https protected webserver, but every proxy will see its predecessor IP and all successor IP's.
- There is no way to encrypt that information, no way to make your own onion. The proxy protocols (http(s), socks4(a)/5) do not support encryption.
As you would have to trust any of them the IP of all its successors... The second question about open proxies is, who hosts them?
- most of them are a simple misconfiguration, the owners are not aware of it and do not want the public to use them
- many of them are compromised machines (worm infected)
- some are honeypots, logging or exploiting (dns spoofing, protocol spoofing, ssl spoofing)
- few of them are from generous people who just want your best and give you anonymity (similar to most Tor server admins)
This must not apply for proxychains of SSH and/or encrypted VPN servers - has not been researched yet. But you can not get so many SSH and/or VPN servers for free (without hacking of course) and/or anonymous payment anyway.
Comparison of Tor and VPN services
If you run the VPN software directly on the same machine as also the client software such as web browser runs, Active Web Contents can read your real IP address. This can be prevented, if you use a virtual or physical VPN-Gateway or your router. However, please note that active contents may still read a lot of data about your computer and network configuration.
- Some providers force the user to use their proprietary closed source software and have no option to allow being used by reputable VPN software, such as OpenVPN.
- On one hand, their software usually does not ensure, that users also have an uniform appearance on the Web aside their IP address (see Data Collection Techniques). The users are thus distinguishable and easily identifiable by merging the data.
- And on the other hand, a local observer on your network (ISP, WLAN) could guesstimate websites requested over VPN simply by analyzing size and timing of the encrypted VPN data stream (Website Fingerprinting Attacks). Tor is quite resilient against this attack (a scientific article which demonstrates the attack is found here [archive]; the success rates are over 90% for VPNs).
- Moreover, VPN systems, as inherent to their functional principle, normally do not filter or replace your computer's TCP packets. They thereby do not protect you from TCP timestamp attacks as Tor does.
- Even when using a virtual or physical VPN-Gateway, due to browser fingerprinting problems it is only pseudonymous rather than anonymous.
- Its trivial to trick client applications behind a VPN to connect in the clear. 
- Most VPNs fail open and don't configure basic crypto properly - if they even use a proper cipher at all.
- The Snowden Documents describes a successful internet-wide campaign by advanced adversaries for covert access to VPN providers' servers.
- You should also keep in mind that VPN hosts can, unlike Tor, track and save every step of yours, since they control all servers in the VPN. They and anyone else who has access to their servers, either knowingly or unknowingly, will have this information as well.
- VPN providers only offer privacy by policy, while Tor offers privacy by design. A VPN provider can claim not to log, but you'll never know until it is too late. When using Tor, you also never know, if any of the three hops keeps logs. One malicious node will have less impact. The entry guard will not know where you are connecting to, thus it is not a fatal problem if they log. The exit relay won't know who you are, but can see your unencrypted traffic, which can be a problem if you send sensitive data (which you are advised not to do), but if you act accordingly, it is not a problem. It is unlikely (thus not impossible), that you choose a circuit where an adversary controls all three nodes. However, while using VPN providers you're putting all trust into the policy of one provider, using Tor distributes trust.
- Don't get fooled by advertisements for Double, Triple or Multi Hop VPNs. Unless it is the user, who builds its own custom VPN chain by carefully choosing different VPN providers, owned by different companies, you're still fully trusting only one provider.
Whether it is worth to combine Tor with a VPN, either as pre-Tor-VPN (user → VPN → Tor) or as post-Tor-VPN (user → Tor → VPN) is quite a controversial topic and discussed on the Tor plus VPN [archive] (w [archive]) page. In case you decide to do so, it is easy with Whonix ™, see VPN/Tunnel Support.
Criteria for Reviewing VPN Providers
- place of incorporation
- incorporation verifiable 
- ownership / shareholders
- usability voes, token system required
- has a free service or limited use free service
- accepts payments by Bitcoin
- accepts payments anonymous crypto currencies such as Monero
- accepts payments by cash
- java-script free ordering possible
- anonymous sign up allowed
- sign-up does not require e-mail address
- VPN client software is Freedom Software
- can be used with Freedom Software such as OpenVPN
- no log policy
- known spokesperson
- third party audited
- popularity in Whonix ™ forums
- popularity in external VPN reviews
- popularity online generally
- known cases of malicious
- long term track record
- can be connected to by TCP
- can be connected to by UDP
- supports tunneling TCP
- supports tunneling UDP
- VPN with Remote Port Forwarding (for Hosting Location Hidden Services)
- Freedom Software server source code
- https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf [archive]
- https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf [archive]
- https://search.edwardsnowden.com/docs/VPNandVOIPExploitationWithHAMMERCHANTandHAMMERSTEIN20140312 [archive]
- Such as Companies House [archive] for United Kingdom.
- Thanks to JonDos [archive] (Permission [archive]). The "Comparison of Tor and VPN services" chapter of the "Whonix ™ Comparision with Others wiki page" contains content from the JonDonym documentation Other Services [archive] page.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)