Tor is an essential tool when a sender needs to disseminate information anonymously. "It is the perfect tool for political dissidents who don't want their names attached to information," says Robert Hansen, a security researcher and director of product management at the vendor WhiteHat Security. (Tor also appeals to organized crime and other people who don't want the law to catch up with their activities.)
But there's a cost to using it. "It's a hassle," and it can degrade a person's Web experience, says Casey Oppenheim, CEO at anti-tracking software vendor Disconnect.
Tor consists of an open source browser you can download and a network that acts on your behalf to conceal your identity by preventing others from tracing network traffic back to you.
"Tor tunnels your traffic through a volunteer network of 5,000 relays spread around the world. Tor protects your content in transit by wrapping layers of encryption around your data without modifying or touching your data in transit," explains Andrew Lewman, executive director of the Tor Project.
Your data keeps hopping from one node to another until a limit is reached. At that point it exits the Tor network and continues on to its destination. (The last node to handle the data is called the exit node.) "Tor is essentially a very large, distributed VPN that's free," and it works well when used properly, Hansen says.
But it can also be dangerous if you don't understand how to use it properly, as the Tor Project's warnings make clear. "Tor can help you remain anonymous -- if the account you logged into on the other end isn't tied back to your real identity," Hansen says.
"That last machine, the exit node, knows who you are if you submit your information in plain text, and that can break your privacy." Users should understand that all of the nodes in the Tor network are operated by volunteers, Hansen says. If you're logged into a service such as an online loan application, the owner of the exit node may be privy to all of that information.
It's also not a good idea to use Tor to download an executable unless you can verify it hasn't been tampered with, Hansen says, because the owners of the exit node could, if they wanted to, modify the content and change it to a malicious binary. But, Lewman points out, "Tor exit nodes are no more risky than your ISP's caching proxy servers and other points along the path."
Hansen's recommendation: "Use Tor only over HTTPS, and only when you don't want your name associated with whatever is going to happen over HTTPS."
Even then, he says, it is important to remember that some entities out there, such as certain government agencies, may still be able to decrypt the message and identify you.
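The layering and the exit-node exposure described above, as an added illustration that is not part of the original article and is not Tor's own code: a toy stream cipher stands in for the real per-hop encryption and for TLS, and the relay keys, host name and form values are constructed for the example.

```python
import hashlib
import hmac

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter keystream). Applying it twice
    with the same key removes the layer. Not Tor's real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(payload: bytes, hop_keys: list) -> bytes:
    """Client: add one layer per relay; the exit's layer goes on first."""
    for key in reversed(hop_keys):
        payload = xor_layer(key, payload)
    return payload

def relay_views(cell: bytes, hop_keys: list) -> list:
    """What each relay holds after stripping its own layer, in path order."""
    views = []
    for key in hop_keys:
        cell = xor_layer(key, cell)
        views.append(cell)
    return views

# Constructed keys and request (hypothetical host and form values).
HOP_KEYS = [hashlib.sha256(n).digest() for n in (b"guard", b"middle", b"exit")]
SITE_KEY = hashlib.sha256(b"site-tls-session").digest()  # stands in for TLS
REQUEST = b"POST /loan HTTP/1.1\r\nHost: bank.example\r\n\r\nname=Alice&income=50000"

def exit_sees(over_https: bool) -> bytes:
    """Bytes the exit relay forwards to the destination."""
    app_data = xor_layer(SITE_KEY, REQUEST) if over_https else REQUEST
    return relay_views(wrap(app_data, HOP_KEYS), HOP_KEYS)[-1]

if __name__ == "__main__":
    print("plain HTTP :", exit_sees(False))
    print("over HTTPS :", exit_sees(True).hex())
```

The first two relays only ever hold ciphertext; the exit holds whatever the application handed to Tor, which is the readable form data unless HTTPS has already encrypted it end to end.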
-- Robert L. Mitchell