The VPN industry is worth several billion dollars and is sustained largely by marketing that conflates "privacy" with "security" with "anonymity." Tor is an anonymity network that grew out of a research project and has been misunderstood in both directions — dismissed by people who think it's only for criminals, and over-trusted by people who believe it makes them invisible. Neither characterization is accurate.
Before comparing them, it helps to be precise about what problem each is designed to solve.
What a VPN Actually Does
A VPN (Virtual Private Network) encrypts traffic between your device and a VPN server, then routes it to the destination. From the destination's perspective, your traffic appears to come from the VPN server's IP address, not yours.
This solves a specific problem: your ISP, or anyone on the network between you and the VPN server, cannot see the content of your traffic or which sites you visit. On a hostile local network — a hotel, airport, or coffee shop — a VPN prevents a local attacker from reading your unencrypted traffic or performing SSL stripping attacks.
It also shifts trust: instead of trusting your ISP not to surveil you, you're trusting the VPN provider. This is only an improvement if the VPN provider is more trustworthy than your ISP and less subject to legal compulsion — an assumption that deserves scrutiny for each provider. We discussed the limits of this model in VPN Limitations: What a VPN Actually Protects.
A VPN does not make you anonymous. The VPN provider knows your real IP address. Websites can still fingerprint you. Your activity patterns — sites visited, session timing, volume — remain visible to the VPN provider. If the provider logs and is compelled, or lies about logging, your activity is exposed. The protection also only holds while every packet actually takes the tunnel: DNS queries sent to the ISP's resolver, IPv6 traffic the client never routes, or a tunnel that drops without a kill switch all expose your real IP to the destination no matter how trustworthy the provider is.
What Tor Actually Does
Tor (The Onion Router) routes your traffic through a circuit of three volunteer-operated relays. Each relay knows only the previous hop and the next hop — not both the source and destination simultaneously. Traffic is encrypted in layers, one per relay, and each relay strips exactly one layer: the entry node (guard) knows your IP but not the destination; the exit node knows the destination but not your IP; the middle relay knows neither. This is onion routing. The guard is not picked fresh for every circuit: a client chooses one and keeps it for months, so a single relay sees your IP over a long period. That limits how often you gamble on an adversary-run entry point, but it also concentrates knowledge of your identity in one place.
The security property this provides is categorically different from a VPN: no single party in the chain knows both who you are and where you're going. A VPN provider knows both. Tor is designed so that no relay does.
This makes Tor meaningfully stronger for anonymity against a passive observer, including your ISP and network-level adversaries. It does not make it perfect.
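The "no single relay sees both ends" property is easier to believe once you watch each hop peel its own layer. The following is an added example written for this article, not code from the Tor project. It assumes the client already shares one symmetric key with each relay (Tor derives these with a per-hop handshake while the circuit is extended) and uses a throwaway XOR stream cipher keyed with SHA-256 where Tor uses AES-CTR; the relay names, keys, client IP and request are all constructed.

```python
import hashlib
import json

# Assumed pre-shared keys, one per relay (in Tor: negotiated per hop during circuit build).
RELAY_KEYS = {
    "guard": hashlib.sha256(b"guard-key").digest(),
    "middle": hashlib.sha256(b"middle-key").digest(),
    "exit": hashlib.sha256(b"exit-key").digest(),
}
NONCE = b"circuit-0001"  # constructed per-circuit value for the toy cipher


def _keystream(key, nonce, length):
    # Toy keystream: SHA-256(key || nonce || counter) blocks. Not Tor's cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key, nonce, data):
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def build_onion(path, destination, payload):
    """Wrap the request in one layer per relay; the innermost layer belongs to the exit."""
    inner = json.dumps({"dest": destination, "data": payload}).encode()
    blob = xor_crypt(RELAY_KEYS[path[-1]], NONCE, inner)
    for i in range(len(path) - 2, -1, -1):
        # Relay path[i] learns only the name of the next hop and an opaque blob for it.
        layer = json.dumps({"next": path[i + 1], "onion": blob.hex()}).encode()
        blob = xor_crypt(RELAY_KEYS[path[i]], NONCE, layer)
    return blob


def run_circuit(client_ip, path, destination, payload):
    """Push the onion hop by hop; return what each relay observes and what the exit delivers."""
    blob = build_onion(path, destination, payload)
    views, prev, delivered = [], client_ip, None
    for name in path:
        layer = json.loads(xor_crypt(RELAY_KEYS[name], NONCE, blob))
        if "onion" in layer:
            views.append({"relay": name, "prev": prev, "next": layer["next"], "payload": None})
            blob = bytes.fromhex(layer["onion"])
        else:
            # Exit relay: sees the destination and, for a plaintext protocol, the request itself.
            views.append({"relay": name, "prev": prev, "next": layer["dest"], "payload": layer["data"]})
            delivered = (layer["dest"], layer["data"])
        prev = name
    return views, delivered


def anyone_sees_both_ends(views, client_ip, destination):
    """The property the text describes: does any single relay link client IP to destination?"""
    return any(v["prev"] == client_ip and v["next"] == destination for v in views)


if __name__ == "__main__":
    client, dest = "203.0.113.7", "example.com:80"
    views, delivered = run_circuit(client, ["guard", "middle", "exit"], dest, "GET / HTTP/1.1")
    for v in views:
        print(v)
    print("delivered:", delivered)
    print("any relay sees both ends:", anyone_sees_both_ends(views, client, dest))
```

Run it and compare the three printed views: the guard's record contains the client IP and "middle", the exit's contains "middle" and the destination, and nothing ties the two records together except the circuit itself, which is exactly what a traffic-correlation adversary reconstructs from the outside.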
Tor's Known Weaknesses
The most significant attack against Tor is end-to-end traffic correlation. If an attacker can observe traffic entering the Tor network at your end and traffic leaving it at the destination end, they can match timing and volume patterns to link your identity to your activity without breaking any encryption. Tor's design explicitly does not defend against a global passive adversary, one that can watch both ends of enough circuits. The computation involved is cheap; what makes the attack hard is the vantage point, and nation-state intelligence agencies with taps on large portions of internet infrastructure have it.
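To make "without breaking any encryption" concrete, here is an added example (written for this article, not from Tor or any published tool) of the simplest form of the attack: bin the byte volume of an observed entry flow and of several candidate exit flows into time windows, slide the exit flows back to undo the circuit delay, and score each pair with Pearson correlation. All packet timestamps (milliseconds) and sizes below are constructed; flow "A" is the entry flow delayed by roughly 300 ms with sizes altered by cell framing, "B" and "C" are unrelated sessions.

```python
from math import sqrt

# Constructed: what an observer at the client's ISP sees going from client to guard.
ENTRY_FLOW = [(0, 543), (400, 1448), (900, 1448), (1300, 320),
              (2600, 1448), (2800, 1448), (3100, 1448), (4500, 210)]

# Constructed: what observers near three destinations see leaving exit relays.
EXIT_FLOWS = {
    "A": [(300, 512), (700, 1400), (1200, 1400), (1600, 300),
          (2900, 1400), (3100, 1400), (3400, 1400), (4800, 200)],
    "B": [(100, 1448), (200, 1448), (300, 1448), (2000, 60),
          (3900, 1448), (4000, 1448), (4100, 1448)],
    "C": [(t, 90) for t in range(1000, 4001, 500)],
}


def bin_volume(flow, window_ms=500, horizon_ms=5000, lag_ms=0):
    """Bytes per time window after pulling the flow back by lag_ms (undoing circuit delay)."""
    bins = [0] * (horizon_ms // window_ms)
    for t, size in flow:
        t -= lag_ms
        if 0 <= t < horizon_ms:
            bins[t // window_ms] += size
    return bins


def pearson(x, y):
    """Pearson correlation of two equal-length vectors; 0.0 if either is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = sqrt(sum((a - mx) ** 2 for a in x))
    sy = sqrt(sum((b - my) ** 2 for b in y))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


def correlate(entry, exits, max_lag_ms=1000, step_ms=100):
    """Best correlation score for each candidate exit flow over a sweep of circuit delays."""
    entry_bins = bin_volume(entry)
    return {
        name: max(pearson(entry_bins, bin_volume(flow, lag_ms=lag))
                  for lag in range(0, max_lag_ms + 1, step_ms))
        for name, flow in exits.items()
    }


def best_match(entry, exits):
    """Name of the exit flow most likely carrying the entry flow, plus all scores."""
    scores = correlate(entry, exits)
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    match, scores = best_match(ENTRY_FLOW, EXIT_FLOWS)
    for name in sorted(scores):
        print(f"exit flow {name}: r = {scores[name]:.3f}")
    print("entry flow most likely belongs to exit flow", match)
```

Nothing in this code touches a key or a payload; it consumes only the timestamps and sizes that any passive tap records. Real attacks use longer observation windows and more robust statistics, and Tor's fixed-size cells and padding blur the size channel, but the timing channel remains, which is why the defence is about denying the adversary both vantage points rather than about stronger encryption.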
Other practical limitations:
- Exit node visibility — The exit relay sees unencrypted traffic to non-HTTPS destinations. For HTTPS destinations it sees the destination IP and, through the TLS SNI extension unless Encrypted Client Hello is in use, the hostname, but not the content. Use HTTPS; Tor Browser ships with HTTPS-Only Mode enabled by default.
- Browser fingerprinting — Tor Browser is designed to resist fingerprinting by making every Tor Browser user present the same fingerprint, so this is managed if you use it. If you route another browser through Tor, your browser fingerprint may still identify you. We covered browser fingerprinting in depth.
- Malicious exit nodes — Anyone can run an exit relay, including adversaries, and an exit can observe, modify, and block the traffic passing through it. SSL stripping (intercepting a plain-HTTP request so the browser is never upgraded to HTTPS) has been observed on exit relays; HTTPS-Only Mode defeats it by refusing to send the plain-HTTP request in the first place.
- Speed — Three relay hops over volunteer bandwidth add latency and limit throughput. Tor is not suitable for latency-sensitive applications.
How They Compare Against Different Threats
| Threat | VPN | Tor |
|---|---|---|
| ISP traffic surveillance | ✓ Effective | ✓ Effective |
| Hostile local network (café, hotel) | ✓ Effective | ✓ Effective |
| IP address hidden from destination | ✓ Yes (VPN IP shown) | ✓ Yes (exit IP shown) |
| VPN/relay provider can identify you | ✗ Provider knows all | ~ No single relay does |
| Legal compulsion / subpoena | ✗ Provider can comply | ~ Harder; guard node only |
| Nation-state traffic correlation | ✗ VPN IP easily correlated | ✗ Vulnerable to global adversary |
| Browser fingerprinting | ✗ No help | ~ Tor Browser mitigates |
When to Use Each
Use a VPN when you want to protect traffic from your ISP or local network, bypass geographic content restrictions, or reduce the amount of metadata your ISP collects about your browsing. Choose a provider whose no-log policy has been independently audited or tested in court, and whose jurisdiction is unlikely to compel it to cooperate with the adversary you are worried about. VPNs are also appropriate for accessing a corporate or home network remotely.
Use Tor when anonymity against a broader set of observers is more important than speed — accessing .onion sites, communicating as a source to a journalist, or circumventing censorship in a regime that observes internet traffic. Use Tor Browser specifically, not a general-purpose browser pointed at the Tor SOCKS proxy, to get the fingerprint normalization and HTTPS enforcement.
Use both (VPN + Tor) only in specific configurations, and understand what each one costs. Routing Tor over a VPN (VPN → Tor) hides your Tor use from your ISP, which matters in countries where Tor use itself is suspicious; the VPN provider now sees that you connect to Tor guards instead, and Tor bridges with pluggable transports are the project's intended tool for that problem. Routing a VPN over Tor (Tor → VPN) hides your real IP from the VPN provider, which is useful if you want to use a VPN without trusting the provider, but it gives all of your sessions one fixed exit IP at that provider, so they become linkable to each other and to whatever account you paid with. The latter is complex, and the Tor Project does not recommend combining the two for most users.
No tool provides anonymity against an adversary with unlimited resources and network visibility. The goal of operational security is to raise the cost of deanonymization above what your adversary is willing or able to pay — not to achieve theoretical perfection.
What Neither Protects Against
Both tools protect network-layer identity: who is communicating. Neither addresses:
- Application-layer identity — If you log into your Google account over Tor, Google knows who you are. The network path doesn't matter.
- Device compromise — Malware on your device can exfiltrate traffic before it reaches the VPN or Tor. Neither tool prevents local surveillance.
- Metadata in content — Documents and photos contain metadata (EXIF fields such as camera serial and GPS coordinates, author and producer fields, tracked changes and revision history in office documents and PDFs) that can identify you regardless of how anonymously you transmitted them. Strip it before upload, and verify the stripping rather than assuming the upload site does it for you.
- Behavioral patterns — Writing style, posting schedule, and content can identify users across sessions even when the network identity is obscured.
End-to-end encrypted communication — as discussed here — protects message content even from the service provider, but it doesn't replace network-level anonymity tools when both properties are needed. The two concerns operate at different layers and must be addressed independently.