Is Tor safe? Learn how secure Tor is

Posted on February 20th, 2019 by in Privacy deep dives.

 

Tor is a free, global network that lets you browse the Internet and the dark web anonymously. There are, however, a few things you need to keep in mind to use Tor securely.

As online surveillance becomes more and more prevalent, tools that can help you stay private and secure online are critical. While VPNs are one such tool (learn why you should use a VPN), there are other options. Tor (which stands for “The Onion Router”) is a powerful tool for online anonymity.

However, there is no such thing as 100% security, and even Tor has some vulnerabilities. It is essential to consider its threat model and make sure that you understand what Tor can and can’t protect you against. Furthermore, if you do not adhere to certain best practices when using Tor, you could expose yourself to vulnerabilities and exploits that could compromise your privacy or your device.

This article will explain the factors to consider before using Tor and what you can do to mitigate its weaknesses.  

Is Tor illegal?

This is often the first question users ask because Tor and the “dark web” have become associated with illegal enterprises like the Silk Road marketplace. The answer is no. It is not illegal to be anonymous, and Tor has many legitimate uses. The dark web itself is a powerful tool to protect privacy and free speech.

Tor is an open network of servers run by volunteers and free software (the Tor Browser) that is guided by the non-profit Tor Project. Both the network and the software can be used to browse the “clearweb” (the Internet most of us are familiar with) like any other browser. According to the Tor Project, neither the network nor the browser is illegal anywhere in the world, and using Tor is not a criminal act.

Tor vulnerabilities

Like any technology, Tor is not 100% secure, and attackers can still compromise Tor’s security. In 2014, a research team from Carnegie Mellon University gained control of enough servers in the Tor network to observe the relays on both ends of the Tor circuit and compare the traffic timing, volume, and other unique characteristics to identify which other Tor relays were part of which circuits. By putting the entire circuit together, the researchers were able to see the IP address of the user on the first relay and the final destination of their web traffic on the last relay, allowing them to match users to their online activity. (For those interested in a more technical explanation, the Tor Project analyzed the attack.) The FBI then used this attack to round up a number of criminals on the dark web as part of their Operation Onymous. Tor upgraded their relays to deal with the specific protocol used by the researchers, but correlation attacks (identifying users through the timing and volume of their traffic) are still possible.

Recently, Zerodium, an exploit vendor, discovered a new flaw in the Tor Browser that allowed attackers to run malicious JavaScript code. The Zerodium hack took advantage of a bug in the NoScript add-on to the Tor Browser. Both NoScript and the Tor Browser have been updated, and in Tor Browser v. 8.0 and later, the flaw is fixed.

These instances should not dissuade you from using Tor; rather they illustrate that even Tor is not 100% secure.

How to use Tor safely

Like with any privacy tool, proper usage is critical. Misusing Tor can compromise your online privacy in unexpected ways.

  • Tor will encrypt your data as it passes through the Tor network, but the encryption of your traffic between the final Tor relay and your destination site depends upon that website. Only visit websites that use the Hypertext Transfer Protocol Secure, or HTTPS. This protocol establishes an encrypted link between the final Tor relay and your destination website. Any site that has a URL that begins with “https://” uses HTTPS, and the Tor Browser comes with the HTTPS Everywhere add-on. The Electronic Frontier Foundation has a great diagram that illustrates how Tor and HTTPS work together to protect your data.
  • The Tor Browser blocks many plugins, such as Flash, RealPlayer, and QuickTime. These plugins can be manipulated into exposing your IP address in ways that Tor cannot prevent.
  • If you are using the Tor Browser, be aware that only the Tor Browser’s Internet traffic will be routed through Tor. Other apps on your device will still connect normally to the Internet and may expose your real IP address.
  • You should not maximize the Tor Browser window. If you maximize the Tor Browser, websites can determine the size of your device’s screen, which can narrow down which device you are using and help those sites track your activity. Tor recommends you always use the Tor Browser’s default screen size.
  • You should not open documents downloaded through the Tor Browser while you are online. These documents could contain Internet resources that would reveal your true IP address. If you need to view a .doc or .pdf file, you should disconnect your computer from the Internet first, or you should use the Tor OS, Tails.
  • Similarly, you cannot use BitTorrent over Tor. Torrenting will send out your real IP address in the tracker GET request, deanonymizing your torrent and web traffic. It will also slow down the entire Tor network.
  • It is also important to note that Tor will not protect your privacy from a website you must sign in to. Once you sign in, you have identified yourself to that website — and anyone who might be observing the activity on that site.
  • Finally, if you are using Tor to access the dark web, you must be extremely cautious. Only use dark web URLs you know to be accurate. Do not click on any ads on any site on the dark web. Inspect every link on the dark web before you click it. Visiting unknown sites on the dark web is a quick way to infect your device. Trusted sites on the dark web, such as Proton Mail’s Tor email portal, usually will have a valid SSL certificate.

Secure alternatives to Tor

Tor provides an excellent way to anonymize online activity, but certain limitations, particularly its slow browsing speeds, can be quite limiting for the average Internet user.

Proton VPN

For users who find Tor too complex or need higher performance, a trustworthy VPN like Proton VPN is a good alternative. A VPN will encrypt your online traffic and prevent attackers from monitoring your browsing activity. It is also much faster and easier to use than Tor. Once you install the VPN app, all it takes is a single click to establish an encrypted VPN connection. Switching your connection between countries is also much easier with a VPN than with Tor. The Proton VPN feature Tor over VPN also lets you access onion sites without having to download and set up the Tor Browser. However, VPNs, like Tor, also have their limitations when it comes to security and privacy, so it is important to understand the VPN threat model.

While not 100% secure, for those in dire need of online anonymity, Tor is the best option, provided you follow the guidelines. For everybody else who wants to be able to stream Netflix or use BitTorrent while also hiding your IP address and location from advertisers and trackers, Proton VPN is a more practical option.

Best Regards,
The Proton VPN Team

You can get a free Proton VPN account here.

Follow us on social media to stay up to date on the latest Proton VPN releases:  Twitter Facebook | Reddit

To get a free Proton Mail encrypted email account, visit: proton.me/mail


Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

Back to Blog

Secure
your internet

Get Proton VPN
Get Proton VPN

Contact us

Support form

Tell us about the problem and we'll get back to you as soon as we can.

Open support form

Live chat

Get help from a support agent in real time. Available with a paid VPN subscription.

Chat with us

Secure email

Send us an encrypted message at contact@protonvpn.com. It may take us longer to respond.

Email us