On the path to achieving a higher level of online privacy and security, many people consider using Tor through the standard Tor browser.

While Tor is used by people throughout the world, and also recommended by various groups, opinions on its effectiveness as a privacy tool can vary.

Tor truly is like an onion. The more you examine it and the deeper you go into the layers, the more questions arise. In this guide we will be peeling back the layers of the onion and looking at Tor from a number of different angles. Here's what we'll cover:

  1. What is Tor
  2. How Tor works
  3. Is Tor safe?
  4. 8 interesting/alarming facts about Tor
  5. Does Tor effectively work?
  6. Tor user errors and bad OPSEC
  7. Tor vs VPN
  8. Using Tor with VPNs
  9. Final verdict on Tor

What is Tor?

Tor is free and open-source software that is used by various people and agencies for online anonymity. The name “Tor” originally stood for “The Onion Router” because of how traffic is encrypted and directed across different relays (layers of anonymity).

Today, Tor is a browser (the Tor browser) that runs on the Tor network. Tor helps to anonymize users by encrypting traffic over multiple hops in the Tor network using TLS encryption, before arriving at the destination server.

Tor was originally funded and created by the US government’s Office of Naval Research (ONR) and the Defense Advanced Research Projects Agency (DARPA) in Washington, DC. Tor has received most of its funding from the US government, which we’ll cover in detail below.

How does Tor work?

To use Tor you will need to download the Tor browser bundle (here). For explanation purposes, there are basically two components to using Tor:

  1. Tor browser – The Tor browser is a built on Firefox 60 ESR (Extended Support Release). It is hardened by default to protect your privacy and also includes the NoScript and HTTPS Everywhere extensions.
  2. Tor network – The Tor browser is automatically configured to run on the Tor network. The Tor network encrypts your traffic over a series of relays, or nodes. The network is decentralized, with Tor nodes being run by volunteers.

In the graphic below, Alice is connecting to a server called “Bob” using the Tor network. Note that Bob could be any server, including a random website. Alice’s traffic is encrypted over three different Tor relays, before leaving the Tor network to Bob’s server. Traffic between the Tor exit node and Bob’s server is unencrypted (red arrows,) but everything before the exit node is encrypted (green arrows.)

When you use Tor, your traffic will be routed through three different nodes, or relays. As a general rule, traffic is routed to prioritize speed, as explained by Tor developers, with most traffic passing through a small number of high-bandwidth relays. There are Tor nodes located all over the world, and the exact routing path will vary depending on your location and the server you are accessing.

These Tor nodes, or relays, are run on a volunteer basis, which means any random person can setup a Tor node, through which your internet traffic may be routed (more of a discussion on this below.)

From an online anonymity standpoint, Tor offers some interesting benefits. Each node will re-encrypt your data, while also adding a new layer of anonymity between the unencrypted internet and your originating IP address. This makes it challenging for an adversary to determine the path and identity of the user.

Tor bridges – A Tor bridge, or Tor bridge relay, is simply an alternative entry point into the Tor network that is not publicly listed. A bridge may be useful if Tor is getting blocked in your region, or if you do not want your internet service provider or network admin to know you are using Tor. You can see the current number of active Tor relays and bridges here.

Tip: The safest way to use the Tor network is through the default Tor browser bundle. Re-configuring and or modifying the default Tor browser is generally not recommended because this could easily de-anonymize the user if misconfigured.

Is Tor safe?

Tor is well regarded in the privacy community and most people would consider it safe to use.

The Electronic Frontier Foundation (EFF,) a well-respected online privacy advocacy group, is a major supporter and advocate of Tor. Edward Snowden and other high-profile privacy advocates also recommend Tor.

While Tor has a number of strong advocates, it also has its detractors, for various reasons. In fact, the closer you look into the history, connections, and funding of Tor, the more questions arise.

As with all privacy tools, however, only you can decide if Tor is a safe and effective solution for your unique needs. When deciding whether or not Tor is a good fit for your particular needs and threat model, be sure to consider all the facts.

After researching Tor over the past few years, I’ve come across lots of interesting information that has been dug up by various journalists, bloggers, and news sites. To help you decide if Tor is a good fit, we’ll summarize some of these findings below.

No “conspiracy theories”! There is a lot of information (and mis-information) about the history and connections of the Tor Project. In this guide we are going to strictly stick to the facts and focus on information that is well-sourced. While there are different journalists who draw provocative conclusions from this information, we will avoid speculation and just focus on the facts.

Note: None of this is new or exclusive information – everything is already out there, published by various sources, with citations provided below.

1. Tor was created by the US government

I forgot to mention earlier, probably something that will make you look at me in a new light. I contract for the United States Government to build anonymity technology for them and deploy it. They don't think of it as anonymity technology, though we use that term. They think of it as security technology. They need these technologies so that they can research people they're interested in, so that they can have anonymous tip lines, so that they can buy things from people without other countries figuring out what they are buying, how much they are buying and where it is going, that sort of thing.

— Roger Dingledine, co-founder of Tor, 2004 speech

The history of Tor goes back to the 1990s when the Office of Naval Research and DARPA were working to create an online anonymity network in Washington, DC. This network was called “onion routing” and bounced traffic across different nodes before exiting to the final destination.

In 2002, the Alpha version of Tor was developed and released by Paul Syverson (Office of Naval Research,) and Roger Dingledine and Nick Mathewson, who were both on contract with DARPA. This three-person team, working for the US government, developed Tor into what it is today.

After Tor was developed and released for public use, it was eventually spun off as its own non-profit organization, with guidance coming from the Electronic Frontier Foundation:

At the very end of 2004, with Tor technology finally ready for deployment, the US Navy cut most of its Tor funding, released it under an open source license and, oddly, the project was handed over to the Electronic Frontier Foundation.

Despite being its own unique entity, however, Tor continues to benefit from US government funding, even today.

2. Tor is funded by the US government

It’s no secret that Tor is funded by various US government agencies – and the Tor Project is open about this. The key question is whether US government funding negatively affects Tor’s independence and trustworthiness as a privacy tool.

One journalist, Yasha Levine, closely examined the financial relationship between Tor and the US government. While I don’t agree with all of Levine’s conclusions, his analysis of Tor funding is interesting:

Tor had always maintained that it was funded by a “variety of sources” and was not beholden to any one interest group. But I crunched the numbers and found that the exact opposite was true: In any given year, Tor drew between 90 to 100 percent of its budget via contracts and grants coming from three military-intel branches of the federal government: the Pentagon, the State Department and an old school CIA spin off organization called the BBG.
Put simply: the financial data showed that Tor wasn’t the indie-grassroots anti-state org that it claimed to be. It was a military contractor. It even had its own official military contractor reference number from the government.

Here are some of the different government funding sources for the Tor Project over the years:

Broadcasting Board of Governors:

“Broadcasting Board of Governors (BBG), a federal agency that was spun off from the CIA and today oversees America’s foreign broadcasting operations, funded Tor to the tune of $6.1 millionin the years from 2007 through 2015.”  (source)

State Department:

“The State Department funded Tor to the tune of $3.3 million, mostly through its regime change arm — State Dept’s “Democracy, Human Rights and Labor” division.” (source)

The Pentagon:

“From 2011 through 2013, the Pentagon funded Tor to the tune of $2.2 million, through a U.S. Department of Defense / Navy contract — passed through a defense contractor called SRI International.” (source)

The grant is called: “Basic and Applied Research and Development in Areas Relating to the Navy Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance.”

Some people argue that these financial ties to the US government compromise Tor. Others suggest that Tor has always been open about funding and the ties to US government agencies are not concerning or problematic.

We can also see what the Tor project has to say about the matter. When soliciting funds in 2005, Tor claimed that donors would be able to “influence” the direction of the project:

We are now actively looking for new contracts and funding. Sponsors of Tor get personal attention, better support, publicity (if they want it), and get to influence the direction of our research and development!

There you have it: Tor claims donors influence the direction of research and development.

On a positive note, however, Tor celebrated a milestone in December 2018 when it reported that roughly half of its funding came from the private sector. This is a major improvement over previous years.

3. Tor is a tool for the US government

The United States government can’t simply run an anonymity system for everybody and then use it themselves only. Because then every time a connection came from it people would say, “Oh, it’s another CIA agent looking at my website,” if those are the only people using the network. So you need to have other people using the network so they blend together.

—Roger Dingledine, co-founder of the Tor Network, 2004 speech

Echoing what Roger Dingledine said in the quote above, Levine also argues that Tor is fundamentally a tool for the US government:

Tor’s original — and current — purpose is to cloak the online identity of government agents and informants while they are in the field: gathering intelligence, setting up sting operations, giving human intelligence assets a way to report back to their handlers — that kind of thing. This information is out there, but it’s not very well known, and it’s certainly not emphasized by those who promote it.

The Tor Project’s website discusses how Tor is actively used by government agencies for different purposes:

A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.

Michael Reed, one of the early developers of Tor, explained how it is a tool for US government intelligence agencies:

The original *QUESTION* posed that led to the invention of Onion Routing was, “Can we build a system that allows for bi-directional communications over the Internet where the source and destination cannot be determined by a mid-point?” The *PURPOSE* was for DoD / Intelligence usage (open source intelligence gathering, covering of forward deployed assets, whatever). Not helping dissidents in repressive countries. Not assisting criminals in covering their electronic tracks. Not helping bit-torrent users avoid MPAA/RIAA prosecution. Not giving a 10 year old a way to bypass an anti-porn filter. Of course, we knew those would be other unavoidable uses for the technology, but that was immaterial to the problem at hand we were trying to solve (and if those uses were going to give us more covertraffic to better hide what we wanted to use the network for, all the better…I once told a flag officer that much to his chagrin.)

Just as Roger Dingledine asserted in the opening quote to this section, Paul Syverson also emphasized the importance of getting other people to use Tor, thereby helping government agents perform their work and not stand out as the only Tor users:

If you have a system that’s only a Navy system, anything popping out of it is obviously from the Navy. You need to have a network that carries traffic for other people as well.

Tor is branded by many different individuals and groups as a grassroots project to protect people from government surveillance. In reality, however, it is a tool for government agents and it requires other random people using the network to help mix traffic.

Tor’s utility for the military-surveillance apparatus is explained by Levine in the following quote:

Tor was created not to protect the public from government surveillance, but rather, to cloak the online identity of intelligence agents as they snooped on areas of interest. But in order to do that, Tor had to be released to the public and used by as diverse a group of people as possible: activists, dissidents, journalists, paranoiacs, kiddie porn scum, criminals and even would-be terrorists — the bigger and weirder the crowd, the easier it would be for agents to mix in and hide in plain sight.

Quotes from early Tor developers clearly seem to contradict the brand image that Tor has cultivated in the privacy community.

4. Tor developers cooperate with US government agencies

Some Tor users may be surprised to know there is extensive cooperation between the US government and the developers of Tor. Levine was able to clarify this cooperation through FOIA requests, which revealed many interesting exchanges.

Here is one email correspondence in which Roger Dingledine discusses cooperation with the DOJ (Department of Justice) and FBI (Federal Bureau of Investigation,) while also referencing “backdoors” being installed.

You can see more details from this correspondence here.

In another exchange below, Tor developer Steven Murdoch discovered a vulnerability with the way Tor was handling TLS encryption. This vulnerability made it easier to de-anonymize Tor users, and as such, it would be valuable to government agencies. Knowing the problems this could cause, Steven suggested keeping the document internal: “it might be a good to delay the release of anything like ‘this attack is bad; I hope nobody realizes it before we fix it’.”

Eight days later, based on the emails below, Roger Dingledine tipped off two agents at the BBG about this vulnerability:

It appears the issue was publicly released approximately four years after Roger Dingledine provided the information to US authorities in 2007.

You can see numerous exchanges between Tor developers and US government agencies here.

And if you really want to dive in, see the full FOIA cache here.

Regarding the above correspondence, Levine also explains there were many documents he requested that were blocked and not attainable through FOIA requests:

The thing to remember is that Tor’s BBG correspondence only reveals a sliver of Tor’s full interaction with the feds. Much of the funding for Internet Freedom tech takes place under Radio Free Asia’s umbrella, a private government corporation that claims it does not fall under FOIA mandate and so refuses to comply with journalists’ FOIA requests. We also do not know what Tor reveals to its other two backers, the State Department and the U.S. Navy. Nor do we know what Roger Dingledine or other Tor managers reveal in their regular meetings with U.S. intelligence and law enforcement agencies. And there are many such meetings.

Foul play?

Whether or not there is something nefarious going on here is anyone’s guess, and I’m not sure I would jump to the same conclusions as Levine. Nonetheless, the documents and emails he uncovered definitely raise some questions.

5. Anybody can operate Tor nodes, including governments, hackers, and spies

Many proponents of Tor argue that its decentralized nature is a major benefit. While there are indeed advantages to decentralization, there are also risks – namely, that anybody can operate the Tor nodes through which your traffic is passing.

There have been numerous examples of people setting up Tor nodes to collect data from gullible Tor users who thought they would be safe and secure.

Take for example Dan Egerstad, a 22-year-old Swedish hacker. Egerstad set up a few Tor nodes around the world and collected vast amounts of private data in just a few months:

In time, Egerstad gained access to 1000 high-value email accounts. He would later post 100 sets of sensitive email logins and passwords on the internet for criminals, spies or just curious teenagers to use to snoop on inter-governmental, NGO and high-value corporate email.
The question on everybody’s lips was: how did he do it? The answer came more than a week later and was somewhat anti-climactic. The 22-year-old Swedish security consultant had merely installed free, open-source software – called Tor – on five computers in data centres around the globe and monitored it. Ironically, Tor is designed to prevent intelligence agencies, corporations and computer hackers from determining the virtual – and physical – location of the people who use it.
People think they’re protected just because they use Tor. Not only do they think it’s encrypted, but they also think ‘no one can find me’.

Commenting on this case, security consultant Sam Stover emphasized the risks of someone snooping traffic through Tor nodes:

Domestic, or international . . . if you want to do intelligence gathering, there’s definitely data to be had there. (When using Tor) you have no idea if some guy in China is watching all your traffic, or some guy in Germany, or a guy in Illinois. You don’t know.

Egerstad also suggests Tor nodes may be controlled by powerful agencies (governments) with vast resources:

In addition to hackers using Tor to hide their origins, it’s plausible that intelligence services had set up rogue exit nodes to sniff data from the Tor network.
“If you actually look in to where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they’re using lots of bandwidth, they’re heavy-duty servers and so on,” Egerstad says. “Who would pay for this and be anonymous?”

So are governments operating Tor nodes for data collection?

Back in 2014, government agencies seized a number of different Tor relays in what is known as “Operation Onymous”. From the Tor Project blog:

Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator.

Commenting on this case, ARS Technica noted:

On July 4, the Tor Project identified a group of Tor relays that were actively trying to break the anonymity of users by making changes to the Tor protocol headers associated with their traffic over the network.
The rogue relays were set up on January 30, 2014—just two weeks after Blake Benthall allegedly announced he had taken control of Silk Road 2.0 and shortly after the Homeland Security undercover officer who infiltrated Silk Road 2.0 began getting paid to be a site administrator. The relays not only could have de-anonymized some users, but they also “probably tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service,” Tor project leader Roger Dingledine wrote in a July 30 blog post.

No quality control!

The fundamental issue here is there is no real quality control mechanism for vetting Tor relay operators. Not only is there no authentication mechanism for setting up relays, but the operators themselves can also remain anonymous.

Assuming that Tor nodes are indeed data collection tools, as many have suggested, it would also be safe to assume that many different governments are involved in data collection, such as the Chinese, Russian, and US governments. This actually makes it less likely that you have the same entity controlling all three nodes in the Tor circuit.

See also: Tor network exit nodes found to be sniffing passing traffic

6. Malicious Tor nodes do exist

If government-controlled Tor nodes weren’t bad enough, you also have to consider malicious Tor nodes.

In 2016 a group of researchers presented a paper titled “HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs“, which described how they identified 110 malicious Tor relays:

Over the last decade privacy infrastructures such as Tor proved to be very successful and widely used. However, Tor remains a practical system with a variety of limitations and open to abuse. Tor’s security and anonymity is based on the assumption that the large majority of the its relays are honest and do not misbehave. Particularly the privacy of the hidden services is dependent on the honest operation of Hidden Services Directories (HSDirs). In this work we intro- duce, the concept of honey onions (HOnions), a framework to detect and identify misbehaving and snooping HSDirs. After the deployment of our system and based on our ex- perimental results during the period of 72 days, we detect and identify at least 110 such snooping relays. Furthermore, we reveal that more than half of them were hosted on cloud infrastructure and delayed the use of the learned information to prevent easy traceback.

The malicious HSDirs identified by the team were mostly located in the United States, Germany, France, United Kingdom and the Netherlands.

Just a few months after the HSDir issue broke, a different researcher identified a malicious Tor node injecting malware into file downloads.

Tor is known to be insecure against an adversary that can observe a user’s traffic easily when entering and exiting the anonymity network.

As stated by the U.S. Naval Research Laboratory:

Clients choose and maintain three active guards and use them as the entry relay for all of their circuits to reduce the chance of directly connecting to an adversary. Clients rotate each guard at a random time between 30 and 60 days.

The entry guards are an extreme point of failure if one of them is malicious, they're very long lived for each session. The entry node set Tor picks from the list. It tries not to change the entry nodes it uses too often, because picking completely random circuits is actually worse security wise than picking a subset entry nodes at client bootstrap and then using those as the start of the circuits - if you pick completely at random there's more of a chance that you'll pick two correlated nodes. The selection is also weighted by relay bandwidth, so you're more likely to be connected to fast nodes, there are also some rules that try not to choose nodes in the same /6 for a circuit, not reusing nodes in specific ways, etc... So if you want to increase your MITM attack chances, you will have an easier time doing so with Tor.

Ever used Tor? Then your computer might be riddled with malware

According to ITProPortal:

Authorities are advising all users of the Tor network to check their computers for malware after it emerged that a Russian hacker has been using the network to spread a powerful virus. The malware is spread by a compromised node in the Tor network.
…It has emerged that one of these exit nodes had been modified to alter any program downloaded over the network. This allowed the attacker to put his own executable code in such programs, and potentially take control of victims’ computers.
Due to the altered node, any Windows executable downloaded over the network was wrapped in malware, and worryingly even files downloaded over Windows Update were affected.

Use at your own risk.

See also: OnionDuke APT Malware Distributed Via Malicious Tor Exit Node

7. No "expectation of privacy" when using Tor

Another interesting case highlighting the flaws of Tor comes form 2016 when the FBI was able to infiltrate Tor to bust a pedophile group.

The FBI Can Still Spy On You Even If You're Using Tor And Don't Ask Why

According to Tech Times:

The U.S. Federal Bureau of Investigation (FBI) can still spy on users who use the Tor browser to remain anonymous on the web.
Senior U.S. District Court Judge Henry Coke Morgan, Jr. has ruled that the FBI does not need a warrant to hack into a U.S. citizen’s computer system. The ruling by the district judge relates to FBI sting called Operation Pacifier, which targeted a child pornography site called PlayPen on the Dark web.
The accused used Tor to access these websites. The federal agency, with the help of hacking tools on computers in Greece, Denmark, Chile and the U.S., was able to catch 1,500 pedophiles during the operation.

While it’s great to see these types of criminals getting shut down, this case also highlights the severe vulnerabilities of Tor as a privacy tool that can be trusted by journalists, political dissidents, whistleblowers, etc.

The judge in this case officially ruled that Tor users lack “a reasonable expectation of privacy” in hiding their IP address and identity. This essentially opens the door to any US government agency being able to spy on Tor users, without obtaining a warrant or going through any legal channels.

This, of course, is a serious concern when you consider that journalists, activists, and whistleblowers are encouraged to use Tor to hide from government agencies and mass surveillance.

8. IP address leaks when using Tor

Another recurring problem with Tor is IP address leaks – a serious issue that will de-anonymize Tor users, even if the leak is brief.

In November 2017 a major flaw was discovered that exposed the real IP address of Tor users if they clicked on a local file-based address, such as file://., rather than http:// or https://.

This issue illustrates a larger problem with Tor: it only encrypts traffic through the Tor browser, thereby leaving all other (non-Tor browser) traffic exposed.

This design leaves Tor users vulnerable to leaks which will expose their identity in many different situations:

  • Tor offers no protection when torrenting and will leak the user’s IP address with torrent clients. (Never use Tor for torrenting.)
  • Tor may leak IP addresses when accessing files, such as PDFs or other documents, which will likely bypass proxy settings.
  • Windows users are also vulnerable to different types of leaks that will expose the user’s real IP address.

It’s important to note, however, that oftentimes de-anonymization is due to user error or misconfiguration. Therefore blame does not lie with Tor itself, but rather with people not using Tor correctly.

Dan Eggerstad emphasized this issue as well when he stated:

People think they’re protected just because they use Tor. Not only do they think it’s encrypted, but they also think ‘no one can find me’. But if you’ve configured your computer wrong, which probably more than 50 per cent of the people using Tor have, you can still find the person (on) the other side.

Important note: Tor gives specific instructions to help Tor users avoid de-anonymization due to “operator error”:

  • Use Tor Browser
  • Don’t torrent over Tor
  • Don’t enable or install browser plugins
  • Use HTTPS versions of websites
  • Don’t open documents downloaded through Tor while online
  • Use bridges and/or find company

I would also recommend not using Tor on Windows, for privacy reasons (use Linux instead).

See their website for additional tips.

Now that we have covered some different facts about the history, funding, and government connections of Tor, we will examine a few other important questions.

Does Tor effectively work?

Perhaps the million-dollar question we should all be asking is, Does Tor work?

Once again, the answer is not clear-cut and opinions are sure to be divergent, depending on who you ask. Regardless of where you fall on that answer, there are numerous cases which suggest that Tor may not be working as well as most Tor users expect…

In 2013 the Washington Post broke an article citing reports that the NSA had figured out how to de-anonymize Tor users on a “wide scale”. From the Washington Post:

Since 2006, according to a 49-page research paper titled simply “Tor,” the agency has worked on several methods that, if successful, would allow the NSA to uncloak anonymous traffic on a “wide scale” — effectively by watching communications as they enter and exit the Tor system, rather than trying to follow them inside. One type of attack, for example, would identify users by minute differences in the clock times on their computers.

Of course, this would render Tor essentially useless to all those who use it to hide from mass government surveillance. And keep in mind this leaked report was from 2006. Surely, the NSA’s power and capability has only grown in the the past 13 years.

There are also various reports of government agencies cooperating with researchers to “break” or somehow exploit Tor to de-anonymize users:

Then in July, a much anticipated talk at the Black Hat hacking conference was abruptly canceled. Alexander Volynkin and Michael McCord, academics from Carnegie Mellon University (CMU), promised to reveal how a $3,000 piece of kit could unmask the IP addresses of Tor hidden services as well as their users.
Its description bore a startling resemblance to the attack the Tor Project had documented earlier that month. Volynkin and McCord’s method would deanonymize Tor users through the use of recently disclosed vulnerabilities and a “handful of powerful servers.” On top of this, the pair claimed they had tested attacks in the wild.

Judge confirms what many suspected: Feds hired CMU to break Tor

ARS Technica also discussed this case in February 2016 where they noted:

A federal judge in Washington has now confirmed what has been strongly suspected: that Carnegie Mellon University (CMU) researchers at its Software Engineering Institute were hired by the federal government to do research into breaking Tor in 2014.

These cases raise questions as to how much trust people should put into Tor as a tool for achieving online anonymity.

Tor user errors and bad OPSEC

There are many cases of Tor users getting busted or de-anonymized, but the most common reason for this is user error and/or bad OPSEC. Once again, this has nothing to do with Tor, but rather, Tor users falling short.

One example of this was the Harvard student, Eldo Kim, who decided to email a bomb threat in order to get out of a final exam. Of course, he didn’t stop to consider that using Tor on the university network would make him stand out from the crowd (all Tor nodes are public!). When authorities then linked the IP address embedded in the email header to a Tor node, with Kim being the lone Tor user at the same time, it was case closed.

There are many other examples of user errors, bad OPSEC, and general stupidity de-anonymizing various Tor users. Tor will not protect you against these pitfalls.

Tor vs VPN

In the case of Tor, you would probably be better off with a VPN.

I talked about the value a VPN brings to the table in a previous article and that free VPN services should be avoided. In any case the best solution is to host your own VPN on a cheap VPS plan.

In essence a VPN will encrypt all traffic between your device (computer, tablet, router, smartphone etc.) and the VPN provider (they can still monitor your activity if you don't host your own VPN.) This makes traffic (your online activities) unreadable to third parties, such as your internet provider, cyber-thieves, and any other snoopers.

Note: If your VPN provider use their own DNS server or have a DNS or worse use a third parties DNS server then your activity may still be leaked to your ISP or snooper. Always encrypt your DNS, as the DNS is the anonymity part of a VPN service, the VPN only encrypts the contents what you are viewing.

One benefit of Tor is that traffic is always routed over three different nodes before exiting to the destination. This offers geographic diversity (different jurisdictions) while also providing a high level of protection against a compromised Tor relay.

In contrast to Tor, most VPN services route traffic over a single VPN server (single hop.) For the vast majority of users, this setup provides enough security, privacy, and online anonymity for most VPN use cases. A service such as Mysterium or Sentinnel would suffice.

For those who are seeking an even higher level of anonymity, beyond a single hope setup, one can use what is called a Multi-hop setup.

Similar to the Tor network, there are also a few VPN services that will route traffic across multiple VPN servers, or “hops” in the network. When a VPN routes traffic over two or more servers, this is often called a “cascade” or multi-hop VPN setup.

Finally, virtual machines are also a useful tool when combined with VPNs. In this setup, you could one run VPN on your host machine and then a second VPN within a virtual machine. This would double-encapsulate your traffic (a VPN within a VPN) while also distributing trust over two different VPN providers.

Of course, you could create as virtual machines within virtual machines, depending on system resources.

This concept is sometimes called a “nested VPN chain” and it will provide the highest levels of online anonymity.. Performance can also be excellent with the setup, provided you have the system resources.

VirtualBox is free and works very well for setting up VMs on your host operating system. You can install various Linux virtual machines for free and use these for different purposes, then simply delete the VM when you no longer need it.

VPN with Tor

Lastly, you can also combine a VPN with Tor. There are generally two simple ways to use Tor with a VPN:

  1. Connect to a VPN server through a VPN client (app) on your operating system, then open up the Tor browser and use Tor as normal.
  2. Use a VPN service that has servers exiting onto the Tor network.

There are, of course, different ways to use Tor and a VPN together, but the two methods above are simple and most common.

One big advantage of using a VPN with Tor is that it further protects your identity in the event that one of the Tor nodes, or the entire Tor circuit, is compromised. This is because there will be an encrypted VPN server between you and the Tor network, adding another layer of protection. However, this setup still won’t protect you from rogue Tor relays that may be snooping your traffic (collecting data) or injecting malware into your downloads.

Final verdict on Tor: You Decide

As noted at the beginning of the article, Tor is widely respected in the privacy community and it has many loyal fans.

Opinions on Tor continue to vary, and online discussions can become divisive, but at the end of the day, Tor has both advantages and disadvantages for different users.

One key factor with everything is trust. Do you trust Tor to keep you safe? Only you can decide the answer to that question.

For those who really want to use Tor, I would recommend accessing Tor through a VPN. This will add an additional layer of encryption between you and the Tor network.

Choosing the right privacy tools is a very subjective process that relies on your own unique needs, uses, and threat model. When deciding whether Tor is a fit for you, be sure to consider everything and draw your own conclusions.