How Tor Actually Works
Tor creates anonymity through a clever system called onion routing. Your internet traffic passes through multiple computers before reaching its destination, with each computer only knowing the previous and next step. This structure makes it extremely difficult to trace your activity back to you. Understanding how this works helps you use Tor more effectively and recognize its limitations.
The Basic Concept
When you browse normally, your computer connects directly to websites. Your internet service provider sees every site you visit. The websites see your IP address and location. This direct connection exposes your activity to multiple observers.
Tor inserts layers of encryption and multiple relay computers between you and the destination. Think of it like sending a letter inside multiple envelopes, each addressed to a different person. Each person opens one envelope, sees instructions for the next person, and passes it along. Nobody except you knows the final destination until the last envelope is opened.
This is onion routing - layers of encryption like layers of an onion. Each relay peels off one layer but can't see through the remaining layers. Your connection bounces through at least three relays before reaching the destination.
The Three Types of Nodes
Entry Guards
The entry guard (also called a guard node) is your first connection to the Tor network. Your computer connects directly to this node, so the guard knows your real IP address. However, it doesn't know what you're doing or where you're going because everything is encrypted.
Tor Browser uses the same entry guards for several months. This consistency prevents certain attacks. If you used random entry nodes each time, an attacker running many nodes would eventually become your entry and exit node simultaneously, compromising your anonymity.
Anyone can volunteer to run an entry guard. The Tor network has thousands of these nodes. Your Tor Browser automatically selects guards from this pool based on bandwidth, reliability, and security properties.
Middle Relays
The middle relay sits between your entry and exit nodes. It knows the previous node (your entry guard) and the next node (your exit node) but nothing else. It can't see your IP address, your destination, or your actual traffic because everything remains encrypted.
Middle relays provide the crucial separation between your real identity and your destination. They make correlation attacks much harder by adding another layer that an adversary must compromise.
These relays handle the bulk of Tor's traffic capacity. Running a middle relay is safer than running an exit node because middle relays never connect directly to destination websites.
Exit Nodes
The exit node makes the final connection to your destination website. It removes the last layer of encryption and sends your request to the actual server. The website sees the exit node's IP address, not yours.
Exit nodes can see unencrypted traffic. If you visit a site without HTTPS, the exit operator can see everything - passwords, messages, personal information. This is why using HTTPS is critical even on Tor.
Running exit nodes carries more risk because the exit node's IP address appears to be making requests. Abuse complaints go to exit operators. Many people run middle relays but few run exit nodes due to this exposure.
Key Point: Your entry guard knows who you are but not what you're doing. Your exit node knows what you're doing but not who you are. Middle relays know neither. This separation creates anonymity.
Building a Circuit
Circuit Creation
When you start Tor Browser, it builds a circuit (a path through the network) before you can browse. The browser randomly selects three nodes from the available pool: one entry, one middle, one exit.
The selection isn't completely random. Tor prioritizes faster nodes to improve performance. It avoids putting nodes in the same country in your circuit. It ensures your entry and exit nodes aren't operated by the same organization.
Circuit creation happens through a series of encrypted handshakes. Your computer establishes an encrypted connection to the entry guard, then through that encrypted connection establishes another encrypted connection to the middle relay, then another to the exit node. This creates three layers of encryption.
Encryption Layers
Think of your data like a package wrapped in three boxes. Each relay has the key to one box. Your entry guard removes the outer box and sees instructions to send the remaining boxes to the middle relay. The middle relay removes the next box and forwards to the exit node. The exit node removes the final box and sees your actual request.
Each relay only decrypts enough to know where to send the package next. Nobody except you and the exit node can see the actual data being transmitted. The entry and middle relays just see an encrypted blob passing through.
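The three-box picture above as runnable code. This is an added illustration, not Tor's implementation and not code from the original article: a SHA-256 keystream stands in for the per-hop stream cipher, and the relay names, keys, 16-byte next-hop field and request are all constructed for the demo.

```python
import hashlib

HOP_LEN = 16  # fixed-width "next hop" field (assumed format, not Tor's cell layout)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks.
    Encrypting and decrypting are the same operation; each key is used once here."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(route, keys, dest, request):
    """Client side: build the onion from the inside out (exit layer first)."""
    next_hops = route[1:] + [dest]          # what each relay is told to forward to
    onion = request
    for hop_key, nxt in zip(reversed(keys), reversed(next_hops)):
        label = nxt.encode().ljust(HOP_LEN, b"\0")
        onion = keystream_xor(hop_key, label + onion)
    return onion

def peel(key, onion):
    """Relay side: remove exactly one layer, return (next_hop, remaining_onion)."""
    plain = keystream_xor(key, onion)
    return plain[:HOP_LEN].rstrip(b"\0").decode(), plain[HOP_LEN:]

def trace_circuit():
    """Walk one request through guard, middle and exit; record what each can see."""
    route = ["guard", "middle", "exit"]
    keys = [hashlib.sha256(b"constructed key " + r.encode()).digest() for r in route]
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    onion = wrap(route, keys, "example.com:80", request)
    views = []
    for relay, key in zip(route, keys):
        nxt, onion = peel(key, onion)
        # third field: is the plaintext request readable after this relay's layer is gone?
        views.append((relay, nxt, request in onion))
    return views

if __name__ == "__main__":
    for relay, nxt, sees_request in trace_circuit():
        print(f"{relay:6} forwards to {nxt:15} can read request: {sees_request}")
```

Only the exit recovers the plaintext request, which is why a site without HTTPS exposes its content at that hop. In this toy the onion also shrinks by 16 bytes per hop, a length leak that a fixed-size cell format avoids.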
Circuit Lifetime
Circuits aren't permanent. Tor Browser creates new circuits every ten minutes. This prevents long-term tracking through timing analysis. Different websites get different circuits, preventing one site from knowing you visited another.
You can manually request a new circuit by clicking the onion icon and selecting "New Circuit for this Site." This changes your exit node and makes it appear you're connecting from a different location.
How Hidden Services Work
The Challenge
Regular websites have public IP addresses. You can look up example.com and find its server. But .onion sites need to hide their server location while still being reachable. Tor solves this with rendezvous points.
The Solution
A hidden service operator creates a website and generates cryptographic keys. The .onion address comes from these keys - it's not registered anywhere, just mathematically derived from the public key.
The hidden service builds circuits to several introduction points - regular Tor relays that agree to introduce clients to the service. The service publishes its introduction points to a distributed hash table on the Tor network.
When you want to visit the .onion site, your Tor Browser looks up the introduction points in the hash table. Your browser builds a circuit to one introduction point and asks it to introduce you to the hidden service.
Both you and the hidden service then build circuits to a randomly selected rendezvous point. The rendezvous point connects your circuits together without knowing either party's identity. All communication happens through this rendezvous point, with both sides staying anonymous.
Why This Works
Neither you nor the hidden service knows the other's real location. The introduction points only know the service, not clients. The rendezvous point connects two encrypted circuits but can't see the data or identify either party. Multiple layers of encryption and indirection protect both sides.
Fascinating Detail: When you visit an .onion site, your traffic goes through six relays total - three from you to the rendezvous point, and three from the hidden service to the rendezvous point. This makes .onion sites slower but more anonymous.
What Tor Hides
Your IP Address
Websites see your exit node's IP address, not yours. Your ISP sees you're using Tor but not which websites you visit. This protects your physical location and makes tracking difficult.
Your Browsing Patterns
Different sites see different exit nodes. They can't easily determine that the same person visited both sites. Tracking cookies and other fingerprinting methods still work, but Tor Browser includes protections against these.
Metadata Protection
Tor hides who is communicating with whom. Even if someone monitors both ends of a connection, linking the two sides requires sophisticated traffic analysis across multiple nodes.
What Tor Doesn't Hide
Unencrypted Content
Exit nodes see anything you send without HTTPS encryption. Use HTTPS for all sensitive communications. Tor Browser tries to upgrade connections to HTTPS automatically but can't force it if the site doesn't support it.
Behavioral Patterns
If you log into personal accounts or reveal identifying information, Tor can't protect you from yourself. The technology provides anonymity, but maintaining it requires careful behavior.
Traffic Confirmation
An adversary who can monitor both your internet connection and the destination website might correlate traffic timing and volume. This requires massive surveillance capabilities but is theoretically possible.
Network Architecture
Distributed Structure
Tor has no central servers. About 6,000-7,000 relays run by volunteers worldwide make up the network. Anyone can run a relay. This decentralization makes Tor resistant to shutdown or control by any single entity.
Directory authorities are the exception - about ten trusted servers that keep track of all relays. They maintain the consensus about which relays exist and their properties. These authorities are run by respected members of the Tor community and use consensus voting to prevent individual compromise.
Bandwidth Distribution
Not all relays are equal. Some volunteers run relays on fast servers with high bandwidth. Others run relays on home connections. Tor prioritizes faster relays when building circuits to improve performance.
The network handles billions of connections daily. Performance depends on available bandwidth. During high-usage periods, speeds slow down. This is normal for a volunteer network.
Attacks and Defenses
Traffic Analysis
Sophisticated attackers monitor traffic entering and leaving the Tor network, looking for patterns that correlate. If the same amount of data leaves your house and arrives at a website with matching timing, an observer watching both points might infer a connection.
Tor defends against this by using circuits through multiple countries. An attacker needs surveillance capabilities across many jurisdictions. Tor also uses padding and timing adjustments to make correlation harder.
Malicious Nodes
Attackers could run many Tor nodes hoping to control your entire circuit. If they operate your entry and exit nodes simultaneously, they could correlate traffic and compromise anonymity.
Tor defends against this by using persistent entry guards. You connect through the same entry guards for months. An attacker must compromise those specific guards, not just run lots of nodes hoping for random selection.
Exit Node Sniffing
Malicious exit operators can monitor unencrypted traffic. Some have been caught doing exactly this. Tor can't prevent this - it's why HTTPS is crucial even on Tor.
The Tor community maintains a bad exit list. Exits caught misbehaving get flagged and removed from the network. This reactive approach isn't perfect but reduces the threat.
Timing Attacks
Measuring when data enters and exits Tor circuits can reveal correlations. These attacks require significant resources and sophisticated analysis but are possible for well-funded adversaries.
Tor mitigates timing attacks through various techniques but can't eliminate them completely. Against nation-state adversaries with global surveillance, Tor provides strong but not absolute protection.
Performance Considerations
Why Tor Is Slow
Your traffic travels through at least three computers instead of going directly to the destination. Each hop adds latency. Tor relays are run by volunteers, not commercial data centers, so bandwidth varies.
Encryption and decryption at each relay require processing time. The network prioritizes security over speed. This is an intentional trade-off - faster would mean less security.
Improving Speed
Tor Browser automatically selects faster relays when possible. You can't manually choose relays, as this would reduce security. The best way to improve Tor speed is to help by running your own fast relay.
Some activities work better on Tor than others. Browsing text-heavy websites works reasonably well. Streaming video is slow and not recommended. Large downloads take much longer than on the regular internet.
Trust and Security Model
Distributed Trust
Tor doesn't require trusting any single party. As long as at least one relay in your circuit is honest, your anonymity survives. The distributed nature makes compromise difficult.
However, you must trust the Tor developers who write the software. Open source code allows independent security audits. The Tor Project has a good security track record, but no software is perfect.
Limitations
Tor was designed to resist surveillance by single organizations. Against global adversaries with unlimited resources who can monitor large portions of internet traffic, Tor provides reduced but not zero protection.
Most users don't face nation-state adversaries. For protecting against commercial tracking, ISP surveillance, and most law enforcement, Tor provides strong protection when used correctly.
The Mathematics Behind It
Cryptographic Keys
Tor uses public key cryptography. Each relay has a key pair. The public key is, well, public. The private key stays secret. Data encrypted with the public key can only be decrypted with the matching private key.
When building a circuit, your Tor Browser uses each relay's public key to encrypt data that only that relay can decrypt. This creates the layers of encryption that protect your traffic.
Perfect Forward Secrecy
Tor creates new temporary encryption keys for each session. If an attacker records all your encrypted Tor traffic and later steals a relay's long-term private keys, they still can't decrypt that old traffic because the session keys were discarded.
Why This Design Works
Tor's architecture addresses specific threats. It protects against traffic analysis by distributing trust across multiple independent parties. It defends against various attacks through cryptographic techniques and network topology rules.
The system isn't perfect. Determined adversaries with massive resources can sometimes compromise Tor users through sophisticated attacks. But for most threat models - avoiding tracking, protecting privacy, circumventing censorship - Tor provides excellent protection.
Understanding these technical details helps you use Tor effectively. You know why using HTTPS matters. You understand why Tor is slow. You recognize what Tor protects and what it doesn't. This knowledge makes you a safer, more effective Tor user.
Ongoing Development
The Tor Project continuously improves the network. New features get added, vulnerabilities get patched, and performance improves. The network evolves to counter new threats and surveillance techniques.
Recent developments include better mobile support, improved censorship resistance through pluggable transports, and faster onion service connections. The underlying onion routing concept remains, but implementation details constantly improve.
Contributing to Tor
Running a relay helps everyone. More relays mean better performance and stronger anonymity. Middle relays are safe to run and help significantly. Exit relays need more consideration due to legal exposure but are valuable.
Even if you can't run a relay, using Tor helps. More users create more traffic, making it harder to analyze. By using Tor for legitimate purposes, you provide cover traffic for people who need anonymity for critical reasons.