The Onion Router (Tor): How It Works


Introduction

When privacy‑savvy internet users talk about “the onion,” they’re usually referring to Tor, the open‑source network that routes traffic through multiple encrypted layers—much like the layers of an actual onion. Tor’s primary goal is to hide who is talking to where, making it extremely difficult for anyone (ISPs, governments, or malicious actors) to trace a user’s online activity back to their physical location.


History and Development of the Onion Router

  • 1995 – Early Concepts: The idea of layered encryption for anonymous communication was first explored by researchers at the U.S. Naval Research Laboratory (NRL). Their “onion routing” paper described a method of wrapping messages in successive layers of encryption, each peeled away by a different router.
  • 2002 – First Public Prototype: The NRL released a prototype called The Onion Routing (TOR) project. It was initially intended for secure communications among government agencies and diplomatic missions.
  • 2004 – Open‑Source Release: After the original funding ended, the project’s code was handed over to a group of volunteers led by computer scientists Roger Dingledine and Nick Mathewson. They released Tor as free, open‑source software under a BSD license, inviting the broader community to contribute.
  • 2006 – Non‑Profit Formation: The Tor Project was founded as a non‑profit organization to steward development, fund research, and promote the network’s growth.
  • 2009 – First Major Funding Boost: The U.S. State Department’s Bureau of Democracy, Human Rights, and Labor provided a multi‑year grant, allowing the team to expand the network, improve usability, and launch the first official Tor Browser Bundle.
  • 2014 – Mass Adoption & Scrutiny: High‑profile events such as the Snowden revelations and the rise of online censorship drove a surge in users. Simultaneously, law‑enforcement agencies began scrutinizing exit nodes, prompting ongoing debates about abuse mitigation.
  • 2020 – Modern Enhancements: The network introduced guard nodes (stable entry relays) to reduce exposure to malicious entry points, and pluggable transports to evade deep‑packet inspection.
  • 2023 – Performance Improvements: The introduction of v3 onion services and circuit padding helped improve both security and latency, making Tor more viable for everyday browsing.

Today, Tor runs on thousands of volunteer‑operated relays worldwide, handling millions of daily connections while remaining a cornerstone of internet anonymity.


The Anatomy of a Tor Circuit

A typical Tor circuit consists of three hops:

| Hop | Official name | Role in the circuit | What it sees |
|-----|---------------|---------------------|--------------|
| 1️⃣ | Guard / Entry node (sometimes called “guide node”) | The first point of contact for the client. It receives the user’s traffic, encrypts it once, and forwards it to the second hop. | Knows the client’s IP address but does not know the final destination because the payload is still wrapped in two additional layers of encryption. |
| 2️⃣ | Middle relay (also called “relay node”) | Acts as a bridge between the entry and exit. It strips away one layer of encryption and passes the traffic onward. | Sees neither the client’s IP nor the final destination; it only knows the previous hop and the next hop. |
| 3️⃣ | Exit node | The final hop that decrypts the last layer and sends the traffic out onto the regular internet. | Knows the destination server (e.g., a website) but not the original client’s IP. Any unencrypted data exiting here can be observed by the exit operator. |

Guard (Entry) Node

  • Selection: Tor clients pick a small set of stable, high‑bandwidth guards and stick with them for weeks or months. This reduces exposure to potentially malicious entry nodes.
  • Security purpose: By limiting the number of entry points a client ever contacts, Tor mitigates correlation attacks where an adversary tries to link incoming and outgoing traffic patterns.

Middle Relay

  • Function: Purely a forwarding service. It adds latency but also provides anonymity by breaking the direct link between entry and exit.
  • Diversity: There are thousands of relays worldwide, run by volunteers, universities, and NGOs. Their sheer number makes it hard for any single entity to control a large portion of the network.

Exit Node

  • Visibility: Since the exit node delivers traffic to the destination, it can see any unencrypted data (HTTP, DNS queries, etc.). That’s why many exit operators run strict policies against abuse and why users are encouraged to use HTTPS whenever possible.
  • Legal considerations: Some jurisdictions treat exit node operators as if they were the source of the traffic, so running an exit node can involve legal risk.
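
The three-hop circuit above can be modelled in a few lines. This is an added example, not code from the Tor Project: it is a simplified model of onion routing in which the client applies all three layers and each hop peels one, and the hop names, demo keys, sample request and SHA-256 keystream cipher are assumptions standing in for Tor's real key negotiation and ciphers.

```python
import hashlib
import json

HOPS = ["guard", "middle", "exit"]
# Constructed per-hop keys; a real client negotiates a fresh key with each relay.
KEYS = {hop: hashlib.sha256(b"demo-key:" + hop.encode()).digest() for hop in HOPS}

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream XOR), a stand-in for Tor's ciphers."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def wrap(payload: bytes, destination: str) -> bytes:
    """Client side: add the exit's layer first, the guard's layer last."""
    next_hops = HOPS[1:] + [destination]
    blob = payload
    for hop, nxt in reversed(list(zip(HOPS, next_hops))):
        layer = json.dumps({"next": nxt, "data": blob.hex()}).encode()
        blob = keystream_xor(KEYS[hop], layer)
    return blob

def peel(hop: str, blob: bytes):
    """Relay side: remove this hop's layer, learning only the next hop."""
    layer = json.loads(keystream_xor(KEYS[hop], blob))
    return layer["next"], bytes.fromhex(layer["data"])

def run_circuit(client_ip: str, payload: bytes, destination: str) -> dict:
    """Pass one message through the circuit and record what each hop learns."""
    blob, previous, views = wrap(payload, destination), client_ip, {}
    for hop in HOPS:
        nxt, blob = peel(hop, blob)
        views[hop] = {"previous": previous, "next": nxt,
                      "sees_payload": payload in blob}
        previous = hop
    return views

if __name__ == "__main__":
    # Constructed sample: documentation IP address and an unencrypted HTTP request.
    for hop, view in run_circuit("203.0.113.7", b"GET / HTTP/1.1", "example.com:80").items():
        print(hop, view)
```

Only the guard's view contains the client address and only the exit's view contains the destination and the readable request, which is why unencrypted HTTP is exposed at the exit.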

Tor vs. Standard VPNs

| Aspect | Tor (Onion Routing) | Traditional VPN |
|--------|---------------------|-----------------|
| Encryption layers | Multiple layers (typically three) that are peeled off hop‑by‑hop. | Single end‑to‑end tunnel between client and VPN server. |
| Trust model | You trust no single node to see both who you are and where you’re going. Each node only sees a slice of the path. | You place trust in the VPN provider to protect both your identity and your traffic. |
| Performance | Generally slower due to multiple hops and volunteer bandwidth limits. | Faster; traffic goes through a single server, often with high‑capacity infrastructure. |
| IP masking | Your apparent IP is that of the exit node, which changes each circuit. | Your apparent IP is the VPN server’s IP, which stays constant for the session. |
| Geolocation flexibility | Exit nodes are scattered globally; you can’t reliably choose a country (though you can select “exit nodes in a specific region” via configuration). | Most providers let you pick a server in a specific country, useful for geo‑restricted content. |
| Resistance to censorship | Because traffic is distributed across many relays, blocking the entire network is difficult; censors must block thousands of IPs. | A single VPN IP range can be blocked relatively easily. |
| Potential for data leakage | Unencrypted traffic leaving the exit node is exposed to the exit operator. | All traffic remains encrypted until it reaches the VPN server; the provider could still inspect it. |
| Legal exposure | Running a relay is generally legal, but operating an exit node can attract scrutiny. | Using a VPN is legal in most countries, but some regimes ban or restrict VPN services. |

When to Choose One Over the Other

  • Tor shines when you need strong anonymity (e.g., whistleblowing, investigative journalism, evading pervasive surveillance). Its multi‑hop design makes it resistant to correlation attacks, but the trade‑off is speed.
  • VPNs excel for privacy + performance—streaming geo‑blocked media, securing public Wi‑Fi, or bypassing modest censorship where anonymity isn’t the primary concern.

Many power users combine the two: they route their traffic through a VPN before it enters the Tor network (VPN‑over‑Tor) or vice versa (Tor‑over‑VPN), adding layers of protection depending on threat models.


Tor and the Dark Web

The term “dark web” commonly refers to websites whose addresses end in .onion and are only reachable through the Tor network. These sites are hosted as Tor hidden services (now called onion services) and differ from the “surface web” in several key ways:

  1. No Public DNS Resolution

    • .onion addresses are generated cryptographically; they do not resolve via traditional DNS. The Tor client resolves them internally, keeping the location of the server hidden from anyone outside the network.
  2. End‑to‑End Encryption Within Tor

    • Traffic between a Tor user and an onion service stays inside the Tor network for its entire journey, providing both client and server anonymity. Unlike normal sites accessed via an exit node, there is no exit hop that could observe the plaintext.
  3. Use Cases Beyond Illicit Content

    • While the dark web is often associated with illegal marketplaces, it also hosts valuable resources: whistleblower platforms (e.g., SecureDrop), political dissident blogs, privacy‑focused forums, and research repositories that benefit from strong anonymity.
  4. Risks and Precautions

    • Malware & Phishing: Dark‑web sites are not vetted, so users should treat downloads with extreme caution.
    • Law Enforcement Monitoring: Although Tor hides IP addresses, sophisticated correlation attacks or compromised nodes can sometimes deanonymize participants. Using the latest Tor Browser, keeping it updated, and employing additional safeguards (e.g., a VPN before Tor) reduces risk.
    • Exit‑Node Exposure Not Applicable: Because onion services never leave the Tor network, the exit‑node privacy issue discussed earlier does not apply.
  5. Technical Evolution

    • V3 Onion Services (2021+): Introduced longer, more secure .onion addresses (56 characters) and stronger cryptographic primitives, making modern dark‑web services harder to hijack.

In short, Tor is the gateway to the dark web, but the dark web is merely a subset of what Tor can reach—a collection of hidden services that leverage Tor’s anonymity guarantees for a variety of (often legitimate) purposes.


Key Takeaways

  1. Guard, middle relay, and exit node each see only a fragment of the whole picture, which is the core strength of Tor’s onion routing.
  2. Tor offers anonymity at the cost of latency, whereas VPNs provide faster, location‑specific privacy but rely on trusting a single provider.
  3. Both technologies have legitimate, complementary use cases; understanding their differences helps you pick the right tool for the job.

Whether you’re a journalist protecting sources, a researcher navigating censored sites, or just a privacy‑conscious citizen, knowing how these networks function empowers you to make informed decisions about your digital footprint.


Want to dive deeper? Check out the official Tor Project documentation, explore the list of public relays, or experiment with a Tor‑enabled browser to see the onion in action.