Using Tor Browser and the Tor Network is legal, but its volunteer-maintained model creates some risks. You can avert those risks by combining it with a VPN. I recommend ExpressVPN, which you can try for free with a 30-day money-back guarantee.
For over 15 years, Tor (The Onion Router) has led the charge for a more private, anonymous internet. It’s a key figure in online security, but is Tor safe for the average person to use?
I first learned about Tor as a means of accessing the Dark Web. Tor is a security technology that aims to keep internet users safe by concealing their identities behind layers of encryption. But to my tech-illiterate mind, it seemed more like a dark grimoire that unlocked realms of shadowy internet sorcery.
Of course, I know better now. But I also know that a lot of other people started out with similar impressions that Tor was somehow shady, criminal or only used by hackers. Tor — and its main technical vehicle, the Tor Browser — reminds a lot of people of a downtown bus station: It gets you where you’re going, but in a way that makes you feel vaguely dirty.
But how much merit is there in that first impression? Is Tor Browser actually illicit, or is it just another kind of VPN? Is it only useful for unspeakable acts on the dark web, or can law-abiding internet citizens use Tor in the daylight?
In this article, I’ll do my best to definitively answer the question “is Tor safe?” along with any other questions you might have about this common but often-mysterious security solution. Get your flashlight — we’re going to the dark side.
Can you be tracked on Tor? Yes, it is possible to track someone’s IP address and location even if they use Tor. Using any other online app will reveal your real IP if you’re not using a VPN.
Is Tor safe and legal? Tor is 100% legal almost everywhere on Earth, except for a few censorious regimes like China and Turkey. It’s safe to use, or at least not actively harmful, but combining it with a VPN will get you the best results.
Can you get hacked using Tor? Yes, you can still be hacked while using Tor. The most common way this happens is for a hacker to get control of a node that your connection passes through. This is rare, as most Tor volunteers are honest, but you can use a VPN to protect yourself if you’re worried.
Should I use a VPN or Tor? You should use both. They complement each other to provide unmatched security. However, if you’re only going to use one, I recommend using a trustworthy VPN. Learn more in the guide VPN vs Tor vs Proxy.
Is Tor Safe? First Consider How Tor Works
To start, it’s important to distinguish between the Tor network and the Tor Browser app. The Tor network is the actual method of securing an internet connection; the Tor Browser is a web browser that uses that network. It’s the same as the difference between a VPN protocol and the ExpressVPN desktop app.
So what is Tor? And what does it have to do with onions? As Shrek taught us long ago, onions have layers.
What Is Tor?
Like any network, Tor is made up of interlinked servers that send information to each other. Like any public network on the World Wide Web, those servers can be accessed by anyone with a modem and router. Each individual Tor server is known as a relay or node.
When you connect to the internet using Tor, your connection runs through several randomly selected relays. The final relay, or exit relay, sends it to your requested website. From then on, your connection appears to have the IP address of the exit node.
The “onion” imagery really comes into play with Tor’s approach to encryption. Every time your connection visits a new node, it’s encrypted, resulting in at least three layers of encryption. The exit node then “peels back” the layers of encryption, so the final destination server can read it.
There is no point during the process when both the origin and destination IP addresses are decrypted at the same time. Theoretically, that makes it impossible to track any communication that runs through Tor Browser.
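A toy model of this layering, added here as an illustration and not taken from Tor's code: the client wraps the request once per relay, each relay strips one layer, and the script records which addresses each relay can see. The cipher, relay names, keys and addresses are constructed stand-ins, not Tor's actual cryptography or cell format.

```python
import hashlib
import json

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream). A stand-in for real
    relay cryptography, chosen only so the example has no dependencies."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(path, destination, request: bytes) -> bytes:
    """Client: add one layer per relay, innermost (exit) layer first."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    cell = request
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "inner": cell.hex()}).encode()
        cell = xor_layer(key, layer)
    return cell

def peel(key: bytes, cell: bytes):
    """Relay: remove exactly one layer, learning only the next hop."""
    layer = json.loads(xor_layer(key, cell))
    return layer["next"], bytes.fromhex(layer["inner"])

def can_peel(key: bytes, cell: bytes) -> bool:
    """True if `key` opens the outermost layer of `cell`."""
    try:
        peel(key, cell)
        return True
    except (ValueError, TypeError, KeyError):
        return False

def route(client, path, destination, request: bytes):
    """Send a cell along the path; record what each relay can observe."""
    cell, sender, seen = wrap(path, destination, request), client, {}
    for name, key in path:
        nxt, cell = peel(key, cell)
        seen[name] = {"from": sender, "to": nxt}
        sender = name
    return seen, cell  # `cell` is what the exit forwards to the destination

# Constructed sample values (documentation address range, made-up keys).
CLIENT, DEST = "198.51.100.7", "example.org"
PATH = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]
REQUEST = b"GET / HTTP/1.1"

if __name__ == "__main__":
    seen, delivered = route(CLIENT, PATH, DEST, REQUEST)
    for relay, view in seen.items():
        print(relay, view)
    print("exit forwards:", delivered)
```

The first relay sees the client but not the destination, the exit sees the destination but not the client, and what the exit forwards is the original request with every layer removed.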
How does the Tor Project maintain such a high-volume network without charging fees? Through its system of volunteer operators.
Tor Volunteer Operators
Every Tor relay is run by a volunteer — an individual or group operating their computer as a server to help Tor Browser do its job. The decentralized volunteer system makes Tor very hard to trace, but it also causes problems.
See, there’s no vetting process for being a Tor node manager. The vast majority of volunteers are helpful, privacy-loving people, but there are about 10,000 Tor nodes operating at any one time.
If 99% of them are upstanding, that still leaves about 100 servers that could be adding malware or compromising user anonymity. Any of them could be extra-sensitive entry and exit nodes.
This is far more than an academic concern. In December 2021, a Tor volunteer and security analyst codenamed Nusenu revealed that an entity named KAX17 had operated up to 900 malicious relays over four years.
According to Nusenu, KAX17 is a professional-level threat whose goal is gathering information rather than scamming, which suggests government-caliber resources.
That’s not necessarily a surprise. Multiple government agencies openly fund Tor and Tor Browser, including the United States via the State Department and the Department of Defense. But it’s a clear sign that Tor’s all-volunteer system is open to exploitation.
Tor deserves a lot of credit for how it handled the situation. In response to Nusenu’s reports, it spent months removing all servers associated with KAX17 and is now pretty sure it’s got them all. Due to the diligence of its managers, the Tor volunteer system isn’t as big a risk as it could be. But it remains a calculated risk.
How Tor Browser Works
Tor Browser is the main product that gets average users online via the Tor network. Based on Mozilla Firefox, it automatically applies onion-routing procedures to everything the user does, granting near-total anonymity and protection at all times. That makes Tor Browser safe, mostly, and it’s almost certainly the most user-friendly way to get a slice of onion routing power.
Like the underlying Tor system, Tor Browser comes with some drawbacks. Due to fears about malware injected via volunteer nodes, many popular websites have a blanket block on all Tor exit nodes. For example, you can’t access BBC iPlayer from Tor Browser. Other sites that block all Tor usage include Cloudflare and Wikipedia’s editing tools. You can find a full list here.
Tor Onion Services
Onion services allow web hosts to use Tor protective powers for an individual site or server. Think of it as the backend equivalent of the Tor Browser frontend. It’s onions all the way down.
Most servers are accessed via their IP address. Onion servers have an “onion address” instead, an encrypted address known only to Tor, which is undiscoverable by an internet provider. An onion service website, which will usually have a .onion URL, is even more secure than a Tor Browser safe connection because traffic doesn’t have to be decrypted to access it.
Users of conventional web browsers can access .onion websites, though this generally requires a special service. Some websites are accessible via public and onion web services, although that’s a security risk most hosts will try to avoid.
Tor and the Dark Web
Tor services are the backbone of the dark web. It’s impossible to talk about Tor without touching on this highly mythologized and oft-misunderstood aspect of internet security.
Most people I talk to drift toward one of two camps: Either the dark web is a seedy hellscape that no non-criminal would ever visit, or it’s the last bastion of freedom from censorship.
Both of those are partly true, partly wrong. Here’s the reality.
Dark Web vs Deep Web
First off, the dark web is not the same as the deep web. “Deep web” refers to any website that search engines can’t index. That’s not only a huge amount of content, but it doesn’t imply anything about legality — there are plenty of reasons for a site to be unlisted. Just because your family dinners aren’t open to all comers doesn’t mean you’re doing crimes at them.
The dark web describes sites that are viewed in a browser but can only be reached through special security measures. Tor Browser is the most popular of those, so it’s commonly associated with dark net activities, and you can use it to access the dark web.
So what’s actually happening on the dark web? Not nearly as much as goes on topside. Estimates suggest there are about 76,000 dark web sites, of which about 18,000 are original. Many of these sites only exist for a short time, especially since the 40 busiest sites were all botnet hosts used for hacking, spam and DDoS attacks.
Now, it’s impossible to ignore that the dark web is a haven for criminals and despicable activities. Illegal pornography — including images of child sexual abuse — forms a significant part of the traffic.
Fewer than 3% of .onion sites host porn, but more than 75% of dark web traffic passes through them (though the authors of the study caution that some of those visitors likely weren’t human).
Other illegal activities the dark web hosts include illicit markets for drugs and weapons, counterfeiting, gambling and fraud.
But the other side also has a point when they call the dark web a necessary bastion of free speech. Some .onion sites support whistleblowing activities or hosting anonymous forums for political dissidents. It’s a critical lifeline for citizens of China to post content that goes against the Xi regime.
Like the surface web, the dark web is a tool used for good, evil and neutral activities. In my opinion, it shouldn’t reflect on Tor itself, especially since dark web traffic forms about 3% of overall Tor Browser use on any given day.
Is Tor Legal?
Yes, for the vast majority of you reading this. A good rule of thumb is that if it’s legal to use a VPN where you are, it’s also legal to use Tor, Tor Browser and related services.
There’s nothing inherently illegal about Tor Browser. I mentioned above that many governments openly use and support it. Nor is it one of those things that’s only legal if politicians do it, like insider trading.
Most governments consider Tor Browser safe. They don’t penalize its use because they respect free speech and accept that individuals should have tools to protect themselves online. However, a few countries crack down on Tor for their own reasons, and it’s pretty much all the usual suspects.
Tor vs Government Surveillance & Censorship
The Erdogan regime in Turkey and the Xi regime in China ban all Tor traffic and consider it a crime to be caught with any Tor service. Like with VPN use, it’s rare to see them enforce these laws against foreigners, but Germany recently warned its citizens against using VPNs in Turkey.
China and Turkey employ similar metadata inspection methods, which are the only effective way to stop people from using Tor. Other countries have signaled that they’d love to ban Tor but don’t have technology in place that equals the Great Firewall. These include Russia, Venezuela, Belarus and Iran.
Tor can circumvent nationwide bans using bridge connections, which add an extra security layer to obfuscate the user’s country code.
Is Tor Really Anonymous?
It’s very, very close, but the sad truth is that there’s no such thing as the perfect technology for online anonymity.
Tor shares one of the biggest weaknesses of VPNs: It can’t protect you against people who already know your real IP address or any other personal data. If you want to be truly anonymous on the internet — safe from scammers, stalkers and vindictive gamers — technology isn’t enough. You have to be smart, skeptical and tight-fisted with your sensitive information.
Tor also has certain problems that stem from its unique design. I’ve already talked about KAX17 and the dangers of malicious exit nodes. The last node before the destination peels back the layers of the onion; after that, using Tor encryption won’t protect you.
Do I Trust Tor?
You might have gotten the impression by now that I don’t like or use Tor, but that’s not true. I admire how Tor solves the main problem of VPNs — having to trust the VPN itself with your secrets — through its decentralized network.
It’s just important not to use Tor as an excuse to let your guard down. As the next section will show you, it’s absolutely possible to crack the Tor network.
Tor Security Breaches
Beyond KAX17, a few other Tor vulnerabilities show that it’s not the alpha and omega of online security.
Tor & the FBI
In 2014, the FBI launched a “scorched-earth purge” of criminal dark web businesses, seizing servers of Silk Road 2.0 and other sites protecting themselves using Tor. At the time, it wasn’t clear how the FBI had found the physical locations of the dark web servers, which would have required knowing their real IP addresses.
Part of it was done through police informants, but in hindsight, it seems the FBI used KAX17-style methods — control enough Tor exit nodes, and you can break anonymity.
How does that work? Simple math. All Tor users are randomly assigned to an exit node. If you own 10% of those nodes (equal to about 1,000 servers, which US intelligence can definitely afford to run), and a Silk Road admin uses Tor for 10 days, they’re statistically likely to hit one of your nodes. Once they do, FBI agents have their real IP address. Rinse and repeat.
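The arithmetic behind this claim, as an added example that is not part of the original article: under the article's simplified model, where every selection picks an exit uniformly at random, the chance of touching at least one hostile relay in n selections is 1 - (1 - f)^n. One selection per day is an assumption (the article gives only the 10% share and the 10 days), and real Tor path selection is weighted by bandwidth rather than uniform, so the figures show the trend rather than a measurement.

```python
import random

def p_hit(fraction, selections):
    """Closed form: chance that at least one of `selections` independent
    uniform picks lands on a hostile relay."""
    return 1 - (1 - fraction) ** selections

def p_hit_simulated(total, hostile, selections, trials=20000, seed=7):
    """Monte Carlo check of p_hit: relays 0..hostile-1 are the hostile ones."""
    rng = random.Random(seed)
    hits = sum(
        any(rng.randrange(total) < hostile for _ in range(selections))
        for _ in range(trials)
    )
    return hits / trials

def selections_until(fraction, target=0.5):
    """Smallest number of selections at which exposure reaches `target`."""
    n = 1
    while p_hit(fraction, n) < target:
        n += 1
    return n

if __name__ == "__main__":
    # Figures from the article: about 10,000 relays; 10% or 1% hostile.
    # Assumption: one independent exit selection per day for 10 days.
    for hostile in (1000, 100):
        f = hostile / 10_000
        print(f"{hostile} hostile relays: "
              f"10 selections -> {p_hit(f, 10):.1%} "
              f"(simulated {p_hit_simulated(10_000, hostile, 10):.1%}), "
              f"50% exposure after {selections_until(f)} selections")
```

With a 10% share, exposure passes even odds after 7 selections; with the 1% share from the earlier volunteer-operator estimate it takes 69, which is why removing hostile relays in bulk matters so much to users.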
Another critical leak, known as TorMoil (lol), arose in 2017. TorMoil relied on the well-known flaw that Tor Browser only provides security at points where the browser accesses the network. If any other app connects in a way that wouldn’t normally involve a browser, the direct connection can reveal the user’s IP address.
Tor deployed a temporary fix that entirely broke file:// URLs for macOS and Linux users. I looked to see if a more stable TorMoil patch was ever completed but couldn’t find anything.
The Krawetz Accusations
The Tor network and its apps continued to face trouble in 2020, when ZDNet published details of two new vulnerabilities.
Dr. Neal Krawetz argued that Tor connections had an identifiable packet signature and that multi-hop bridge nodes are still vulnerable to such interference. These claims are corroborated by the fact that China’s Great Firewall can kick Tor users off the internet (though it can’t see what they’re actually doing).
Tor replied to Krawetz’s accusations in a tweet that addressed several other common, persistent Tor criticisms. Without going into each one, the essence is that Tor is a huge, decentralized project that has to decide what flaws are worth addressing. In my experience, it does a better job going after the serious ones — those that could threaten user lives and livelihoods.
The Tor Method
At the root of all Tor’s problems, there’s the fact that it really is the only service that does what it does. It’s a key ingredient in many security stacks, with a reputation to match. Tor is like an aging Old West gunfighter: constantly tested by hackers from all directions, all looking for the glory of taking down the best.
But even if Tor is still a useful measure, as I’ve been insisting this whole time, you still need to know how to use it safely.
How To Use Tor Safely
Imagine a complement to Tor that perfectly covered all the holes used to breach Tor’s security. Something that could keep your connection encrypted even on a compromised exit node.
Something that hides your IP address seamlessly on every online app, not just your browser. Something almost as cheap as Tor Browser itself (which is free).
That solution is to use Tor in conjunction with a virtual private network (VPN).
Tor Over VPN
Also called “onion over VPN,” the phrase “Tor over VPN” refers to using Tor Browser with an active VPN for optimal security.
It’s the “Swiss cheese” method. Individual slices of Swiss cheese have holes, but if you lay one on top of another, most of the holes will be covered up.
You’re safer on the road in a car with both seatbelts and airbags. You’re safer from the flu if you get your vaccine and wear a mask. No security solution is perfect, but combine two, and your chances go way up.
In the same way, Tor over VPN gets you more benefits from both tools.
VPN+Tor: Safe to Use?
Websites and countries can’t block internet traffic from Tor exit nodes because the VPN prevents them from seeing that you’re using Tor at all.
Likewise, malicious third parties operating as Tor relay managers will not be able to eavesdrop on all your traffic or see your real IP address: All they’ll see is the proxy address from the VPN, encrypted, so they can’t follow it any further.
In the opposite direction, Tor solves the one big problem of a VPN, preventing the VPN provider from using its servers to snoop on your traffic. Tor ensures that anything seen by an unscrupulous VPN service will be onioned out the wazoo.
Using Tor over VPN is incredibly simple. Just choose your favorite VPN, connect to a server, then launch Tor Browser. Kaboom: you’re now the safest person on the internet.
The online world is a better place for the existence of the Tor project.
It can’t solve every security problem nor protect everybody on its own; it can also only do so much to keep people from using its platform for evil. But Tor’s unique structure and unflinching commitment to online privacy and anonymity form one of the average person’s best weapons against surveillance.
Using Tor along with a VPN is safe and legal. Beyond that, it’s a good idea. It’s not always necessary — a VPN alone will keep you safe enough — but Tor helps you feel more control over your privacy online.
What do you think of Tor and Tor Browser? Do you trust Tor’s safety record? Will you use it with a VPN connection? Let me know in the comments, and thanks for reading.