Why you're using Tor wrong

If you're concerned about online security, you may use Tor to access or manage anonymous servers. But you're probably using it wrong. Here's why.
Written by Robin Harris, Contributor

Tor (The Onion Router) provides a way to anonymize servers on the internet. If there's content you want to publish while you remain anonymous, Tor is your main option. Over 100,000 Tor sessions are used daily.

Onion services

Tor provides end-to-end security and self-certifying domain names. Servers are anonymous to clients, and clients are anonymous to servers.

An onion domain name is derived from an RSA key pair: the SHA-1 hash of the public key is truncated and encoded as a 16-character base32 string. If you know the domain, you know the public key. That's handy, but the unwieldy domain name is hard to write and remember.
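The derivation above can be reproduced in a few lines, which also shows what a typo does to such a name. This is an added example, not code from the article or the Tor Project; the function names are hypothetical and the key bytes are a constructed stand-in for a DER-encoded RSA public key.

```python
import base64
import hashlib
import re

V2_LABEL = re.compile(r"[a-z2-7]{16}")  # base32 alphabet, exactly 16 characters

# Constructed stand-in for a DER-encoded RSA public key (not a real key).
SAMPLE_PUBKEY_DER = (
    bytes.fromhex("30818902818100") + bytes(range(128)) + bytes.fromhex("0203010001")
)


def onion_v2_address(pubkey_der: bytes) -> str:
    """SHA-1 the public key, keep the first 80 bits, base32-encode them."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def parse_label(address: str):
    """Return the 16-character label, or None if the name is malformed."""
    host = address.strip().lower()
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")]
    return label if V2_LABEL.fullmatch(label) else None


def check_address(typed: str, pubkey_der: bytes) -> str:
    """Classify a typed name against the key a service presents."""
    label = parse_label(typed)
    if label is None:
        return "malformed"  # caught by syntax alone, e.g. a '0' or '1'
    expected = onion_v2_address(pubkey_der)
    return "match" if label + ".onion" == expected else "mismatch"


if __name__ == "__main__":
    good = onion_v2_address(SAMPLE_PUBKEY_DER)
    # A well-formed typo: one valid base32 character swapped for another.
    typo = ("b" if good[0] != "b" else "c") + good[1:]
    for name in (good, typo, "0" + good[1:]):
        print(name, "->", check_address(name, SAMPLE_PUBKEY_DER))
```

Only characters outside the base32 alphabet are caught by the syntax check; a typo that stays inside the alphabet is a well-formed name for a different key hash, which is why users who cannot verify the full string are exposed to look-alike domains.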

The research

In the paper "How Do Tor Users Interact With Onion Services?" researchers from Princeton University looked at how people understand and use Tor. In addition to an online survey of 517 users, another 17 users completed semi-structured interviews.

Though 60 percent of the respondents had graduate degrees, many of them misunderstood key aspects of Tor. The domain format, for example, is not well understood, leaving users open to phishing attacks or common typos.

Users also have problems discovering onion domains. Finally, users want better performance and easier ways to track and verify onion domains.

Domain names?

If you've never used Tor, the domain name issue may seem like a noob problem. But you try to type in expyuzz4wqqyqhjn.onion without a mistake!


Based on the user problems they found in their interviews and survey, the researchers offer a damning assessment of today's onion services:

"Onion services resemble the 1990s web: Pages load slowly, user interfaces are clumsy, and search engines are inadequate."

They go on to suggest a variety of design improvements, from an onion search engine, to features as simple as the public internet's padlock icon to indicate that onion service security is operational.

The Storage Bits take

For all the shortcomings of commercial products - and they are legion - it is sobering to see Tor compared to the 90s web. Few non-commercial products, whose developers are almost always unpaid, have the resources of a commercial firm.


The good news is that the Princeton researchers have performed an essential task for Tor developers: market research. By finding what works - and what doesn't - for users, they've given Tor developers valuable insight.

As more users wake up to the fact that their every move online is tracked, demand for privacy will grow. If Tor can become more user friendly and clearly communicate how its services protect privacy, it will play a much more important role in protecting users from unwanted surveillance.

Courteous comments welcome, of course. Can you code? Contribute to the Tor Project.
