Is Tor safe? Learn how secure Tor is

Posted on February 20th, 2019 in Privacy & Security.

 

Tor is a free, global network that lets you browse the Internet and the dark web anonymously. There are, however, a few things you need to keep in mind to use Tor securely.

As online surveillance becomes more and more prevalent, tools that can help you stay private and secure online are critical. While VPNs are one such tool (learn why you should use a VPN), there are other options. Tor (which stands for “The Onion Router”) is a powerful tool for online anonymity.

However, there is no such thing as 100% security, and even Tor has some vulnerabilities. It is essential to consider its threat model and make sure that you understand what Tor can and can’t protect you against. Furthermore, if you do not adhere to certain best practices when using Tor, you could expose yourself to vulnerabilities and exploits that could compromise your privacy or your device.

This article will explain the factors to consider before using Tor and what you can do to mitigate its weaknesses.  

Is Tor illegal?

This is often the first question users ask because Tor and the “dark web” have become associated with illegal enterprises like the Silk Road marketplace. The answer is no. It is not illegal to be anonymous, and Tor has many legitimate uses. The dark web itself is a powerful tool to protect privacy and free speech.

Tor is an open network of servers run by volunteers and free software (the Tor Browser) that is guided by the non-profit Tor Project. Both the network and the software can be used to browse the “clearweb” (the Internet most of us are familiar with) like any other browser. According to the Tor Project, neither the network nor the browser is illegal anywhere in the world, and using Tor is not a criminal act.

Tor vulnerabilities

Like any technology, Tor is not 100% secure, and attackers can still compromise Tor’s security. In 2014, a research team from Carnegie Mellon University gained control of enough servers in the Tor network to observe the relays on both ends of the Tor circuit and compare the traffic timing, volume, and other unique characteristics to identify which other Tor relays were part of which circuits. By putting the entire circuit together, the researchers were able to see the IP address of the user on the first relay and the final destination of their web traffic on the last relay, allowing them to match users to their online activity. (For those interested in a more technical explanation, the Tor Project analyzed the attack.) The FBI then used this attack to round up a number of criminals on the dark web as part of their Operation Onymous. Tor upgraded their relays to deal with the specific protocol used by the researchers, but correlation attacks (identifying users through the timing and volume of their traffic) are still possible.

Recently, Zerodium, an exploit vendor, discovered a new flaw in the Tor Browser that allowed attackers to run malicious JavaScript code. The Zerodium hack took advantage of a bug in the NoScript add-on to the Tor Browser. Both NoScript and the Tor Browser have been updated, and in Tor Browser v. 8.0 and later, the flaw is fixed.

These instances should not dissuade you from using Tor; rather they illustrate that even Tor is not 100% secure.

How to use Tor safely

As with any privacy tool, proper usage is critical. Misusing Tor can compromise your online privacy in unexpected ways.

  • Tor will encrypt your data as it passes through the Tor network, but the encryption of your traffic between the final Tor relay and your destination site depends upon that website. Only visit websites that use the Hypertext Transfer Protocol Secure, or HTTPS. This protocol establishes an encrypted link between the final Tor relay and your destination website. Any site that has a URL that begins with “https://” uses HTTPS, and the Tor Browser comes with the HTTPS Everywhere add-on. The Electronic Frontier Foundation has a great diagram that illustrates how Tor and HTTPS work together to protect your data.
  • The Tor Browser blocks many plugins, such as Flash, RealPlayer, and QuickTime. These plugins can be manipulated into exposing your IP address in ways that Tor cannot prevent.
  • If you are using the Tor Browser, be aware that only the Tor Browser’s Internet traffic will be routed through Tor. Other apps on your device will still connect normally to the Internet and may expose your real IP address.
  • You should not maximize the Tor Browser window. If you maximize the Tor Browser, websites can determine the size of your device’s screen, which can narrow down which device you are using and help those sites track your activity. Tor recommends you always use the Tor Browser’s default screen size.
  • You should not open documents downloaded through the Tor Browser while you are online. These documents could contain Internet resources that would reveal your true IP address. If you need to view a .doc or .pdf file, you should disconnect your computer from the Internet first, or you should use the Tor OS, Tails.
  • Similarly, you cannot use BitTorrent over Tor. Torrenting will send out your real IP address in the tracker GET request, deanonymizing your torrent and web traffic. It will also slow down the entire Tor network.
  • It is also important to note that Tor will not protect your privacy from a website you must sign in to. Once you sign in, you have identified yourself to that website — and anyone who might be observing the activity on that site.
  • Finally, if you are using Tor to access the dark web, you must be extremely cautious. Only use dark web URLs you know to be accurate. Do not click on any ads on any site on the dark web. Inspect every link on the dark web before you click it. Visiting unknown sites on the dark web is a quick way to infect your device. Trusted sites on the dark web, such as Proton Mail’s Tor email portal, usually will have a valid SSL certificate.
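To make the window-size advice above concrete, the following added example (not code from the Tor Project or Proton) counts how many visitors remain uniquely identifiable by the size a site observes when windows are maximized versus kept at a common default. The screen sizes are constructed, and the sizing policy (multiples of 200x100 pixels, capped at 1000x1000) and all function names are assumptions chosen for illustration.

```javascript
// Constructed sample: screen sizes (width, height) of ten hypothetical visitors.
const SCREENS = [
  [1920, 1080], [1920, 1080], [1366, 768], [1440, 900], [2560, 1440],
  [1536, 864], [1280, 720], [1680, 1050], [1920, 1200], [1600, 900],
];

// Assumed sizing policy (illustrative): the window is shrunk to a multiple of
// STEP_W x STEP_H that fits the screen, and never exceeds MAX x MAX.
const STEP_W = 200, STEP_H = 100, MAX = 1000;

function defaultWindow([w, h]) {
  const width = Math.min(MAX, Math.floor(w / STEP_W) * STEP_W);
  const height = Math.min(MAX, Math.floor(h / STEP_H) * STEP_H);
  return [width, height];
}

// A maximized window exposes (roughly) the full screen size to the site.
function maximizedWindow(screen) {
  return screen;
}

// Group visitors by the size a site would observe: Map of "WxH" -> visitor count.
function anonymitySets(screens, policy) {
  const sets = new Map();
  for (const s of screens) {
    const key = policy(s).join("x");
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Visitors whose observed size nobody else shares (anonymity set of one).
function uniqueVisitors(sets) {
  let n = 0;
  for (const count of sets.values()) if (count === 1) n++;
  return n;
}

const maximized = anonymitySets(SCREENS, maximizedWindow);
const defaults = anonymitySets(SCREENS, defaultWindow);
console.log("maximized:", maximized.size, "distinct sizes,",
  uniqueVisitors(maximized), "unique visitors");
console.log("default:  ", defaults.size, "distinct sizes,",
  uniqueVisitors(defaults), "unique visitors");
```

With the default sizing, half of the sample collapses into a single 1000x1000 group, so window size tells the site far less about which device is visiting.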

Secure alternatives to Tor

Tor provides an excellent way to anonymize online activity, but certain drawbacks, particularly its slow browsing speeds, can be quite limiting for the average Internet user.

Proton VPN

For users who find Tor too complex or need higher performance, a trustworthy VPN like Proton VPN is a good alternative. A VPN will encrypt your online traffic and prevent attackers from monitoring your browsing activity. It is also much faster and easier to use than Tor. Once you install the VPN app, all it takes is a single click to establish an encrypted VPN connection. Switching your connection between countries is also much easier with a VPN than with Tor. The Proton VPN feature Tor over VPN also lets you access onion sites without having to download and set up the Tor Browser. However, VPNs, like Tor, also have their limitations when it comes to security and privacy, so it is important to understand the VPN threat model.

While not 100% secure, for those in dire need of online anonymity, Tor is the best option, provided you follow the guidelines. For everybody else who wants to be able to stream Netflix or use BitTorrent while also hiding their IP address and location from advertisers and trackers, Proton VPN is a more practical option.

Best Regards,
The Proton VPN Team



Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

24 comments

  1. Mark

    Hi!

    I can connect to your VPN network. And then connect to the TOR network ??

    I mean, use both methods at the same time.

    For a more secure, private and anonymous connection?

    Thanks.

  2. Pater kakema

    How Tor related to uplink ?? Thus way ..how does it’s done they’re work??

  3. Douglas Crawford

    Hi Pater. I’m sorry, but can you clarify your question, please?

  4. THOMAS JONES

    Recent changes in the facebook, twitter, etc management since the political change in the usa brought me to research TOR and VPN for the first time, not because I have much to hide but because I defend the first amendment guarantee (right). The discussions among democrat congress critters about outlawing VPN really got my attention enough to find out what they were talking about. Thanks for your information.

  5. Rick

    I was wondering if using ProtonVPN in conjunction with TOR would be a potent privacy measure, or is it one over the other?

  6. Douglas Crawford

    Hi Rick. We do offer a Tor through VPN feature, but note the main advantage of this is convenience, rather than security.

  7. Saimanikanta

    I have a doubt: many people say Tor is illegal and banned by government, but why is it in the Play Store?

  8. Douglas Crawford

    Hi Saimanikanta. Tor is not illegal in most places. It is often blocked by restrictive governments, though.

  9. kootzie

    I am curious whether there is any initiative in the direction of preserving a graceful-degradation / low-energy version of the internet ?
    At some point, when the energy shit hits the fan, maintaining energy-intensive data centres will drop in priority compared with growing food and heating shelter.
    I’m curious whether there are any initiatives to preserve the basic functionality of email and perhaps Lynx-web access – stripped of graphics and ads and BigData access. A kind of extension to TorNet. Should we be building out meshnets to at least maintain local connectivity? Certainly all the long-haul lines and the comms gear are owned by corporations which may not prioritize us unwashed hordes.
    Perhaps that is not even a realistic part of a Degrowth Resilient future ?

  10. Curtis

    The TOR does encrypt your internet and your IP if only if you are inside the web browser and stayed on and stuff so I got to say that it’s not completely safe but if you are using ProtonVPN then you are very safe but not 100% safe but anyhow it depends on what websites that you’re visiting.

  11. muhammed

    Bruh tor is safe just you can get in trouble if you go to a dark web server
    I’m reporting this to google

  12. Someone

    If only ProtonVPN had a browser extension. I only need browser level protection, which is why I use TOR, otherwise I need all traffic to go through my network normally. Adding each application to ProtonVPN’s bypass filter is tedious to say the least.

  13. Alan Kevedo

    Would combining the DuckDuckGo browser with ProtonVPN be ideal?
    Thanks

  14. Ben Wolford

    Hi Alan! Yes, using DDG and ProtonVPN would greatly increase your online privacy.

  15. Romualdus

    Thanks for your article! I have a question. If you use TOR browser over a corporate VPN, could the company where the VPN is installed track what you browse the internet?

  16. Roxana Zega

    Hi Romualdus,

    The connection would be encrypted between the Tor browser and the Tor exit, hence what the corporate VPN sees is only encrypted tor traffic.

    Thanks

  17. Louis de la Charrette

    I truly have nothing to hide, but I read a lot about Tor browser, darknet, I am just curious.

  18. Richie Koch

    Nothing to be ashamed of Louis :)

  19. activate espn

    I went over this site and I think you have a lot of good information, great webpage. Thanks for sharing.

  20. Richie Koch

    Thank you!

  21. henry thomas

    I just recently started using Tor because of firefox critical error starts often appearing while browsing I feel unsafe so I started using Tor in place of Mozilla firefox.

  22. Webster

    I use TOR to visit my WordPress blog. As of about a year ago, WordPress recognizes my PC, as if TOR is completely transparent. I know this because my site visit is no longer counted. I have tried Bear Tunnel VPN, also with no luck.
    In what way is ProtonVPN different?

  23. Mr Green

    Privacy: The ability to live without monitoring by government. ProtonVPN is the new black, I’m not flush financially at the moment but invested in a yearly subscription after doing the research. Deleting my gmail accounts and dependency on google. I love this company and its services, happy to endorse it without any incentive to do so. Bravo!

  24. Jon

    Thanks for a great article on TOR and ProtonVPN. I’ve used TOR for years but have always worried that I might do something dumb to link me to a site. Your explanation of TOR over ProtonVPN Core makes a lot of sense. Sign up coming shortly! Keep up the good work.
    Jon
