The dark web is infamous as a dangerous place, where drugs are bought and hitmen hired, but it can be a safe way to browse the internet if your privacy is a serious concern. And thanks to the Tor Browser, it’s easy to do.
Indeed, Facebook, The New York Times and now even the CIA have sites on the dark web, hosting “onion” versions of their pages that can be accessed via the Tor browser. The spy agency is hoping to securely and anonymously collect tips, though its entire website, including job listings, is available on the onion service.
Tor refers to “the onion router”, which is a network that bounces your traffic through random nodes, wrapping it in encryption each time, making it difficult to track; it’s managed and accessed via the Tor browser. That may seem an extreme way to browse the web, but such protections are increasingly worth considering, says Sarah Jamie Lewis, executive director of the Open Privacy Research Society. “Web browsing is hostile to privacy and security,” she says. “It has one of the worst security risk profiles – [such as] ‘allow arbitrary third parties to run code on my computer’ – coupled with protocols that were never designed to protect metadata. Tor Browser is the least-worst option for protecting your privacy in a web browsing context, in its highest security mode.”
What is the dark web?
When people go on about the so-called dark web, they’re usually talking about onion sites, which aren’t searchable via Google or accessible via standard browsers. On the regular web, domains such as www.wired.co.uk are translated into their actual IP addresses via the domain name system (DNS).
That central control allows for censorship, as by interrupting that lookup a site can effectively be banned from the web — this is why Turkish protesters were spraypainting IP addresses on walls in 2014, to tell others how to access Google directly without going via a DNS server.
“The whole point of onion addresses – ‘the dark web’, ‘the silk road’ — is that they throw all this stuff away, and with it they dispose of the opportunities for censorship,” says Alec Muffett, a security engineer who’s on the board at the Open Rights Group and has built onion sites for Facebook and The New York Times. “The Tor network is another network which sits on top of the TCP/IP internet, stitching the participating computers together into a wholly new network ‘space’, not IPv4, not IPv6, but ‘Onion Space’.”
If you use the Tor browser to access a standard website, it offers protection and anonymity to users — they pop into the Tor cloud, that “onion space”, and pop back out virtually elsewhere, with their identity and location obscured. But using onion sites via Tor adds to the protection. “If the site invests in setting up a ‘native’ Tor onion-address for their website, then people who use the Tor browser to access that address never step outside the protection of the Tor cloud,” Muffett says.
“This is like the same promise as end-to-end-encrypted messaging, but for web browsing and other forms of communication, but unlike WhatsApp or Signal where it’s definitely your best friend or lover at the other end of the connection, instead it’s your [maybe] favourite website… one that perhaps your peers and/or the Government does not want you to be accessing.”
And that’s why organisations such as the CIA, the New York Times and Facebook have onion versions. “Onion sites are considered to be about anonymity, but really they offer two more features: enforced discretion (your employer or ISP cannot see what you are browsing, not even what site, and you have to be using Tor in the first place to get there) and trust,” Muffett explains. “If you access ‘facebookcorewwwi.onion’ you are definitely connected to Facebook, because of the nature of Onion addressing — no DNS or Certificate Authority censorship mechanisms are applicable.”
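Why an onion address needs no DNS or certificate authority, shown as an added example (not code from the article, Muffett or the Tor Project): the name itself is derived from the service's public key, so the client knows which key to expect before it connects. The function names and the sample key are constructed for illustration; the 16-character address quoted above is the older v2 form, and the 56-character v3 form is the current one.

```python
import base64
import hashlib

# Constructed 32-byte value standing in for an ed25519 public key.
SAMPLE_KEY = bytes(range(32))

def v3_onion_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte service key as a 56-character v3 onion name."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion keys are 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    label = base64.b32encode(pubkey + checksum + version).decode().lower()
    return label + ".onion"

def pubkey_from_v3_onion(address: str) -> bytes:
    """Recover the service key from a v3 name; raise ValueError if malformed."""
    host = address.strip().lower()
    if not host.endswith(".onion"):
        raise ValueError("not an onion address")
    label = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain
    if len(label) != 56:
        raise ValueError("v3 labels are 56 base32 characters")
    raw = base64.b32decode(label.upper())  # bad characters raise ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        raise ValueError("unsupported onion version")
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    if checksum != expected:
        # The checksum catches typos; authenticity comes from the key itself,
        # which the Tor client uses to verify what the service publishes.
        raise ValueError("checksum mismatch")
    return pubkey

def v2_onion_from_der(der_rsa_pubkey: bytes) -> str:
    """Older 16-character form: base32 of the first 80 bits of SHA-1(key)."""
    digest = hashlib.sha1(der_rsa_pubkey).digest()[:10]
    return base64.b32encode(digest).decode().lower() + ".onion"

if __name__ == "__main__":
    name = v3_onion_from_pubkey(SAMPLE_KEY)
    print(name, pubkey_from_v3_onion(name) == SAMPLE_KEY)
```

A mistyped or look-alike v3 name fails the length, version or checksum test before any connection is attempted.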
Google doesn’t index these sites, but other search engines do, including DuckDuckGo, and there are lists — including one run by Muffett — so you can find what you’re looking for.
What is Tor?
When you use the Tor network, your traffic is layered in encryption and routed via a random relay, where it’s wrapped in another layer of encryption. That’s done three times across a decentralised network of nodes called a circuit — the nodes are run by privacy-focused volunteers; thanks, you lovely people — making it difficult to track you or for sites to see where you’re actually located.
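The layering described above, as an added toy model (not Tor's code and not from the original article): in Tor the client applies all three layers before sending, and each relay removes exactly one, learning only the next hop. The relay names, keys and the SHA-256 keystream cipher are constructed stand-ins for Tor's negotiated per-hop keys and real ciphers, and the model has no integrity protection.

```python
import hashlib
import json

# Constructed circuit: (relay name, key shared between client and that relay).
CIRCUIT = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: build the onion from the innermost layer outwards."""
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    cell = payload
    for (_, key), next_hop in zip(reversed(circuit), reversed(next_hops)):
        layer = json.dumps({"next": next_hop, "data": cell.hex()}).encode()
        cell = keystream_xor(key, layer)
    return cell

def peel(key: bytes, cell: bytes):
    """Relay side: remove one layer, revealing only the next hop."""
    layer = json.loads(keystream_xor(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def route(circuit, cell: bytes):
    """Pass a cell along the circuit and record what each relay can see."""
    seen = []
    for name, key in circuit:
        next_hop, cell = peel(key, cell)
        seen.append((name, next_hop, cell))
    return seen

if __name__ == "__main__":
    onion = wrap(CIRCUIT, "example.org:443", b"GET / HTTP/1.1")
    for name, next_hop, inner in route(CIRCUIT, onion):
        print(f"{name:6} forwards to {next_hop:16} inner bytes: {inner[:12]!r}")
```

Only the guard sees who sent the cell and only the exit sees the destination and payload; no single relay sees both.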
Alongside bouncing encrypted traffic through random nodes, the Tor browser deletes your browsing history and cleans up cookies after each session. But it has other clever tricks to push back against trackers. If someone visits two different sites that use the same tracking system, they’d normally be followed across both. The Tor browser spots such surveillance and opens each site via a different circuit, making the connections look like two different people, so the websites can’t link the activity or identity if the user logs in on one of the sites.
How to download and use Tor
It’s almost embarrassingly easy thanks to the Tor Browser. Based on Mozilla’s Firefox, this browser hides all that pinging about in the background. “It’s a web browser. Use it like one. It’s that simple,” says Muffett. That’s the desktop edition, but there’s a version for Android and an unsupported onion browsing app for iOS.
While some can simply install and use the Tor browser like any other, there are a few complications for those in countries where Tor is blocked, on corporate or university networks where it’s banned, or where more security is needed. When you start a session, you’ll be shown an option to Connect or Configure. The latter choice is for when access to the Tor network is blocked, and you’ll be shown a variety of circumvention techniques. Those include traffic obfuscation tools called pluggable transports, which make it look like Tor traffic is random or going to major websites such as Amazon, rather than connecting to the onion network. If you’re having trouble connecting to the Tor network, try one of these.
There are different levels of security in the browser that are worth considering. To review security settings, click on the onion logo in the top left and select “Security Settings”, which will bring up a slider offering a choice of the default of standard, or safer and safest. In “safer” mode, JavaScript is disabled on HTTP sites, some fonts are disabled, and audio and video won’t run automatically; you’ll have to click to play. Slide up to the “safest” level, and as well as those settings, JavaScript is disabled on all sites.
Once you’ve downloaded and installed the Tor browser, you can browse just as you would your usual browser, but Muffett offers a caveat to avoid unencrypted sites — those with only “http” in the URL rather than “HTTPS”. He notes: “This is because plain old HTTP traffic can be tampered with.” Handily, the Tor Browser comes with the HTTPS Everywhere add-on installed by default, which forces a site to serve the secure version if one is available.
How to access the dark web using Tor
Using the Tor browser is simple, but knowing when to fire it up is more complicated. You could do all your browsing with Tor, though it’s slower than a standard browser, something the Tor Project is working hard to improve, says Stephanie Whited, communications director for the Tor Project. Another challenge is CAPTCHAs; because Tor behaves differently than other browsers, it’s more likely to trigger the bot-hunting system, so be prepared to face more of them than usual.
Whited’s rule of thumb is to use the Tor Browser instead of Private Browsing Mode or Incognito Mode. “Contrary to what most people think, these modes do not actually protect your privacy,” she says. “They do not curtail the collection of your online activity by your ISP, advertisers, and trackers. They don’t prevent someone monitoring your network from seeing what websites you’re visiting. Tor Browser does.”
With any security and privacy issue, it’s about your threat model, which is simply what attacks or invasions you’re actually worried about. “When you want to visit a site and for nobody in-between you and the site to know that you are visiting it,” says Muffett, about when to use the Tor Browser. “Sure, most people think ‘porn’ when someone says that, but it also applies to getting some privacy when you want not to be immediately traceable: sexual health, birth control questions, foreign news, personal identity questions.”
But there’s more to Tor than being nearly anonymous online. “The big win of Tor for me is access — with a sprinkling of anonymity, to be sure — but that I can be stuck behind some hotel firewall, in some airport or restaurant lounge, or in a sketchy cafe in a sketchy country,” Muffett says. “And if I use Tor then I have a good degree of certainty that at least the local weirdos are not looking over my digital shoulder at what I am browsing — and that when I kill my browser (unless I’ve bookmarked something, or saved a file) then all the data is properly cleaned-up and wiped.”
VPNs are often recommended as protection in such cases, but Whited disagrees. “VPNs can be a security bottleneck,” she says. “All of your traffic goes through it, and you have to trust them as if they are your new ISP. Because the backbone of our software is a decentralised network, you don’t have to trust us to browse the internet privately.”
Tor isn’t perfect
There’s no such thing as perfectly private or secure on the internet. It’s still possible to track someone’s traffic pinging through the Tor nodes, though it is difficult.
And, of course, people, websites and third-party trackers will know who you are if you choose to identify yourself online. “People can accidentally give that away just by posting their real name, email address, or other identifying details, in a blog comment,” notes Muffett. If you do log into a site or otherwise identify yourself, the Tor Browser has techniques to limit the spread of who knows. One is “new identity”; select this in the main menu and all open tabs and windows will shut down, clearing cookies, history and Tor circuits. That means that if you’ve logged into a site or otherwise identified yourself, you can stop that site from following you elsewhere. Another similar tool is the “new Tor circuit” option, which resets the circuit so you look like a new connection, making you harder to track.
There are other ways for spies, hackers or other adversaries to target Tor. Lewis points to the “first contact problem”, when an attacker spots when someone moves from non-private tools to private ones, noting it’s been used to identify whistleblowers. “There are a myriad of other attacks ranging from academic to within the realm of possibility for nation states or large conglomerates, but it is worth remembering that these are attacks which reduce the privacy back down to regular web browsing, and many have to be explicitly (and somewhat expensively) targeted — the more people who use these tools, the greater the cost of surveillance.”
In short, even with Tor, there’s no perfect anonymity online, but there are efforts to claw back our power online, says Lewis. “Understand that the web as we know it today is privacy-hostile and that nothing is foolproof, do research, support organisations and projects — like Tor Project, i2p, and Open Privacy — that are building and maintaining tools that make enforcing your consent easier.”