
Understanding Tor: What It Is, How It Works, and When to Use It

Tor is one of the strongest anonymity tools available to people, and a tool worth understanding even if you rarely need it.

📖 The Basics

What It Is

Tor (The Onion Router) is a network of thousands of volunteer-operated relay servers that anonymizes internet traffic by routing it through multiple hops before it reaches its destination. The Tor Project, a US nonprofit, maintains the software and supports the network, but anyone can run a Tor node to become part of it. Tor Browser is their most accessible tool: a hardened version of Firefox that combines the network piece (Tor) with the software (Browser) to blend users together and make them appear the same to outside observers. The network serves millions of users, and projects like Tails and Whonix build on top of it with additional protections.

How It Works

Onion routing: Step by step

When you connect to Tor, your Tor client selects three nodes: a guard node, a middle relay, and an exit relay. It then builds a circuit through the three nodes, establishing an encrypted connection with each in sequence.

Your traffic is wrapped in three layers of encryption, one for each relay, like layers of an onion 🧅. Each layer can only be decrypted by the relay it's addressed to, which then removes its layer and passes the remaining encrypted payload to the next hop. At no point does any single relay see the complete picture. Here's a breakdown:

graph LR
    A["👤 You<br/>─────<br/>Wraps traffic in<br/>3 encryption layers"] --> B["🛡️ Guard Node<br/>─────<br/>✅ Sees your real IP<br/>❌ Sees destination"]
    B --> C["🔀 Middle Relay<br/>─────<br/>❌ Sees your IP<br/>❌ Sees destination"]
    C --> D["🚪 Exit Relay<br/>─────<br/>❌ Sees your IP<br/>✅ Sees destination"]
    D --> E["🌐 Website<br/>─────<br/>Sees exit node's IP<br/>not yours"]

Diagram: Tor's three-hop circuit. The guard node knows your IP but not your destination. The middle relay knows neither. The exit relay knows the destination but not your IP. No single relay sees the full picture.


  • The guard node (entry relay) knows your real IP address. It's the first hop and receives your connection directly. It can see you're using Tor. It cannot see where you're going or what you're doing.
  • The middle relay knows only that it received encrypted traffic from the guard node and should pass it to the exit relay. It knows neither your real IP nor your destination.
  • The exit relay decrypts the final layer and connects to your actual destination, typically the website or service you're trying to reach. It can see the destination and the content of unencrypted traffic. It cannot see your real IP address; it only knows the middle relay.
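
The layering described above, as an added example (not code from Tor or from this wiki): it records what each relay can observe when a plain-HTTP request crosses a three-hop circuit. A toy SHAKE-256 keystream stands in for the per-hop cipher, and the relay names, fixed keys, client IP 203.0.113.7 and request are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHAKE-256 keystream (a stand-in, not Tor's cipher)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Relay:
    name: str
    key: bytes  # hypothetical fixed key; Tor negotiates one per hop
    seen: dict = field(default_factory=dict)

    def forward(self, sender: str, cell: bytes) -> bytes:
        peeled = xor_layer(self.key, cell)  # strips this relay's layer only
        self.seen = {"from": sender, "payload": peeled}
        return peeled


def wrap(payload: bytes, circuit: list) -> bytes:
    """Client side: encrypt for the exit first, so the guard's layer is outermost."""
    for relay in reversed(circuit):
        payload = xor_layer(relay.key, payload)
    return payload


def send(client_ip: str, request: bytes, circuit: list) -> bytes:
    cell, sender = wrap(request, circuit), client_ip
    for relay in circuit:
        cell, sender = relay.forward(sender, cell), relay.name
    return cell  # what the exit relay hands to the destination


def demo():
    circuit = [Relay("guard", b"k-guard"), Relay("middle", b"k-middle"),
               Relay("exit", b"k-exit")]
    request = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"  # constructed sample
    return circuit, request, send("203.0.113.7", request, circuit)


if __name__ == "__main__":
    relays, _, _ = demo()
    for r in relays:
        print(f"{r.name:6} from={r.seen['from']:12} payload={r.seen['payload'][:24]!r}")
```

Only the guard's record contains the client address, and only the exit's record contains the readable request, which is why unencrypted HTTP is exposed at the exit.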

Exit nodes and why they matter

The exit relay is the one that connects to the open internet on your behalf. This has two implications:

  1. If you're connecting to a site over plain HTTP (not HTTPS), the exit relay can read that traffic. Always prioritize HTTPS; Tor Browser will warn you when connections are unencrypted.
  2. It's important to remember that exit relays are run by volunteers with varying motivations. A malicious exit relay can observe unencrypted traffic. This is why onion services, where neither party ever exits to the open internet, provide stronger protection for high-stakes communication.

Onion services (.onion addresses)

Tor also supports services that exist entirely within the network.

When you access a .onion address, your traffic never leaves Tor. There's no exit relay reaching the open internet, and the server's IP is never exposed to any outside observer. Both sides remain within the network.

💡 Fun fact: colloquially, this is what the 'dark web' refers to: sites hosted as .onion addresses. I like to highlight the organizations that run a .onion site to push back against the negative association.

Bridges and censorship circumvention

In countries where Tor is blocked at the network level, bridges provide an alternative. These are unlisted relay entries not published in the main directory. Several pluggable transports disguise what Tor traffic looks like to network observers. obfs4 makes traffic appear random. WebTunnel disguises Tor traffic as ordinary HTTPS. Snowflake routes through browser-based WebRTC proxies run by volunteers, creating a distributed network that's hard to block at scale. Since July 2025, WebTunnel and Snowflake have seen significantly increased adoption in Russia following obfs4 blocks on major mobile ISPs.

If you want to help, you can run Snowflake yourself as a browser extension.

Tor Browser vs. Brave's Tor mode (and other implementations)

Brave includes a "Private Window with Tor" feature that routes browser traffic through the Tor network. While it routes you through Tor, it's not a Tor Browser equivalent. Tor Browser is specifically designed to anonymize users on the Tor network through hardened fingerprinting resistance, per-site circuit isolation, specific security settings, and protections developed to prevent browser-level deanonymization. Brave's Tor mode provides routing, but without that full software-side hardening.

This isn't a knock on Brave. It's a common pattern with many third-party services, like Orbot or Cake Wallet, which use the Tor network without guaranteeing the same anonymity found in tools like the official Tor Browser, Whonix, or Tails, which are specifically designed for blending users together. So while third-party tools like Brave's Tor windows still provide protection when they route through Tor, just know they don't offer the same anonymity guarantees.

What Tor protects against and what it doesn't

Tor protects against your ISP seeing which sites you visit, websites seeing your real IP address, and network-level observers correlating your browsing destinations to your identity. It does not protect against:

  • Your own behavior. Logging into any account linked to your real identity connects that session to you, regardless of the network routing.
  • A compromised device. Malware running before your session sees your activity regardless of which network you use.
  • Traffic correlation or timing analysis attacks by well-resourced adversaries monitoring relay infrastructure over time.

In most countries, including the US, UK, Canada, EU, Australia, and others, using Tor is fully legal. It's used by journalists, researchers, activists, and ordinary people who don't want their browsing tracked. A small number of countries (China, Iran, Russia, Belarus, Turkmenistan, and a handful of others) either block Tor or treat its use as suspicious. If you're in one of those jurisdictions, bridges and pluggable transports exist to help support you.

Like many services in this wiki, Tor is a tool, and the legality maps to what you do with it, not to the fact that you opened the browser. In free countries, opening Tor Browser is no different from opening Firefox or Brave.

Downloading safely

Download Tor Browser only from torproject.org as fake versions aren't uncommon. The official project also distributes signed releases for anyone who wants to verify the download cryptographically; the installation guide walks through the process.

If torproject.org itself is blocked where you are, they maintain a GetTor email service that sends signed links to alternate mirrors. Try to avoid installing Tor Browser from an unofficial third party.


🎯 Why It Matters

In 2024, German investigative journalists revealed that the BKA, Germany's federal police, had successfully deanonymized a Tor user through timing analysis. Over two to three years, they monitored specific relay nodes, correlated traffic patterns, obtained ISP subscriber data through legal process, and identified an administrator of a dark web platform. The case prompted a wave of "is Tor broken?" coverage.

The Tor Project's assessment was no. The attack didn't compromise Tor's cryptography or the network's core design. It exploited an outdated version of Ricochet, a messaging application the target was using, which lacked a protection called Vanguards-lite specifically designed to defend against guard discovery attacks. Current versions include that protection.

The reality is it took years of timing analysis by a national police agency against a specific target running outdated software to deanonymize one Tor user. For most of you reading this, that's probably not your threat model. For the small minority where it is, the lesson is to keep your software current and understand your operational security, not abandon the tool.

Tor matters most where other tools fall short. A VPN shifts trust from your ISP to a VPN provider. Tor distributes that trust across three independent relays where no single entity holds enough information to link your identity to your destination. For situations where you genuinely cannot afford to trust any single provider, this architectural difference is extremely important.

But it's not only for advanced threat models. For research on sensitive topics, accessing services without revealing your location, or visiting onion services where neither party's IP is exposed, Tor provides protection that no VPN or private browsing mode can replicate. It's slower, and some sites block Tor exit nodes, but those are the tradeoffs for a powerful tool of free expression.


💡 Common Misconceptions

"Tor is broken or compromised."

Every few years a high-profile deanonymization case generates "Tor is broken" coverage, but the actual facts rarely match the headlines. The most recent test case, the 2024 BKA investigation referenced in the previous section, didn't compromise Tor's cryptography or its core network design. That doesn't make Tor a perfect tool, but it does mean the realistic threat model for nearly every Tor user is not the one the headlines imply.

"Tor is only for the dark web, and the dark web is only for criminals."

The phrase "dark web" colloquially means onion services, and the criminal association exists, but the actual makeup of who uses these is broader and less interesting than the framing suggests. The New York Times, The Guardian, ProPublica, the BBC, and SecureDrop all run onion services. Activists in censored regions use Tor to reach the open web. Journalists use it to protect sources. Researchers use it to access information without leaking what they're looking into. The reality is Tor can be used by anyone, and the more of us who step up to use it, the more we break the criminal association.

"Tor is too advanced for everyday users."

Tor has a reputation for being an advanced tool. And while it technically is, the reality is downloading Tor Browser, opening it, and using it to look something up is genuinely a one-step operation. There's no separate VPN to configure, no DNS to change, no extension to install. Both the network anonymization and the local hardening (anti-fingerprinting, no persistent state) are bundled into a single tool that works out of the box. It's slower than a regular browser, and some sites block exit nodes, but the benefit-to-effort ratio is actually quite solid, or at least that's my optimistic perspective.

"You should always pair Tor with a VPN for extra anonymity."

This is one of the most persistent debates around Tor, and my take on this is more nuanced than a simple yes or no. For most people, Tor Browser by itself is the right call, and stacking a VPN on top does not make you more anonymous toward the sites you visit. But there can be some positive and negative impacts depending on how you approach this.

  • VPN → Tor (you connect to a VPN first, then Tor runs on top). This has some real potential arguments behind it, if you're using a reputable no-logs provider like Mullvad or IVPN. The potential benefit: your ISP and local network see only an encrypted connection to a VPN, which obfuscates your Tor usage. The cost: you hand a lot of trust to the VPN, who can now see both your real IP and the fact that you're connecting to Tor. This does not improve your anonymity toward the destination, which still only ever sees the Tor exit node. The benefit is purely on the entry side. It's also worth knowing the Tor Project built bridges and pluggable transports for exactly the same goal of hiding Tor use, and those keep the trust inside the Tor network rather than handing it to a commercial company.

  • Tor → VPN (traffic exits Tor and then passes through a VPN before reaching the destination). The narrow pro: it gives you a consistent exit IP and can reach sites that block Tor exit nodes. The cons: it's genuinely tricky to set up correctly, it ties your Tor activity to a VPN account that can often be linked back to you, and done wrong it can undermine the very anonymity Tor gave you.

For the overwhelming majority of people, Tor Browser alone is the answer. A trusted VPN in front of Tor is a reasonable defense-in-depth choice for people who specifically need to hide they're using Tor, and accept that they're shifting trust to the VPN. If you're unsure which camp you're in, you're almost certainly in the "Tor Browser alone" camp.

"The U.S. government created Tor, so it's controlled by the U.S. government."

The first half is true and the second half is harder to follow. Onion routing was researched at the U.S. Naval Research Laboratory in the mid-1990s by David Goldschlag, Mike Reed, and Paul Syverson, with Roger Dingledine joining in the early 2000s and coining the name "Tor." The network launched publicly in October 2002, the code went open source, and the Tor Project became an independent 501(c)(3) nonprofit in 2006. It still receives some U.S. government funding alongside foundations and individual donors, and the project publishes its sponsor list openly.

But here's the thing: Tor is open source. Every line of code is public. The design is meant to distribute trust across 3 relays. Independent cryptographers have been auditing the protocol for over twenty years. More importantly: the U.S. government itself uses Tor for diplomats, intelligence assets, and military communications, which means a backdoor would compromise their own users alongside everyone else. The system only works if it works for everyone.

"A huge percentage of Tor nodes are malicious, so it's not safe."

This one has some truth to it since malicious relays are real, but the numbers vary wildly depending on the moment in time. Outside of large-scale attacks, peer-reviewed measurements have historically found malicious exits in the low single digits. For example, the Chakravarty et al. 2014 study detected 14 malicious exit relays across 30 months of monitoring. But specific Sybil campaigns have done much more damage, like when a single actor running a campaign controlled up to 23% of Tor exit capacity in May 2020 and over 27% in early 2021. The KAX17 actor, discovered in 2021, was running over 900 relays across guard, middle, and exit positions.

These situations are quite alarming! But deanonymizing a circuit requires the same actor to control multiple hops simultaneously, and even at KAX17's peak the chance of that for any single circuit was quite low. The other important note is that the Tor Project actively removes malicious relays as they're found, and the situation is more like an ongoing whack-a-mole than a static "X% are bad" number. So this is worth following, but not currently a reason to outright avoid the tool.


🗣️ Henry's Take

I treat Tor as a tool worth keeping installed even if it's rarely used. My case for this is simple: when you need it, you need it immediately! The setup cost of getting it ready in the moment is much higher than the cost of having it sitting in your dock unused.

The other case for using it is the network benefits from healthy traffic, and the more ordinary, low-risk searches that route through it, the better the cover for the people who genuinely depend on it.

For non-critical onion links that friends and viewers send to me, I'll sometimes open them in Brave's Private Window with Tor to quickly preview them instead of using the Tor Browser. But for anything that actually matters, I use Tor Browser.

On mobile, Orbot is genuinely underrated: it routes app traffic through Tor in a way that doubles as a free, trusted VPN for situations where you don't have one configured. And pro tip: If your workflows require an official Tor Browser for mobile, you will need to stay on Android as the Tor Browser options for iOS aren't as powerful.

The closing point I'd make: for as much as people nitpick Tor (and the criticisms can be valid!), I don't think anybody has built anything better at this scale. A VPN concentrates trust in one provider. Tor distributes trust across three independent relays. That architectural property is what makes it irreplaceable. I2P is a wonderful project, but I still think in many ways it's not as mature as Tor for everyday people. So until I find a safer tool, I'll be continuing to use Tor.


✅ Henry's Picks

Tor Browser: my primary recommendation for any situation where anonymity matters. Combines network routing through Tor with hardened anti-fingerprinting, per-site circuit isolation, and disabled features that would otherwise leak identifying information. Free, available on every major platform except iOS, which uses a less powerful version.

Brave Private Window with Tor: a routing shortcut, not a Tor Browser substitute. Useful for casually opening onion links that aren't mission-critical, or just when you want a bit of extra network privacy on a website. I don't use this for anything where actual deanonymization would matter.

Orbot: for mobile, Orbot routes app traffic through the Tor network without requiring a Tor Browser per app. Doubles as a free, trustworthy VPN on Android and iOS for situations where you don't have a commercial VPN configured. Genuinely underrated, though remember it only offers the network-level protections by default.

Tails: for situations where the local device shouldn't retain any trace of the session. Boots from a USB drive, runs entirely in RAM, routes everything through Tor by default. For higher threat models, it may be a good idea to always travel with a Tails USB ready to go so you can boot into it from any computer.

Whonix: a two-VM setup that isolates your workspace from the Tor gateway, providing strong protection against deanonymization through malware or application leaks. Higher friction than Tor Browser, but appropriate when isolation matters as much as network anonymity. Also can be used in conjunction with Qubes OS.

See the broader recommendation set at Techlore's SPA Tools.


🔗 Go Deeper

Techlore content:

  • Go Incognito v2, Lesson 6.6: Understanding Tor
