Indefatigable techie. I'll work on real-world problems until I find the solution.
For the last three years, if you've been paying attention to all of the talks about encryption and internet security you'll probably have heard of Tor. And if you have you'll have heard lots of jargon like "anonymity network" and "Onion Routing" and we agree that can be very confusing. But we're going to try and bring some clarity to Tor. In this article, I'm going to explain what Tor is and a little bit about how it works. We've taken a few liberties in our explanation of how Tor works to simplify it, but it will give you the basic idea and help you use Tor more effectively.
Tor: The Onion Router
"Tor" stands for The Onion Router. That's why the icon for Tor is an onion, and it's not a random name. There's a reason Tor uses an onion metaphor which I will explain soon. The problem Tor was built to address is this: When you use the Internet everything you do gives away your IP address. Your IP address is just a sequence of digits. Every device that connects to the Internet is given an IP address. They are how the devices that make up the Internet communicate with each other. When you browse a website your computer is sending a stream of data to that website's IP address and including with each packet of data your own IP address so that the website can send data back to your computer which can then be displayed on your browser screen as a web page. Because of the way the internet is set up, your IP address can be used to determine your location and to identify you and tie everything you do on the Internet to you personally. And that's bad news if you're a journalist documenting abuses in powerful organizations, an activist or dissident in a repressive surveillance state, a whistleblower or journalistic source, or just someone who cares about privacy. And that's why Tor exists.
How Tor works?
Tor hides your real IP address and gives you a different one so that it appears that you're somewhere else entirely, maybe even in a different country. Tor is not just a piece of software that runs on your computer. Tor is also a network of thousands of computers all running the same software connected to each other and creating the Tor network. Many of these computers are Tor nodes: run by volunteers, they serve as relays for information sent over the Tor network. When you run the Tor software it first downloads a list of all of the nodes on the Tor network. It then chooses a path or circuit through the Tor network involving several of these nodes. Using what's called "public key cryptography" Tor is able to choose any node on the Tor network and then encrypt data so that only that node can decrypt and read it. No other node can decrypt something that's been encrypted to a specific node. When you then use the internet for instance when you type in a web address Tor takes each packet of data and encrypts it to each of the nodes in your Tor circuit. It's basically encrypting the data to one node and then encrypting the encrypted data again to a second node and over again. In this way, it wraps your data up in layer after layer of encryption, like a kind of onion! And that's where the term "Onion Router" comes from! The data is then sent and it travels across the internet but instead of going directly to the website you want to visit, it first enters the Tor network.
More about the nodes
The first node knows that your data comes from your computer but has no idea about the final destination. That information is hidden beneath unbreakable encryption. This node can only decrypt the first layer of encryption - unwrap the first layer of the onion. When it does so it finds the address of the second node in your circuit and forwards the data packet on to that. The second node knows that the data comes from the first node but has no idea where it came from before that. It also has no idea where the data is ultimately headed. It peels off the next layer of the onion and finds the address of the third node and forwards the data packet on again. The third node knows that the data came from the second node but nothing about the first node or before that it peels off the final layer of the onion and finds the address of the website you're visiting and the data leaves the Tor network as it is forwarded to the website. The website receives the data and knows it came from the third node. The IP address of the request is the address of the third node or "exit node": so-called because that is where the data leaves the Tor network. As far as the website is concerned that's your IP address.
Guaranteed Anonymous Browsing
The real IP address of your computer is hidden and the website can't see where or who you are. And a similar procedure is followed for the return path of the data back to your computer. Throughout the whole procedure, no one node has knowledge of the whole circuit. The only real way to undermine Tor is for an adversary to take control over the whole or a significant part of the Tor network or to analyze all of the traffic entering and leaving the Tor network and try to correlate that traffic. These are technically difficult things to do so for all but the most resourceful adversaries - such as intelligence agencies - Tor offers a strong guarantee of anonymity.
There is one risk that comes from using Tor that you should really know about. Tor nodes are run by volunteers. Anyone can run a Tor node and not everyone is trustworthy. With most nodes this doesn't matter: when your data travels over the Tor network it is wrapped up in encryption and none of the nodes can see your data. But when it leaves the Tor network, at the Tor exit node, the last layer of Tor encryption has been removed this means that potentially, if the person who runs your tor exit node is malicious, they could spy on your data as it leaves. They might see identifying information you sent to the site or if you have to log in, they might be able to steal your login details.
How to stay away from these threats?
To protect yourself against this, only use websites that use what's called HTTPS. This adds another extra layer of encryption so that nobody in between your browser and the website can read any of the data. Many major websites like your bank, Google, Facebook, and many news organizations, use HTTPS. You can tell if a website uses HTTPS when the address of the website in the address bar begins with HTTPS. On most major browsers this is also accompanied by a padlock symbol. With these websites, you can safely login and your login data cannot be stolen. But if a website you visit doesn't have that crucial 'S' - just an 'HTTP' - it's not secure. If you must visit an insecure website while using Tor, remember the possibility of a malicious exit note and don't log in or enter any identifying information.
More about Tor
Tor allows you to run all kinds of programs over the Tor network, such as chat programs or email clients, but that can be a complicated operation which requires lots of configuration and it's easy to get wrong. And if you do get it wrong Tor might not work properly and you could give away who you are without knowing. To make it more simple the developers of Tor have released a program called Tor Browser. This is a browser which is specifically set up to run only over Tor. All of the settings are taken care of and it works out of the box this means that the most likely thing that people want to do: browse the web, they can do over Tor easily and safely. If you live in a country where your ISPs are obliged to retain your browsing history, Tor protects you against this. It also protects you against various other tracking technologies and insecure web technologies such as website cookies or browser fingerprinting.
Be careful though. Using Tor doesn't make you invincible. For instance, Tor Browser only gives you anonymity for browsing that happens within the Tor Browser. If you've Tor Browser open but then use a different browser like Firefox, or if you use a chat app on your computer, the data from those apps will not be sent over the Tor network and you're not protected. Also, there are a bunch of things that Tor won't protect you from. If you log into a website that is in your name, for instance, your Gmail account while using Tor, even though your IP address is different, that activity is still tied to you because the account is in your name. Furthermore in some countries using Tor itself might draw attention to you. You should check whether it is legal to use Tor in your country before you use it, just to make sure that the mere fact of using it won't place you in harm's way. So it's important to think a little about how Tor protects you and how it doesn't. To find out more about this, visit the Tor website at torproject.org and read the documentation before you use Tor. There are plenty of other features and details to Tor, but that's the basic story of how Tor works.