Tor (formerly an acronym for “The Onion Router”) is often touted as a way to browse the web anonymously. From human rights activists evading oppressive governments to drug dealers selling through online marketplaces, Tor is a popular way to gain significantly more anonymity than you would normally have online. At the same time, Tor isn’t perfect, so it can provide a false sense of security if used incorrectly.
In this article, we’ll look at what Tor is and isn’t. Then, we’ll take a look at how it works, how it compares to VPN services, and how to stay safe. You’ll learn all about Tor and be ready to use it with confidence, knowing that you won’t make any beginner mistakes that would compromise your anonymity.
What does Tor do?
Using the Tor Browser is similar to using any other web browser. Although the process of starting up the browser differs slightly from Chrome or Firefox (Tor must configure a connection to the Tor network before the browser can start), actually browsing the web with Tor is pretty intuitive.
The main difference is that when you browse the web with Tor, your real IP address and other system information is obscured from the websites and services you're visiting. Additionally, it also hides what you're doing from your Internet Service Provider.
The primary uses of Tor are the following:
- Bypassing censorship and surveillance
- Visiting websites anonymously
- Accessing Tor hidden services (.onion sites)
Tor: Pros and Cons
Using Tor offers a number of privacy and anonymity protections over directly connecting to a website. That said, it also presents some challenges.
- If you use Tor correctly, your real IP address cannot be determined by the websites you visit.
- You can access websites without your internet service provider being aware of your browsing history.
- You can bypass many kinds of censorship.
- Tor is very slow compared to VPNs and regular web browsing, so downloading large files is usually not feasible.
- It’s possible to deanonymize your browsing by making a simple mistake.
- Some governments and network operators can prevent Tor from functioning.
- Although using Tor is legal in and of itself, using Tor may make your activity appear suspicious.
- Websites may refuse to function when you’re using Tor—generally to prevent anonymous spam and abuse.
Who created Tor?
The concepts underpinning Tor — namely, onion routing — were developed by the United States government in the 1990s. It was originally designed to protect the communications of US intelligence agencies across the Internet. The original code for Tor was released under a free and open-source software license by the United States Naval Research Laboratory, allowing other people and organizations to contribute to the project.
Since 2006, a nonprofit called The Tor Project has been responsible for maintaining Tor and the Tor Browser. Financial support comes from corporations like Google, organizations such as Human Rights Watch, and many others.
How does Tor work?
There are two things people may mean when they say “Tor”: the networking system and the Tor Browser.
To anonymize Internet usage, Tor routes traffic through multiple randomly-chosen relay servers before accessing the destination website. There are over 7,000 of these servers, which mostly belong to volunteers. The request is encrypted multiple times, so the relay servers only know the previous relay and the next relay, but not the request contents or the full circuit. The network request finally exits the Tor network at an exit node. From the website’s perspective, you are browsing directly from the exit node.
Tor hidden services, which will be covered below, are accessed in a slightly different way from standard websites — they use .onion domain names and are inaccessible from the regular web.
Tor browser security: how safe, anonymous, and secure is it?
Although Tor is frequently used by privacy-conscious people and those looking to avoid surveillance, it isn’t perfect. Simple mistakes can make hours of meticulous privacy protection useless, so it pays to be especially careful when browsing with Tor. Here are some things you should look out for:
- The final part of the communication is unencrypted
Even though Tor encrypts data between the user’s computer and servers in the Tor network and within the Tor network, it does not encrypt the final part of the connection between the exit node and the destination server. As a result, it is possible for a government or internet service provider to eavesdrop on traffic between the exit node and destination servers. Since the full list of Tor exit nodes is publicly available, any unencrypted traffic leaving exit nodes is likely to be monitored closely.
- Your traffic may be deanonymized using timing-based statistical techniques
Another security concern is when the entry relay and exit relay both exist on the same Internet autonomous system (AS)— like if the same network operator owns both IP addresses. If this is the case, it is possible for that network operator to use timing-based statistical techniques to determine that a particular network request originated from a particular computer. This technique is difficult to execute, so it’s usually only possible for governments to pull off. Additionally, it can be expensive, so it is not usually a concern except for high-value targets.
- Tor won't protect you against sophisticated fingerprinting methods
- Even Tor has bugs that can be exploited
As with regular web browsing, it is always possible to have your web browser compromised as a result of a security bug. While modern browsers, including the Firefox-based Tor Browser, include very good exploit protection, the kinds of adversaries that target Tor users also stockpile browser exploits that browser vendors are completely unaware of (known as “zero-day” bugs).
Although most security considerations for Tor are only applicable to the most paranoid users, it’s still a good idea to follow some safety guidelines. Anyone using Tor is automatically enough of a surveillance target that protecting your security is important.
How to protect yourself when using Tor
- Don’t log into your usual accounts - especially Facebook or Google.
- Try not to follow any unique browsing patterns that may make you personally identifiable.
- Use the HTTPS Everywhere extension. This will ensure you're only browsing HTTPS websites and protect the privacy of your data as it goes between the final node and the destination server.
- As a general rule, never use BitTorrent over Tor. Although people illegally pirating copyrighted content may wish to obscure their real identity, BitTorrent is extraordinarily difficult to use in a way that does not reveal your real IP address. Tor is relatively slow, so BitTorrent is hardly worth using over Tor anyway.
- Most importantly, always keep Tor Browser (and any extensions) updated, reducing your attack surface.
What are Tor hidden services?
Tor hidden services, “onion services”, or “Tor websites” are websites that are only accessible from within the Tor network. All hidden service domain names end in .onion and consist of a very long of seemingly-random characters. Collectively, Tor hidden services are sometimes referred to as the “dark web.”
These websites are not indexed by and won't appear on search engines like Google. Instead, a number of user-created directories of hidden services allow you to find the sites you’re looking for.
The dark side of Tor
The term “dark web” generally evokes a mental image of criminals selling illegal services through sketchy Tor-based marketplaces. Although much of the news surrounding Tor and Tor hidden services makes it seem as though using them is like walking down a dark alley at night, there are plenty of perfectly legitimate uses for hidden services as well.
Sites like Facebook, DuckDuckGo, and The New York Times run versions of their sites with .onion addresses for journalists and activists living under oppressive regimes.
Some extremely privacy-conscious individuals make their blogs or websites exclusively accessible through Tor hidden services so that their real-life identity cannot be determined.
The US government has steadily improved its technologies for catching and prosecuting criminals who use Tor for illegal purposes. As mentioned above, Tor is vulnerable to timing attacks and other types of advanced compromises that require government-like resources. For that reason, a government with sufficient resources can deanonymize some Tor requests if they control the right internet service providers (which is almost always true of the American government).
While using Tor itself is perfectly legal, there is plenty of illegal activity involving Tor, so be sure to watch out when visiting hidden services so that you don’t accidentally end up on a sketchy .onion site. If you decide to access the Dark or the Deep web, do it in a safe way.
Tor vs. VPN services: what’s the difference?
Virtual private network (VPN) services are frequently marketed as a way to improve privacy or gain anonymity. In reality, VPN services can be hit-and-miss when it comes to privacy. Some are certainly better at protecting data than Tor, whereas others will compromise your privacy more than not using one at all.
VPNs are point-to-point tunnels. Network traffic travels in an encrypted tunnel from the user’s computer all the way to the VPN provider’s network and is forwarded onto the destination server. In that sense, they are similar to Tor.
The most problematic aspect of VPN service marketing is the “no-logging policy." Most VPN providers advertise that they do not log how their services are used, so users can feel confident using the service with no legal ramifications. However, there are few ways this claim can be proven beyond a reasonable doubt. So if you do end up choosing a VPN for privacy, it's best to go with one that has had its no-logs policy tested in the wild due to some police investigation, or at least one that has had the infrastructure audited by a trustworthy, independent third-party.
The biggest advantages of VPNs over Tor include much better connection speeds for downloading videos and other large files. Also, with a VPN, you can choose the server your data is routed through, or at least the country in which that server is located. Finally, it is far easier to use a VPN systemwide than it is to use Tor outside of Tor Browser.
Whether you’re using Tor or a VPN service, be careful not to leak your actual IP address through browser plugins or by logging into an account that would nullify your anonymity.
Read more: Tor over VPN
Is using Tor legal?
Yes. In most of the world, using Tor is perfectly legal. However, there are plenty of illegal activities that can be facilitated with Tor hidden services, so Tor usage may be seen as suspicious by many governments or internet service providers.
What search engine Does Tor use?
Tor Browser, the recommended way to use Tor, uses DuckDuckGo by default. That said, you can use any other search engine you choose—but note that DuckDuckGo uses the least tracking of any major search engine.
Can I be tracked if I use Tor?
Yes. While Tor obscures your IP (so long as you don’t accidentally reveal it—see the next section) and Tor Browser includes a variety of anonymizing features that make tracking harder, you still have to be very careful to avoid leaking information that could be used to track you. Don’t log into accounts that you use with other browsers or do anything else that would make your browsing session personally identifiable.
Does Tor hide my IP?
Yes, assuming that you don’t accidentally leak it. Websites you visit while using Tor will see the IP address of the Tor exit node you are using, not your actual IP. However, browser plugins and torrenting applications can easily leak your actual IP address if you aren’t careful. Additionally, there are a number of other ways to track users aside from IP addresses. Be sure not to reveal your identity in any other way, like signing into an account you use from another connection. Tor Browser includes a variety of tracking prevention features that help prevent unique browser and device characteristics from being used to fingerprint you across the web. No matter what, vigilance is always necessary to protect your anonymity.
Does Tor work in China?
Not reliably. The Chinese government’s Great Firewall prevents connections to much of the outside world, including practically all parts of the Tor network. Using Tor in China is significantly more complicated than in most other parts of the world; it generally requires tunneling traffic to another country and then using Tor over that connection. If you already have a VPN that works for getting access to websites that are blocked in mainland China, you may be able to use Tor through that VPN, which can improve your privacy significantly.
If you want to protect your privacy and anonymity as much as possible while browsing the web, Tor and the Tor Browser may be a good choice. Tor is a widely used and well-studied way to avoid surveillance and censorship from internet service providers and government agencies. It also offers access to .onion hidden services, which are used for avoiding oppressive regimes (and, occasionally, less-noble activities as well).
To use Tor effectively, you must be mindful of a variety of security and privacy concerns, as laid out earlier in this article. Depending on your threat model — which potential threats you want to protect against — you may need to take aggressive measures to keep your browsing anonymous, some of which can make browsing inconvenient.
Virtual private network (VPN) services are marketed similarly to Tor. However, while they offer significantly higher speeds, their protection against surveillance depends on the specific service provider.
In conclusion, Tor is a powerful tool that must be wielded smartly. It can allow you to avoid all kinds of digital oppression—just like journalists and human rights activists do around the world every day. If used incorrectly, it will only provide a false sense of security. By understanding and following the recommendations made in this article, you’ll be ready to make use of Tor correctly and in an effective manner.