Tor, What Is It Good For

In early December, Radio Free Europe reported that Russia blocked the Tor service. Is that an effort to fight online crime and illegal content, or is there something deeper? Spoiler alert - I won't give you a conspiratorial answer, but instead, I'll give you more information so that you can make your conclusion. This blog post will explain what Tor is and how it works. The blog post is divided into three sections - one covering Tor and its use, another focusing on the technical implementation and how the Tor network functions, and the final one covering Tor browser setup.

Tor stands for The Onion Router. Its structure resembles the layers of an onion where only two adjacent layers touch each other. Similarly, in the Tor network, each connection goes through several layers. Each layer is a Tor node connected to only two adjacent nodes and does not know anything about the rest part of the connection. Depending on the type of connection, there may be three or six intermediate nodes. Sounds confusing? I bet! Now let's unwind this. But before we do, let's explain some of the terminologies.

What are the Clear Web, Dark Web, and Hidden Services?

Clear Web is what we usually call the Internet. And while there is no need for a particular term, this one is chosen to oppose the publicly accessible Internet content, and the one offered on Tor, aka the Dark Web, which generally refers to websites in the Tor network. The websites provided on the Dark Web are called Hidden Services and have addresses like this: http://nytimes3xbfgragh.onion, which is the Dark Web address of a site known as New York Times on the Clear Web. Many companies with sizeable Clear Web presence also have Dark Web entry points. This presence is particularly true for news outlets, pro-privacy, social media, and human rights sites. Wikipedia maintains a somewhat outdated list.

Occasionally, although incorrectly, the term Dark Web refers to websites usually accessible over the Internet but having a closed membership. This term is also confused with the term Dark Net, and colloquially they are used interchangeably. To be exhaustive, the real meaning of the Dark Net is IP network space which is not advertised over BGP, meaning it is not "lit up" or not functional and is heavily used by advanced information security researchers to glean what's happening on the Internet.

Tor applications

First, let's see who is using Tor and what its applications are. There is an urban legend that Tor is used only by people who want to access illicit content, buy illegal drugs, or generally by criminals. A study from 2020 shows that merely 6.7% of the Tor network users visit Dark Web sites (aka Hidden Services) that are primarily used for illicit purposes. This means that on average, 93.3% of the users of Tor use the network for legitimate purposes, namely to preserve their privacy.

Furthermore, this number varies by country, depending on censorship and oppression. Totalitarian government countries show 3% higher use for non-illicit purposes bringing the illicit use percent down to 4.8. While this is a small number, it does show a correlation with the need for privacy when conducting tasks that are not illicit. The study also shows that on average, the vast majority of sites visited are on the Clear Web, so they are easily accessible over the Internet without Tor. Therefore, it is the person needing the protection, not the website. Based on the discussion above, one can easily conclude that in over 90% of the cases, the service is mainly used for the user's privacy.

So if Tor is not used primarily for illicit purposes, what is it used for? Tor was initially created by the US Naval Research Lab in 2002 and was used to protect US intelligence communications online. Two years later, in 2004, it was released as an open-source tool, and a major fiscal supporter of the project, at the time, was the Electronic Frontier Foundation (EFF). Furthermore, Tor has been repeatedly blocked in countries with oppressive regimes like Iran, China, and Russia.

It is becoming clear there is strong opposition to Tor from countries that have tighter control on information flow, and there is strong support for the platform by nonprofits working on protecting freedom of speech.

This, in turn, gives us the profile of the majority of its users, as confirmed by the study above. In other words, many people use the Tor service as a VPN to avoid government-imposed controls on certain types of content in their countries. It is interesting to note that Russia also blocked many VPN providers recently, presumably for the same reasons as Tor. The list includes US household names like Nord VPN, Proton VPN, Cloudflare WARP, and Opera VPN.

As discussed above, there are two use cases of Tor. The first is to connect to Dark Web sites (aka Hidden Services), and the second, which is by far more popular, is to use it as a VPN to connect to Clear Web sites while preserving one's anonymity.

Now that we know what Tor's applications are, and who is using it, let's see how it works.

How does Tor work?

The Tor network consists of nodes. Each node is a computer or other device on the Internet running the Tor software.

If an end-user wants to connect to a regular website, the system will create connections through three Tor nodes before it relates to the target website. Those three nodes are called entry (guard), relay, and exit nodes. It becomes apparent that the entry node sees the end-user client and the relay node, so it does not know the user's destination. Similarly, the exit node sees the site being visited and the relay node, but it cannot determine the end-user. In addition, the entry and exit nodes for a connection cannot be related.

Hidden Services

So far, we looked at the use case where the consumer of information wants to be private. As noted, there is a second use case, where both the end-user and the Dark Web site desire to be anonymous. In this case, the Dark Web website will have to use a Hidden Service to distribute their information. As an example of such a website will have an address of the following format: http://nytimes3xbfgragh.onion - which is the Tor Hidden Service address of The New Tork Times. To keep this site anonymous, Tor needs to take a few steps before users connect to such a site.

First, the Hidden Service will pick three relay nodes to be introduction points. It will connect to each of those nodes using two other relay nodes, in a way similar to what I described above. Those three introduction points are published in the hidden services catalog, which itself is a distributed hash table, where each entry is signed to ensure its authenticity.

Second, when a user wants to connect to the Hidden Service, they will use its address to retrieve the introduction points information from the catalog. Then they will connect to one of the introduction points using two other relay nodes, and then the client will pick a random rendezvous point which is yet another Tor relay. This node will be communicated to the Hidden Service. Both the client and the Hidden Service will establish multi-hop connections to the rendezvous point.

How to setup Tor client

There are a number of online tutorials about setting up Tor a client and browsing anonymously. I think the Tor Project one does an excellent job explaining how to run the Tor browser for the first time. In summary, you need to download for your platform, optionally configure entry and exit node country code, and connect.

There are some caveats that I wanted to mention. Tor works similarly to VPN, so some VPN services may interfere. Furthermore, it is recommended not to layer both VPN and Tor unless you have experience, as a misconfiguration may compromise your privacy. If you are adamant about using both, the Tor project has a good wiki page on the topic.

In addition, some antivirus or malware protection software may flag the Tor browser as malicious. See Tor's support forum for more details, including a list of antivirus programs that cause problems.

Another consideration is how Tor concentrates all of your traffic into a virtual pipe that can be monitored by an exit node. Theoretically, a compromised or malicious exit node can track what sites are accessed. Furthermore, it can easily inject traffic into HTTP (non-HTTPS) connections.

Tor also does not protect the user from inband attacks. For example, if your browser is vulnerable, it can be remotely exploited over the private, secure Tor communications channel. Similarly, if you download a malicious file, your system can be infected. In the latter case, Tor will also prevent legitimate security detection devices on the network from potentially blocking the malicious content. For that reason, flash is automatically disabled, as it provides many ways to attack your privacy. Similarly, BitTorrent is not anonymous over Tor.

Last but not least, if you are traveling, some networks, especially internationally, may not be well configured and may cause problems with your Tor connectivity. The Tor creators have anticipated this, and their solution is the so-called bridges. Some examples of bridges are obfs4, meek, or snowflake. Those bridge types are utilized by the so-called pluggable transports carrying the same names.

Conclusion

As you can see, Tor is mainly used for legitimate purposes by law-abiding citizens, and the majority of uses serve as a VPN as they are connecting to publicly available Clear Web websites. Although people use the Tor network to browse illicit content on a rare occasion (under 7%), the network overall has a legitimate use. Furthermore, it is used by dissidents in countries imposing strong Internet censorship on their population, which goes a long way towards building a stronger society.