Tor is a free, global network that lets you browse the Internet and the dark web anonymously. There are, however, a few things you need to keep in mind to use Tor securely.
As online surveillance becomes more and more prevalent, tools that can help you stay private and secure online are critical. While VPNs are one such tool (learn why you should use a VPN), there are other options. Tor (which stands for “The Onion Router”) is a powerful tool for online anonymity.
However, there is no such thing as 100% security, and even Tor has some vulnerabilities. It is essential to consider its threat model and make sure that you understand what Tor can and can’t protect you against. Furthermore, if you do not adhere to certain best practices when using Tor, you could expose yourself to vulnerabilities and exploits that could compromise your privacy or your device.
This article will explain the factors to consider before using Tor and what you can do to mitigate its weaknesses.
Is Tor illegal?
This is often the first question users ask because Tor and the “dark web” have become associated with illegal enterprises like the Silk Road marketplace. The answer is no. It is not illegal to be anonymous, and Tor has many legitimate uses. The dark web itself is a powerful tool to protect privacy and free speech.
Tor is an open network of servers run by volunteers and free software (the Tor Browser) that is guided by the non-profit Tor Project. Both the network and the software can be used to browse the “clearweb” (the Internet most of us are familiar with) like any other browser. According to the Tor Project, neither the network nor the browser is illegal anywhere in the world, and using Tor is not a criminal act.
Tor vulnerabilities
Like any technology, Tor is not 100% secure, and attackers can still compromise Tor’s security. In 2014, a research team from Carnegie Mellon University gained control of enough servers in the Tor network to observe the relays on both ends of the Tor circuit and compare the traffic timing, volume, and other unique characteristics to identify which other Tor relays were part of which circuits. By putting the entire circuit together, the researchers were able to see the IP address of the user on the first relay and the final destination of their web traffic on the last relay, allowing them to match users to their online activity. (For those interested in a more technical explanation, the Tor Project analyzed the attack.) The FBI then used this attack to round up a number of criminals on the dark web as part of their Operation Onymous. Tor upgraded their relays to deal with the specific protocol used by the researchers, but correlation attacks (identifying users through the timing and volume of their traffic) are still possible.
Recently, Zerodium, an exploit vendor, discovered a new flaw in the Tor Browser that allowed attackers to run malicious JavaScript code. The Zerodium hack took advantage of a bug in the NoScript add-on to the Tor Browser. Both NoScript and the Tor Browser have been updated, and in Tor Browser v. 8.0 and later, the flaw is fixed.
These instances should not dissuade you from using Tor; rather they illustrate that even Tor is not 100% secure.
How to use Tor safely
Like with any privacy tool, proper usage is critical. Misusing Tor can compromise your online privacy in unexpected ways.
- Tor will encrypt your data as it passes through the Tor network, but the encryption of your traffic between the final Tor relay and your destination site depends upon that website. Only visit websites that use the Hypertext Transfer Protocol Secure, or HTTPS. This protocol establishes an encrypted link between the final Tor relay and your destination website. Any site that has a URL that begins with “https://” uses HTTPS, and the Tor Browser comes with the HTTPS Everywhere add-on. The Electronic Frontier Foundation has a great diagram that illustrates how Tor and HTTPS work together to protect your data.
- The Tor Browser blocks many plugins, such as Flash, RealPlayer, and QuickTime. These plugins can be manipulated into exposing your IP address in ways that Tor cannot prevent.
- If you are using the Tor Browser, be aware that only the Tor Browser’s Internet traffic will be routed through Tor. Other apps on your device will still connect normally to the Internet and may expose your real IP address.
- You should not maximize the Tor Browser window. If you maximize the Tor Browser, websites can determine the size of your device’s screen, which can narrow down which device you are using and help those sites track your activity. Tor recommends you always use the Tor Browser’s default screen size.
- You should not open documents downloaded through the Tor Browser while you are online. These documents could contain Internet resources that would reveal your true IP address. If you need to view a .doc or .pdf file, you should disconnect your computer from the Internet first, or you should use the Tor OS, Tails.
- Similarly, you cannot use BitTorrent over Tor. Torrenting will send out your real IP address in the tracker GET request, deanonymizing your torrent and web traffic. It will also slow down the entire Tor network.
- It is also important to note that Tor will not protect your privacy from a website you must sign in to. Once you sign in, you have identified yourself to that website — and anyone who might be observing the activity on that site.
- Finally, if you are using Tor to access the dark web, you must be extremely cautious. Only use dark web URLs you know to be accurate. Do not click on any ads on any site on the dark web. Inspect every link on the dark web before you click it. Visiting unknown sites on the dark web is a quick way to infect your device. Trusted sites on the dark web, such as Proton Mail’s Tor email portal, usually will have a valid SSL certificate.
Secure alternatives to Tor
Tor provides an excellent way to anonymize online activity, but certain limitations, particularly its slow browsing speeds, can be quite limiting for the average Internet user.
Proton VPN
For users who find Tor too complex or need higher performance, a trustworthy VPN like Proton VPN is a good alternative. A VPN will encrypt your online traffic and prevent attackers from monitoring your browsing activity. It is also much faster and easier to use than Tor. Once you install the VPN app, all it takes is a single click to establish an encrypted VPN connection. Switching your connection between countries is also much easier with a VPN than with Tor. The Proton VPN feature Tor over VPN also lets you access onion sites without having to download and set up the Tor Browser. However, VPNs, like Tor, also have their limitations when it comes to security and privacy, so it is important to understand the VPN threat model.
While not 100% secure, for those in dire need of online anonymity, Tor is the best option, provided you follow the guidelines. For everybody else who wants to be able to stream Netflix or use BitTorrent while also hiding your IP address and location from advertisers and trackers, Proton VPN is a more practical option.
Best Regards,
The Proton VPN Team
You can get a free Proton VPN account here.
Follow us on social media to stay up to date on the latest Proton VPN releases: Twitter | Facebook | Reddit
To get a free Proton Mail encrypted email account, visit: proton.me/mail
Hi!
I can connect to your VPN network. And then connect to the TOR network ??
I mean, use both methods at the same time.
For a more secure, private and anonymous connection?
Thanks.
How Tor related to uplink ?? Thus way ..how does it’s done they’re work??
Hi Pater. I’m sorry, but can you clarify your question, please?
Recent changes in the facebook, twitter, etc management since the political change in the usa brought me to research TOR and VPN for the first time, not because I have much to hide but because I defend the first amendment guarantee (right). The discussions among democrat congress critters about outlawing VPN really got my attention enough to find out what they were talking about. Thanks for your information.
I was wondering if using ProtonVPN in conjunction with TOR would be a potent privacy measure, or is it one over the other?
Hi Rick. We do offer a Tor though VPN feature, but note the main advantage of this is convenience, rather than security.
I have a doubt, many people says tor is illegal and baned by government but why it is in the play store
Hi Saimanikanta. Tor is not illegal in most places. It is often blocked by restrictive governments, though.
I am curious whether there is any initiative in the direction of preserving a graceful-degradation / low-energy version of the internet ?
At some point, when the energy shit hits the fan, maintaining energy-intensive data centres will drop in priority compared with growing food and heating shelter.
I’m curious whether there are any initiatives to preserve the basic functionality of email and perhaps Lynx-web access – stripped of graphics and ads and BigData access. A kind of extension to TorNet. Should we be building out meshnets to at least maintain local connectivity ? Certainly all the long-haul lines and the comms gear are owned by corpirations which may not prioritize us unwashed hordes.
Perhaps that is not even a realistic part of a Degrowth Resilient future ?
The TOR does encrypt your internet and your IP if only if you are inside the web browser and stayed on and stuff so I got to say that it’s not completely safe but if you are using ProtonVPN then you are very safe but not 100% safe but anyhow it depends on what websites that you’re visiting.
Bruh tor is safe just you can get in trouble if you go to a dark web server
I’m reporting this to google
If only ProtonVPN had a browser extension. I only need browser level protection, which is why I use TOR, otherwise I need all traffic to go through my network normally. Adding each application to ProtonVPN’s bypass filter is tedious to say the least.
Combinar navegador DuckDuckGO com a protonVPN seria o ideal?
Grato
Hi Alan! Yes, using DDG and ProtonVPN would greatly increase your online privacy.
Thanks for your article! I have a question. If you use TOR browser over a corporate VPN, could the company where the VPN is installed track what you browse the internet?
Hi Romualdus,
The connection would be encrypted between the Tor browser and the Tor exit, hence what the corporate VPN sees is only encrypted tor traffic.
Thanks
I truly have nothing to hide, but I read a lot about Tor browser, darknet, I am just curious.
Nothing to be ashamed of Louis :)
I went over this site and I think you have a lot of good information, great webpage. thanks for shering
Thank you!
I just recently started using Tor because of firefox critical error starts often appearing while browsing I feel unsafe so I started using Tor in place of Mozilla firefox.
I use TOR to visit my WordPress blog. As of about a year ago, WordPress recognizes my PC, as if TOR is completely transparent. I know this because my site visit in no longer counted. I have tried Bear Tunnel VPN, also with no luck.
In what way is ProtonVPN different?
Privacy: The ability to live without monitoring by government. ProtonVPN is the new black, I’m not flush financially at the moment but invested in a yearly subscription after doing the research. Deleting my gmail accounts and dependancy on google. I love this company and its services, happy to endorse it without any incentive to do so. Bravo!
Thanks for a great article on TOR and ProtonVPN. I’ve used TOR for years but have always worried that I might do something dumb to link me to a site. Your explanation of TOR over ProtonVPN Core makes a lot of sense. Sign up coming shortly! Keep up the good work.
Jon