Tor is a highly secure method of sending and receiving information across the Internet. It can be used to access the ‘Dark Web’ as well as to browse the familiar World Wide Web. Tor is widely used by journalists and non-profit agencies, as well as by crime victims and whistleblowers revealing corporate or government crimes. It is estimated there are about five thousand Tor users online at any one time with more than 30 million total users. The majority of Tor users are in the United States and Western Europe, with Italy and Israel being perhaps the biggest users of the technology.
Tor users account for no more than one quarter of one percent of all Internet users. It is slower than conventional web browsers and you might have trouble logging on to certain sites. So why would anyone want to use Tor when there are plenty of web browsers supplied with your computer?
Simple. Tor hides your tracks from anyone who might be watching. There are plenty of places in the world where human rights and political activism are not permitted or are subject to abuse. Attempts to organise such activities over the Internet can be easily traced (often using software and hardware supplied by Western democracies to authoritarian regimes) and dissent crushed. The original Internet was never designed to be secure, so almost all traffic is labelled with its point of origin and its eventual destination, and all of its data is transmitted in plain view.
Tor uses layers of strong encryption to hide not only the content of messages, but also their origin and destination, from inspection. As best we know, no one in the world, no matter how powerful their computer, can reliably break into Tor. Attempts have been made to subvert Tor, but always by attacking the Tor network rather than by breaking its principles.
The Tor network is a network built on top of the Internet from thousands of computers, belonging to individual users, which are known as nodes. The make-up of the Tor network changes minute-by-minute as users connect and disconnect.
Downloading and using Tor
Joining Tor does not require any special hardware and it is free to use. You will however require the Tor Browser application, which is available for most modern computer operating systems.
You can download the Tor Browser package from the Tor project website.
Installation and setup take a few minutes, after which you can start the Tor Browser. The browser takes a while to start as it connects to the Tor network and checks that it is up to date, but you will eventually see a window like this.
You might be disappointed by first appearances. The Tor Browser looks a little old fashioned and many of the clever features and plugins we take for granted aren’t present: there’s no autocomplete of addresses as you type them in, and the search isn’t provided by a familiar search engine such as Google or Bing.
And that’s for a very good reason; much of the functionality we’ve become used to compromises our privacy and sometimes can allow third parties to track our activities online. Removing these features improves security at the expense of a little convenience.
But having said that, the Tor Browser allows you to visit websites, download and upload data and generally it behaves just like a normal browser. It’s only underneath that Tor Browser is wildly different from the browser you’ve been used to.
How does Tor work?
Let’s assume you want to connect over Tor to The Open University. Here your computer is at the top left, the OU is the rather fetching pink computer at the bottom right. In between the two is the Tor network made up from dozens of computers belonging to other Tor users.
When you start Tor Browser it first reaches out to one of a number of special nodes on the Tor network known as directory nodes, which are responsible for keeping track of all the computers currently connected to the network. Your browser selects a number of available nodes from the directory to create a chain of Tor nodes between it and The Open University.
For argument’s sake, let’s say your browser selects Nodes 2, 5, 8, 17 and 22.
As its name suggests, the chain will send data from your browser to The Open University by means of the intermediary nodes; first to Node 2; then in turn to Nodes 5, 8, 17 and 22; and only then to the OU.
The next step is to secure the transfer of data. Every node in the Tor network protects data using a pair of encryption keys, one public and one private, so your browser asks each node in the chain to send it a copy of its public encryption key. The browser then wraps the message to The Open University in layers of encryption. The data for the University is first encrypted with the public key from Node 22. That encrypted data is then successively encrypted with the key from Node 17, and then with keys from Nodes 8, 5 and 2. By the end of the process, the message is wrapped (in this case) in no fewer than five layers of encryption. So this message:
The data is now ready to send. Your browser establishes a secure link to the first node in the chain (Node 2) and sends the encrypted data to it. When the data arrives, Node 2 uses its private key to decrypt the outermost layer of encryption. Node 2 then creates a link to the next node in the chain (Node 5) and sends the data onward. The process is repeated with layer upon layer of encryption being removed, gradually unpeeling the data itself; a process known as onion routing.
When your data reaches Node 22, the final layer of encryption is removed and the request for data from The Open University is revealed. The data is now ready to exit the Tor network (Node 22 is known as an exit node). Node 22 makes a connection to the OU over the conventional Internet; anyone watching at the OU will see a connection from Node 22 rather than from your browser.
Replies from The Open University are directed back through the Tor network along the same chain as the requests, so the OU communicates with Node 22. During the return journey the process is repeated in reverse: each node in the chain applies its own encryption before passing the message back towards the node which sent the original request. So Node 22 encrypts the data from the OU, then passes it on to Node 17, which applies its own encryption, and so on. Only when the data reaches your browser is it completely decrypted and the OU’s response can be seen.
It might seem incredible that this works at all – but in fact it works so reliably and quickly that you can use Tor to access the Internet almost as quickly as a normal unencrypted link.
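The wrapping and unpeeling described above, as an added example (not code from the Tor project or from the original article). It assumes a toy Diffie-Hellman exchange plus a SHA-256 keystream as a stand-in for each node's public-key encryption, and a hypothetical one-byte "next hop" field; neither is Tor's real cell format and neither is secure.

```python
import hashlib, secrets

# Toy stand-in for public-key encryption (assumption): Diffie-Hellman over the
# prime 2**255 - 19 plus a SHA-256 keystream. Stdlib-only, NOT secure.
P, G, EXIT = 2**255 - 19, 2, 0  # EXIT: hypothetical "leave the Tor network" marker

def xor_stream(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream; the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

def shared_key(public: int, private: int) -> bytes:
    return hashlib.sha256(pow(public, private, P).to_bytes(32, "big")).digest()

class Node:
    def __init__(self, number: int):
        self.number = number
        self._private = secrets.randbelow(P - 2) + 1  # never leaves the node
        self.public = pow(G, self._private, P)        # sent to the browser

    def peel(self, cell: bytes):
        """Remove this node's layer: returns (next hop, remaining data)."""
        key = shared_key(int.from_bytes(cell[:32], "big"), self._private)
        plain = xor_stream(key, cell[32:])
        return plain[0], plain[1:]

def seal(public: int, next_hop: int, payload: bytes) -> bytes:
    """Encrypt next hop + payload so only the private-key holder can read it."""
    eph = secrets.randbelow(P - 2) + 1
    body = xor_stream(shared_key(public, eph), bytes([next_hop]) + payload)
    return pow(G, eph, P).to_bytes(32, "big") + body

def build_onion(chain, request: bytes) -> bytes:
    """Wrap innermost first: the exit node's layer, then back to the entry node."""
    cell, next_hop = request, EXIT
    for node in reversed(chain):
        cell, next_hop = seal(node.public, next_hop, cell), node.number
    return cell

def route(chain, cell: bytes):
    """Forward the cell hop by hop, recording (node, next hop, data it sees)."""
    nodes, hop, seen = {n.number: n for n in chain}, chain[0].number, []
    while hop != EXIT:
        here = hop
        hop, cell = nodes[here].peel(cell)
        seen.append((here, hop, cell))
    return seen
```

Calling `route(chain, build_onion(chain, request))` with a chain of `Node(2)`, `Node(5)`, `Node(8)`, `Node(17)` and `Node(22)` shows each node learning only its next hop, with the request readable only at Node 22, the exit node.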
How safe is Tor?
Tor protects data in transit using the same well-established public key encryption techniques used in a huge number of unrelated services. As far as anyone knows, public key cryptography is highly secure even when attacked by the most powerful computers in the world.
Tor users could in theory be vulnerable if a network is monitored using a technique called traffic analysis which can, given sufficient time and data, identify users and their location by backtracking data to its origin. Tor greatly reduces this risk to its users by routinely discarding chains and creating new ones every ten minutes.
Tor has also been written in a manner that encourages confidence in its security. The program is an open source project where anyone can examine every line of the original program typed in by its authors. Any bugs, or deliberate weaknesses in the design can be exposed and rectified. If you don’t trust the download, you can even (with the proper software tools) generate your own version of the Tor Browser and compare it to the original.
Tor is not perfect. There have been some serious software bugs that could have compromised personal data and there are a number of potential weaknesses that may be exploited by hostile users. The most significant weakness is the exit node itself; by definition it sends data back on the Internet, so if that data has not been encrypted by the sender before placing it on to Tor, the data is visible to the exit node. A hostile user could run an exit node and copy all data passing through it.
Edward Snowden disclosed that both the United States National Security Agency (NSA) and the United Kingdom’s Government Communications Headquarters (GCHQ) had attempted to infiltrate Tor communications, albeit with only marginal success. Clearly this was a source of frustration to the Government: a confidential NSA document entitled Tor Stinks contained the confession, "We will never be able to de-anonymize all Tor users all the time." It did, however, reveal that "with manual analysis we can de-anonymize a very small fraction of Tor users."
We now have a situation where one part of the US government is funding improvements to Tor just as another is trying to break it open! The US and UK are not alone in targeting Tor; in 2014, the Russian government offered more than $100,000 to investigate techniques for identifying users of the Tor network. So far no one has collected the money.
Should I use Tor?
Tor has attracted an unfavourable reputation because it made illegal operations such as The Silk Road possible. However, without Tor there would have been no WikiLeaks and no Snowden revelations. It is a profoundly powerful piece of technology. The US government continues to pay more than 80% of Tor’s ongoing development costs, and it also recommends its use to political dissidents. The FBI even admitted in its complaint against Ross Ulbricht that Tor has "known legitimate uses".
But like most technology, Tor has downsides, and for Tor they are real threats to our wellbeing. It can be used to aid criminality, it allows illegal content, such as child pornography and terrorist material, to spread beyond the reach of law enforcement, and it can make tracking criminals much harder.
At the end of the day, Tor promises us private communications but perhaps at a very high cost. And we have to decide if that is a price worth paying.