what is the tor browser?

Most people think of the dark web when they hear Tor and how criminals use it for illegal stuff but Tor is more than that.

Its main purpose is to provide anonymity and help users circumvent censorship in countries where parts of the internet are restricted. Its free and open source and is being actively developed by the Tor Project. The Tor Browser itself is a specialized version of Firefox (Firefox ESR) that routes your internet traffic through the Tor network.

Firefox ESR means "Extended Support Release" and its a special version of firefox mostly used in organizations that need stability. It is a stable version and doesnt add every newest feature just important security updates.

How does the Tor network work?

It works by connecting to the Tor-Network which is also called the "Onion Router". Your internet traffic is routed through multiple random servers, called nodes or relays. Every Server only knows the server that comes before and after not the whole route of your connection. This is called layered encryption, hence the name "onion" as it also has layers, which encrypts your internet traffic.

The tor browser comes with HTTPS only mode and NoScript preinstalled. In the default mode javascript is still allowed but NoScript limits what it can do. If you raise the security level you can block more features up to disabling javascript completely. This can break many websites as almost all of them rely on javascript, but it also makes it much harder to track or exploit you.

What is a Node/Relay?

A Tor node or relay is a server inside the tor network that routes your internet traffic. Each node is being operated by volunteers that want to support the network. Your traffic gets rerouted through multiple of these servers to make sure you connection is anonymous. There are three types of relays:

1. The Entry or Guard Node

The entry node is your first touchpoint with the tor network and this one can also see your ip address but they dont know where you want to go, they only see the next node. This node sends your traffic to the next node.

2. The Middle Node

The middle node does not know your ip, it just knows from which node you come and which further node you will get connected to.

3. The Exit Node

The exit node is the last one in the chain, this one connects you to the website you wanted to visit. It also doesnt know your ip, just from which last node you came from. Exit nodes are able to read data that is unencrypted so thats why HTTPS is important. This only applies to normal websites, onion websites never leave the tor network so no exit node is involved.

So in conclusion the Tor browser encrypts your traffic through multiple stages or "layers". Each node just takes away one layer, it only sees the bare minimum it needs to see. That way a single node doesnt know who you are or where youre going.

The FBI owns all exit nodes

I always hear people talking about how the FBI owns all exit nodes but thats just not true, its impossible as there are a lot of nodes that exist all around the world, the tor project has a metrics side which displays how many relays there are [https://metrics.torproject.org/](https://metrics.torproject.org/) and its currently around 9000 in total. Most of these nodes are guard or middle nodes and only around 2500 are exit nodes as these do have a higher risk of illegal content. There are also bridges which are hidden nodes that arent public to make sure people can still join if tor is being censored.

But the authorities do run some nodes, mainly exit nodes as these reveal the target website. But just having the exit node is not enough, to really get exposed the authorities would have to have control over entry nodes and exit nodes and then through correlation attack they might be able to find out who you are. So it is possible but unlikely. As long as you use HTTPS you might be relatively safe from mass surveilance but not necessarily from authorities that already targeted you.

Benefits

Using the onion router will hide your ip address and through that your location, which can help you circumvent censoring or geoblocked content. It also saves you from tracking networks that try to monitor your every move and do targeted advertising. The most important thing, which no other browser or no operating system can do is hide your fingerprint. It does this by making every tor user look the same, so it doesnt really hide it just make it look like every other user. There are also special websites called .onion-websites, so instead of going to youtube.com you go to 14bjkasfsc3kl1nf.onion. Also the Tor browser is preconfigured for high security.

Onion Websites

Onion websites also called onion services oder hidden services are websites that run completely in the tor network. In contrast to regular websites, those onion services never leave the tor network so no exit node is needed. The connection is encrypted through the tor protocol itself and anonymous, and many onion websites also add https on top for extra security. The URLs end with .onion instead of .com or .net and the url itself are random letters and numbers. Those onion websites can be used for everything that regular websites can be used for even big companies like facebook or protonmail have an onion website but on these onion websites there can also be illegal stuff hosted like drug markets. The owners of those onion services get the benefit, that their server ip also stays secret so noone knows the exact location of the server.

Are Onion Websites secure?

Onion websites can be safer, because traffic never leaves Tor, but security also depends heavily on server configuration. Here are some vulnerabilites and risks when running an onion service.

If the owner of the server has made some mistakes while configuring his server and it reveals his ip somewhere. Also traffic correlation can be used here, if someone owns a lot of tor nodes, they might be able to find patterns in the traffic and triangulate the real location. An onion server usually runs on linux so if one of the software components has a vulnerability or a zero day hackers might be able to compromise the server, the same goes for the tor browser itself.

The most common mistakes are bad opsec by the server owner, so making mistakes by for example using the same pseudonym on their hidden service and in other forums or in real life that might connect them to personal information or bitcoin payouts.

A famous example is the owner of the silk road, who in the early days asked for helpers for his market website by using his real email address for the forum account, which was later linked to his silk road account.

Risks of using Tor

Because youre rerouting your internet traffic through multiple nodes/relays your connection can become slower than usual. Its not 100% safe, bad opsec can still reveal you, for example if you login to your google account through tor they would immediately connect that account to this tor user.

Some files, plugins and browser extension can deanonymize you. This happens when a downloaded file like a pdf or word document has hidden content that tries to connect to the internet outside of tor, leaking your real ip. Browser extensions like Flash or WebRTC can also leak your ip if enabled.

In some countries using Tor can make you really suspicious or you might get in trouble with authorities. For example in China and Iran Tor is blocked and you can face criminal consequences if you are caught. In Russia it is banned and you can face fines. In Turkey or Egypt Tor has been temporarily blocked and using it can attract unwanted attention. In western countries it is not illegal but authorities might flag Tor usage as suspicious.

There are also other ways you can get deanonymized.

How to get deanonymized using Tor

There are multiple ways to reveal your identity when using tor. Tor makes tracking and surveillance more difficult but if you make mistakes or if a strong attacker targets you, there are still methods to deanonymize you.

Network attacks

The most common type are network attacks. For example traffic correlation, also called timing attacks, if an attacker controls both entry and exit nodes they might be able to compare the time and amount of traffic to figure out which target you want to connect to. This is really complex but for state actors possible. Another risk are so called evil exit nodes, if you dont use https they can read or even manipulate your traffic.

User mistakes

Another big factor are user mistakes. If you log into your personal accounts you basically reveal yourself right away. Also fingerprinting can be an issue if you change the default settings of the tor browser or install plugins. Downloading a file and then opening it outside of tor can also leak your real ip. Javascript is mostly blocked by default through NoScript but if you change these settings it can also be used to deanonymize you.

Exploits and malware

The last big risk are exploits and malware. Tor is just software like anything else and there can be zero days in the tor browser or in firefox itself. If you visit the wrong website you could get infected with malware that bypasses tor completely. A wrong configuration with tor and vpn or proxy can also leak your ip. Also metadata of services like email timestamps or writing style can be used to link you back to your real identity.

Why use Tor?

Tor gives you privacy when you browse the web. You dont get identified by third party cookies, by your fingerprint, by your browsing behaviour as long as you dont log into your personal accounts. Mostly whisteblowsers, activists or journalists use it to securely share data. In some countries they block certain parts of the internet like news sites or certain content, with tor you can circumvent this and still be able to browse the web without any blocks. Some content is also blocked in the clear web (the regular web) this is why most criminals use onion sites as they can freely host their illegal marketplaces.

Practical things about TOR

Dont change the default settings as this might make your more identifiable as it changes your fingerprint. Dont install any browser extensions as this also changes your fingerprint. Make sure what you download or watch doesnt compromise you by leaking your ip or your device by installing malware. Its important to regularly update your browser to reduce vulnerabilites.

You can use TOR with a VPN but it depends on what your goal is. Its not always good to use a VPN with TOR.

Why and how to use a VPN with TOR

Using a VPN with tor can sometimes make sense but it depends on your goal. The most common setup is VPN before Tor, which means you connect to a VPN first and then enter the tor network. The advantage is that your ISP will not see that you are using tor, they only see that you are connected to a VPN. The downside is that you have to trust your VPN provider because he still knows your real ip and can see that you use tor. This setup mainly makes sense if you live in a country where tor is blocked, where the usage of tor itself could get you in trouble or if your ISP throttles or flags Tor traffic. In most other situations you dont really need it.

The other option is Tor → VPN, so you connect to tor first and then route your traffic through a VPN. This does not really give you more anonymity, it even reduces it because the VPN again becomes a single point that sees your traffic. The only real use case for this setup is if a website blocks tor exit nodes and you still want to visit it. In most other cases it does not make sense.

Sources:
itp.nyu.edu (demystifying the dark web)
wikipedia.org (silk road)
wikipedia.org (tor network)
ssd.eff.org (how to use tor)
metrics.torproject.org (relayflags)