Felix Koltermann

The example of Tor and VPN: cybersecurity between fact and folklore

When people use online security mechanisms, they do so for a variety of reasons. In some cases, different mechanisms are even combined with each other. For example, when a VPN connection is used in addition to the Tor anonymity network. It is often unclear where the information comes from that a certain mechanism is useful and actually offers more security. Matthias Fassl, from the team of CISPA faculty member Dr. Katharina Krombholz, has investigated how often users choose this combination and what they expect from it. The results have been published in the paper "Investigating Security Folklore: A Case Study on the Tor over VPN Phenomenon", which received an Honorable Mention Award and a Methods Recognition at the CSCW 2023 conference.

Tor and VPN are two IT applications that almost every user has probably heard of. This is due to their high presence in media discourse and, in the case of VPNs, their broad user base. Tor is an anonymity network. Its best-known tool is the Tor browser, which allows users to surf the internet anonymously, explains CISPA researcher Matthias Fassl. VPN is the abbreviation for Virtual Private Network. A VPN is used to set up encrypted data lines between two servers via a virtual network. A recent phenomenon is that users combine the two applications, a setup technically referred to as "Tor over VPN". "We came across this idea in online forums and were wondering how many people actually use it," says CISPA researcher Matthias Fassl. "First of all, it is the combination of tools that is interesting. As the tools were not developed for this purpose, we don't really know what happens when they are used together. And for our research on Usable Security, it is exciting to learn about the users' perception of the benefits of combining the tools," continues Fassl. Usable security is a research area of cybersecurity that focuses less on the applications themselves than on the way people use them.

Three-step approach

In order to find out what the phenomenon "Tor over VPN" is all about, Fassl and his colleagues followed a three-step approach. "We first investigated how many people actually use this combination," the CISPA researcher explains. By taking measurements at the nodes of the Tor network, he and his team were able to find out that 6.23 percent of the connections to the Tor network originate from VPNs. "In a second step, we conducted a survey to find out what people expect from the combination and whether they intend to achieve certain security benefits," Fassl continues. It turned out that there are two different types of users: those who always use a VPN, regardless of the context, and those who establish a VPN connection specifically for the Tor network. The second group in particular was strongly represented, expressing a variety of motivations such as the wish to bypass geo-blocking (that is, blocking access to websites from certain geographical regions) or to hide IP addresses. "Finally, we searched online media, social media etc. for articles and discussions on the topic in order to find out how the combination of the mechanisms is addressed there," the CISPA researcher explains. There were many recommendations in which the combination of Tor and VPN was described, but without explaining the actual benefit. According to Fassl, the belief of many users that access via VPN would protect them from dangers of the Tor network can be attributed to the role of the VPN providers. These providers, he argues, exaggerate the dangers of the Tor network, such as dark net markets for illegal products, in order to promote their own products. "It is evident that a VPN is not required for using the Tor browser securely and anonymously," Fassl says. "Possible security benefits of 'Tor over VPN' remain unclear to this day."

The notion of security folklore as an explanatory model

In order to explain why people use the combination of Tor and VPN anyway, Fassl and his colleagues use the notion of security folklore. By this term Fassl means "the transfer of practices and tips about security and privacy in social groups. This can be explicit, but it also often happens implicitly by stories or demonstrations, and it does not necessarily have to be in writing." If users read a post about the topic on social networks, or if they see in a movie how someone is using this combination, this can solidify their perception that the practice is useful. The tale that combining Tor and VPN offers more security would then be an instance of security folklore. This is reinforced by normative beliefs: people are more inclined to apply certain security mechanisms if they have observed others using them.

Takeaways for cybersecurity research

For cybersecurity research, the research result is interesting because it shows that not only factual information by experts plays an important role, but also the pop-cultural understanding of security mechanisms and the media discourse about them. But what are the consequences for research? "For us as researchers, this makes it a little more difficult," Fassl explains. "We would, of course, prefer if people were using security mechanisms for the reason that these mechanisms suit their needs and they understand the effects. This is obviously not the case in reality. People do things for all kinds of reasons, even if they don't understand them." However, working against this is a major challenge: "If, for example, we see that security mechanisms are shown on pop-cultural media like TV series, we can work towards better or more generally applicable methods being presented there." Fassl certainly sees a need for more research in this area: "I am fascinated by social dynamics and the influence of social norms. That's why I would like to take a more systematic look at how security mechanisms are addressed in Hollywood movies and TV series." We can look forward to seeing what he brings to light.