What is Tor and how does it work?


Tor (formerly an acronym for “The Onion Router”) is often touted as a way to browse the web anonymously. From human rights activists evading oppressive governments to drug dealers selling through online marketplaces, Tor is a popular way to gain significantly more anonymity than you would normally have online. At the same time, Tor isn’t perfect, so it can provide a false sense of security if used incorrectly.

In this article, we’ll look at what Tor is and isn’t. Then, we’ll take a look at how it works, how it compares to VPN services, and how to stay safe. You’ll learn all about Tor and be ready to use it with confidence, knowing that you won’t make any beginner mistakes that would compromise your anonymity.


What does Tor do?

Using the Tor Browser is similar to using any other web browser. Although the process of starting up the browser differs slightly from Chrome or Firefox (Tor must configure a connection to the Tor network before the browser can start), actually browsing the web with Tor is pretty intuitive.

The main difference is that when you browse the web with Tor, your real IP address and other system information are obscured from the websites and services you're visiting. Tor also hides what you're doing from your Internet Service Provider.

The primary uses of Tor are the following:

  • Bypassing censorship and surveillance
  • Visiting websites anonymously
  • Accessing Tor hidden services (.onion sites)

Tor: Pros and Cons

Using Tor offers a number of privacy and anonymity protections over directly connecting to a website. That said, it also presents some challenges.

Pros

  • If you use Tor correctly, your real IP address cannot be determined by the websites you visit.
  • You can access websites without your internet service provider being aware of your browsing history.
  • You can bypass many kinds of censorship.

Cons

  • Tor is very slow compared to VPNs and regular web browsing, so downloading large files is usually not feasible.
  • It’s possible to deanonymize your browsing by making a simple mistake.
  • Some governments and network operators can prevent Tor from functioning.
  • Although using Tor is legal in and of itself, using Tor may make your activity appear suspicious.
  • Websites may refuse to function when you’re using Tor—generally to prevent anonymous spam and abuse.

Who created Tor?

The concepts underpinning Tor — namely, onion routing — were developed by the United States government in the 1990s. It was originally designed to protect the communications of US intelligence agencies across the Internet. The original code for Tor was released under a free and open-source software license by the United States Naval Research Laboratory, allowing other people and organizations to contribute to the project.

Since 2006, a nonprofit called The Tor Project has been responsible for maintaining Tor and the Tor Browser. Financial support comes from corporations like Google, organizations such as Human Rights Watch, and many others.

How does Tor work?

There are two things people may mean when they say “Tor”: the networking system and the Tor Browser.

To anonymize Internet usage, Tor routes traffic through multiple randomly-chosen relay servers before accessing the destination website. There are over 7,000 of these servers, which mostly belong to volunteers. The request is encrypted multiple times, so the relay servers only know the previous relay and the next relay, but not the request contents or the full circuit. The network request finally exits the Tor network at an exit node. From the website’s perspective, you are browsing directly from the exit node.
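
The layering described above, as an added example that is not part of the original article or of Tor's code: a client wraps a request once per relay, and each relay removes one layer and learns only its neighbours. The relay names, keys and request are constructed, and the cipher is a toy built from SHA-256 and HMAC, not Tor's real cell format or cryptography.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy keystream: SHA-256 in counter mode (stand-in for a real cipher).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    # Encrypt one layer and append an HMAC tag so a wrong key is detected.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified layer")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def build_onion(path, keys, destination, request):
    # Wrap from the inside out: the exit's layer first, the guard's layer last.
    next_hops = path[1:] + [destination]
    payload = request
    for relay, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": payload.hex()}).encode()
        payload = seal(keys[relay], layer)
    return payload

def route(path, keys, onion):
    # Each relay removes one layer; record what that relay could observe.
    seen, prev, blob = [], "client", onion
    for relay in path:
        layer = json.loads(unseal(keys[relay], blob))
        seen.append({"relay": relay, "prev": prev, "next": layer["next"]})
        prev, blob = relay, bytes.fromhex(layer["data"])
    return seen, blob  # blob is what the exit relay forwards to the destination

PATH = ["guard", "middle", "exit"]            # constructed relay names
KEYS = {r: os.urandom(32) for r in PATH}      # one key per hop, held by the client
REQUEST = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"  # constructed HTTP request

if __name__ == "__main__":
    onion = build_onion(PATH, KEYS, "example.org:80", REQUEST)
    seen, delivered = route(PATH, KEYS, onion)
    for view in seen:
        print(view)
    print("exit relay forwards:", delivered)
```

Only the exit relay's layer names the destination, and what it forwards is the original request in the clear, which is why the article later recommends HTTPS for that last hop.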

[Diagram: how Tor works]

Tor hidden services, which will be covered below, are accessed in a slightly different way from standard websites — they use .onion domain names and are inaccessible from the regular web.

To actually use Tor to anonymize your communications, you run the Tor Browser on your computer. The Tor Browser is a modified version of Mozilla Firefox that connects to the internet via the Tor network. In addition to the functionality necessary to use Tor, the Tor Browser also bundles a number of extensions that help users maintain their privacy. For example, the NoScript extension is bundled with Tor out of the box, meaning that users have to manually approve individual JavaScript files before they can run—helping to protect against fingerprinting and browser security exploits.

Tor browser security: how safe, anonymous, and secure is it?

Although Tor is frequently used by privacy-conscious people and those looking to avoid surveillance, it isn’t perfect. Simple mistakes can make hours of meticulous privacy protection useless, so it pays to be especially careful when browsing with Tor. Here are some things you should look out for:

  • The final part of the communication is unencrypted

Tor encrypts data between the user’s computer and the Tor network, and between relays inside the network, but it does not encrypt the final part of the connection, between the exit node and the destination server. As a result, a government or internet service provider can eavesdrop on traffic between the exit node and destination servers. Since the full list of Tor exit nodes is publicly available, any unencrypted traffic leaving exit nodes is likely to be monitored closely.

  • Your traffic may be deanonymized using timing-based statistical techniques

Another security concern arises when the entry relay and exit relay both sit in the same Internet autonomous system (AS), for example when the same network operator owns both IP addresses. If this is the case, it is possible for that network operator to use timing-based statistical techniques to determine that a particular network request originated from a particular computer. This technique is difficult to execute, so it’s usually only possible for governments to pull off. Additionally, it can be expensive, so it is not usually a concern except for high-value targets.

  • Tor won't protect you against sophisticated fingerprinting methods

Other signals may also be used to fingerprint users. If you happen to be browsing a compromised website using Tor with JavaScript enabled (or the website you’re browsing uses compromised third-party JavaScript), it’s possible for the attacker to determine who you are based on your mouse movements. Most people move their mouse in a distinct way which can be used to correlate a Tor browsing session with a regular, non-Tor browsing session.

  • Even Tor has bugs that can be exploited

As with regular web browsing, it is always possible to have your web browser compromised as a result of a security bug. While modern browsers, including the Firefox-based Tor Browser, include very good exploit protection, the kinds of adversaries that target Tor users also stockpile browser exploits that browser vendors are completely unaware of (known as “zero-day” bugs).

Although most security considerations for Tor are only applicable to the most paranoid users, it’s still a good idea to follow some safety guidelines. Anyone using Tor is automatically enough of a surveillance target that protecting your security is important.

How to protect yourself when using Tor

  1. Don’t log into your usual accounts - especially Facebook or Google.
  2. Try not to follow any unique browsing patterns that may make you personally identifiable.
  3. Turn the Tor Browser’s security level up to the max. This will disable JavaScript on all sites, disable many kinds of fonts and images, and make media like audio and video click-to-play. This level of security significantly decreases the amount of browser code that runs while displaying a web page, protecting you from various bugs and fingerprinting techniques.
  4. Use the HTTPS Everywhere extension. This will ensure you're only browsing HTTPS websites and protect the privacy of your data as it goes between the final node and the destination server.
  5. As a general rule, never use BitTorrent over Tor. Although people illegally pirating copyrighted content may wish to obscure their real identity, BitTorrent is extraordinarily difficult to use in a way that does not reveal your real IP address. Tor is relatively slow, so BitTorrent is hardly worth using over Tor anyway.
  6. Most importantly, always keep Tor Browser (and any extensions) updated, reducing your attack surface.

What are Tor hidden services?

Tor hidden services, “onion services”, or “Tor websites” are websites that are only accessible from within the Tor network. All hidden service domain names end in .onion and consist of a very long string of seemingly random characters. Collectively, Tor hidden services are sometimes referred to as the “dark web.”

These websites are not indexed by and won't appear on search engines like Google. Instead, a number of user-created directories of hidden services allow you to find the sites you’re looking for.

The dark side of Tor


The term “dark web” generally evokes a mental image of criminals selling illegal services through sketchy Tor-based marketplaces. Although much of the news surrounding Tor and Tor hidden services makes it seem as though using them is like walking down a dark alley at night, there are plenty of perfectly legitimate uses for hidden services as well.

Sites like Facebook, DuckDuckGo, and The New York Times run versions of their sites with .onion addresses for journalists and activists living under oppressive regimes.

Some extremely privacy-conscious individuals make their blogs or websites exclusively accessible through Tor hidden services so that their real-life identity cannot be determined.

The US government has steadily improved its technologies for catching and prosecuting criminals who use Tor for illegal purposes. As mentioned above, Tor is vulnerable to timing attacks and other types of advanced compromises that require government-like resources. For that reason, a government with sufficient resources can deanonymize some Tor requests if they control the right internet service providers (which is almost always true of the American government).

While using Tor itself is perfectly legal, there is plenty of illegal activity involving Tor, so be sure to watch out when visiting hidden services so that you don’t accidentally end up on a sketchy .onion site. If you decide to access the Dark or the Deep web, do it in a safe way.

Tor vs. VPN services: what’s the difference?

Virtual private network (VPN) services are frequently marketed as a way to improve privacy or gain anonymity. In reality, VPN services can be hit-and-miss when it comes to privacy. Some are certainly better at protecting data than Tor, whereas others will compromise your privacy more than not using one at all.

VPNs are point-to-point tunnels. Network traffic travels in an encrypted tunnel from the user’s computer all the way to the VPN provider’s network and is then forwarded on to the destination server. In that sense, they are similar to Tor.

The most problematic aspect of VPN service marketing is the “no-logging policy.” Most VPN providers advertise that they do not log how their services are used, so users can feel confident using the service with no legal ramifications. However, there are few ways this claim can be proven beyond a reasonable doubt. So if you do end up choosing a VPN for privacy, it's best to go with one whose no-logs policy has been tested in the wild by a police investigation, or at least one whose infrastructure has been audited by a trustworthy, independent third party.

The biggest advantages of VPNs over Tor include much better connection speeds for downloading videos and other large files. Also, with a VPN, you can choose the server your data is routed through, or at least the country in which that server is located. Finally, it is far easier to use a VPN systemwide than it is to use Tor outside of Tor Browser.

Whether you’re using Tor or a VPN service, be careful not to leak your actual IP address through browser plugins or by logging into an account that would nullify your anonymity.


Takeaways

If you want to protect your privacy and anonymity as much as possible while browsing the web, Tor and the Tor Browser may be a good choice. Tor is a widely used and well-studied way to avoid surveillance and censorship from internet service providers and government agencies. It also offers access to .onion hidden services, which are used for avoiding oppressive regimes (and, occasionally, less-noble activities as well).

To use Tor effectively, you must be mindful of a variety of security and privacy concerns, as laid out earlier in this article. Depending on your threat model — which potential threats you want to protect against — you may need to take aggressive measures to keep your browsing anonymous, some of which can make browsing inconvenient.

Virtual private network (VPN) services are marketed similarly to Tor. However, while they offer significantly higher speeds, their protection against surveillance depends on the specific service provider.

In conclusion, Tor is a powerful tool that must be wielded smartly. It can allow you to avoid all kinds of digital oppression—just like journalists and human rights activists do around the world every day. If used incorrectly, it will only provide a false sense of security. By understanding and following the recommendations made in this article, you’ll be ready to make use of Tor correctly and in an effective manner.



Comments

Uwen Sue
3 years ago
There is a lot to learn for a non-geek. So if we are not supposed to use our normal email, then how can we communicate with one another anonymously?
Regarding your terms and conditions, the following statement "Use that is made without our permission may therefore infringe our copyright which can result in personal and corporate liability" suggests that you have access to each individual identity accessing your website. So this is confusing: TOR is supposed to hide a person's identity, but you are able to identify anyone who visits your website. Is this a correct assumption on my part?
Trafalgar
2 years ago
The easiest way to break your anonymity is providing information that can lead to you. There are plenty of email options on Tor, like Mail2Tor.
Also, if you're using a normal browser, every website is able to gather information about your system and about you, but when connected through Tor, the only information the website has is provided by the exit node, so it is harder to gather information about you.
I'm not an expert but I hope I've answered your questions.