A Quick Guide to the Dark Web

You may have heard of the “dark web” or the “deep web” before. The dark web is a place where you can find all manner of things that you would not be able to find on the regular web (or “clearnet”).

First, a terminology distinction. “Dark web” and “deep web” are often used interchangeably, but they refer to separate things. The “deep web” refers to any portion of the Internet that is not indexed by a search engine. This includes things like your email and online banking pages. The “dark web”, however, refers to websites that are only accessible through anonymizing networks like Tor and I2P. The deep web encompasses the dark web, but not vice versa.

On the dark web, you probably already know that you can find things like marketplaces that sell drugs, vendors that sell software exploits, and certain less legal types of pornography. However, you may not know that you can also find regular websites that happen to have a hidden service set up, such as DuckDuckGo (a search engine).

There is no Tor equivalent of ICANN that sets the rules for registered domains, and there are no domain registrars where you have to buy a domain. Instead, anyone who runs the Tor software can run a hidden service (or “onion”).

Although Tor can technically be accessed using any browser as long as you proxy through the Tor software, it is strongly recommended that you only use Tor through the Tor Browser. This will maintain your anonymity much better and help prevent fingerprinting.

Downloading and installing Tor Browser is very simple. All you need to do is go to the Tor Browser download page, download the relevant file for your operating system (probably Windows), and then run the installer. You should now have an icon to launch the Tor Browser on your desktop.

Using the Tor Browser is as easy as using any other web browser. In fact, you may even notice that the Tor Browser interface looks familiar. This is because Tor Browser is based on Firefox.

Why you should use Tor

You may think that the only people who need to use Tor are criminals, but you would be wrong. There are many legitimate reasons to use Tor.

Perhaps you live in a country that wants to censor various websites on the Internet. Tor can help you get around these blocks.

Or maybe you live in a country where you don’t have free speech, but you still want to post things the government may not approve of anonymously.

Maybe you just worry about privacy and don’t want your ISP, your employer, and a dozen other companies to be able to see which websites you are browsing.

In any case, it’s not a crime to want to be anonymous. Tor is simply a tool, and how you use it and the websites you browse are completely up to you.

Even if you don’t have much reason to use Tor yourself, consider using it for the sake of other people. One person cannot be anonymous, so if there were only one person using Tor, it would not work. The more people use Tor, the more traffic there is to provide cover for the people who really need anonymity. (See more on this in the next section.) Also, using Tor for everyday browsing helps legitimize it in a world where most people think it is only used to buy illegal drugs.

How Tor works

The concept of Tor is very simple. You have a problem: when you visit a website, that website (and the intermediary networks you connect through, like your ISP) knows what your IP address is, and this can sometimes uniquely identify you. It also gives away your geographical location.

You could use a regular VPN or proxy to hide your IP address, but the problem with these is that the VPN or proxy provider can see what websites you are connecting to as well.

Tor solves this problem by using onion routing. When you connect to a website, your packets are encrypted three times, once for each of three different nodes, and then sent through those nodes in turn. When a packet arrives at the first node, that node decrypts the outer layer of encryption. All it learns is the IP address of the second node and the encrypted data to send to it. The same thing happens at the second node, and finally the packet arrives at the third node, where the final layer of encryption is peeled off and your packet is sent to the website you are connecting to.

As you can see, it is called onion routing because layers are peeled off at every point. No single Tor node knows both where the packet is coming from and where it is going. Tor removes the need to trust a single point of failure. This protects your anonymity.
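The layering described above, as an added example that is not from the original article or from Tor's own code. It assumes a toy cipher built from hashlib in place of Tor's real cryptography, and the node addresses, keys, destination name and function names are constructed for illustration.

```python
import hashlib, hmac, json, os

def keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream, standing in for Tor's real ciphers.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Add one layer: nonce || HMAC tag || ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def peel(key, blob):
    """Remove one layer; return (next hop, data still encrypted for later hops)."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified layer")
    layer = json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))
    return layer["next"], bytes.fromhex(layer["data"])

def build_onion(path, destination, payload):
    """Client side: wrap the payload once per node, innermost layer for the last node."""
    next_hops = [addr for addr, _ in path[1:]] + [destination]
    blob = payload
    for (_, key), nxt in zip(reversed(path), reversed(next_hops)):
        blob = seal(key, json.dumps({"next": nxt, "data": blob.hex()}).encode())
    return blob

def route(path, onion):
    """Pass the onion along the path, recording what each node can observe."""
    seen, prev, blob = [], "client", onion
    for addr, key in path:
        nxt, blob = peel(key, blob)
        seen.append({"node": addr, "from": prev, "to": nxt})
        prev = addr
    return seen, blob

# Constructed sample: three nodes with random per-node keys (documentation IP addresses).
PATH = [(addr, os.urandom(32)) for addr in ("192.0.2.1", "192.0.2.2", "192.0.2.3")]
SEEN, DELIVERED = route(PATH, build_onion(PATH, "website.example", b"GET / HTTP/1.1"))

if __name__ == "__main__":
    for view in SEEN:
        print(view)  # no single view contains both "client" and "website.example"
    print(DELIVERED)
```

Each printed view is what one node learns: only the hop before it and the hop after it.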

Things to remember for staying anonymous

Using the Tor Browser is not the only thing you need to do in order to stay anonymous. You will need to change your browsing habits as well.

  1. Never log in to any account (like Facebook) that you have used on the clearnet. This may tie your browsing session to your identity.
  2. Use a higher security level. Tor Browser comes with 3 security levels: Standard, Safer, and Safest. By default, it is set to Standard. However, you may want to consider using Safest or at least Safer to make you less likely to be deanonymized. This will disable JavaScript, so some websites might break. See “Why You Should Disable JavaScript on Tor” for why this helps.
  3. Consider using a VPN in addition to Tor. If there is a vulnerability in Tor that reveals your IP address, it is better if you only reveal the IP address of your VPN and not your home network.
  4. Don’t change the size of the browser window. If you attempt to resize the window, Tor Browser should warn you that this is not safe to do. This is because websites can calculate the size of your window (even without JavaScript) and use it to fingerprint you if that size is unique. The default size that Tor Browser opens with is the optimal anonymous size for your screen. This also means you should not make the window fullscreen.
  5. Do not reuse information that you have used on the clearnet. This includes your name, your email address, your password, your photos, and even things like quotes that you might attach to your account. Doing this could create a link between your real-world identity and your Tor identities.
  6. Disconnect devices like microphones and webcams that you may have connected to your computer. In theory, Tor Browser should ask you if a website wants to use these anyway, but if there is a vulnerability in the browser then this prompt might be bypassed.
  7. Consider using Tor Browser on a computer that you only use for browsing dark web sites and nothing else. If there is a vulnerability in the browser and the attacker gains access to your filesystem, they may be able to pull identifying information out of it, like any documents you might have lying around.

Why You Should Disable JavaScript on Tor

JavaScript is a major vector for exploits nowadays. It widens your attack surface significantly.

Consider that enabling JavaScript in your web browser is equivalent to automatically running whatever program a website sends you when you connect to it, and automatically running whatever programs its third-party resources send you as well.

Though we don’t usually think of them this way, JavaScript scripts are programs. They are Turing-complete. In theory, they are also sandboxed. However, sandboxes are not perfect, and sometimes a vulnerability is discovered that allows an attacker to break out of a sandbox.

Modern JavaScript browser APIs are so complex that they can introduce vulnerabilities without anyone even realizing it. For example, the Spectre vulnerability that was discovered in almost every CPU recently was initially exploitable through JavaScript because browsers provided a high-precision timer API. Simply by allowing the running JavaScript to know the time accurately, an attack vector was opened that allowed any website to read anything open in your browser (including passwords).

You can disable JavaScript in Tor Browser by changing the security settings. On the Safer level, JavaScript is disabled on all non-HTTPS sites. This is important because non-HTTPS sites are not encrypted, and they can therefore be modified in transit. Anyone in between you and the server (including the Tor exit node) could modify and inject JavaScript on the page to do whatever they want.

On the Safest level, all JavaScript is disabled on all websites. This is definitely, as the name implies, the safest option. If you come across a website that breaks with JavaScript disabled, and you decide that you really need to use it (think about this carefully), you can always use NoScript to temporarily allow scripts on that website or tab only.