Peeling back the layers of the onion
The Tor anonymity network receives no small amount of attention from the mainstream press – not least for its purported association with cybercrime and darknet drug dealings.
But what is Tor? And how secure is it? The Daily Swig asked several security and privacy experts to answer all of your questions, and many more.
What is Tor?
Tor is an internet communication method for enabling online anonymity. The same term is commonly used to refer to both the anonymity network and the open source software that supports it.
The Tor name derives from The Onion Router – the name of a pioneering privacy project run by the US Naval Research Lab.
How does Tor work?
Tor directs internet traffic through a network of thousands of relays, many of which are set up and maintained by volunteers.
Messages are encapsulated in layers of encryption, comparable to the layers of an onion. Inside the Tor network are .onion sites, or ‘hidden services’.
Tor facilitates anonymized browsing by allowing traffic to pass onto or through the network through nodes that only know the immediately preceding and following node in a relay.
The source and destination of messages is obscured by encryption.
Tor directs internet traffic through a network of thousands of relays
How can I access Tor?
The easiest way to access the Tor network is through the Tor Browser. The Tor Browser is automatically connected to the Tor network and will place all your requests through it, while ensuring anonymity.
The Tor Browser bundle is developed by the Tor Project, a non-profit organisation that carries out research as well as maintaining the software used by the Tor anonymity network.
The Tor Browser is currently available for Windows, Linux, and macOS. There’s also a version of Tor Browser for Android but not, as yet, an official version for iOS.
What is Tor used for?
The Tor Browser is just a web browser, and you can still view the ‘surface’ internet – or ‘clear web’ – using the software.
However, the Tor Browser offers an extra level of privacy for normal web use or as a way to bypass government surveillance and censorship.
Some sites on the so-called dark web can only be accessed using Tor.
Vince Warrington, managing director of Protective Intelligence, explained: “The dark web – primarily those sites that can only be accessed via Tor – is still generally the host to the illegal and illicit.
“Whilst there are some legitimate sites (for example, the BBC now has a .onion version of the BBC News website) our research indicates that over 95% of .onion sites contain illegal or illicit material,” he added.
Who uses Tor and why?
While most people are only familiar with Tor’s use for illegal activities – such as accessing online markets that sell drugs – many other users access the Tor network.
- Political activists
- The US military
- Law enforcement
- Those living in repressive regimes
- Anyone who does not want a third-party to observe their online activities
Tor uses vary from bypassing censorship and avoiding online spying and profiling, to disguising the origin of traffic and hiding sensitive communications.
What expectation of anonymity can people have when they use Tor?
Tor offers anonymity, but only up to a point.
Those using the technology, and looking to keep their identity secret, also need to apply best practices in operational security (OpSec).
Charity Wright, a cyber threat intelligence advisor at IntSights and former NSA Chinese espionage expert, explained: “Tor is a browser that can anonymize your network connection and your IP address that you are logging on from.
“However, once you venture into illicit spaces, it is important to use pseudonyms and to hide your real name and never reveal your true location, nationality, or identifying pieces of information.
“Any small clue can be used for people to find out who you are. Even more, federal agencies and law enforcement will use every detail about an online persona to find a wanted suspect,” she added.
Tor is easily accessible via the Tor Browser
How anonymous is Tor?
Tor is aimed at providing anonymous communication, but there have been numerous examples of people whose identities have been unmasked despite using Tor.
For example, The FBI recently closed a criminal case against the owner of Freedom Hosting, a dark web service that ran on the Tor network.
In addition, several research projects have shown varying levels of successful attacks that either attempted to eavesdrop on Tor-encrypted traffic or identify users.
Protective Intelligence’s Warrington commented: “It’s a myth to think that using Tor (even with a VPN) gives you total anonymity. With the tools we are using nowadays we can slowly strip back the layers of anonymity to find out who is behind the computer.
“By using specialist software combined with open source intelligence – basically searching the surface, deep, and dark web for small snippets of information – we can build up a picture of a Tor user who is involved in illegal activity.”
The era where Tor was a thorn in the side of law enforcement seems to be coming to an end.
Warrington explained: “In the UK, the police and intelligence agencies have access to these tools, and the only limitation on identifying users of the dark web is resources. There’s simply not enough police dedicated to these kinds of investigations.”
What are the limitations of Tor, and how can these be overcome?
Tor has its limitations. Maintaining online anonymity is much more far reaching an exercise than simply using Tor.
Israel Barak, chief information security officer at Cybereason, told The Daily Swig: “Tor, at its core, only gives you network level anonymity. It won't help you with applications on your computer that retain your identity and provide your identity to the internet service providers.
“As an example, when an individual connects to Gmail, the computer or device you are using saves your identity, so you don't have to log on in the future.
“Tor will not protect your anonymity from this,” he warned.
While the Tor network is designed to keep browsing habits away from service providers or webpage trackers, the most privacy-conscious users can go even further.
Boris Cipot, senior security engineer at Synopsys, added: “To achieve the highest level of anonymity, one would need to get rid of any installation of OS or software with tracking, thus allowing the user to enter the Tor network with a clean slate.
“This can be achieved with the use of Tails or Qubes OS, which run from a USB stick. They run fully in memory, so it is safe to use on existing hardware, but once activated, there is no trace of you.”
The Tails operating system can be combined with Tor to help improve users’ anonymity online
Why does Tor take so long to load sites?
Using Tor to browse the web involves accepting trade-offs.
The Tor Browser gives a user considerable anonymity advantages over other web browsers, such as Edge, Firefox, and Chrome.
While standard browsers can leak data that goes a long way to identifying the user – even in ‘private’ mode – Tor was designed with anonymity in mind.
Tor does, however, saddle the user some significant limitations when browsing the internet.
For starters, browsing with Tor can be very slow, and so many people are unlikely to want to swap out their current browser.
Sluggish traffic speeds arise because data packets take a circuitous route through Tor, bouncing between various volunteers’ computers to reach their destinations.
Network latency is always going to be a problem in this scenario – even if you’re fortunate enough to avoid bottlenecks.
Tor also makes websites look like they were built 20 years ago, as much of the presentation and customization content of websites is stripped away by Tor, since these technologies can be used to identify the computer that’s being used.
What have software developers learned from Tor?
Opinions among experts are split over whether or not Tor has done much to directly affect browser development, but at a minimum the technology has done a great deal to raise awareness about privacy.
Chad Anderson, senior security researcher at DomainTools, commented: “I don’t know how much we can attribute back to modern browser improvements due to Tor, but I think privacy issues have certainly become more focused.
“The browser shift to DNS-over-HTTPS, commonly called DoH, is a boost for user privacy and where DNS didn’t work over Tor before, and in fact was an attack vector for de-anonymizing users, DoH fixes that,” he added.
Anderson continued: “It used to be you could listen to traffic on a Tor exit node… but now that SSL is near ubiquitous thanks to free certificates [from the likes of Let’s Encrypt] that’s less of an issue.”
Arthur Edelstein, senior product manager for Firefox Privacy and Security, gave The Daily Swig a list of projects involving collaborations between Mozilla and Tor:
- First-Party Isolation – This feature was developed jointly by Tor and Mozilla and is now fully integrated into Firefox, although currently disabled by default. It fully prevents users from being tracked across websites via cookies.
- Fingerprinting Resistance – Also developed jointly between Tor and Mozilla, when Fingerprinting Resistance is enabled in Firefox, it modifies the behavior of a large collection of browser features so they can’t be used to fingerprint users and track them across websites.
- Proxy bypass protection – Tor contributed a number of patches to Firefox to tighten up proxy usage, so that the browser doesn’t leak the user's IP address when a proxy is in use.
How is Tor’s technology itself being further developed?
Current examples of Tor’s development projects include proof-of-concept work on human-memorable names, a collaboration with SecureDrop, the open source whistleblowing system based on Tor, among other examples.
Tor Project representative Al Smith told The Daily Swig: “Currently, we only partnered with Freedom of the Press Foundation (FPF), but we want to continue expanding the proof-of-concept with other media and public health organizations in the future.”
How is the Tor Project coping with the coronavirus pandemic?
The Tor Project was recently obliged to lay off a third of its core staff in response to the coronavirus pandemic. The Daily Swig asked how the non-profit has sought to minimize the effect of this on development pipelines.
A representative of the Tor Project responded: “Because we are now a smaller organization, we are creating more projects where different teams (e.g., Browser, Network, UX, Community, Anti-Censorship) come together and work on the same issue, instead of working in isolated groups on disparate pieces of work.
“This is the approach we took to improve onion services for the Tor Browser 9.5 release,” they added.
Is Tor safe?
Despite the many and varied caveats about Tor the security experts we spoke to raised, none made any suggestion that the technology was ‘unsafe’.
In a typical response, Charles Ragland, a security engineer at threat intel agency Digital Shadows, explained: “Generally speaking, as long as security updates are in place, and users are following privacy and anonymity best practices, yes, Tor is safe to use.”