Tor Browser: What It Protects Against and What It Doesn’t
Tor Browser exists to solve a specific problem: unlinking your network identity (IP address) from your browsing activity while also preventing the sites you visit from building a persistent fingerprint of your browser. It does this with three relays that each know only the previous and next hop, combined with standardized browser characteristics shared by all Tor Browser users. No other widely available tool provides the same combination of network anonymity and fingerprint resistance for ordinary browsing. It is also slow, breaks some websites, and is inappropriate for many things people assume it’s good for.
The browser is maintained by the Tor Project and is available for Windows, macOS, Linux, and Android (as Tor Browser for Android; iOS uses Onion Browser, a separately maintained third-party app). The source is open, the project is a 501(c)(3), and the funding comes from US government grants, foundations, and individual donors — a mix that surprises people who expect a shadowy organization and find a non-profit filing public financials.
How Tor Routing Actually Works
When you connect through Tor, your traffic is encrypted in multiple layers (the “onion” metaphor) and routed through three relays selected from the thousands of volunteer-operated Tor relays worldwide:
- Guard node (entry relay). Knows your IP. Does not know the destination.
- Middle relay. Knows the guard node’s IP and the exit relay’s IP. Does not know you or the destination.
- Exit relay. Connects to the destination on your behalf. Knows the destination. Does not know your IP.
The destination site sees the exit relay’s IP address, not yours. The guard node knows your IP but not where you’re going. No single relay has both pieces. This is the anonymity property.
The circuit is rebuilt every 10 minutes. New tab windows in Tor Browser use new circuits, so different tabs (and thus different sites) see different apparent IP addresses.
One critical caveat: the exit relay sees your unencrypted traffic if the destination is not HTTPS. All major sites are HTTPS now, but the exit relay still sees the domain name (via SNI) and can observe traffic patterns such as timing and volume even when the content itself is encrypted. Exit relays are a partial trust point. Malicious exit relays exist; the Tor network monitors for them and they’re removed when detected.
Fingerprint Resistance: The Standardization Approach
Tor Browser is based on Firefox ESR with substantial patches. The privacy modifications include privacy.resistFingerprinting at the engine level, but more importantly, Tor Browser is designed so that all users look identical to fingerprinting techniques:
- Canvas returns a blank or perturbed result
- WebGL is limited
- Fonts are restricted to a standard set
- User agent reports a generic Firefox version
- Screen dimensions are bucketed to standard sizes
- Time zone is forced to UTC
- WebRTC is disabled (no local IP leaks)
The goal is to put every Tor Browser user in a “crowd of identical browsers.” A fingerprinting script cannot distinguish one Tor Browser user from another. This only works if users don’t break out of the standardization — installing plugins, changing window sizes manually, or enabling features that are disabled by default can make you distinguishable even on Tor.
This is why Tor Browser ships with the “Standard” security level as its default and the Tor Project strongly recommends against modifying default settings. The Tor Browser design document explains the fingerprinting model in detail.
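The “crowd of identical browsers” idea can be measured. The block below is an added example written for this article, not Tor Browser code: it takes a constructed population of five Firefox installs, applies a simplified standardization modelled on the list above (generic user agent, window capped at 1000x1000 and rounded down to a 200x100 grid, UTC, fixed font list, no GPU string), and computes anonymity-set sizes and the Shannon entropy of the resulting fingerprints. The population, the attribute set, and the bucketing rules are assumptions for illustration; Tor Browser’s real rules differ in detail.

```javascript
// Added example (not Tor Browser's code): how much a fingerprinting script can
// learn from a few browser attributes, before and after Tor-Browser-style
// standardization. The population, the attribute set and the bucketing rules
// are constructed for illustration; Tor Browser's actual rules differ in detail.

// Constructed population: what five unmodified Firefox installs would report.
const RAW_POPULATION = [
  { userAgent: 'Firefox/124.0 (Windows)', screen: [1920, 1080], timeZone: 'America/New_York', fonts: ['Arial', 'Calibri', 'Segoe UI'], webglRenderer: 'NVIDIA GeForce RTX 3060' },
  { userAgent: 'Firefox/124.0 (macOS)',   screen: [1680, 1050], timeZone: 'Europe/Berlin',    fonts: ['Helvetica', 'Menlo'],           webglRenderer: 'Apple M1' },
  { userAgent: 'Firefox/123.0 (Linux)',   screen: [2560, 1440], timeZone: 'Asia/Tokyo',       fonts: ['DejaVu Sans', 'Noto Sans CJK'], webglRenderer: 'Mesa Intel UHD 620' },
  { userAgent: 'Firefox/124.0 (Windows)', screen: [1366, 768],  timeZone: 'America/New_York', fonts: ['Arial', 'Calibri', 'Segoe UI'], webglRenderer: 'Intel Iris Xe' },
  { userAgent: 'Firefox/124.0 (Windows)', screen: [1920, 1080], timeZone: 'Europe/London',    fonts: ['Arial', 'Calibri', 'Segoe UI'], webglRenderer: 'AMD Radeon RX 6600' },
];

// Assumed standardization, modelled on the list in the text: generic UA string,
// window no larger than 1000x1000 and rounded down to a 200x100 grid
// (letterboxing-style), UTC, a fixed font list, no GPU string exposed.
function standardize(attrs) {
  const w = Math.floor(Math.min(attrs.screen[0], 1000) / 200) * 200;
  const h = Math.floor(Math.min(attrs.screen[1], 1000) / 100) * 100;
  return {
    userAgent: 'Firefox (generic ESR)',
    screen: [w, h],
    timeZone: 'UTC',
    fonts: ['Arial', 'Courier New', 'Times New Roman'],
    webglRenderer: 'generic',
  };
}

// Canonical string for one browser's attributes; equal strings are
// indistinguishable to a script that only sees these attributes.
function fingerprintKey(attrs) {
  return JSON.stringify({
    ua: attrs.userAgent,
    screen: attrs.screen,
    tz: attrs.timeZone,
    fonts: [...attrs.fonts].sort(),
    gpu: attrs.webglRenderer,
  });
}

// Map from fingerprint key to how many members of the population share it.
function anonymitySets(population) {
  const sets = new Map();
  for (const p of population) {
    const k = fingerprintKey(p);
    sets.set(k, (sets.get(k) || 0) + 1);
  }
  return sets;
}

// How many members of the population look exactly like `attrs` (counting
// `attrs` itself if it is a member). 1 means uniquely identifiable.
function anonymitySetSize(attrs, population) {
  return anonymitySets(population).get(fingerprintKey(attrs)) || 0;
}

// Shannon entropy (bits) of the fingerprint distribution: log2(N) when every
// user is unique, 0 when all users are identical.
function entropyBits(population) {
  const n = population.length;
  let h = 0;
  for (const count of anonymitySets(population).values()) {
    const p = count / n;
    h -= p * Math.log2(p);
  }
  return h;
}

// Stand-alone demo: raw population vs the same population standardized.
const STANDARDIZED = RAW_POPULATION.map(standardize);
console.log('raw entropy bits:', entropyBits(RAW_POPULATION).toFixed(3));         // 2.322
console.log('standardized entropy bits:', entropyBits(STANDARDIZED).toFixed(3));  // 0.722
console.log('distinct raw fingerprints:', anonymitySets(RAW_POPULATION).size);
console.log('distinct standardized fingerprints:', anonymitySets(STANDARDIZED).size);
```

Two things are worth noticing in the output. All five raw installs are unique (log2(5) bits of entropy), while after standardization four of them share one fingerprint. The fifth, the 1366x768 laptop, still stands out because its window cannot reach the 1000x1000 bucket; bucketing shrinks the attribute space but does not guarantee every user lands in the largest crowd. The same function also shows why manually resizing the window is a bad idea: a member of the crowd who drags the window to an odd size gets a fingerprint key nobody else has.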
What Tor Protects Against
Network-level observation. An observer on your network (ISP, employer, surveillance infrastructure) can see that you’re connecting to Tor, but cannot see the destination. This is the strongest protection Tor provides and is the reason journalists, dissidents, and people in censored networks use it.
Destination-level identification. The website you visit sees an exit relay IP, not yours. It cannot link the visit to your identity unless you provide identifying information.
Cross-site linkability. Since each new window gets a new Tor circuit, different sites get different apparent IPs. Cross-site tracking via IP correlation is prevented.
Fingerprint-based tracking. The standardized browser profile prevents fingerprinting from identifying you across sessions.
What Tor Does Not Protect Against
Your own behavior. If you log into your email in Tor Browser, the email provider knows who you are. If you buy something with your credit card, the merchant knows. Tor anonymizes the network layer; it doesn’t anonymize the application layer. This is the most common misuse pattern.
Confirmation attacks by a global adversary. If an attacker controls or observes both the entry relay (knowing your IP and the timing of packets entering Tor) and the destination server (knowing the timing of packets arriving), they can correlate the two streams through traffic analysis and de-anonymize you. This requires substantial surveillance infrastructure but is within the capability of nation-state actors. The Tor Project acknowledges this limitation.
Malware. If you download and run malware in Tor Browser, the malware can make direct network connections that bypass Tor, revealing your real IP. Tor Browser can only anonymize traffic that goes through the browser.
Browser exploits. A zero-day in Firefox ESR that’s exploited while you’re browsing on Tor can reveal your IP directly. Tor Browser’s “Safer” and “Safest” security levels disable JavaScript and other risky features to reduce this surface, at the cost of breaking many sites.
Slow speeds and unavailable services. Tor circuits add hundreds of milliseconds of latency. Streaming video is impractical. Some sites block Tor exit relay IP ranges.
Security Levels
Tor Browser has three security levels (Settings → Security):
Standard. All browser features enabled. Maximum site compatibility, least protection against browser exploits.
Safer. Disables JavaScript on non-HTTPS sites. Disables some potentially dangerous features.
Safest. Disables JavaScript everywhere. Disables SVG and MathML. Most secure against active exploits; breaks a large fraction of modern sites.
For casual privacy browsing, Standard is acceptable. For high-risk use (journalists, dissidents, accessing content that could be dangerous if attributed), Safer or Safest with trusted .onion sites reduces the browser-exploit surface substantially.
When to Use Tor Browser
Tor Browser is the right tool for:
- Accessing the web from a surveillance-heavy network context (repressive regimes, active monitoring)
- Research where you genuinely need to prevent the destination from linking the visit to your identity
- Accessing .onion services (only reachable through Tor by design)
- Circumventing censorship at the network level
Tor Browser is overkill or inappropriate for:
- Everyday browsing where speed and site compatibility matter
- Anything where you’ll log in to your real accounts
- Preventing commercial behavioral tracking (Firefox + uBlock Origin is sufficient and faster)
- Protecting your privacy “from hackers” in a generic sense
The .onion Network
Tor’s hidden service (.onion) protocol lets servers operate without revealing their IP address. Both the client and the server are anonymous to each other at the network level. Major services that operate .onion versions for their users include The New York Times, ProPublica, and the Tor Project itself. Some users access these because the .onion route is faster than the normal route through their region’s internet infrastructure.
FAQ
Does using Tor make me a target? In most contexts, no. Millions of people use Tor daily for legitimate purposes. In some countries, the use of Tor itself is suspicious or illegal — check your local context. ISPs can see you’re connecting to Tor, which may be notable in adversarial environments. Tor bridges (unlisted relays) or pluggable transports like obfs4 can obfuscate the Tor connection pattern.
Should I use a VPN with Tor? The “VPN over Tor” vs. “Tor over VPN” distinction matters. Most guides suggest “Tor over VPN” (connect to the VPN first, then Tor) because it hides your Tor use from your ISP. The Tor Project’s position is that a VPN adds a new trust party without meaningfully improving security and can hurt it in some configurations. The case for it is narrowly “hiding that you use Tor from your ISP.” If you don’t need that, it adds complexity without benefit.
Why is Tor Browser based on Firefox and not Chrome? Firefox’s open-source license and Mozilla’s cooperative relationship with security researchers make it easier to apply the extensive patches Tor Browser requires. Chromium-based browsers have historically been harder to modify in the ways needed for Tor Browser’s fingerprinting resistance.
Is Brave’s Tor Private Window as private as Tor Browser? No. Brave’s Tor Window routes traffic through Tor but does not apply Tor Browser’s fingerprinting standardization. Brave users’ fingerprints vary; Tor Browser users all look the same. For high-stakes anonymity, use actual Tor Browser.