Tor is one of the easiest ways to browse the web anonymously. But now that we’ve said the “a” word, we need to put a big ol’ asterisk next to it, because using Tor to conceal your online activities comes with a bunch of caveats. Let’s take a look at what Tor does, who uses it, and most importantly, what Tor won’t do if you’re looking to hide online.
How Tor works
Tor is short for The Onion Router (thus the logo) and was initially a worldwide network of servers developed with the U.S. Navy that enabled people to browse the internet anonymously. Now, it’s a non-profit organization whose main purpose is the research and development of online privacy tools.
The Tor network disguises your identity by encrypting your traffic and moving it across different Tor relays within the network. Software engineer Robert Heaton has a great summary of how this keeps you (theoretically) anonymous:
When you visit a website using a normal web browser, your computer makes a direct TCP connection with the website’s server. Anyone monitoring your internet connection (or that of the server) could trivially inspect your IP packet headers, discover the IP addresses of both you and the server, and deduce that you were communicating with each other. So long as you and the server were communicating using encrypted HTTPS, the snooper wouldn’t be able to read the actual contents of your messages. But – as Person X knows all too well – sometimes even just knowing who you are communicating with is all the information an adversary needs.
By contrast, when you visit a website using the Tor browser, your computer never communicates with the website’s server directly. Instead, the Tor browser constructs a twisty path through a random set of 3 Tor nodes, and sends your data via this circuit. The browser starts by sending your data to the first (or guard) node in the circuit. The guard node sends your data on to the second (or middle) node. The middle node sends your data on to the third (or exit) node, and finally the exit node sends your data to the website’s server. The server sends its response back to the exit node, which takes care of propagating the response back to you, via the rest of the circuit.
All you have to do to access Tor is download the Tor browser. Launch it, and everything you do in the browser will go through the Tor network. Most people won’t need to adjust any settings; it just works. That said, since your data is going to hop through a lot of relays, your experience on Tor might be more sluggish than your normal internet browsing.
What Tor is good for
Tor is useful for anyone who wants to keep their internet activities out of the hands of advertisers, ISPs, and websites. That includes people getting around censorship restrictions in their country, people looking to hide their IP address, or anyone else who doesn’t want their browsing habits linked to them.
The Tor network can also host websites that are only accessible by other Tor users. In other words, you’ve now entered the world of the Dark Web, or sites that aren’t indexed by the regular crawlers you use to search for cute animals, things to buy, and trivia answers. You can find everything from free textbooks to drugs on the Dark Web—and worse—so long as you know the special URL that takes you to these sites. Tread carefully.
What Tor doesn’t do
Tor sounds perfect on paper—a free, easy system you can use to live a clandestine life online. But it’s far from that. There are plenty of ways to give up your security and anonymity if you’re using Tor. For example, consider this scenario from Naked Security’s Paul Ducklin:
Although Tor’s exit nodes can’t tell where you are, thanks to the anonymising effects of the entry guard and middle relay (which changes frequently), they do get to see your final, decrypted traffic and its ultimate destination, because it’s the exit node that strips off Tor’s final layer of mix-and-mystery encryption.
In other words, if you use Tor to browse to a non-HTTPS (unencrypted) web page, then the Tor exit node that handles your traffic can not only snoop on and modify your outgoing web requests but also mess with any replies that come back.
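To make the two quoted descriptions above concrete (Heaton's three-node circuit and Ducklin's point about the exit node), here is an added example, not code from Tor or from either quoted author, that wraps a request in three layers and records what each relay can observe. The toy cipher, the relay names, the client address and the destination are all constructed for illustration; it assumes the client already shares one key with each relay.

```python
import hashlib, json, os

def xor_stream(key, nonce, data):
    # Toy stream cipher (SHA-256 in counter mode). Stand-in only, NOT Tor's real crypto.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key, layer):
    nonce = os.urandom(16)
    return nonce + xor_stream(key, nonce, json.dumps(layer).encode())

def peel(key, blob):
    return json.loads(xor_stream(key, blob[:16], blob[16:]))

def build_onion(path, keys, destination, request):
    # Client side: innermost layer is for the exit, outermost for the guard.
    blob = seal(keys[path[-1]], {"next": destination, "data": request})
    for relay, nxt in zip(reversed(path[:-1]), reversed(path[1:])):
        blob = seal(keys[relay], {"next": nxt, "data": blob.hex()})
    return blob

def route(blob, path, keys, client):
    # Relay side: each hop peels exactly one layer; record what that hop learns.
    seen, sender = {}, client
    for relay in path:
        layer = peel(keys[relay], blob)
        seen[relay] = {"from": sender, "to": layer["next"]}
        if relay == path[-1]:
            seen[relay]["payload"] = layer["data"]  # exit holds the final payload
        else:
            blob = bytes.fromhex(layer["data"])     # still encrypted for later hops
        sender = relay
    return seen

def demo():
    path = ["guard", "middle", "exit"]             # constructed relay names
    keys = {r: os.urandom(32) for r in path}       # assumed: one shared key per relay
    onion = build_onion(path, keys, "forum.example:80", "GET /profile HTTP/1.1")
    return route(onion, path, keys, client="198.51.100.7")

if __name__ == "__main__":
    for relay, view in demo().items():
        print(relay, view)
```

No single relay sees both the client address and the destination, but the exit's view includes the request itself because it was plain HTTP; had the payload been a TLS stream, the exit would hold only ciphertext at that point.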
While Tor might help conceal that it was your computer that made an initial request to, say, visit some sketchy internet forum and do all sorts of horrible things, it’s not going to do anything to help you out if you make an account on that website. And if that account is ever associated with illegal activities, payments, and/or real-world addresses, it doesn’t really matter what browser or anonymizing technique you use to visit the site. You won’t be very hidden after all.
That’s not all. Many of the ways you’d use a normal web browser could also cough up your identity on Tor—or, at least, leave enough breadcrumbs for a dedicated entity to more easily figure out who you are. As the Tor Project describes:
Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy.
Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files, unless you use the PDF viewer that’s built into Tor Browser) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with files downloaded via Tor, we strongly recommend either using a disconnected computer, or using dangerzone to create safe PDF files that you can open. Under no circumstances is it safe to use BitTorrent and Tor together, however.
And if an entity is determined to find out who you are, and is willing to serve you up some malware to get there, the simple fact that you’re using Tor isn’t going to stop them. A Tor-themed FBI bust shows how this might work, as reported by Motherboard back in 2013:
The FBI’s big child porn bust this summer also raised some suspicion from privacy advocates over how easy it is for the Feds to infiltrate Tor. The FBI managed to crack the anonymous network by injecting malware into the browser, in order to identify what it called the “largest child porn facilitator on the planet.” In the process, the malware revealed the IP addresses of hundreds of users.
So, should you use Tor?
If you’re an average user looking at cat GIFs and browsing Facebook, you probably don’t need to worry about the government spying on your activity. Tor is just going to slow down your connection. It’s more likely that you need to secure your internet rather than anonymize it, say, when you’re using public wifi. In that case, you’d want to make sure you’re using HTTPS on all sites that support it, and possibly even a VPN to encrypt all your traffic when you’re away from home.
If you don’t have a VPN, Tor is better than nothing, but I wouldn’t use it to sign into any services—especially financial ones. You still don’t know who controls the various nodes in your circuit, including that all-important exit node; I’d rather trust my connection over a single-source VPN (even though, theoretically, you’re still passing your data through another entity).
In other words, if you don’t really need to be anonymous, don’t worry about Tor.
And if you want to stay anonymous because you’re downloading large files and don’t want people to see what you’re downloading—say, on BitTorrent—Tor is not a good solution. Don’t be that jerk that slows down everyone else’s traffic for no reason. Just as important, you might not actually be anonymous at all. In this case, you’ll want a VPN instead.
Remember, Tor is not simply a “free VPN.” Both can help you have some kind of anonymity online, but the approaches are wildly different.
This article was originally published in February 2014 by Thorin Klosowski. It was updated in December 2020 by David Murphy, who added new information about Tor, quoted additional sources, updated hyperlinks, and updated images.