The Onion Router (TOR)
Overview
Tor is a free, open‑source system that lets people browse the internet with stronger anonymity by sending their traffic through several volunteer‑run servers around the world. It is best known for the “Tor Browser,” which allows access to both the regular web and special “.onion” sites that are only reachable inside the Tor network.
In plain terms: Tor is like routing your internet traffic through a series of secret detours, so it’s much harder for anyone to trace where it came from.
How Tor Works (Plain‑Language)
Tor stands for The Onion Router, named after its “layers” of encryption:
When you use Tor, your traffic is sent through multiple hops—typically three different Tor servers (nodes).
Each hop only knows where the data came from and where to send it next, but no single hop knows the whole path.
At each step, one layer of encryption is removed (like peeling an onion), so no individual node sees both your identity and your final destination at the same time.
The result:
Websites see the IP address of the last Tor node (the “exit node”), not your real IP.
People watching your local network (for example, on public Wi‑Fi) can see that you’re using Tor, but not what websites you visit through it.
Tor, the Dark Web, and .onion Sites
Tor is closely associated with the Dark Web, but they’re not the same thing:
Tor Browser can reach normal websites (surface web), but through the Tor network.
It can also reach special “.onion” addresses, which are hidden services only accessible via Tor.
Many Dark Web sites are these .onion sites; some are used for legitimate purposes (privacy, activism), others for illegal markets and criminal activity.
So:
Tor is a tool and network that provides anonymity.
The Dark Web is a part of the internet that often uses Tor and .onion addresses to stay hidden.
Legitimate Uses of Tor
Tor has many legal and constructive uses, especially around privacy and freedom of information, such as:
Journalists and whistleblowers sharing information securely.
Activists and citizens in restrictive countries bypassing censorship or state surveillance.
Privacy‑conscious users who don’t want their browsing easily tracked by ISPs, advertisers, or local networks.
Security researchers safely investigating malicious sites or threats.
Risks and Misuse
Because Tor makes tracing harder, it is also used for less legitimate purposes:
Criminal marketplaces (for drugs, weapons, stolen data, hacking tools).
Extortion and leak sites (for example, ransomware groups publishing stolen data).
Fraud and scams that target other Tor users or hide operators’ identities.
Other risks to keep in mind:
Malware and scams still exist on Tor just like the rest of the internet (and sometimes more concentrated).
The exit node can see unencrypted traffic going out to plain‑HTTP sites (not HTTPS), so sensitive information should still be protected end‑to‑end.
Law enforcement agencies monitor known criminal parts of the Tor ecosystem; criminal activity carried out over Tor can still be traced and remains illegal.
Security and Privacy Considerations
Using Tor provides anonymity benefits, but:
It doesn’t hide everything—sites you log into (for example, with your real name) can still identify you by the account you use.
Browser fingerprinting, cookies, and plugins can reduce anonymity if you ignore best practices.
Downloading files and opening them outside Tor (for example, in a standard PDF viewer) can leak your real IP.
Tor works best when:
You use the Tor Browser as provided, with its default privacy settings.
You avoid installing extra plugins or changing settings that weaken its protections.
You avoid logging into accounts that tie activity directly to your real‑world identity when you care about anonymity.
Business Relevance
For organizations, Tor matters because:
Employees or insiders might use Tor to exfiltrate data, reach banned sites, or hide malicious activity.
Attackers often host command‑and‑control servers or leak sites on .onion services to make take‑down and tracking harder.
Access to your websites or APIs via Tor may be part of attacks (for example, credential stuffing or scraping).
Typical controls and responses:
Monitoring and, where appropriate, limiting or flagging Tor usage from corporate networks.
Being aware of Tor‑hosted leak sites where stolen data might appear after a breach.
Including Tor and Dark Web considerations in threat‑intelligence and incident‑response plans.
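The monitoring and flagging controls above, as an added example (not code from the original page): it checks web access-log client IPs against a list of Tor exit addresses and flags exits with repeated failed logins, the credential-stuffing pattern mentioned earlier. The exit list (one IP per line, the form of the Tor Project's published bulk exit list), the log lines, the `/login` path, and the threshold of 3 are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed exit list, one address per line (RFC 5737 documentation ranges).
EXIT_LIST = """\
192.0.2.10
198.51.100.23
203.0.113.77
"""

# Constructed web access-log lines; the last line is deliberately malformed.
ACCESS_LOG = """\
192.0.2.10 - - [12/Mar/2025:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [12/Mar/2025:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.10 - - [12/Mar/2025:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [12/Mar/2025:10:01:10 +0000] "GET /pricing HTTP/1.1" 200 4096
203.0.113.5 - - [12/Mar/2025:10:02:00 +0000] "POST /login HTTP/1.1" 200 830
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_ip(text):
    """Return an ip_address object, or None if text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def load_exit_nodes(text):
    """Parse the list into a set of addresses, skipping blanks and junk."""
    return {ip for ip in map(parse_ip, text.splitlines()) if ip is not None}

def flag_tor_requests(log_text, exit_nodes, login_path="/login", threshold=3):
    """Count requests per Tor exit IP and list exits with repeated failed logins."""
    hits, failed = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        ip = parse_ip(m.group(1)) if m else None
        if ip is None or ip not in exit_nodes:
            continue  # unparseable line, or client is not a listed exit
        hits[str(ip)] += 1
        method, path, status = m.group(2), m.group(3), m.group(4)
        if method == "POST" and path == login_path and status in ("401", "403"):
            failed[str(ip)] += 1
    suspects = sorted(ip for ip, n in failed.items() if n >= threshold)
    return dict(hits), suspects

if __name__ == "__main__":
    print(flag_tor_requests(ACCESS_LOG, load_exit_nodes(EXIT_LIST)))
```

A match only shows that the request came from a listed exit address, and exit lists change, so refresh the list regularly.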