Welcome to our What is… series, where we turn technical jargon into plain English.
You can’t go far these days without hearing about Tor, and opinions about it are sharply divided.
Some people will tell you it’s a bulwark of online privacy, while others consider it a threat to law and order.
But what is it?
Tor is short for The Onion Router, and it gets its name from how it works.
Tor intercepts the network traffic from one or more apps on your computer, usually your web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination.
This disguises your location, and makes it harder for servers to pick you out on repeat visits, or to tie together separate visits to different sites, thus making tracking and surveillance more difficult.
The computers used to do this “onion routing” are known as relays, and are provided by volunteers from all around the world – about 7000 of them at the start of 2016.
Before a network packet starts its journey, your computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion.
Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
Think of it like putting a postcard into multiple envelopes, one after the other, with a different address on each envelope, and then posting the whole package.
The person listed on the outermost envelope can tell that the postcard came from you, and work out where to send it next, but they can’t read the postcard, and they can’t tell where it will end up.
The people in the middle of the chain know nothing more than who sent it to them, and who’s listed as the next recipient, and that’s that until the end of the chain.
The last person gets to open the final envelope, so they can read the postcard and see where it will end up, but not what route it took, and certainly not where it started out.
And that, in a nutshell, is how Tor works.
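The envelope-inside-envelope layering described above, as an added Python sketch (not code from the Tor project). The relay names, the pre-shared per-relay keys and the toy SHA-256 XOR cipher are assumptions standing in for Tor's real key negotiation and encryption.

```python
import hashlib
import os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (NOT Tor's real cryptography): XOR with SHA-256 keystream blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One envelope: the next address plus the inner packet, encrypted for one relay."""
    nonce = os.urandom(16)
    hop = next_hop.encode()
    return nonce + xor_stream(key, nonce, bytes([len(hop)]) + hop + inner)

def open_layer(key: bytes, envelope: bytes):
    """What a single relay does: strip its own layer, learn only the next hop."""
    body = xor_stream(key, envelope[:16], envelope[16:])
    n = body[0]
    return body[1:1 + n].decode(), body[1 + n:]

def build_onion(circuit, destination: str, message: bytes) -> bytes:
    """circuit is [(relay_name, key), ...] from entry to exit; wrap innermost first."""
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    onion = message
    for (_, key), hop in reversed(list(zip(circuit, next_hops))):
        onion = seal(key, hop, onion)
    return onion

def route(circuit, onion: bytes):
    """Pass the packet along the circuit; record what each relay learned."""
    learned = []
    for name, key in circuit:
        next_hop, onion = open_layer(key, onion)
        learned.append((name, next_hop))
    return learned, onion  # the exit relay ends up holding the plaintext message

if __name__ == "__main__":
    # Constructed sample: three hypothetical relays with random per-relay keys.
    circuit = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]
    onion = build_onion(circuit, "example.com:80", b"hello from the postcard")
    learned, delivered = route(circuit, onion)
    for relay, nxt in learned:
        print(f"{relay} relay forwards to {nxt}")
    print("exit relay sees:", delivered)
```

Each relay learns only its own next hop, and only the exit relay recovers the original message.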
Pros for Tor
+ Tor disguises your location. This makes it harder for a website to work out where you live.
+ Tor regularly picks a new “onion route.” Every 10 minutes by default, Tor chooses a new list of relays, known as a circuit. This makes you a moving target to tracking software.
+ Tor can make it safer to use untrusted networks. By shielding where your traffic is going, Tor helps to prevent network sniffing software from figuring out what sites you are visiting.
Cons for Tor
– Tor doesn’t add encryption for the final hop. When your traffic leaves the Tor network for the final step to your intended destination, Tor’s last layer of encryption is stripped off. If the website you are visiting doesn’t use HTTPS (secure HTTP), your traffic can be sniffed by the last relay in the Tor chain, known as an exit node.
– Tor doesn’t control the security settings in your browser. As a result, the websites you visit may nevertheless be able to track you precisely, for example if you have cookies set that record your identity.
– Tor doesn’t automatically handle all your network traffic. Only apps that you deliberately configure for Tor will route their traffic “through the onion.” Your computer may therefore still be leaking your identity even if you are using Tor.
– Using Tor may violate your organisation’s IT policy. It may also attract unwanted attention from the authorities in some countries.
- The Tor Browser. This is a software bundle that includes the “onion router” software and a security-conscious build of the Firefox browser to go with it.
- Unscrupulous Tor Exit Nodes. If the last step in a Tor circuit is controlled by adversaries, they can sniff your traffic and leave you with even less security than before you installed Tor.
- Unscrupulous Tor Entry Guards. If the first step in a Tor circuit is controlled by adversaries, they can strip off the anonymity you hoped that Tor would provide.
- Not Just For The Bad Guys. Even though Tor can be used by crooks to avoid law enforcement, it also helps law-abiding users to keep their personal data away from those same crooks.
Additional components can be configured to force all traffic over Tor. The Whonix gateway is one such example.