Is Tor Browser Safe and Completely Anonymous to Use?
Downloading Tor on your computer is safe and it’s completely legal to do so and to use it. However, keep in mind that you might get extra attention from your ISP if you do this, so it’s a good idea to hide your IP address with a VPN as you’re downloading Tor.
Is Tor browser safe? Not as much as you might think. Tor has certain security vulnerabilities that a skilled hacker or a government agency can exploit. However, there are ways to minimize these risks.
Staying safe and anonymous online is definitely no easy task as there are plenty of bad actors that want your sensitive data. Luckily, using the Tor browser can make your online experience more secure and private.
But to what degree? Is Tor browser safe 100% or are there ways for someone to see your browsing activities, IP address and even hack you?
Unfortunately, the answer is that Tor is not completely safe and anonymous and we’ll show you in this article why, plus what you can do to make it more secure.
Before we delve deeper into Tor’s security issues, it’s important to understand how to use Tor browser and how it works in the first place.
First, you will need to download Tor from the Tor Project website. You can download it for Windows (32 and 64-bit), macOS (64-bit), GNU/Linux (32 and 64-bits and Android. Tor is also available in 32 different languages.
Tor is a free software that allows you to anonymously communicate online. This is done by sending your Internet traffic through “nodes”.
Nodes are run and maintained by Tor volunteers and anyone can run a node (not all nodes are safe, but more on that later).
Essentially, when using Tor, your Internet traffic passes through at least three of these nodes, starting with the entry or guard node, then through the relay or middle node, until it finally goes through the exit or final node before the browser finally opens the webpage or file you were looking for.
As your data passes through each of these nodes, Tor “peels off” a layer of encryption, like you would peel an onion, which is why the service got the name “the onion router”.
Now with that explanation out of the way, let’s see if Tor is all that safe as it claims.
Tor Risks and Security Issues
Unfortunately, like anything else in life (online or offline), Tor is not perfect either and it has its flaws.
We’ll go over the biggest ones here:
- It can leak your IP address
One of the biggest reasons why it’s not a good idea to rely solely on Tor if you want to stay anonymous online is that it can leak your IP address.
In November, 2017, We Are Segment discovered a security vulnerability in Tor that could leak the user’s real IP address.
They named this TorMoil.
TorMoil specifically affected macOS and Linux users because of the way Firefox handles fille:// URLs. This caused the OS to bypass Tor Browser and directly connect to the host if the user clicks on a local file-based address.
Of course, devs quickly patched Tor, but that doesn’t mean there aren’t other ways Tor can leak your IP.
For instance, Windows DRM files can be used to deanonymize Tor users and reveal their IP addresses.
What happens here is that attackers would use DRM-protected files such as Windows Media Player to lure Tor users into “validating their license”. Once the user clicks the “Yes” button, they are redirected to an “authorization URL”, which contains malware and can expose their IP address.
- Your Connection between the Exit Node and the Destination Server is Unencrypted (on non-HTTPS websites)
As your data passes through Tor nodes, it will stay encrypted and Tor will remove a layer of encryption with each “bounce”.
However, once you get to the exit node, there is no more encryption between it and the destination server.
Even worse, according to Tor’s own documentation, whoever is running the exit node will be able to see your data and eavesdrop on your online communication.
Tor is a decentralized network, meaning that anybody can operate a node.
Naturally, this has its good sides, but also its bad sides.
The bad side is that not everybody who runs a Tor node does so for altruistic reasons.
Government agencies and hackers can (and do) operate nodes and that means they can see what you are doing online.
For example, in 2007, Swedish hacker Dan Egerstad managed to collect huge amounts of data, including from embassies, corporate email accounts and NGOs in mere months by setting up nodes on five computers in data centers around the world and simply monitoring them.
That was just one hacker, imagine what a more organized group, like a government agency could do.
For example, in 2014, during “Operation Onymous”, Europol seized several Tor nodes. This led to 400 seized hidden services and 17 arrests.
You can read more about the case on the Tor blog.
- There are Plenty of Malicious Nodes Out There
In a perfect world (and how we assume Tor devs intended it), going through Tor nodes would be completely safe.
However, that's not the case and there are plenty of malicious nodes out there.
In 2016, professor Guevara Noubir and computer science Ph.D. student Amirali Sanatinia of the College of Computer and Information Science at Northeastern University discovered 110 malicious nodes in just 72 hours.
They published their findings in the research paper “HOnions: Toward Detection and Identification of Misbehaving Tor HSDirs”.
Furthermore, in 2014, a Russian hacker was using the Tor network to spread a powerful virus. He did this by modifying the exit nodes he was running to put his own executable in any program that the user would download over Tor.
- Tor Gets Funds from the US Government
While the amount that Tor receives in funding from the US government is dropping year-by-year (it was 85% in 2015 and then 51% in 2017), Tor still gets a good chunk of its funding from government agencies.
And this isn’t even a secret as Tor annually publishes a financial transparency report.
Specifically, throughout the years, Tor received:
- $6.1 million from the US Agency of Global Media (USAGM), formerly Broadcasting Board of Governors (BBG).
- $3.3 million from the US State Department.
- $2.2 million from Pentagon.
Apart from government funding, there are three more ways Tor gets money. These are:
- Individual donations and core organization support; used mainly for Tor’s day-to-day operations.
- R&D funding from DARPA, Radio Free Asia and similar groups; used to build safer tools.
- Research funding from the National Science Foundation and groups like it; used to improve Tor’s privacy and safety.
- Tor Devs Sometimes Work with Government Agencies
If you think all Tor developers are 100% opposed to working closely with government agencies, you are wrong.
In fact, some of them have no qualms about this.
For example, Tor’s co-founder and current director and research director at Tor Project, Roger Dingedine had an interesting email correspondence with the FBI and the Department of Justice, which you can read in full here.
At one point, Dingledine even says that he met with about 50 DoJ and FBI agents in San Diego on 22-23rd October.
To make things even worse, according to the FOIA (Freedom of Information Act) documents Tor privately tips off the government about security vulnerabilities before they alert the public about them.
For example, in an email to Dingledine, Tor developer Steven Murdoch wrote this about a security vulnerability they discovered:
“Currently this document is private, but eventually some or all of it should be public. I’ll leave this discussion for a later date, but essentially my thought is that while we should not rely on secrecy, it might be a good idea to delay the release of anything like “this attack is bad; I hope nobody realizes it before we fix it”.
- It’s Not Safe to Run an Exit Node Either
Of course, we still believe that the vast majority of people who run exit nodes do so out of good motives.
That said, before you decide to do so yourself, you should be aware that there are certain risks involved in operating a Tor exit node.
For instance, let’s say that criminals are using Tor for illegal activities, like distributing child pornography, selling girls into prostitution, or selling drugs. In that case, if the traffic goes through your exit node, the police will be able to track it to your IP address and knock on your door.
This happened in 2012 to a Tor node operator from Graz, Austria William Weber, when he was charged with distributing child pornography simply for running Tor exit nodes that criminals were using.
In another case, that happened a year before, Tor user Clemens Eisserer said that the police seized his hardware because someone was misusing the exit node he was running.
And these are just two cases where people were legally operating exit nodes, but ended up being charged with a crime because actual criminals were using their nodes.
- The FBI Doesn’t Need a Warrant to Spy on Tor Users
The Federal Bureau of Investigation (FBI) and other agencies like it don’t even need a warrant to spy on what you’re doing on Tor.
Government agencies normally do this when they need to catch criminals as they did in Operation Pacifier when they busted no less than 1,500 pedophiles visiting a child pornography site PlayPen on the Dark Web.
A senior US District Court Judge Henry Coke Morgan, Jr. ruled in relation to the case that the FBI does not need a warrant to hack into a US citizen’s computer system”.
Of course, you could say that these were criminals and that the FBI was justified, but a ruling like this opens the door for government agencies to spy on any Tor user without a warrant, regardless if he is a criminal or not.
How to Stay Safe on Tor?
Ok, with all (or at least the biggest) Tor issues laid out before us, how to stay safe on Tor?
There are a couple of things you can do:
- Turn the Safety to “High” in Settings
Note that some websites on Tor won’t work as well, or might even stop working entirely if you crank the safety slider all the way to “High” in the Tor browser settings, but this is a small price to pay to protect against JS hacking and online tracking.
- Boot into portable OS like Tails
This should give you some extra protection against surveillance and ads. The main thing here is that Tails makes it harder to differentiate a Tail user from other Tor users (particularly those not using Tails).
However, since you can be identified as a Tor user inside or outside Tails, this gives more info about you. The more information about you revealed, the less anonymous you are.
- Forget about Extensions on Tor
Keep the Tor browser clean from extensions and add-ons, unless it’s absolutely necessary to add them. This isn’t your Google Chrome that you would fill up with extensions. A bad extension might just add an extra security vulnerability that a hacker could exploit.
Even Tor Project itself warns against installing add-ons or plugins, saying:
“We do not recommend installing additional add-ons or plugins into Tor browser.
Plugins or addons may bypass Tor or compromise your privacy. Tor Browser already comes with HTTPS Everywhere, NoScript and other patches to protect your privacy and security.”
Additionally, extensions can make your fingerprint more unique and lead to cross-website tracking.
4. Don't access your clearnet accounts on Tor
Accessing your clearnet accounts via Tor, entering any PII, or using your phone number for 2FA may link to your real identity.
5. Use Tor with a VPN
Is Tor browser safe without a VPN?
As you can see, Tor actually has quite a few vulnerabilities. Luckily, some of them can be mitigated and sometimes even completely eradicated by using a good VPN.
Namely, using a VPN will do two things: hide your real IP address and encrypt your data. This solves two of the problems - Tor leaking your IP address and the unencrypted connection between the exit node and the destination server.
There are two ways you can connect Tor with a VPN. Both have their advantages, but also some disadvantages you should know about.
The first is to use a VPN over Tor. This requires you to connect via Tor and encrypt the data as it gets routed through the entry node. Thus, it is the more complicated of the two methods.
The advantages of this method are:
- It filters all your traffic through Tor, even programs that aren’t compatible.
- You can choose your server location, or the exit node location, using the "ExitNodes" option in Tor.
- You can avoid blocked exit nodes and reduce the risk of no Internet connection.
- It will encrypt your data before entering or exiting Tor network and that way protects you against malicious exit nodes.
Here are the disadvantages of using a VPN over Tor:
- You’ll be unable to access .onion sites and hidden services on Tor. Unfortunately, this is often the main point of using Tor in the first place.
- Your Internet Service Provider might be able to see that you are using Tor to connect to the Internet. However, you can circumvent this by using a Tor bridge.
The second, easier method, is to use Tor over VPN.
The advantages of this method are:
- The VPN will hide your real IP, which means that your ISP will be oblivious to you using Tor.
- Tor will remain accessible. .Onion sites and hidden services will be inaccessible if you use a VPN over Tor. However, with this method, that’s not the case if you are using a VPN as the entry node.
- It’s much easier to set up. All you need to do is activate the VPN first and then start using Tor.
There are disadvantages of using Tor in combo with a VPN and they are mostly related to the exit nodes:
- You’re vulnerable if the VPN connection drops and your data could be exposed to the ISP.
- It’s also possible to be left unable to connect to the Internet if your exit node is blocked.
- Exit nodes will be unencrypted and you can be tracked by the ISP of the exit node.
As you can see, Tor is not the ultimate online privacy and security solution. It has flaws, but you can address most of them by being smart when you use Tor and especially by using a VPN.
Once you start doing that, the answer to the question we posed “is Tor safe from viruses?” suddenly becomes a more clear “Yes”.