What is Tor and how does it work?
It isn’t just VPNs that let you stay anonymous online
If you're keen to keep your online activities to yourself then Tor is a great option and well worth adding to your privacy toolkit.
Tor is a custom browser, which comes complete with clever open-source technology that uses some very smart tricks to protect your web anonymity.
The software accesses both regular websites and the dark web, which is the hidden area of the internet that you won't find indexed on Google. Better still, it's also free to use. There’s no registration required, no data limits, no annoying advertising, and no constant demands to upgrade to a paid product either.
For many then, it’s a perfect fit, especially if you’re keen to keep your browsing tracks hidden from view. Is Tor the perfect web anonymity tool? Not quite, but it can work very well in some situations. During the course of this article we'll explain how Tor works, when to use it, and how you can combine Tor with a VPN to get the best possible protection.
How does Tor work?
Tor is an open-source package based around a principle called Onion Routing.
This involves encrypting your data multiple times, then passing it through a network of volunteer-run servers (or 'relays') from around the world.
The first (or 'guard') relay receives your data and peels off the first layer of encryption, like the layer of an onion. In fact, Tor stands for 'The Onion Router', and takes its name from this layering idea.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The guard relay knows your IP address, but has no other clues to your identity. It can't see which site you're trying to access either, which means there's no way to log what you're doing. The only information it has is the address of the next relay.
The subsequent relays don't have your IP address or know which site you're trying to visit. All they do is remove a layer of encryption and pass the data to the next relay.
When your data reaches the last relay, also called the exit node, it removes the final layer of encryption and routes your web request to its real destination.
Your target website sees the IP address of the Tor exit node rather than yours, so has even less idea of who you are. It passes its response back to the exit node, which routes it through the Tor network and back to you.
Is Tor a VPN?
Tor uses the same core principle as a VPN service: it hides your IP address from websites by routing your traffic through another server. However, there are several differences in how the process works, which differentiates it somewhat from a conventional VPN arrangment.
For example, while VPNs typically use a single server, Tor routes your data through at least three.
VPNs have a single layer of encryption, which protects you from end-to-end. Tor, on the other hand, uses multiple layers, but these are peeled off as you travel from server to server.
What’s more, VPNs require you to log into a server, which then sees every website you visit and that, theoretically at least, could mean your data is logged as a result. Tor separates the knowledge of who you are (your incoming IP address) and the website you're visiting, which makes it much more difficult to record your activities.
How can I use Tor?
Despite Tor's powerful tech and many privacy-protecting features, it's very easy to use and you can be up and running in no time if you feel it’s well suited to your needs.
First up, you’ll need to visit the official Tor website and download the right version of Tor for your platform. While there's no iOS version, the site does have downloads for Windows, Mac, Linux and Android, so most folks are catered for.
Running the installer sets your device up with Tor Browser, which is a special version of Firefox. This includes the extra software necessary to make Tor work, but another advantage is that it also bundles the excellent NoScript and HTTPS Everywhere extensions for even more protection.
When you launch Tor Browser it will ask if you'd like to connect to Tor. Click Connect and Tor Browser connects to a Tor guard relay. That's basically all there is to it. You can get on with running searches, browsing websites and generally using the web as normal, right off the bat. The only difference is your traffic is now routed via the Tor network, rather than your regular connection.
It's worth noting though that, unlike a VPN, Tor Browser only protects its own traffic. Other apps and your system will still use your standard internet connection.
How can I use Tor to browse the dark web?
Tor Browser doesn't just support accessing regular websites. It also allows you to browse .onion sites, which is part of the hidden area of the internet often referred to as the dark web. The good news is that to do this there's no extra work involved, you simply type the site URL into the address bar.
While the dark web frequently gets a bad rap and is often linked to sites selling guns, drugs, stolen data and all kinds of other horrifying content, that’s not the whole story. Of course, there's some truth about the negative aspects of the dark web, but it's only a tiny part of the story.
It's worth remembering that .onion sites aren't only used by people looking to hide something. In fact, they're also a way to bypass censorship, perhaps to get around country-level website blocks. For example, Facebook has an .onion site. Meanwhile, the BBC uses https://www.bbcnewsv2vjtpsuy.onion, and the DuckDuckGo search engine is at https://3g2upl4pq6kufc4m.onion (note that these .onion links won't work unless you're using Tor).
It's not always easy to find .onion sites, but there are plenty of resources that can help. The Hidden Wiki is a huge .onion site directory, DuckDuckGo's engine indexes .onion sites, and Reddit has plenty of chat and recommendations about the latest .onion discoveries too.
Is Tor illegal?
Tor has a similar legal status to VPNs across much of the world.
The technology won't cause you any legal problems in most countries. Just as long as you don't use it to order illicit items from deep web sites, of course.
Naturally, there are some countries that ban the use of VPNs, such as China, Belarus and the UAE, and they generally also disapprove of Tor too. That doesn't mean you'll be arrested for downloading it - China is more interested in blocking the technology, so it just won't work. Nevertheless, it does mean you should be more careful. If you're using a VPN anyway, combining it with Tor might prevent the authorities seeing what you're doing, which we’ll cover in more detail shortly.
What are the disadvantages of Tor?
Encrypting your traffic and routing it through multiple servers does a lot to protect your privacy, but there is also something of a downside. The fact of the matter is that using Tor will really slow you down.
How slow that might be depends on a few variables. However, we ran a speed test on a mobile device connected via Wi-Fi. This managed downloads of 50Mbps using our regular connection, and 2Mbps with Tor. So, like we said... you’ll want to be prepared for the slowdown in your browsing activities.
There's another potential problem, too. Many hackers abuse Tor, often using it as a way to protect their identity when they launch attacks. Platforms understand this very well, and many display warnings or block access entirely if they detect you're using Tor.
PayPal gave us a couple of extra security checks and still blocked our login attempts, for instance. Amazon let us in, but only after we'd approved a notification sent to our mobile. And Google blocked us out of YouTube entirely, because 'our systems have detected unusual traffic from your computer network', it complained.
In that respect, Tor probably isn't going to be a good choice for your regular browsing, simply because it can tend to add another level of hassle to otherwise everyday online activities.
Is Tor really secure?
Tor's big anonymity advantage is that it's decentralized. The Tor network isn't run by a single company, which gets to see every connection and data path. In fact, those relays are run by thousands of volunteers from around the world. There's no one point anyone can use to watch your logins, record your traffic or otherwise monitor what you're doing online. That can be a very good thing for some people who want to remain anonymous.
Your own network can see you're accessing Tor, though, which might be a problem in a country which doesn't like web privacy. And although the first Tor relay doesn't need any logon credentials, it has a little knowledge about you in the shape of your IP address.
There is a potential vulnerability in the Tor exit node too. This is the server which both removes the final layer of encryption and gets to see the URL you're trying to visit. If you're using an unencrypted HTTP, rather than an HTTPS connection, the node may be able to log sensitive information about your activities. It’s worth bearing that in mind.
Exit nodes can also use an exploit called SSL stripping to access unencrypted HTTP communications on what you think is an encrypted site. Back in August of 2020, security researcher nusenu unveiled research suggesting up to 23% of all Tor exit nodes were engaged in a malicious campaign targeting accesses to cryptocurrency sites, altering traffic and redirecting transactions into their own virtual wallets.
What's the safest way to use Tor?
So, to recap, while Tor goes a long way to preserving your web privacy, but it has some issues. If you're looking for maximum protection, the best approach is to combine Tor with a VPN, but you’ll also need to be prepared for the slowdown in service.
The simplest route is to connect to your VPN, then Tor (a technique called 'Onion over VPN'). Now your home network only sees your VPN IP, so it doesn't know you're accessing Tor. The first Tor relay only sees your VPN IP address, giving it no information on who you are. And your VPN can't see which sites you're browsing as they're handled by Tor. That means even if a server is breached by hackers, there's no way to access your browsing history.
Tor over VPN can't protect you from malicious exit nodes, which is why some users prefer connecting to Tor first, then the VPN ('VPN over Onion'). But that allows the VPN to see your traffic again, giving you little privacy benefit overall.
You can use Tor with most VPNs, but some have better support than others. It’s therefore worthwhile doing a little bit of checking up before you proceed.
ExpressVPN has its own .onion site at http://expressobutiolem.onion, for instance, making it easier to access the service in countries where it's blocked. Another bonus in this case is that it has a great Tor guide, too.
Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.