Revisiting TOR
Is it still the gold standard for privacy online? Nathan Taylor finds out.
There was a time when Tor (formerly known as The Onion Router) was everybody’s go-to solution for online anonymity. These days VPNs tend to be more popular than Tor – they’re simple, have vastly better performance, work for everything, and provide a similar level of online anonymity… assuming you can trust your VPN provider.
And that remains the kicker, and the big difference between Tor and a VPN (apart from the fact that Tor is free). Using a VPN service for online anonymity requires complete trust in your VPN provider, since that provider can see all the traffic coming to and from your PC and knows exactly what your IP address is. Most VPN providers say that they record no logs and keep no records, so there’s no need to worry – but fundamentally you have to take them at their word.
Tor requires no such faith. It provides complete IP address anonymity (though not foolproof anonymity, as we’ll discuss in a bit) without a requirement to trust a third party. That’s a pretty compelling reason to use it, though there are also compelling reasons not to – including the aforementioned performance, which is highly variable and occasionally abominable. In a quick random test as we write this, it turned our 50mbps connection into a 7.37mbps connection with massive (500ms) latency – and this is a pretty good result for Tor. But that’s not the only reason you might want to consider your choices with Tor, and we’ll go into more below.
How Tor works
The principle behind Tor is actually fairly simple to grasp. Before sending it on to its destination, Tor routes your data through several other Tor users, turning them into relays for you. This means you don’t have a “direct” connection to the destination, but instead use these other devices as proxies. Having routed through other users, your IP address is completely obscured from web sites you visit. Of course, your data is encrypted beforehand, so that the relays can’t open and read it.
Typically, Tor uses three hops between Tor users before being sent on to its destination. Three hops means that one single device in that chain cannot possibly know the full chain.
In Tor parlance, each device on the network is called a node. And the performance of Tor is dependent on those nodes – you’re essentially routing through three or more other users, and you’re going to get lowest common denominator performance. You’re also going to get massive latency, as your data is bounced around the world.
Tor hidden services
In addition to hiding the IP addresses of its users, Tor also has its own websites, accessible only when you’re using Tor. Formally known as Tor hidden services or “onion services” and informally known as the dark web or deep web, these sites are, as the name indicates, hidden from regular domain name discovery.
Instead of the standard domain name system (DNS), Tor has its own system that looks, from a user perspective, a lot like DNS – you type or click on a web address (which will end in .onion) and your browser goes out and grabs the site. But behind the scenes it’s a very different and very clever system.
Instead of having a database that links domain names to IP addresses (which is essentially what DNS is), when you try to connect to a .onion site, your browser will essentially send out what is an expression of interest. The target website will respond with a neutral address where they and you can meet up and exchange data – a virtual parking garage for an illicit meeting where no party knows the identity or location of the other.
That way, Tor hidden services remain hidden. They don’t expose their IP address to you; you don’t reveal your identity to them. Obviously that makes Tor hidden services a haven for criminal activity, from massive drug exchanges to child pornography.
Using Tor
Using Tor is actually remarkably simple: just download the Tor browser and use it.
The Tor browser can be downloaded from www.torproject.net, and all you have to do to run it is download it. You can have it on your system as a second browser that you use when you want privacy, or you can use it all the time.
When you start it up, you’ll see a popup box, explaining that it’s connecting you to the Tor network. In a few seconds it should connect, and then the main browser window will open. Only the browser itself is routed over Tor – all other traffic on your system still goes over the regular internet. It is technically possible to have other applications, like chat apps or BitTorrent, routed over Tor, but it’s challenging – typically requiring the use of a SOCKS5 proxy – and not recommended.
The browser itself is quite standard, being based on Mozilla, but with some notable changes. By default, the security settings are cranked up to Paranoid, with the option to turn them up even further in the Options. It has the security add-ons NoScript and HTTPS Everywhere installed by default and operates in permanent private browsing mode. DuckDuckGo is the default search engine (since it doesn’t log searches).
Is Tor really anonymous?
The answer to that question is yes and no. As far as we know, in spite of considerable effort, nobody has yet managed to “crack” Tor and identify the IP address of Tor users. In that sense, it is genuinely anonymous.
But there are things you still need to be cognisant of. One is fingerprinting and target knowledge. Although sites you visit can’t identify your IP address, they may be able to identify you in other ways – through cookie tracking, or information you give them that they can use to fingerprint you. There’s a reason why the Tor browser operates in private mode – it’s to prevent that as much as possible.
The other big weakness is exit nodes. When you try to access a regular (non-Tor) website with Tor, you have an issue – those sites don’t speak “Tor”. So we have what are called exit nodes. These are nodes at the edge of the Tor network that strip away Tor encryption and send the data on to their final destination, and relay back the response from the website. To the website, it will look as if they’re communicating with the exit node.
Those exit nodes are a huge vulnerability, since your data – now unencrypted – passes through them on its way to the destination. In fact, it’s widely known that many intelligence services actually operate these exit nodes in order to monitor the traffic going in and out of Tor.
They may not be able to determine the IP address of the users, but they can still see all their nonencrypted communications!
The solution is to use HTTPS on everything – which is why HTTPS Everywhere is installed by default in the browser. HTTPS provides end-to-end encryption, so that even the exit nodes can’t read the data as it passes through. If a site does not have HTTPS (if the URL just has HTTP:// instead), don’t use it.
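The three-hop layering from “How Tor works” and the exit-node exposure described above can be simulated offline. This Python sketch is an added example, not code from Tor or from this article; the relay names, destination, request and the toy SHA-256 cipher are constructed stand-ins for Tor's real circuit cryptography.

```python
import hashlib, hmac, json, os

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter-mode keystream; a stand-in for Tor's real cell crypto.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key, next_hop, inner):
    """Encrypt one onion layer: only the holder of `key` learns `next_hop`."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps({"next": next_hop, "data": inner.hex()}).encode())
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def peel(key, cell):
    """Remove one layer; fails if the layer was not sealed for this relay."""
    nonce, tag, ct = cell[:16], cell[16:48], cell[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer not sealed for this relay")
    layer = json.loads(_xor_stream(key, nonce, ct))
    return layer["next"], bytes.fromhex(layer["data"])

def build_onion(path, destination, payload):
    """path = [(relay_name, key), ...] from first hop to exit; wrap exit layer first."""
    cell, next_hop = payload, destination
    for name, key in reversed(path):
        cell, next_hop = seal(key, next_hop, cell), name
    return cell

def route(path, cell):
    """Pass the cell along the path, recording what each relay alone can observe."""
    views, prev = [], "client"
    for name, key in path:
        nxt, cell = peel(key, cell)
        views.append({"relay": name, "prev": prev, "next": nxt})
        prev = name
    return views, cell  # cell is now whatever the exit forwards to the destination

def demo():
    path = [(n, os.urandom(32)) for n in ("guard", "middle", "exit")]  # constructed relays
    request = b"GET /login?user=alice HTTP/1.1"  # constructed plain-HTTP request, no TLS
    onion = build_onion(path, "example.com:80", request)
    return (path, onion) + route(path, onion)

if __name__ == "__main__":
    views, at_exit = demo()[2:]
    print(*views, at_exit, sep="\n")
```

No relay's view contains both the client and the destination, but the exit recovers the request in full. Had the request been HTTPS, the bytes recovered at the exit would themselves be TLS ciphertext.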
With those caveats in mind, however, you should be fairly comfortable using Tor. It is a project built by engineers with absolute privacy in mind, and, in spite of the availability of VPN services, it remains the best way to stay truly anonymous online.