What Is Tor? Answers to Frequently Asked Questions
Have you ever wanted to browse the Internet anonymously? The truth is that browser settings such as "incognito mode" or "private window" don't quite cut it. If you want real anonymity, you're going to want to use Tor, formerly known as The Onion Router.
What is Tor?
Tor is an Internet networking protocol designed to anonymize the data relayed across it. Using Tor's software will make it difficult, if not impossible, for any snoops to see your webmail, search history, social media posts or other online activity. They also won't be able to tell which country you're in by analyzing your IP address, which can be very useful for journalists, activists, businesspeople and more.
When you run Tor, online data collectors such as Google Ads and the little-known but powerful aggregator Acxiom won't be able to perform traffic analysis and gather data on your Internet habits. Theoretically, surveillance organizations like the NSA won't be able to observe you, either.
How does Tor work?
The Tor network runs through the computer servers of thousands of volunteers (over 4,500 at time of publishing) spread throughout the world. Your data is bundled into an encrypted packet when it enters the Tor network. Then, unlike the case with normal Internet connections, Tor strips away part of the packet's header, which is a part of the addressing information that could be used to learn things about the sender such as the operating system from which the message was sent.
Finally, Tor encrypts the rest of the addressing information, called the packet wrapper. Regular Internet connections don't do this.
The modified and encrypted data packet is then routed through many of these servers, called relays, on the way to its final destination.The roundabout way packets travel through the Tor network is akin to a person taking a roundabout path through a city to shake a pursuer.
Each relay decrypts only enough of the data packet wrapper to know which relay the data came from, and which relay to send it to next. The relay then rewraps the package in a new wrapper and sends it on.
The layers of encrypted address information used to anonymize data packets sent through Tor are reminiscent of an onion, hence the name. That way, a data packet's path through the Tor network cannot be fully traced.
Some regular Internet data packets are encrypted using a protocol called Secure Socket Layer (SSL) or its newer, stronger cousin Transport Layer Security (TLS). For example, if you submit your credit card information to an online store, that information travels across the network in an encrypted state to prevent theft.
However, even when you use SSL or TLS, it's still possible for others to intercept those packets and see the information's metadata — who sent that encrypted information and who received it — because the addressing wrappers in SSL or TLS are not encrypted. In Tor, they are, which hides the sender and receiver of a given transmission.
Further, if you use the Tor Browser to visit a website that does not use encryption to secure users' connections, then your data packet will not be encrypted when it makes the final hop from the last Tor relay to the website's server. That's because the data packet's destination lies outside the Tor network. So it's best to be sure that a website offers some kind of SSL or TLS encryption, usually denoted by an "https" instead of simply "http" in the Web address, before trying to access it anonymously.
Who owns Tor?
The U.S. Naval Research Laboratory sponsored the development of onion routing in the 1990s, and Tor itself was developed by Navy and independent researchers in 2002.
Today, Tor's original creators continue to support and update the protocol under the Tor Project, an independent, nonprofit organization that is partly funded by various arms of the U.S. government.
The Tor protocol is open-source, meaning anyone can view the code and incorporate it into their own software. The Tor protocol and its implementation in the Tor Browser Bundle have also been extensively peer reviewed, which means that many researchers have examined them to make sure they offer the strongest possible security.
How do I use Tor?
To use Tor, you'll need a client, or a piece of software, that interacts with the Tor network.
The basic example is the Tor Browser Bundle, which the Tor Project distributes. The Tor Browser Bundle is preconfigured to send and receive all Web traffic (but not stand-alone email messages or instant-messaging traffic) through the anonymizing Tor network.
You can configure most browsers to work with Tor using the plugins available in the bundle, but if you use Tor's browser to access the Internet, you don't have to worry about the proper setup.
Plenty of other pieces of software, both enterprise and open source, use Tor's protocol to enable anonymous Web browsing, but not all of them have gone through the same rigorous peer review as the Tor Browser Bundle.
In addition, to use Tor properly you should disable all Flash plugins and other scripts on your browser, such as RealPlayer and QuickTime. These provide access points to your Internet activity that an outside snoop could exploit.
Can I do everything on a Tor browser that I do normally?
Many common online activities make it easy for outsiders to snoop on your data. If you do these things through the Tor Browser, your online traffic will not be anonymous. To use Tor correctly, you can't do certain things that you may be accustomed to doing online.
For example, Flash-based plugins can be exploited to reveal your Internet Protocol address, and therefore are automatically disabled in the Tor Browser. That includes YouTube videos. However, YouTube is currently doing an opt-in trial of a video player that uses HTML5 instead of Flash, which you can use with the Tor Browser. (Update: YouTube now uses only HTML5.)
Further, you should be very careful about opening documents downloaded through Tor. For example, if you download a music file through the Tor Browser, that download is anonymous and should be untraceable. However, if you then open the file using Windows Media Player or another music player that searches online for information about music files, then that traffic passes through your non-Tor IP address and can be traced.
The Tor Project recommends using the commercial virtual-machine software Virtual Box or the open-source secure Linux distribution Tails to download and manage documents online, and warns that BitTorrent and the Tor Browser do not work well together and should not be combined.
The project makes a full list of recommendations for using the Tor Browser available on its website.
How do I host a Tor relay?
Volunteering to host a Tor relay means donating some of your computer's bandwidth to send and receive data on the Tor network. According to the Tor Project, the only requirement is having Internet bandwidth of 50 kilobytes (not kilobits) per second — about 10 percent of standard cable-modem bandwidth.
Each Tor relay is one of many possible nodes through which any given data packet can pass. So the more relays there are, the more relays each data packet can pass through and the more secure Tor is.
No data that passes through your relay is stored on your computer, and unless you're the end relay — that is, the receiver of a data packet — you can't know the precise nature of the data going through your server, and any surveillance or investigation won't be able to trace the data packet's path back to your computer.
"Presently, no court has ever considered any case involving theTor technology, and we therefore cannot guarantee that you will never face any legal liability as a result of running a Tor relay," states a FAQ on the Tor Project's website written by the Electronic Frontier Foundation (EFF), a San Francisco-based digital-rights advocacy group. "However, the EFF believes so strongly that those running Tor relays shouldn't be liable for traffic that passes through the relay that we're running our own middle relay."
For more on the legal technicalities of running a Tor relay check the Tor Project's website.
Is Tor secure?
Good question! Security and anonymity go hand in hand on the Internet. As an online anonymizer, Tor was designed to be secure.
However, documents leaked by former National Security Agency (NSA) contractor Edward Snowden show that the NSA has tried to crack, infiltrate or weaken any encryption that the agency does not itself control.
In light of this news, nearly all independent encryption and online communication services have become suspect, including Tor.
MORE: Best Password Managers
"The online anonymity network Tor is a high-priority target for the National Security Agency," cryptography expert Bruce Schneier, who is helping British newspaper The Guardian analyze its archive of leaked Snowden documents, wrote in a piece for the newspaper.
But despite this warning, another Snowden document published by The Guardian suggests that the NSA can't crack Tor after all, although the agency has developed some workarounds.
"We will never be able to de-anonymize all Tor users all the time," reads the document, a PowerPoint presentation used internally at the NSA and its British equivalent GCHQ.
Instead, the NSA exploited a vulnerability in Firefox browsers (on which the Tor Browser is based) to monitor individual users' Tor activity. That vulnerability has since been patched in Firefox and recent Tor Browser Bundle updates.
"The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network," wrote The Tor Project on its blog in response to The Guardian's article.
"Tor still helps here: you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice. So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on."
What's the difference between anonymity and security?
We asked Roger Dingledine, one of Tor's founders, the same question.
"That's a complex question, and it depends who you ask," Dingledine said. "From my perspective, security is a broad class of properties you might want, including confidentiality (what many people call encryption), authentication (do I know whether the website I'm talking to is really the one I meant to reach?), integrity (am I confident that nobody in the middle is changing the content I'm sending or receiving), reliability (is it always available when I want to reach it, maybe even despite an attacker trying to make it unavailable), etc."
Anonymity, Dingledine included, is related but different. ""Anonymity itself can be a wide variety of properties — we might think of source anonymity (can an attacker figure out the IP address that this connection came from?), destination anonymity (can an attacker figure out this connection's destination, e.g. website?), unlinkability (can a website or other attacker figure out that two anonymous connections came from the same person?), etc."
Security and anonymity may be different, but most of the time people who want one want the other.
"Many people use Tor to get anonymity from an external observer while still wanting to authenticate with their destination," Dingledine said. "For example they want to reach Gmail, and know that it's really Gmail, and have Gmail know that it's really them, but they don't want a local observer to learn that they're contacting Gmail, and they don't want Gmail or somebody watching Gmail to be able to learn what country they're in today."
Gmail's security provides the first set of qualifications. Accessing Gmail webmail with Tor assures the second.