Understanding HTTPS, VPNs, and Tor

Tor and HTTPS Diagram from https://www.eff.org/pages/tor-and-https

Maximizing Privacy Online

If you have ever taken an interest in retaining your anonymity and privacy online, you have almost certainly seen the acronyms HTTPS, VPN, and Tor come up. While each of these technologies provides a layer of privacy, each has a distinct set of advantages and limitations that you should be aware of. It’s even possible to use all three at the same time to maximize privacy!

We will explain how these technologies can be used together, but first, let’s take a look at each one individually.

HTTPS - Hypertext Transfer Protocol Secure

We’ll start out with everyone’s good friend, HTTPS. HTTPS is an extension to HTTP that uses TLS to encrypt data from your computer before it’s sent to the remote server. Since your data is encrypted locally on your computer before being sent to the server, eavesdroppers sharing your WiFi connection won’t be able to see your traffic. And anyone else sniffing the wire between you and the website you’re accessing won’t be able to decrypt the encrypted data you’re transmitting. Only the server you are communicating with has the necessary keys to decrypt your data and process your request.

Great! At first blush, this seems like a perfect solution, and in many cases, it is sufficient to protect your sensitive data from hackers. However, there are some cases where HTTPS isn’t enough.

For example, even though no one eavesdropping can see what data you’re transmitting, they can still see where data is being sent (for instance, Facebook or Amazon). Also, they can see where the data came from, which in this case is your computer! If you are concerned that your ISP (think Xfinity, Spectrum, AT&T, etc.) can see what websites you’re browsing and how long you are spending on them, then HTTPS won’t be enough.

Because all of your traffic is routed through your ISP, it is especially easy for them to track your usage and collect data about your browsing habits. It also allows them to see if you are accessing any sites that they think you shouldn’t be. Plus, if you happen to go to any websites that use HTTP instead of HTTPS, then your ISP and anyone else sharing a WiFi connection will be able to see that traffic in the clear.

To prevent this data leakage, technologies have been invented to help protect privacy. Both VPNs and Tor can add some additional protection to your Internet browsing.

VPN - Virtual Private Network

VPNs are commonly used by enterprises so that remote employees can access their company’s internal network from afar. This allows remote employees to be “virtually” transported into the office as if they were connecting to their company intranet from inside their company’s building.

VPNs create an encrypted “tunnel” which encrypts all data being sent from the source computer to the server on the other end of the VPN connection.

In addition to companies using this technology, VPN providers like ExpressVPN, NordVPN, and many others maintain a vast number of servers to connect to and establish an encrypted tunnel of your own. This protects data sent from your computer from being:

  1. Viewed by your ISP
  2. Sniffed by the attacker in your coffee shop
  3. Logged by every server along your traffic’s route

This has a downside, though: the VPN server that you connect to must decrypt the data you send and could potentially do something malicious with it. That’s why the VPN service you use must have a “no-log policy,” which guarantees that your data will not be logged once it comes out the other end of the tunnel. Don’t just take a VPN provider’s word for it; make sure the VPN provider has had a third-party audit confirming that no data is being logged.

By combining a VPN and HTTPS, we’ve made our data mostly private while using the Internet. However, we’re still not entirely in the clear because we haven’t made ourselves anonymous.

While our traffic is being routed through a VPN, which enhances our privacy, it’s still only routed through one proxy server, which knows that we are on the other end. If someone wanted to track us down, they’d only have to follow us backward one hop.

If we want to be anonymous, we need to hide behind multiple layers of privacy where no one along the way has all of the information necessary to backtrack and identify us.

That brings us to our last topic, The Onion Router.

Tor - The Onion Router

Tor is an implementation of onion routing, which has been around since the 90s. Tor routes your internet traffic through a series of nodes (usually 3) on the Tor network to hide and obfuscate your IP address. By the time your traffic makes it to the target server, it’s extremely difficult to backtrack and determine what your actual IP address is. Your data is encrypted at each stage of the process. Each node in the Tor circuit can’t know all of the information necessary to identify where the original traffic came from. This makes it almost impossible for a website or ISP to determine the original source IP of the traffic and helps keep you anonymous.

Tor isn’t a privacy and anonymity silver bullet, however. If you aren’t using HTTPS alongside Tor, your data will be in plaintext once it exits the Tor network, and any data sent over HTTP will be visible to anyone snooping.
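To make the layering concrete, here is a toy three-hop onion, added as an illustration and not taken from Tor’s code. The SHA-256 keystream cipher, the pre-shared relay keys, the JSON layer format, and all names and addresses are assumptions made for the example; real Tor negotiates keys per circuit and uses fixed-size cells. It records what each relay learns, with and without HTTPS on the inner request.

```python
import hashlib
import json

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHA-256 counter keystream (NOT Tor's real crypto)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(circuit, destination, payload):
    """Client: add one layer per relay, innermost (exit) layer first."""
    hops = [name for name, _ in circuit] + [destination]
    onion = payload
    for i in reversed(range(len(circuit))):
        layer = json.dumps({"next": hops[i + 1], "data": onion.hex()}).encode()
        onion = xor_stream(circuit[i][1], layer)
    return onion

def peel(key, onion):
    """Relay: remove its own layer, learning only the next hop."""
    layer = json.loads(xor_stream(key, onion))
    return layer["next"], bytes.fromhex(layer["data"])

def trace(circuit, client_ip, destination, payload, secret):
    """Record what each relay learns as the onion crosses the circuit."""
    onion, prev, views = wrap(circuit, destination, payload), client_ip, []
    for name, key in circuit:
        nxt, onion = peel(key, onion)
        views.append({"relay": name, "from": prev, "to": nxt,
                      "reads_secret": secret in onion})
        prev = name
    return views

# Constructed sample values: keys, addresses and request are all made up.
CIRCUIT = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
CLIENT_IP, SITE = "203.0.113.7", "example.com"
SECRET = b"password=hunter2"
REQUEST = b"POST /login HTTP/1.1\r\n\r\n" + SECRET
SITE_KEY = b"k-site"  # stands in for the TLS session between browser and site

def demo():
    http = trace(CIRCUIT, CLIENT_IP, SITE, REQUEST, SECRET)
    https = trace(CIRCUIT, CLIENT_IP, SITE, xor_stream(SITE_KEY, REQUEST), SECRET)
    return http, https

if __name__ == "__main__":
    for label, views in zip(("HTTP", "HTTPS"), demo()):
        for v in views:
            print(label, v)
```

Only the guard sees your IP address and only the exit sees the destination; the exit can read the request body in the HTTP run but not in the HTTPS run.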

For a handy interactive diagram showing you how Tor and HTTPS are used together, please visit https://www.eff.org/pages/tor-and-https.

Also, if you’d like to watch a great video explaining more about how Tor works, please watch https://www.youtube.com/watch?v=QRYzre4bf7I

Putting it All Together

If you really want to maximize your privacy and anonymity online, you can use all three technologies we talked about (a VPN, Tor, and HTTPS) in conjunction. This isn’t really feasible for everyday browsing unless you are abnormally patient, because using the Tor network slows down your connection dramatically. However, if you want to be super private, it’s actually quite easy to set up.

Also, be warned that as soon as you log in to a website, you have identified yourself to the site and are no longer browsing anonymously, even if you’re using Tor.

You can follow these steps to use all three privacy technologies simultaneously:

  1. Download a VPN application like NordVPN and connect to a VPN server
  2. Download the Tor browser bundle or use the Brave browser and click “New Private Tab with Tor”
  3. Navigate to a website that supports HTTPS (like https://pensivesecurity.io)

Another option is to choose the “Onion over VPN” option in NordVPN (and likely available from other VPN providers) and then ensure you are using a website that uses HTTPS.

Using NordVPN’s Onion Over VPN Service

Go Try it Out

Now that you have an idea of what these technologies do and the differences between them, you will be able to pick the appropriate privacy technology for your needs. And if you ever need to do something in total secrecy, you can use all three technologies simultaneously.
