Tor Frequently Asked Questions

  1. What are onions?

    1. What is all the "v2" and "v3" talk?

    2. Why can't I access X onion service?

  2. What does "deep web"/"dark web" mean?

  3. How do I use Raddle with Tor?

  4. What's all the fuss about JavaScript?

  5. How do I use Tor on my mobile device?

  6. What are bridges, and do I need one?

  7. Should I use a VPN with Tor?

  8. Are proxy sites like Tor2web safe?

  9. Should I use sites like Facebook and Gmail from Tor?

  10. How can I pick what country I want to exit from?

What are onions?

Onion services are services like websites. The big difference is that they all end with .onion and are only accessible through the Tor network by using application like Tor Browser. Despite some of the horror stories and creepy pastas you may have read on the internet, there is nothing inherently "scary" or "dangerous" about onion services. The vast majority of onion services are websites like blogs, mirrors to major sites, etc. meant to allow users to circumvent things like State censorship like the "Great Firewall" of China.

What is all the "v2" and "v3" talk?

As the Tor network has developed over the years, so have the way that onion addresses are generated. v2 and v3 are simply versions of these addresses. The way to tell the difference between the two is the number of characters in the address - v2 addresses were 16 characters, and v3 addresses are 56 characters, and all end with a "d".

As of July 2021, v2 addresses are no longer supported, and can no longer be accessed.

Why can't I access X onion service?

The brutal truth is that a lot of onion services are run by amateurs who aren't very well-versed in maintaining a website or a webserver. As such, the availability of many onions will be unreliable.

Make sure that you have entered the 56-character onion address correctly. If you are sure that you have the correct address entered and still cannot connect to the onion service, you can check whether you're able to access other onion services by connecting to DuckDuckGo's onion service or by visiting https://check.torproject.org.

What does "deep web"/"dark web" mean?

Depends who you ask. The terms are so often conflated and misused that they've essentially lost any meaningful context over the years. There is no solid technical definition of either term. However, "deep web" most often just sites which are not reachable by standard search engines, including web content that sits behind a login page, or content requires the user to be on a particular network to access, like a VPN. Your email inbox is "the deep web". Pretty boring, right?

The term "dark web" is more often meant to refer to content that requires a specific software to access - by using overlay networks like Tor for onion services or like I2P for eepsites. The term itself tends to paint a mental picture of these sites being "spooky" or illegal, but as stated above, the vast majority of this content is pretty benign and even boring.

A great depiction of the lack of meaning is shown in this Reddit post: Why the "deep" or "dark" web as popularly depicted doesn't exist, as explained in a few short slides. Let's stop using these imprecise terms to describe Tor onion services, thereby perpetuating their undeserved reputation. (slides from Dr. Paul Syverson)

How do I use Raddle with Tor?

Raddle has an onion address! Simply paste this into your address bar in Tor Browser, and you're set to go:

http://c32zjeghcp5tj3kb72pltz56piei66drc63vkhn5yixiyk4cmerrjtid.onion/

What's all the fuss about JavaScript?

JavaScript (not to be confused with Java) is a scripting language used by many websites that has the potential to be used to de-anonymize you. Many people on the internet like to throw out blanket recommendations that users disable JavaScript completely and/or set Tor Browser to its highest security setting without taking an individual's adversary model into account. Matt Traudt, a privacy and security expert who performed research and development on Tor until 2020, says the following:

This is unnecessary for the majority of adversary models and will make the web significantly less usable.

The only people who have had significant JavaScript exploits used against them in Tor Browser were pedophiles using Windows. This suggests to me (and security experts in general, AKA not people that read "tech news" and parrot everything they read) that these exploits are rare, expensive, and hard to replace. Thus they aren't going to be used against random people because the risk of the exploit being discovered and fixed is too great.

Setting the security slider to its highest setting does remove JavaScript as a possible attack vector. So as long as you set it there consciously, are aware much of the web may break, I support your choice to disable it. I especially support it if you have legitimate concerns that JavaScript exploits may be used against you, not just dumb paranoia.

TL;DR: Whether or not to disabling JavaScript is the "correct" thing to do is up to you and your personal threat/adversary model. Just be aware that a lot of the internet will be unusable if you do so. You could also consider using NoScript to control JavaScript on individual webpages.

If you are still concerned about JavaScript de-anonymization, consider utilizing Whonix. If the browser gets exploited and an attacker somehow manages to obtain root access in the VM, they still can't get your real IP address.

How do I use Tor on my mobile device?

See this section of the Tor Basics wiki page.

What are bridges, and do I need one?

Tor bridges are specially configured entry points that were created for when a country or ISP decides to block access to all public Tor entry points. Using a bridge does not increase your personal security or anonymity.

If you require a bridge to access Tor, you can request some through the Tor project's website, or by sending an email (from a Gmail or Riseup email address) to [email protected] with the line "get bridges" by itself in the body of the email.

Should I use a VPN with Tor?

Generally, no. The Tails FAQ wiki has further explanation.

Are proxy sites like Tor2web safe?

Sites such as Tor2web allow users to access onion sites without using Tor itself, while still protecting publishers. While this may seem handy, it is generally not advised to use these sites. The operators of these sites can know what sites you accessed, what your IP address is, etc. If one of these sites were compelled by law enforcement to hand over your information, your activity could easily be monitored.

You should have no expectation of anonymity when using these services. As Tor2web's site officially states:

WARNING: Tor2web only protects publishers, not readers. As a reader installing Tor Browser will give you much greater anonymity, confidentiality, and authentication than using Tor2web. Using Tor2web trades off security for convenience and usability.

Should I use sites like Facebook and Gmail from Tor?

Since both of these services make use of TLS (HTTPS) the Tor exit node will not be able to see the information that you are viewing. However if you are concerned about Google or Facebook knowing that you use Tor, you could connect to Tor before a VPN/proxy, provided you paid for the VPN service anonymously and only connect to it over Tor, note that there are risks to doing this, and it gives you a permanent exit node, which aids the VPN/proxy in profiling you.

In October 2014, Facebook announced that users could connect through a Tor hidden service using the Tor browser. This provides better privacy for people in countries like China where Facebook is banned but using also means that you are volunteering to tell Facebook that you use Tor.

How can I pick what country I want to exit from?

This is generally NOT recommended. One of the main benefits of using Tor is that it helps you blend in with all other Tor users. Restricting the possibilities of exit nodes accomplishes the opposite, and makes it easier for an adversary to "fingerprint" or uniquely identify you and monitor your traffic.

See also: ExitNodes, ExcludeNodes and GeoIP. The basics boil down to:

  • IPs aren't tied to a location.
  • Reducing circuit paths harms your anonymity and makes you easier to fingerprint
  • If you have reason to believe a node is behaving badly, report it to protect ALL Tor users, rather than just excluding them to protect yourself. If you don't have good reason to believe it, you're more than likely acting out of baseless paranoia.

With all that said, if you insist upon doing this:

  1. Open your torrc file using a text editor

  2. Add the following to the bottom of the file:

    ExitNodes {us},{ie} StrictNodes 1

The above would allow you to only use exit nodes in the US and Ireland. You can find a list of country codes used by Tor on this website.