support.torproject.org Open in urlscan Pro
2a01:4f8:fff0:4f:266:37ff:feae:3bbc  Public Scan

Submitted URL: https://www.torproject.org/docs/hidden-services.html.en
Effective URL: https://support.torproject.org/
Submission: On August 29 via api from US — Scanned from FI

Form analysis 1 forms found in the DOM

GET https://duckduckgo.com/

<form class="form-inline form-wide justify-content-md-center" id="searchForm" action="https://duckduckgo.com/" method="GET">
  <div class="col-md-5">
    <div class="col-12 input-group p-0">
      <input id="q" class="form-control form-wide rounded-left border-0" type="text" name="q" placeholder="Search using DuckDuckGo ..." aria-label="Search">
      <input type="hidden" name="sites" value="support.torproject.org">
      <span class="input-group-btn">
        <button class="btn btn-light" type="submit"><span class="fa fa-magnifying-glass text-secondary"></span></button>
      </span>
    </div>
  </div>
</form>

Text Content

Tor Logo Donate Now Menu
 * About
 * Support
 * Community
 * Blog
 * Donate
   

English (en)
العربية (ar) Deutsch (de) Español (es) فارسی (fa) Français (fr) Indonesia (id)
Italiano (it) 한국어(ko) Português Br. (pt-BR) Română (ro) Русский (ru) Kiswahili
(sw) Türkçe (tr) українська (uk) Tiếng Việt (vi) 简体中文 (zh-CN) 正體中文 (zh-TW)
Download Tor Browser


HOW CAN WE HELP?


Topics
 * Most Frequently Asked Questions
 * About Tor
 * Tor Browser
 * Tor Mobile
 * Connecting To Tor
 * Censorship
 * HTTPS
 * Relay Operators
 * Onion Services
 * Tor Metrics
 * Debian Repository
 * RPM Repository
 * Misc
 * Abuse FAQs
 * Get in Touch
 * Glossary
 * Alternate Designs
 * little-t-tor
 * Mullvad Browser

--------------------------------------------------------------------------------

TOPICS

 * Most Frequently Asked Questions
 * About Tor
 * Tor Browser
 * Tor Mobile
 * Connecting To Tor
 * Censorship
 * HTTPS
 * Relay Operators
 * Onion Services
 * Tor Metrics
 * Debian Repository
 * RPM Repository
 * Misc
 * Abuse FAQs
 * Get in Touch
 * Glossary
 * Alternate Designs
 * little-t-tor
 * Mullvad Browser

GET IN TOUCH

Chat with us live!

Join us on IRC
expand

MOST FREQUENTLY ASKED QUESTIONS

WHEN I USE TOR BROWSER, WILL ANYONE BE ABLE TO TELL WHICH WEBSITES I VISIT?

Tor Browser prevents people from knowing the websites you visit. Some entities,
such as your Internet Service Provider (ISP), may be able to see that you're
using Tor, but they won't know where you're going when you do.

   
 * Edit this page - Suggest Feedback - Permalink

AM I TOTALLY ANONYMOUS IF I USE TOR?

Generally it is impossible to have perfect anonymity, even with Tor. Though
there are some things you can practice to improve your anonymity while using Tor
and offline.


USE TOR BROWSER AND SOFTWARE SPECIFICALLY CONFIGURED FOR TOR

Tor does not protect all of your computer's Internet traffic when you run it.
Tor only protects applications that are properly configured to send their
Internet traffic through Tor.

Web browsing:

 * Safe: Tor Browser
 * Unsafe: Any other browser configured to use Tor as a proxy

File sharing:

 * Safe: OnionShare
 * Unsafe: BitTorrent over Tor


CONTROL WHAT INFORMATION YOU PROVIDE THROUGH WEB FORMS

If you visit a website using Tor Browser, they don't know who you are or your
true location. Unfortunately many sites ask for more personal information than
they need through web forms. If you sign in to that website, they still don't
know your location but they know who you are. Further, if you provide: name,
email, address, phone number, or any other personal information, you are no
longer anonymous to that website. The best defense is to be vigilant and
extremely cautious when filling out web forms.


DON'T TORRENT OVER TOR

Torrent file-sharing applications have been observed to ignore proxy settings
and make direct connections even when they are told to use Tor. Even if your
torrent application connects only through Tor, you will often send out your real
IP address in the tracker GET request, because that's how torrents work. Not
only do you deanonymize your torrent traffic and your other simultaneous Tor web
traffic this way, you also slow down the entire Tor network for everyone else.


DON'T ENABLE OR INSTALL BROWSER PLUGINS

Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and
others: they can be manipulated into revealing your IP address. Similarly, we do
not recommend installing additional addons or plugins into Tor Browser, as these
may bypass Tor or otherwise harm your anonymity and privacy.


USE HTTPS VERSIONS OF WEBSITES

Tor will encrypt your traffic to and within the Tor network, but the encryption
of your traffic to the final destination website depends on that website. To
help ensure private encryption to websites, Tor Browser includes HTTPS-Only Mode
to force the use of HTTPS encryption with websites that support it. However, you
should still watch the browser URL bar to ensure that websites you provide
sensitive information to display a padlock or onion icon in the address bar,
include https:// in the URL, and display the proper expected name for the
website. Also see EFF's interactive graphic explaining how Tor and HTTPS relate.


DON'T OPEN DOCUMENTS DOWNLOADED THROUGH TOR WHILE ONLINE

Tor Browser will warn you before automatically opening documents that are
handled by external applications. DO NOT IGNORE THIS WARNING. You should be very
careful when downloading documents via Tor (especially DOC and PDF files, unless
you use the PDF viewer that's built into Tor Browser) as these documents can
contain Internet resources that will be downloaded outside of Tor by the
application that opens them. This will reveal your non-Tor IP address. If you
must work with files downloaded via Tor, we strongly recommend either using a
disconnected computer, or using dangerzone to create safe PDF files that you can
open. Under no circumstances is it safe to use BitTorrent and Tor together,
however.


USE BRIDGES AND/OR FIND COMPANY

Tor tries to prevent attackers from learning what destination websites you
connect to. However, by default, it does not prevent somebody watching your
Internet traffic from learning that you're using Tor. If this matters to you,
you can reduce this risk by configuring Tor to use a bridge rather than
connecting directly to the Tor network. Ultimately the best protection is a
social approach: the more Tor users there are near you and the more diverse
their interests, the less dangerous it will be that you are one of them.
Convince other people to use Tor, too!

Be smart and learn more. Understand what Tor does and does not offer. This list
of pitfalls isn't complete, and we need your help identifying and documenting
all the issues.

   
 * Edit this page - Suggest Feedback - Permalink

WHICH PLATFORMS IS TOR BROWSER AVAILABLE FOR?

Tor Browser is currently available on Windows, Linux, macOS, and Android.

On Android, The Guardian Project also provides the Orbot app to route other apps
on your Android device over the Tor network.

There is no official version of Tor Browser for iOS yet, as explained in this
blog post. Our best available recommendation is Onion Browser.

   
 * Edit this page - Suggest Feedback - Permalink

SHOULD I INSTALL A NEW ADD-ON OR EXTENSION IN TOR BROWSER, LIKE ADBLOCK PLUS OR
UBLOCK ORIGIN?

It's strongly discouraged to install new add-ons in Tor Browser, because they
can compromise your privacy and security.

Installing new add-ons may affect Tor Browser in unforeseen ways and potentially
make your Tor Browser fingerprint unique. If your copy of Tor Browser has a
unique fingerprint, your browsing activities can be deanonymized and tracked
even though you are using Tor Browser.

Each browser's settings and features create what is called a "browser
fingerprint". Most browsers inadvertently create a unique fingerprint for each
user which can be tracked across the internet. Tor Browser is specifically
engineered to have a nearly identical (we're not perfect!) fingerprint across
its users. This means each Tor Browser user looks like many other Tor Browser
users, making it difficult to track any individual user.

There's also a good chance a new add-on will increase the attack surface of Tor
Browser. This may allow sensitive data to be leaked or allow an attacker to
infect Tor Browser. The add-on itself could even be maliciously designed to spy
on you.

Tor Browser already comes installed with one add-on — NoScript — and adding
anything else could deanonymize you.

Want to learn more about browser fingerprinting? Here's an article on The Tor
Blog all about it.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I USE A VPN WITH TOR?

Generally speaking, we don't recommend using a VPN with Tor unless you're an
advanced user who knows how to configure both in a way that doesn't compromise
your privacy.

You can find more detailed information about Tor + VPN at our wiki.

   
 * Edit this page - Suggest Feedback - Permalink

OUR WEBSITE IS BLOCKED BY A CENSOR. CAN TOR BROWSER HELP USERS ACCESS OUR
WEBSITE?

Tor Browser can certainly help people access your website in places where it is
blocked. Most of the time, simply downloading the Tor Browser and then using it
to navigate to the blocked site will allow access. In places where there is
heavy censorship we have a number of censorship circumvention options available,
including pluggable transports.

For more information, please see the Tor Browser User Manual section on
censorship circumvention.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I DONATE FOR A RELAY RATHER THAN RUN MY OWN?

Sure! We have a list of organizations that run Tor relays that are happy to turn
your donations into better speed and anonymity for the Tor network.

These organizations are not the same as The Tor Project, Inc, but we consider
that a good thing. They're run by nice people who are part of the Tor community.

Note that there can be a tradeoff here between anonymity and performance. The
Tor network's anonymity comes in part from diversity, so if you are in a
position to run your own relay, you will be improving Tor's anonymity more than
by donating. At the same time though, economies of scale for bandwidth mean that
combining many small donations into several larger relays is more efficient at
improving network performance. Improving anonymity and improving performance are
both worthwhile goals, so however you can help is great!

   
 * Edit this page - Suggest Feedback - Permalink

ABOUT TOR

WHAT ATTACKS REMAIN AGAINST ONION ROUTING?

As mentioned above, it is possible for an observer who can view both you and
either the destination website or your Tor exit node to correlate timings of
your traffic as it enters the Tor network and also as it exits. Tor does not
defend against such a threat model.

In a more limited sense, note that if a censor or law enforcement agency has the
ability to obtain specific observation of parts of the network, it is possible
for them to verify a suspicion that you talk regularly to your friend by
observing traffic at both ends and correlating the timing of only that traffic.
Again, this is only useful to verify that parties already suspected of
communicating with one another are doing so. In most countries, the suspicion
required to obtain a warrant already carries more weight than timing correlation
would provide.

Furthermore, since Tor reuses circuits for multiple TCP connections, it is
possible to associate non anonymous and anonymous traffic at a given exit node,
so be careful about what applications you run concurrently over Tor. Perhaps
even run separate Tor clients for these applications.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT PROTECTIONS DOES TOR PROVIDE?

Internet communication is based on a store-and-forward model that can be
understood in analogy to postal mail: Data is transmitted in blocks called IP
datagrams or packets. Every packet includes a source IP address (of the sender)
and a destination IP address (of the receiver), just as ordinary letters contain
postal addresses of sender and receiver. The way from sender to receiver
involves multiple hops of routers, where each router inspects the destination IP
address and forwards the packet closer to its destination. Thus, every router
between sender and receiver learns that the sender is communicating with the
receiver. In particular, your local ISP is in the position to build a complete
profile of your Internet usage. In addition, every server in the Internet that
can see any of the packets can profile your behavior.

The aim of Tor is to improve your privacy by sending your traffic through a
series of proxies. Your communication is encrypted in multiple layers and routed
via multiple hops through the Tor network to the final receiver. More details on
this process can be found in this visualization. Note that all your local ISP
can observe now is that you are communicating with Tor nodes. Similarly, servers
in the Internet just see that they are being contacted by Tor nodes.

Generally speaking, Tor aims to solve three privacy problems:

First, Tor prevents websites and other services from learning your location,
which they can use to build databases about your habits and interests. With Tor,
your Internet connections don't give you away by default -- now you can have the
ability to choose, for each connection, how much information to reveal.

Second, Tor prevents people watching your traffic locally (such as your ISP or
someone with access to your home wifi or router) from learning what information
you're fetching and where you're fetching it from. It also stops them from
deciding what you're allowed to learn and publish -- if you can get to any part
of the Tor network, you can reach any site on the Internet.

Third, Tor routes your connection through more than one Tor relay so no single
relay can learn what you're up to. Because these relays are run by different
individuals or organizations, distributing trust provides more security than the
old one hop proxy approach.

Note, however, that there are situations where Tor fails to solve these privacy
problems entirely: see the entry below on remaining attacks.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT IS TOR?

The name "Tor" can refer to several different components.

Tor is a program you can run on your computer that helps keep you safe on the
Internet. It protects you by bouncing your communications around a distributed
network of relays run by volunteers all around the world: it prevents somebody
watching your Internet connection from learning what sites you visit, and it
prevents the sites you visit from learning your physical location. This set of
volunteer relays is called the Tor network.

The way most people use Tor is with Tor Browser, which is a version of Firefox
that fixes many privacy issues. You can read more about Tor on our about page.

The Tor Project is a non-profit (charity) organization that maintains and
develops the Tor software.

   
 * Edit this page - Suggest Feedback - Permalink

WHY IS IT CALLED TOR?

Tor is the onion routing network. When we were starting the new next-generation
design and implementation of onion routing in 2001-2002, we would tell people we
were working on onion routing, and they would say "Neat. Which one?" Even if
onion routing has become a standard household term, Tor was born out of the
actual onion routing project run by the Naval Research Lab.

(It's also got a fine meaning in German and Turkish.)

Note: even though it originally came from an acronym, Tor is not spelled "TOR".
Only the first letter is capitalized. In fact, we can usually spot people who
haven't read any of our website (and have instead learned everything they know
about Tor from news articles) by the fact that they spell it wrong.

   
 * Edit this page - Suggest Feedback - Permalink

DOES TOR REMOVE PERSONAL INFORMATION FROM THE DATA MY APPLICATION SENDS?

No, it doesn't. You need to use a separate program that understands your
application and protocol and knows how to clean or "scrub" the data it sends.
Tor Browser tries to keep application-level data, like the user-agent string,
uniform for all users. Tor Browser can't do anything about the text that you
type into forms, though.

   
 * Edit this page - Suggest Feedback - Permalink

HOW IS TOR DIFFERENT FROM OTHER PROXIES?

A typical proxy provider sets up a server somewhere on the Internet and allows
you to use it to relay your traffic. This creates a simple, easy to maintain
architecture. The users all enter and leave through the same server. The
provider may charge for use of the proxy, or fund their costs through
advertisements on the server. In the simplest configuration, you don't have to
install anything. You just have to point your browser at their proxy server.
Simple proxy providers are fine solutions if you do not want protections for
your privacy and anonymity online and you trust the provider to not do bad
things. Some simple proxy providers use SSL to secure your connection to them,
which protects you against local eavesdroppers, such as those at a cafe with
free wifi Internet.

Simple proxy providers also create a single point of failure. The provider knows
both who you are and what you browse on the Internet. They can see your traffic
as it passes through their server. In some cases, they can even see inside your
encrypted traffic as they relay it to your banking site or to ecommerce stores.
You have to trust the provider isn't watching your traffic, injecting their own
advertisements into your traffic stream, or recording your personal details.

Tor passes your traffic through at least 3 different servers before sending it
on to the destination. Because there's a separate layer of encryption for each
of the three relays, somebody watching your Internet connection can't modify, or
read, what you are sending into the Tor network. Your traffic is encrypted
between the Tor client (on your computer) and where it pops out somewhere else
in the world.


DOESN'T THE FIRST SERVER SEE WHO I AM?

Possibly. A bad first of three servers can see encrypted Tor traffic coming from
your computer. It still doesn't know who you are and what you are doing over
Tor. It merely sees "This IP address is using Tor". You are still protected from
this node figuring out both who you are and where you are going on the Internet.


CAN'T THE THIRD SERVER SEE MY TRAFFIC?

Possibly. A bad third of three servers can see the traffic you sent into Tor. It
won't know who sent this traffic. If you're using encryption (like HTTPS), it
will only know the destination. See this visualization of Tor and HTTPS to
understand how Tor and HTTPS interact.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I DISTRIBUTE TOR?

Yes.

The Tor software is free software. This means we give you the rights to
redistribute the Tor software, either modified or unmodified, either for a fee
or gratis. You don't have to ask us for specific permission.

However, if you want to redistribute the Tor software you must follow our
LICENSE. Essentially this means that you need to include our LICENSE file along
with whatever part of the Tor software you're distributing.

Most people who ask us this question don't want to distribute just the Tor
software, though. They want to distribute Tor Browser. This includes Firefox
Extended Support Release and the NoScript extension. You will need to follow the
license for those programs as well. Both of those Firefox extensions are
distributed under the GNU General Public License, while Firefox ESR is released
under the Mozilla Public License. The simplest way to obey their licenses is to
include the source code for these programs everywhere you include the bundles
themselves.

Also, you should make sure not to confuse your readers about what Tor is, who
makes it, and what properties it provides (and doesn't provide). See our
trademark FAQ for details.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT PROGRAMS CAN I USE WITH TOR?

There are plenty of other programs you can use with Tor, but we haven't
researched the application-level anonymity issues on all of them well enough to
be able to recommend a safe configuration. Our wiki has a community-maintained
list of instructions for Torifying specific applications. Please add to this
list and help us keep it accurate!

Most people use Tor Browser, which includes everything you need to browse the
web safely using Tor. Using Tor with other browsers is dangerous and not
recommended.

   
 * Edit this page - Suggest Feedback - Permalink

IS THERE A BACKDOOR IN TOR?

There is absolutely no backdoor in Tor.

We know some smart lawyers who say that it is unlikely that anybody will try to
make us add one in our jurisdiction (United States). If they do ask us, we will
fight them, and (the lawyers say) probably win.

We will never put a backdoor in Tor. We think that putting a backdoor in Tor
would be tremendously irresponsible to our users, and a bad precedent for
security software in general. If we ever put a deliberate backdoor in our
security software, it would ruin our professional reputation. Nobody would trust
our software ever again - for excellent reasons!

But that said, there are still plenty of subtle attacks people might try.
Somebody might impersonate us, or break into our computers, or something like
that. Tor is open source, and you should always check the source (or at least
the diffs since the last release) for suspicious things. If we (or the
distributors that gave you Tor) don't give you access to the source code, that's
a sure sign something funny might be going on. You should also check the PGP
signatures on the releases, to make sure nobody messed with the distribution
sites.

Also, there might be accidental bugs in Tor that could affect your anonymity. We
periodically find and fix anonymity-related bugs, so make sure you keep your Tor
versions up-to-date.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT ARE ENTRY GUARDS?

Tor (like all current practical low-latency anonymity designs) fails when the
attacker can see both ends of the communications channel. For example, suppose
the attacker controls or watches the Tor relay you choose to enter the network,
and also controls or watches the website you visit. In this case, the research
community knows no practical low-latency design that can reliably stop the
attacker from correlating volume and timing information on the two sides.

So, what should we do? Suppose the attacker controls, or can observe, C relays.
Suppose there are N relays total. If you select new entry and exit relays each
time you use the network, the attacker will be able to correlate all traffic you
send with probability around (c/n)2. But profiling is, for most users, as bad as
being traced all the time: they want to do something often without an attacker
noticing, and the attacker noticing once is as bad as the attacker noticing more
often. Thus, choosing many random entries and exits gives the user no chance of
escaping profiling by this kind of attacker.

The solution is "entry guards": each Tor client selects a few relays at random
to use as entry points, and uses only those relays for their first hop. If those
relays are not controlled or observed, the attacker can't win, ever, and the
user is secure. If those relays are observed or controlled by the attacker, the
attacker sees a larger fraction of the user's traffic - but still the user is no
more profiled than before. Thus, the user has some chance (on the order of
(n-c)/n) of avoiding profiling, whereas they had none before.

You can read more at An Analysis of the Degradation of Anonymous Protocols,
Defending Anonymous Communication Against Passive Logging Attacks, and
especially Locating Hidden Servers.

Restricting your entry nodes may also help against attackers who want to run a
few Tor nodes and easily enumerate all of the Tor user IP addresses. (Even
though they can't learn what destinations the users are talking to, they still
might be able to do bad things with just a list of users.) However, that feature
won't really become useful until we move to a "directory guard" design as well.

   
 * Edit this page - Suggest Feedback - Permalink

TELL ME ABOUT ALL THE KEYS TOR USES

Tor uses a variety of different keys, with three goals in mind: 1) encryption to
ensure privacy of data within the Tor network, 2) authentication so clients know
they're talking to the relays they meant to talk to, and 3) signatures to make
sure all clients know the same set of relays.

Encryption: first, all connections in Tor use TLS link encryption, so observers
can't look inside to see which circuit a given cell is intended for. Further,
the Tor client establishes an ephemeral encryption key with each relay in the
circuit; these extra layers of encryption mean that only the exit relay can read
the cells. Both sides discard the circuit key when the circuit ends, so logging
traffic and then breaking into the relay to discover the key won't work.

Authentication: Every Tor relay has a public decryption key called the "onion
key". Each relay rotates its onion key every four weeks. When the Tor client
establishes circuits, at each step it demands that the Tor relay prove knowledge
of its onion key. That way the first node in the path can't just spoof the rest
of the path. Because the Tor client chooses the path, it can make sure to get
Tor's "distributed trust" property: no single relay in the path can know about
both the client and what the client is doing.

Coordination: How do clients know what the relays are, and how do they know that
they have the right keys for them? Each relay has a long-term public signing key
called the "identity key". Each directory authority additionally has a
"directory signing key". The directory authorities provide a signed list of all
the known relays, and in that list are a set of certificates from each relay
(self-signed by their identity key) specifying their keys, locations, exit
policies, and so on. So unless the adversary can control a majority of the
directory authorities (as of 2022 there are 8 directory authorities), they can't
trick the Tor client into using other Tor relays.


HOW DO CLIENTS KNOW WHAT THE DIRECTORY AUTHORITIES ARE?

The Tor software comes with a built-in list of location and public key for each
directory authority. So the only way to trick users into using a fake Tor
network is to give them a specially modified version of the software.


HOW DO USERS KNOW THEY'VE GOT THE RIGHT SOFTWARE?

When we distribute the source code or a package, we digitally sign it with GNU
Privacy Guard. See the instructions on how to check Tor Browser's signature.

In order to be certain that it's really signed by us, you need to have met us in
person and gotten a copy of our GPG key fingerprint, or you need to know
somebody who has. If you're concerned about an attack on this level, we
recommend you get involved with the security community and start meeting people.

   
 * Edit this page - Suggest Feedback - Permalink

HOW OFTEN DOES TOR CHANGE ITS PATHS?

Tor will reuse the same circuit for new TCP streams for 10 minutes, as long as
the circuit is working fine. (If the circuit fails, Tor will switch to a new
circuit immediately.)

But note that a single TCP stream (e.g. a long IRC connection) will stay on the
same circuit forever. We don't rotate individual streams from one circuit to the
next. Otherwise, an adversary with a partial view of the network would be given
many chances over time to link you to your destination, rather than just one
chance.

   
 * Edit this page - Suggest Feedback - Permalink

TOR BROWSER

HOW CAN I VERIFY TOR BROWSER'S SIGNATURE?

Digital signature is a process ensuring that a certain package was generated by
its developers and has not been tampered with. Below we explain why it is
important and how to verify that the Tor Browser you download is the one we have
created and has not been modified by some attacker.

Each file on our download page is accompanied by a file labelled "signature"
with the same name as the package and the extension ".asc". These .asc files are
OpenPGP signatures. They allow you to verify the file you've downloaded is
exactly the one that we intended you to get. This will vary by web browser, but
generally you can download this file by right-clicking the "signature" link and
selecting the "save file as" option.

For example, tor-browser-windows-x86_64-portable-13.0.1.exe is accompanied by
tor-browser-windows-x86_64-portable-13.0.1.exe.asc. These are example file names
and will not exactly match the file names that you download.

We now show how you can verify the downloaded file's digital signature on
different operating systems. Please notice that a signature is dated the moment
the package has been signed. Therefore every time a new file is uploaded a new
signature is generated with a different date. As long as you have verified the
signature you should not worry that the reported date may vary.


INSTALLING GNUPG

First of all you need to have GnuPG installed before you can verify signatures.

FOR WINDOWS USERS:

If you run Windows, download Gpg4win and run its installer.

In order to verify the signature you will need to type a few commands in windows
command-line, cmd.exe.

FOR MACOS USERS:

If you are using macOS, you can install GPGTools.

In order to verify the signature you will need to type a few commands in the
Terminal (under "Applications").

FOR GNU/LINUX USERS:

If you are using GNU/Linux, then you probably already have GnuPG in your system,
as most GNU/Linux distributions come with it preinstalled.

In order to verify the signature you will need to type a few commands in a
terminal window. How to do this will vary depending on your distribution.


FETCHING THE TOR DEVELOPERS KEY

The Tor Browser team signs Tor Browser releases. Import the Tor Browser
Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):

gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org


This should show you something like:

gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   rsa4096 2014-12-15 [C] [expires: 2025-07-21]
      EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid           [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   rsa4096 2018-05-26 [S] [expires: 2020-12-19]


If you get an error message, something has gone wrong and you cannot continue
until you've figured out why this didn't work. You might be able to import the
key using the Workaround (using a public key) section instead.

After importing the key, you can save it to a file (identifying it by its
fingerprint here):

gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290


This command results in the key being saved to a file found at the path
./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn't exist
after running this command, something has gone wrong and you cannot continue
until you've figured out why this didn't work.


VERIFYING THE SIGNATURE

To verify the signature of the package you downloaded, you will need to download
the corresponding ".asc" signature file as well as the installer file itself,
and verify it with a command that asks GnuPG to verify the file that you
downloaded.

The examples below assume that you downloaded these two files to your
"Downloads" folder. Note that these commands use example file names and yours
will be different: you will need to replace the example file names with exact
names of the files you have downloaded.

FOR WINDOWS USERS (CHANGE X86_64 TO I686 IF YOU HAVE THE 32-BIT PACKAGE):

gpgv --keyring .\tor.keyring Downloads\tor-browser-windows-x86_64-portable-13.0.1.exe.asc Downloads\tor-browser-windows-x86_64-portable-13.0.1.exe


FOR MACOS USERS:

gpgv --keyring ./tor.keyring ~/Downloads/tor-browser-macos-13.0.1.dmg.asc ~/Downloads/tor-browser-macos-13.0.1.dmg


FOR GNU/LINUX USERS (CHANGE X86_64 TO I686 IF YOU HAVE THE 32-BIT PACKAGE):

gpgv --keyring ./tor.keyring ~/Downloads/tor-browser-linux-x86_64-13.0.1.tar.xz.asc ~/Downloads/tor-browser-linux-x86_64-13.0.1.tar.xz


The result of the command should contain:

gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"


If you get error messages containing 'No such file or directory', either
something went wrong with one of the previous steps, or you forgot that these
commands use example file names and yours will be a little different.

REFRESHING THE PGP KEY

Run the following command to refresh the Tor Browser Developers signing key in
your local keyring from the keyserver. This will also fetch the new subkeys.

gpg --refresh-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290


WORKAROUND (USING A PUBLIC KEY)

If you encounter errors you cannot fix, feel free to download and use this
public key instead. Alternatively, you may use the following command:

curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf |gpg --import -


Tor Browser Developers key is also available on keys.openpgp.org and can be
downloaded from
https://keys.openpgp.org/vks/v1/by-fingerprint/EF6E286DDA85EA2A4BA7DE684E2C6E8793298290.
If you're using MacOS or GNU/Linux, the key can also be fetched by running the
following command:

gpg --keyserver keys.openpgp.org --search-keys EF6E286DDA85EA2A4BA7DE684E2C6E8793298290


You may also want to learn more about GnuPG.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I INSTALL TOR BROWSER?

Please see the Installation section in the Tor Browser Manual.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I UNINSTALL TOR BROWSER?

Please see the Uninstalling section in the Tor Browser Manual.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I UPDATE TOR BROWSER?

Please see the Updating section in the Tor Browser Manual.

   
 * Edit this page - Suggest Feedback - Permalink

I DOWNLOADED AND INSTALLED TOR BROWSER FOR WINDOWS, BUT NOW I CAN'T FIND IT.

The file you download and run prompts you for a destination. If you don't
remember what this destination was, it's most likely your Downloads or Desktop
folder.

The default setting in the Windows installer also creates a shortcut for you on
your Desktop, though be aware that you may have accidentally deselected the
option to create a shortcut.

If you can't find it in either of those folders, download it again and look for
the prompt that asks you to choose a directory to download it in. Choose a
directory location that you'll remember easily, and once the download finishes
you should see a Tor Browser folder there.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT ARE THE MOST COMMON ISSUES WITH THE LATEST STABLE VERSION OF TOR BROWSER?

Whenever we release a new stable version of Tor Browser, we write a blog post
that details its new features and known issues. If you started having issues
with your Tor Browser after an update, check out blog.torproject.org for a post
on the most recent stable Tor Browser to see if your issue is listed. If your
issue is not listed there, please check first Tor Browser's issue tracker and
create a GitLab issue about what you're experiencing.

   
 * Edit this page - Suggest Feedback - Permalink

I NEED TOR BROWSER IN A LANGUAGE THAT'S NOT ENGLISH.

We want everyone to be able to enjoy Tor Browser in their own language. Tor
Browser is now available in multiple languages, and we are working to add more.

Our current list of supported languages is:

Language العربية (ar) Català (ca) česky (cs) Dansk (da) Deutsch (de) Ελληνικά
(el) English (en) Español (es) ﻑﺍﺮﺴﯾ (fa) Suomi (fi) Français (fr) Gaeilge
(ga-IE) עברית (he) Magyar nyelv (hu) Indonesia (id) Islenska (is) Italiano (it)
日本語 (ja) ქართული (ka) 한국어 (ko) lietuvių kalba (lt) македонски (mk) ﺐﻫﺎﺳ ﻡﻼﻳﻭ
(ms) မြမစ (my) Norsk Bokmål (nb-NO) Nederlands (nl) Polszczyzna (pl) Português
Brasil(pt-BR) Română (ro) Русский (ru) Shqip (sq) Svenska (sv-SE) ภาษาไทย (th)
Türkçe (tr) Український (uk) Tiếng Việt (vi) 简体中文 (zh-CN) 正體字 (zh-TW)

Want to help us translate? Become a Tor translator!

You can also help us in testing the next languages we will release, by
installing and testing Tor Browser Alpha releases.

   
 * Edit this page - Suggest Feedback - Permalink

ARE THERE ANY PAID VERSIONS OF TOR BROWSER?

No, Tor Browser is an open source software and it is free. Any browser forcing
you to pay and is claiming to be Tor Browser is fake. To make sure you are
downloading the right Tor Browser visit our download page. After downloading,
you can make sure that you have the official version of Tor Browser by verifying
the signature. If you are not able to access our website, then visit censorship
section to get information about alternate way of downloading Tor Browser.

If you have paid for a fake app claiming to be Tor Browser, you can try to
request a refund from the Apple or Play Store, or you can contact your bank to
report a fraudulent transaction. We cannot refund you for a purchase made to
another company.

You can report fake Tor Browsers on frontdesk@torproject.org

   
 * Edit this page - Suggest Feedback - Permalink

WHICH PLATFORMS IS TOR BROWSER AVAILABLE FOR?

Tor Browser is currently available on Windows, Linux, macOS, and Android.

On Android, The Guardian Project also provides the Orbot app to route other apps
on your Android device over the Tor network.

There is no official version of Tor Browser for iOS yet, as explained in this
blog post. Our best available recommendation is Onion Browser.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I DOWNLOAD TOR BROWSER FOR CHROME OS?

Unfortunately, we don't yet have a version of Tor Browser for Chrome OS. You
could run Tor Browser for Android on Chrome OS. Note that by using Tor Mobile on
Chrome OS, you will view the mobile (not desktop) versions of websites. However,
because we have not audited the app in Chrome OS, we don't know if all the
privacy features of Tor Browser for Android will work well.

   
 * Edit this page - Suggest Feedback - Permalink

IS THERE SUPPORT FOR *BSD?

Sorry, but there is currently no official support for running Tor Browser on
*BSD. There is something called the TorBSD project, but their Tor Browser is not
officially supported.

   
 * Edit this page - Suggest Feedback - Permalink

HOW CAN I MAKE TOR RUN FASTER? IS TOR BROWSER SLOWER THAN OTHER BROWSERS?

Using Tor Browser can sometimes be slower than other browsers. The Tor network
has over a million daily users, and just over 6000 relays to route all of their
traffic, and the load on each server can sometimes cause latency. And, by
design, your traffic is bouncing through volunteers' servers in various parts of
the world, and some bottlenecks and network latency will always be present. You
can help improve the speed of the network by running your own relay, or
encouraging others to do so. For the much more in-depth answer, see Roger's blog
post on the topic and Tor's Open Research Topics: 2018 edition about Network
Performance. You can also checkout our recent blog post Tor Network Defense
Against Ongoing Attacks, which discusses the Denial of Service (DoS) attacks on
the Tor Network. Furthermore, we have introduced a Proof-of-Work Defense for
Onion Services to help mitigate some of these attacks. That said, Tor is much
faster than it used to be and you may not actually notice any change in speed
from other browsers.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT IS THE DIFFERENCE BETWEEN USING TOR BROWSER AND 'INCOGNITO MODE' OR PRIVATE
TABS?

While the names may imply otherwise, 'Incognito mode' and 'private tabs' do not
make you anonymous on the Internet. They erase all the information on your
machine relating to the browsing session after they are closed, but have no
measures in place to hide your activity or digital fingerprint online. This
means that an observer can collect your traffic just as easily as any regular
browser.

Tor Browser offers all the amnesic features of private tabs while also hiding
the source IP, browsing habits and details about a device that can be used to
fingerprint activity across the web, allowing for a truly private browsing
session that's fully obfuscated from end-to-end.

For more information regarding the limitations of Incognito mode and private
tabs, see Mozilla's article on Common Myths about Private Browsing.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I SET TOR BROWSER AS MY DEFAULT BROWSER?

There are methods for setting Tor Browser as your default browser, but those
methods may not work always or in every operating system. Tor Browser works hard
to isolate itself from the rest of your system, and the steps for making it the
default browser are unreliable. This means sometimes a website would load in Tor
Browser, and sometimes it would load in another browser. This type of behavior
can be dangerous and break anonymity.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I USE TOR WITH A BROWSER BESIDES TOR BROWSER?

We strongly recommend against using Tor in any browser other than Tor Browser.
Using Tor in another browser can leave you vulnerable without the privacy
protections of Tor Browser.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I STILL USE ANOTHER BROWSER, LIKE CHROME OR FIREFOX, WHEN I AM USING TOR
BROWSER?

You can certainly use another browser while you are also using Tor Browser.
However, you should know that the privacy properties of Tor Browser will not be
present in the other browser. Be careful when switching back and forth between
Tor and a less safe browser, because you may accidentally use the other browser
for something you intended to do using Tor.

   
 * Edit this page - Suggest Feedback - Permalink

IS IT SAFE TO RUN TOR BROWSER AND ANOTHER BROWSER AT THE SAME TIME?

If you run Tor Browser and another browser at the same time, it won't affect
Tor's performance or privacy properties.

However, be aware that when using Tor and another browser at the same time, your
Tor activity could be linked to your non-Tor (real) IP from the other browser,
simply by moving your mouse from one browser into the other.

Or you may simply forget and accidentally use that non-private browser to do
something that you intended to do in Tor Browser instead.

   
 * Edit this page - Suggest Feedback - Permalink

DOES USING TOR BROWSER PROTECT OTHER APPLICATIONS ON MY COMPUTER?

Only Tor Browser's traffic will be routed over the Tor network. Any other
application on your system (including other browsers) will not have their
connections routed over the Tor network, and will not be protected. They need to
be configured separately to use Tor. If you need to be sure that all traffic
will go through the Tor network, take a look at the Tails live operating system
which you can start on almost any computer from a USB stick or a DVD.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I RUN MULTIPLE INSTANCES OF TOR BROWSER?

We do not recommend running multiple instances of Tor Browser, and doing so may
not work as anticipated on many platforms.

   
 * Edit this page - Suggest Feedback - Permalink

WHY DOES MY TOR BROWSER SAY SOMETHING ABOUT FIREFOX NOT WORKING?

Tor Browser is built using Firefox ESR, so errors regarding Firefox may occur.
Please be sure no other instance of Tor Browser is already running, and that you
have extracted Tor Browser in a location that your user has the correct
permissions for. If you are running an anti-virus, please see My
antivirus/malware protection is blocking me from accessing Tor Browser, it is
common for anti-virus/anti-malware software to cause this type of issue.

   
 * Edit this page - Suggest Feedback - Permalink

WHY IS TOR BROWSER BUILT FROM FIREFOX AND NOT SOME OTHER BROWSER?

Tor Browser is a modified version of Firefox specifically designed for use with
Tor. A lot of work has been put into making Tor Browser, including the use of
extra patches to enhance privacy and security. While it is technically possible
to use Tor with other browsers, you may open yourself up to potential attacks or
information leakage, so we strongly discourage it. Learn more about the design
of Tor Browser.

   
 * Edit this page - Suggest Feedback - Permalink

HOW CAN I EXPORT AND IMPORT BOOKMARKS IN TOR BROWSER?

Bookmarks in Tor Browser for Desktop can be exported, imported, backed up,
restored as well as imported from another browser. The instructions are similar
on Windows, macOS and Linux. In order to manage your bookmarks in Tor Browser,
go to:

 * Hamburger menu >> Bookmarks >> Manage bookmarks (below the menu)
 * From the toolbar on the Library window, click on the option to 'Import and
   Backup'.

If you wish to export bookmarks

 * Choose Export Bookmarks to HTML
 * In the Export Bookmarks File window that opens, choose a location to save the
   file, which is named bookmarks.html by default. The desktop is usually a good
   spot, but any place that is easy to remember will work.
 * Click the Save button. The Export Bookmarks File window will close.
 * Close the Library window.

> Your bookmarks are now successfully exported from Tor Browser. The bookmarks
> HTML file you saved is now ready to be imported into another web browser.

If you wish to import bookmarks

 * Choose Import Bookmarks from HTML
 * Within the Import Bookmarks File window that opens, navigate to the bookmarks
   HTML file you are importing and select the file.
 * Click the Open button. The Import Bookmarks File window will close.
 * Close the Library window.

> The bookmarks in the selected HTML file will be added to your Tor Browser
> within the Bookmarks Menu directory.

If you wish to backup

 * Choose Backup
 * A new window opens and you have to choose the location to save the file. The
   file has a .json extension.

If you wish to restore

 * Choose Restore and then select the bookmark file you wish to restore.
 * Click okay to the pop up box that appears and hurray, you just restored your
   backup bookmark.

Import bookmarks from another browser

> Bookmarks can be transferred from Firefox to Tor Browser. There are two ways
> to export and import bookmarks in Firefox: HTML file or JSON file. After
> exporting the data from the browser, follow the above steps to import the
> bookmark file into your Tor Browser.

Note: Currently, on Tor Browser for Android, there is no good way to export and
import bookmarks. Bug #31617

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I VIEW TOR BROWSER MESSAGE LOG?

When you have Tor Browser open, you can navigate to the hamburger menu ("≡"),
then click on "Settings", and finally on "Connection" in the side bar. At the
bottom of the page, next to the "View the Tor logs" text, click the button "View
Logs...". You should see an option to copy the log to your clipboard, which you
will be able to paste it into a text editor or an email client.

Alternatively, on GNU/Linux, to view the logs right in the terminal, navigate to
the Tor Browser directory and launch Tor Browser from the command line by
running:

‪./start-tor-browser.desktop --verbose

or to save the logs to a file (default: tor-browser.log)

‪./start-tor-browser.desktop --log [file]

   
 * Edit this page - Suggest Feedback - Permalink

WHAT ARE GREY BARS ON RESIZED TOR BROWSER WINDOW?

Tor Browser in its default mode is starting with a content window rounded to a
multiple of 200px x 100px to prevent fingerprinting of the screen dimensions.
This is an anti-fingerprinting feature in Tor Browser called Letterboxing.

   
 * Edit this page - Suggest Feedback - Permalink

OUR WEBSITE IS BLOCKED BY A CENSOR. CAN TOR BROWSER HELP USERS ACCESS OUR
WEBSITE?

Tor Browser can certainly help people access your website in places where it is
blocked. Most of the time, simply downloading the Tor Browser and then using it
to navigate to the blocked site will allow access. In places where there is
heavy censorship we have a number of censorship circumvention options available,
including pluggable transports.

For more information, please see the Tor Browser User Manual section on
censorship circumvention.

   
 * Edit this page - Suggest Feedback - Permalink

A WEBSITE I AM TRYING TO REACH IS BLOCKING ACCESS OVER TOR.

Sometimes websites will block Tor users because they can't tell the difference
between the average Tor user and automated traffic. The best success we've had
in getting sites to unblock Tor users is getting users to contact the site
administrators directly. Something like this might do the trick:

"Hi! I tried to access your site xyz.com while using Tor Browser and discovered
that you don't allow Tor users to access your site. I urge you to reconsider
this decision; Tor is used by people all over the world to protect their privacy
and fight censorship. By blocking Tor users, you are likely blocking people in
repressive countries who want to use a free internet, journalists and
researchers who want to protect themselves from discovery, whistleblowers,
activists, and ordinary people who want to opt out of invasive third party
tracking. Please take a strong stance in favor of digital privacy and internet
freedom, and allow Tor users access to xyz.com. Thank you."

In the case of banks, and other sensitive websites, it is also common to see
geography-based blocking (if a bank knows you generally access their services
from one country, and suddenly you are connecting from an exit relay on the
other side of the world, your account may be locked or suspended).

If you are unable to connect to an onion service, please see I cannot reach
X.onion!.

   
 * Edit this page - Suggest Feedback - Permalink

A WEBSITE (BANK, EMAIL PROVIDER, ETC.) LOCKS ME OUT WHENEVER I USE TOR, WHAT CAN
I DO?

Tor Browser often makes your connection appear as though it is coming from an
entirely different part of the world. Some websites, such as banks or email
providers, might interpret this as a sign that your account has been
compromised, and lock you out.

The only way to resolve this is by following the site's recommended procedure
for account recovery, or contacting the operators and explaining the situation.

You may be able to avoid this scenario if your provider offers 2-factor
authentication, which is a much better security option than IP-based
reputations. Contact your provider and ask them if they provide 2FA.

   
 * Edit this page - Suggest Feedback - Permalink

I'M HAVING TROUBLE USING FEATURES ON FACEBOOK, TWITTER, OR SOME OTHER WEBSITE
WHEN I'M USING TOR BROWSER.

Sometimes JavaScript-heavy websites can have functional issues over Tor Browser.
The simplest fix is to click on the Security icon (the small gray shield at the
top-right of the screen), then click "Settings..." Set your security level to
"Standard".

   
 * Edit this page - Suggest Feedback - Permalink

MY ANTIVIRUS OR MALWARE PROTECTION IS BLOCKING ME FROM ACCESSING TOR BROWSER.

Most antivirus or malware protection allows the user to "allowlist" certain
processes that would otherwise be blocked. Please open your antivirus or malware
protection software and look in the settings for an "allowlist" or something
similar. Next, include the following processes:

 * For Windows
   * firefox.exe
   * tor.exe
   * lyrebird.exe (if you use bridges)
   * snowflake-client.exe

 * For macOS
   * TorBrowser
   * tor.real
   * lyrebird (if you use bridges)
   * snowflake-client

Finally, restart Tor Browser. This should fix the issues you're experiencing.
Please note that some antivirus clients, like Kaspersky, may also be blocking
Tor at the firewall level.

   
 * Edit this page - Suggest Feedback - Permalink

TOR BROWSER AND ANTIVIRUS FALSE POSITIVE WARNINGS

Some antivirus software will pop up malware and/or vulnerability warnings when
Tor Browser is launched. If you downloaded Tor Browser from our main website or
used GetTor, and verified it, these are false positives and you have nothing to
worry about. Some antiviruses consider that files that have not been seen by a
lot of users as suspicious. To make sure that the Tor program you download is
the one we have created and has not been modified by some attacker, you can
verify Tor Browser's signature. You may also want to permit certain processes to
prevent antiviruses from blocking access to Tor Browser.

   
 * Edit this page - Suggest Feedback - Permalink

TOR BROWSER CAN'T CONNECT. IS MY NETWORK CENSORED?

If you have exhausted general troubleshooting steps, it's possible that your
connection to Tor is censored. In that case, connecting with one of the built-in
censorship circumvention methods in Tor Browser can help. Connection Assist can
automatically choose one for you using your location.

If Connection Assist is unable to facilitate the connection to Tor, you can
configure Tor Browser to use one of the built-in circumvention methods manually.
To use bridges and access other censorship circumvention related settings, click
"Configure Connection" when starting Tor Browser for the first time. In the
"Bridges" section, locate the option "Choose from one of Tor Browser's built-in
bridges" and click on the "Select a built-In bridge" option. From the menu,
select a censorship circumvention method you would like to use.

Or, if you have Tor Browser running, click on "Settings" in the hamburger menu
(≡) and then on "Connection" in the sidebar. In the "Bridges" section, locate
the option "Choose from one of Tor Browser's built-in bridges" and click on the
"Select a built-In bridge" option. Choose whichever censorship circumvention
method you would like to use from the menu. Your settings will automatically be
saved once you close the tab.

If you need other bridges, you can get them from our Bridges website. For more
information about bridges, please refer to the Tor Browser user manual.

   
 * Edit this page - Suggest Feedback - Permalink

TOR BROWSER WON'T CONNECT, BUT IT DOESN'T SEEM TO BE AN ISSUE WITH CENSORSHIP.

One of the most common issues that causes connection errors in Tor Browser is an
incorrect system clock. Please make sure your system clock and timezone are set
accurately. If this doesn't fix the problem, see the Troubleshooting page on the
Tor Browser manual.

   
 * Edit this page - Suggest Feedback - Permalink

GMAIL WARNS ME THAT MY ACCOUNT MAY HAVE BEEN COMPROMISED

Sometimes, after you've used Gmail over Tor, Google presents a pop-up
notification that your account may have been compromised. The notification
window lists a series of IP addresses and locations throughout the world
recently used to access your account.

In general, this is a false alarm: Google saw a bunch of logins from different
places, as a result of running the service via Tor, and decided it was a good
idea to confirm the account was being accessed by its rightful owner.

Even though this may be a byproduct of using the service via Tor, that doesn't
mean you can entirely ignore the warning. It is probably a false positive, but
it might not be since it is possible for someone to hijack your Google cookie.

Cookie hijacking is possible by either physical access to your computer or by
watching your network traffic. In theory, only physical access should compromise
your system because Gmail and similar services should only send the cookie over
an SSL link. In practice, alas, it's way more complex than that.

And if somebody did steal your Google cookie, they might end up logging in from
unusual places (though of course they also might not). So the summary is that
since you're using Tor Browser, this security measure that Google uses isn't so
useful for you, because it's full of false positives. You'll have to use other
approaches, like seeing if anything looks weird on the account, or looking at
the timestamps for recent logins and wondering if you actually logged in at
those times.

More recently, Gmail users can turn on 2-Step Verification on their accounts to
add an extra layer of security.

   
 * Edit this page - Suggest Feedback - Permalink

GOOGLE MAKES ME SOLVE A CAPTCHA OR TELLS ME I HAVE SPYWARE INSTALLED

This is a known and intermittent problem; it does not mean that Google considers
Tor to be spyware.

When you use Tor, you are sending queries through exit relays that are also
shared by thousands of other users. Tor users typically see this message when
many Tor users are querying Google in a short period of time. Google interprets
the high volume of traffic from a single IP address (the exit relay you happened
to pick) as somebody trying to "crawl" their website, so it slows down traffic
from that IP address for a short time.

You can try 'New Circuit for this Site' to access the website from a different
IP address.

An alternate explanation is that Google tries to detect certain kinds of spyware
or viruses that send distinctive queries to Google Search. It notes the IP
addresses from which those queries are received (not realizing that they are Tor
exit relays), and tries to warn any connections coming from those IP addresses
that recent queries indicate an infection.

To our knowledge, Google is not doing anything intentionally specifically to
deter or block Tor use. The error message about an infected machine should clear
up again after a short time.

   
 * Edit this page - Suggest Feedback - Permalink

CAN YOU GET RID OF ALL THE CAPTCHAS?

Unfortunately, some websites deliver Captchas to Tor users, and we are not able
to remove Captchas from websites. The best thing to do in these cases is to
contact the website owners, and inform them that their Captchas are preventing
users such as yourself from using their services.

   
 * Edit this page - Suggest Feedback - Permalink

WHY DOES GOOGLE SHOW UP IN FOREIGN LANGUAGES?

Google uses "geolocation" to determine where in the world you are, so it can
give you a personalized experience. This includes using the language it thinks
you prefer, and it also includes giving you different results on your queries.

If you really want to see Google in English you can click the link that provides
that. But we consider this a feature with Tor, not a bug --- the Internet is not
flat, and it in fact does look different depending on where you are. This
feature reminds people of this fact.

Note that Google search URLs take name/value pairs as arguments and one of those
names is "hl". If you set "hl" to "en" then Google will return search results in
English regardless of what Google server you have been sent to. The changed link
might look like this:

https://encrypted.google.com/search?q=online%20anonymity&hl=en

Another method is to simply use your country code for accessing Google. This can
be google.be, google.de, google.us and so on.

   
 * Edit this page - Suggest Feedback - Permalink

WILL MY NETWORK ADMIN BE ABLE TO TELL I'M USING TOR BROWSER?

When using Tor Browser, no one can see the websites that you visit. However,
your service provider or network admins may be able to see that you're
connecting to the Tor network, though they won't know what you're doing when you
get there.

   
 * Edit this page - Suggest Feedback - Permalink

WHEN I USE TOR BROWSER, WILL ANYONE BE ABLE TO TELL WHICH WEBSITES I VISIT?

Tor Browser prevents people from knowing the websites you visit. Some entities,
such as your Internet Service Provider (ISP), may be able to see that you're
using Tor, but they won't know where you're going when you do.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT SEARCH ENGINE COMES WITH TOR BROWSER AND HOW DOES IT PROTECT MY PRIVACY?

DuckDuckGo is the default search engine in Tor Browser. DuckDuckGo does not
track its users nor does it store any data about user searches. Learn more about
DuckDuckGo privacy policy.

   
 * Edit this page - Suggest Feedback - Permalink

WHY DID MY SEARCH ENGINE SWITCH TO DUCKDUCKGO?

With the release of Tor Browser 6.0.6, we switched to DuckDuckGo as the primary
search engine. For a while now, Disconnect, which was formerly used in Tor
Browser, has had no access to Google search results. Since Disconnect is more of
a meta search engine, which allows users to choose between different search
providers, it fell back to delivering Bing search results, which were basically
unacceptable quality-wise. DuckDuckGo does not log, collect or share the user's
personal information or their search history, and therefore is best positioned
to protect your privacy. Most other search engines store your searches along
with other information such as the timestamp, your IP address, and your account
information if you are logged in.

   
 * Edit this page - Suggest Feedback - Permalink

I'M HAVING A PROBLEM WITH DUCKDUCKGO.

Please see the DuckDuckGo support portal. If you believe this is a Tor Browser
issue, please report it on our issue tracker.

   
 * Edit this page - Suggest Feedback - Permalink

IS THERE A WAY TO CHANGE THE IP ADDRESS THAT TOR BROWSER ASSIGNS ME FOR A
PARTICULAR SITE?

Tor Browser has two ways to change your relay circuit — "New Identity" and "New
Tor Circuit for this Site". Both options are located in the hamburger menu
("≡"). You can also access the New Circuit option inside the site information
menu in the URL bar, and the New Identity option by clicking the small sparky
broom icon at the top-right of the screen.

NEW IDENTITY

This option is useful if you want to prevent your subsequent browser activity
from being linkable to what you were doing before.

Selecting it will close all your tabs and windows, clear all private information
such as cookies and browsing history, and use new Tor circuits for all
connections.

Tor Browser will warn you that all activity and downloads will be stopped, so
take this into account before clicking "New Identity".



NEW TOR CIRCUIT FOR THIS SITE

This option is useful if the exit relay you are using is unable to connect to
the website you require, or is not loading it properly. Selecting it will cause
the currently-active tab or window to be reloaded over a new Tor circuit.

Other open tabs and windows from the same website will use the new circuit as
well once they are reloaded.

This option does not clear any private information or unlink your activity, nor
does it affect your current connections to other websites.



   
 * Edit this page - Suggest Feedback - Permalink

DOES RUNNING TOR BROWSER MAKE ME A RELAY?

Running Tor Browser does not make you act as a relay in the network. This means
that your computer will not be used to route traffic for others. If you'd like
to become a relay, please see our Tor Relay Guide.

   
 * Edit this page - Suggest Feedback - Permalink

WHY IS THE FIRST IP ADDRESS IN MY RELAY CIRCUIT ALWAYS THE SAME?

That is normal Tor behavior. The first relay in your circuit is called an "entry
guard" or "guard". It is a fast and stable relay that remains the first one in
your circuit for 2-3 months in order to protect against a known
anonymity-breaking attack. The rest of your circuit changes with every new
website you visit, and all together these relays provide the full privacy
protections of Tor. For more information on how guard relays work, see this blog
post and paper on entry guards.

   
 * Edit this page - Suggest Feedback - Permalink

DOES TOR BROWSER USE A DIFFERENT CIRCUIT FOR EACH WEBSITE?

In Tor Browser, every new domain gets its own circuit. The Design and
Implementation of Tor Browser document further explains the thinking behind this
design.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I PICK WHICH COUNTRY I'M EXITING FROM?

Modifying the way that Tor creates its circuits is strongly discouraged. You get
the best security that Tor can provide when you leave the route selection to
Tor; overriding the entry/exit nodes can compromise your anonymity. If the
outcome you want is simply to be able to access resources that are only
available in one country, you may want to consider using a VPN instead of using
Tor. Please note that VPNs do not have the same privacy properties as Tor, but
they will help solve some geolocation restriction issues.

   
 * Edit this page - Suggest Feedback - Permalink

I'M SUPPOSED TO "EDIT MY TORRC". WHAT DOES THAT MEAN?

WARNING: Do NOT follow random advice instructing you to edit your torrc! Doing
so can allow an attacker to compromise your security and anonymity through
malicious configuration of your torrc.

Tor uses a text file called torrc that contains configuration instructions for
how Tor should behave. The default configuration should work fine for most Tor
users (hence the warning above.)

To find your Tor Browser torrc, follow the instructions for your operating
system below.

On Windows or Linux:

 * The torrc is in the Tor Browser Data directory at Browser/TorBrowser/Data/Tor
   inside your Tor Browser directory.

On macOS:

 * The torrc is in the Tor Browser Data directory at ~/Library/Application
   Support/TorBrowser-Data/Tor.
 * Note the Library folder is hidden on newer versions of macOS. To navigate to
   this folder in Finder, select "Go to Folder..." in the "Go" menu.
 * Then type ~/Library/Application Support/ in the window and click Go.

Close Tor Browser before you edit your torrc, otherwise Tor Browser may erase
your modifications. Some options will have no effect as Tor Browser overrides
them with command line options when it starts Tor.

Have a look at the sample torrc file for hints on common configurations. For
other configuration options you can use, see the Tor manual page. Remember, all
lines beginning with # in torrc are treated as comments and have no effect on
Tor's configuration.

   
 * Edit this page - Suggest Feedback - Permalink

SHOULD I INSTALL A NEW ADD-ON OR EXTENSION IN TOR BROWSER, LIKE ADBLOCK PLUS OR
UBLOCK ORIGIN?

It's strongly discouraged to install new add-ons in Tor Browser, because they
can compromise your privacy and security.

Installing new add-ons may affect Tor Browser in unforeseen ways and potentially
make your Tor Browser fingerprint unique. If your copy of Tor Browser has a
unique fingerprint, your browsing activities can be deanonymized and tracked
even though you are using Tor Browser.

Each browser's settings and features create what is called a "browser
fingerprint". Most browsers inadvertently create a unique fingerprint for each
user which can be tracked across the internet. Tor Browser is specifically
engineered to have a nearly identical (we're not perfect!) fingerprint across
its users. This means each Tor Browser user looks like many other Tor Browser
users, making it difficult to track any individual user.

There's also a good chance a new add-on will increase the attack surface of Tor
Browser. This may allow sensitive data to be leaked or allow an attacker to
infect Tor Browser. The add-on itself could even be maliciously designed to spy
on you.

Tor Browser already comes installed with one add-on — NoScript — and adding
anything else could deanonymize you.

Want to learn more about browser fingerprinting? Here's an article on The Tor
Blog all about it.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I USE FLASH IN TOR BROWSER?

Flash is disabled in Tor Browser, and we recommend you to not enable it. We
don't think Flash is safe to use in any browser — it's a very insecure piece of
software that can easily compromise your privacy or serve you malware.
Fortunately, most websites, devices, and other browsers are moving away from the
use of Flash.

   
 * Edit this page - Suggest Feedback - Permalink

MY INTERNET CONNECTION REQUIRES AN HTTP OR SOCKS PROXY

If you're using Tor Browser, you can set your proxy's address, port, and
authentication information in the Connection Settings.

If you're using Tor another way, you can set the proxy information in your torrc
file. Check out the HTTPSProxy config option in the manual page. If your proxy
requires authentication, see the HTTPSProxyAuthenticator option. Example with
authentication:

  HTTPSProxy 10.0.0.1:8080
  HTTPSProxyAuthenticator myusername:mypass


We only support Basic auth currently, but if you need NTLM authentication, you
may find this post in the archives useful.

For using a SOCKS proxy, see the Socks4Proxy, Socks5Proxy, and related torrc
options in the manual page. Using a SOCKS 5 proxy with authentication might look
like this:

  Socks5Proxy 10.0.0.1:1080
  Socks5ProxyUsername myuser
  Socks5ProxyPassword mypass


If your proxies only allow you to connect to certain ports, look at the entry on
Firewalled clients for how to restrict what ports your Tor will try to access.

   
 * Edit this page - Suggest Feedback - Permalink

I'M HAVING A PROBLEM WITH HTTPS EVERYWHERE.

Please see the HTTPS Everywhere FAQ. If you believe this is a Tor Browser for
Android issue, please report it on our issue tracker.

Since Tor Browser 11.5, HTTPS-Only Mode is enabled by default for desktop, and
HTTPS Everywhere is no longer bundled with Tor Browser.

   
 * Edit this page - Suggest Feedback - Permalink

I WANT TO RUN MY TOR CLIENT ON A DIFFERENT COMPUTER THAN MY APPLICATIONS

By default, your Tor client only listens for applications that connect from
localhost. Connections from other computers are refused. If you want to torify
applications on different computers than the Tor client, you should edit your
torrc to define SocksListenAddress 0.0.0.0 and then restart (or hup) Tor. If you
want to get more advanced, you can configure your Tor client on a firewall to
bind to your internal IP but not your external IP.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I INSTALL TOR ON A CENTRAL SERVER, AND HAVE MY CLIENTS CONNECT TO IT?

Yes. Tor can be configured as a client or a relay on another machine, and allow
other machines to be able to connect to it for anonymity. This is most useful in
an environment where many computers want a gateway of anonymity to the rest of
the world. However, be forewarned that with this configuration, anyone within
your private network (existing between you and the Tor client/relay) can see
what traffic you are sending in clear text. The anonymity doesn't start until
you get to the Tor relay. Because of this, if you are the controller of your
domain and you know everything's locked down, you will be OK, but this
configuration may not be suitable for large private networks where security is
key all around.

Configuration is simple, editing your torrc file's SocksListenAddress according
to the following examples:

SocksListenAddress 127.0.0.1


SocksListenAddress 192.168.x.x:9100


SocksListenAddress 0.0.0.0:9100


You can state multiple listen addresses, in the case that you are part of
several networks or subnets.

SocksListenAddress 192.168.x.x:9100 #eth0
SocksListenAddress 10.x.x.x:9100 #eth1


After this, your clients on their respective networks/subnets would specify a
socks proxy with the address and port you specified SocksListenAddress to be.
Please note that the SocksPort configuration option gives the port ONLY for
localhost (127.0.0.1). When setting up your SocksListenAddress(es), you need to
give the port with the address, as shown above. If you are interested in forcing
all outgoing data through the central Tor client/relay, instead of the server
only being an optional proxy, you may find the program iptables (for *nix)
useful.

   
 * Edit this page - Suggest Feedback - Permalink

WHY DOES TOR BROWSER SHIP WITH JAVASCRIPT ENABLED?

We configure NoScript to allow JavaScript by default in Tor Browser because many
websites will not work with JavaScript disabled. Most users would give up on Tor
entirely if we disabled JavaScript by default because it would cause so many
problems for them. Ultimately, we want to make Tor Browser as secure as possible
while also making it usable for the majority of people, so for now, that means
leaving JavaScript enabled by default.

For users who want to have JavaScript disabled on all HTTP sites by default, we
recommend changing your Tor Browser's Security Level option. This can be done by
clicking on the Security icon (the small gray shield at the top-right of the
screen) and then clicking on "Settings...". The "Standard" level allows
JavaScript, the "Safer" level blocks JavaScript on HTTP sites and the "Safest"
level blocks JavaScript altogether.

   
 * Edit this page - Suggest Feedback - Permalink

I'M HAVING A PROBLEM WITH NOSCRIPT.

Please see the NoScript FAQ. If you believe this is a Tor Browser issue, please
report it on our bug tracker.

   
 * Edit this page - Suggest Feedback - Permalink

HOW CAN I CHECK WHAT VERSION OF TOR BROWSER I HAVE INSTALLED?

It is often important to know what version of Tor Browser you are using, to help
you troubleshoot a problem or just to know if Tor Browser is up to date. This is
important information to share when raising a support ticket.


TOR BROWSER DESKTOP

 * When you have Tor Browser running, click on "Settings" in the hamburger menu
   (≡).
 * Scroll down to the "Tor Browser Updates" section where the version number is
   listed.


TOR BROWSER FOR ANDROID

FROM THE APP

 * When you have Tor Browser for Android running, tap on 'Settings'.
 * Scroll to the bottom of the page.
 * Tap on 'About Tor Browser'.
 * The version number should be listed on this page.

FROM ANDROID MENU

 * Navigate to Android's Settings.
 * Tap on 'Apps' to open the list of apps installed on your device.
 * Find 'Tor Browser' from the list of apps.
 * Tap on 'Tor Browser'.
 * Scroll down to the very bottom of the page where the version number will be
   listed.

   
 * Edit this page - Suggest Feedback - Permalink

TOR MOBILE

WHAT HAPPENED TO ORFOX?

With the release of Tor Browser for Android, Orfox has been retired.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I RUN TOR BROWSER ON WINDOWS PHONE?

There is currently no supported method for running Tor Browser on older Windows
Phones but in case of the newer Microsoft-branded/promoted phones, same steps as
in Tor Browser for Android can be followed.

   
 * Edit this page - Suggest Feedback - Permalink

WHO IS THE GUARDIAN PROJECT?

The Guardian Project maintains Orbot (and other privacy applications) on
Android. More info can be found on the Guardian Project's website.

   
 * Edit this page - Suggest Feedback - Permalink

IS TOR BROWSER AVAILABLE ON F-DROID?

It will be, soon. In the meantime you can use F-Droid to download Tor Browser
for Android by enabling the Guardian Project's Repository.

Learn how to add a repository to F-Droid.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I RUN TOR BROWSER ON AN IOS DEVICE?

We recommend iOS apps Onion Browser and Orbot for a secure connection to Tor.
Onion Browser and Orbot are open source, use Tor routing, and are developed by
someone who works closely with the Tor Project. However, Apple requires browsers
on iOS to use something called Webkit, which prevents Onion Browser from having
the same privacy protections as Tor Browser.

Learn more about Onion Browser. Download Onion Browser and Orbot from the App
Store.

   
 * Edit this page - Suggest Feedback - Permalink

DO I NEED BOTH TOR BROWSER FOR ANDROID AND ORBOT, OR ONLY ONE?

While both Tor Browser for Android and Orbot are great, they serve different
purposes. Tor Browser for Android is like the desktop Tor Browser, but on your
mobile device. It is a one stop browser that uses the Tor network and tries to
be as anonymous as possible. Orbot on the other hand is a proxy that will enable
you to send the data from your other applications (E-Mail clients, instant
messaging apps, etc.) through the Tor network; a version of Orbot is also inside
of Tor Browser for Android, and is what enables it to connect to the Tor
network. That version, however, does not enable you to send other apps outside
of Tor Browser for Android through it. Depending on how you want to use the Tor
network, either one or both of these could be a great option.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I RUN TOR BROWSER ON AN ANDROID DEVICE?

Yes, there is a version of Tor Browser available specifically for Android.
Installing Tor Browser for Android is all you need to run Tor on your Android
device.

The Guardian Project provides the app Orbot which can be used to route other
apps on your Android device over the Tor network, however only Tor Browser for
Android is needed to browse the web with Tor.

   
 * Edit this page - Suggest Feedback - Permalink

WHY TOR BROWSER FOR ANDROID IS BEING REPORTED TO HAVE TRACKERS?

The tracking code being reported is carried over from Firefox for Android as Tor
Browser is based on Firefox. Exodus and other analysis tools have conducted
static analysis of this tracking code, which does not verify whether the
tracking code is active or disabled. All of the tracking code is disabled in Tor
Browser for Android. Additionally, a complete removal of the tracking code is
planned.

   
 * Edit this page - Suggest Feedback - Permalink

CONNECTING TO TOR

TOR BROWSER WON'T CONNECT, BUT IT DOESN'T SEEM TO BE AN ISSUE WITH CENSORSHIP.

One of the most common issues that causes connection errors in Tor Browser is an
incorrect system clock. Please make sure your system clock and timezone are set
accurately. If this doesn't fix the problem, see the Troubleshooting page on the
Tor Browser manual.

   
 * Edit this page - Suggest Feedback - Permalink

I AM HAVING TROUBLE CONNECTING TO TOR, AND I CAN'T FIGURE OUT WHAT'S WRONG.

If you're having trouble connecting, an error message may appear and you can
select the option to "copy Tor log to clipboard". Then paste the Tor log into a
text file or other document.

If you don't see this option and you have Tor Browser open, you can navigate to
the hamburger menu ("≡"), then click on "Settings", and finally on "Connection"
in the side bar. At the bottom of the page, next to the "View the Tor logs"
text, click the button "View Logs...".

Alternatively, on GNU/Linux, to view the logs right in the terminal, navigate to
the Tor Browser directory and launch Tor Browser from the command line by
running:

‪./start-tor-browser.desktop --verbose

or to save the logs to a file (default: tor-browser.log)

‪./start-tor-browser.desktop --log [file]

You should see one of these common log errors (look for the following lines in
your Tor log):

COMMON LOG ERROR #1: PROXY CONNECTION FAILURE

2017-10-29 09:23:40.800 [NOTICE] Opening Socks listener on 127.0.0.1:9150
2017-10-29 09:23:47.900 [NOTICE] Bootstrapped 5%: Connecting to directory server
2017-10-29 09:23:47.900 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
2017-10-29 09:24:08.900 [WARN] Proxy Client: unable to connect to xx..xxx..xxx.xx:xxxxx ("general SOCKS server failure")


If you see lines like these in your Tor log, it means you are failing to connect
to a SOCKS proxy. If a SOCKS proxy is required for your network setup, then
please make sure you've entered your proxy details correctly. If a SOCKS proxy
is not required, or you're not sure, please try connecting to the Tor network
without a SOCKS proxy.

COMMON LOG ERROR #2: CAN'T REACH GUARD RELAYS

11/1/2017 21:11:43 PM.500 [NOTICE] Opening Socks listener on 127.0.0.1:9150
11/1/2017 21:11:44 PM.300 [NOTICE] Bootstrapped 80%: Connecting to the Tor network
11/1/2017 21:11:44 PM.300 [WARN] Failed to find node for hop 0 of our path. Discarding this circuit.
11/1/2017 21:11:44 PM.500 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
11/1/2017 21:11:45 PM.300 [WARN] Failed to find node for hop 0 of our path. Discarding this circuit.


If you see lines like these in your Tor log, it means your Tor failed to connect
to the first node in the Tor circuit. This could mean that you're on a network
that's censored.

Please try connecting with bridges, and that should fix the problem.

COMMON LOG ERROR #3: FAILED TO COMPLETE TLS HANDSHAKE

13-11-17 19:52:24.300 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server 
13-11-17 19:53:49.300 [WARN] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 10; recommendation warn; host [host] at xxx.xxx.xxx.xx:xxx) 
13-11-17 19:53:49.300 [WARN] 10 connections have failed: 
13-11-17 19:53:49.300 [WARN]  9 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
13-11-17 19:53:49.300 [WARN]  1 connections died in state connect()ing with SSL state (No SSL object)


If you see lines like this in your Tor log, it means that Tor failed to complete
a TLS handshake with the directory authorities. Using bridges will likely fix
this.

COMMON LOG ERROR #4: CLOCK SKEW

19.11.2017 00:04:47.400 [NOTICE] Opening Socks listener on 127.0.0.1:9150 
19.11.2017 00:04:48.000 [NOTICE] Bootstrapped 5%: Connecting to directory server 
19.11.2017 00:04:48.200 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server 
19.11.2017 00:04:48.800 [WARN] Received NETINFO cell with skewed time (OR:xxx.xx.x.xx:xxxx): It seems that our clock is behind by 1 days, 0 hours, 1 minutes, or that theirs is ahead. Tor requires an accurate clock to work: please check your time, timezone, and date settings.


If you see lines like this in your Tor log, it means your system clock is
incorrect. Please make sure your clock is set accurately, including the correct
timezone. Then restart Tor.

   
 * Edit this page - Suggest Feedback - Permalink

"PROXY SERVER IS REFUSING CONNECTION" ERROR

Proxy server errors can occur for a variety of reasons. You may try one or more
of the following activities in case you encounter this error:

 * If you have an antivirus, it may be interfering with the Tor service. Disable
   the antivirus and restart the browser.
 * You should not move the Tor Browser folder from its original location to a
   different location. If you did this, revert the change.
 * You should also check the port that you are connecting with. Try a different
   port from the one currently in use, such as 9050 or 9150.
 * When all else fails, reinstall the browser. This time, make sure to install
   Tor Browser in a new directory, not over a previously installed browser.

If the error persists, please get in touch with us.

   
 * Edit this page - Suggest Feedback - Permalink

I CANNOT REACH X.ONION!

If you cannot reach the onion service you desire, make sure that you have
entered the 56-character onion address correctly; even a small mistake will stop
Tor Browser from being able to reach the site. If you are still unable to
connect to the onion service, please try again later. There may be a temporary
connection issue, or the site operators may have allowed it to go offline
without warning.

You can also ensure that you're able to access other onion services by
connecting to DuckDuckGo's onion service.

   
 * Edit this page - Suggest Feedback - Permalink

CENSORSHIP

HOW DO I DOWNLOAD TOR BROWSER IF THE TORPROJECT.ORG IS BLOCKED?

If you can't download Tor Browser through our website, you can get a copy of Tor
Browser delivered to you via GetTor. GetTor is a service that automatically
responds to messages with links to the latest version of Tor Browser, hosted at
a variety of locations that are less likely to be censored, such as Dropbox,
Google Drive, and GitHub. You can request via email or Telegram bot
https://t.me/gettor_bot. You can also download Tor Browser from
https://tor.eff.org or from https://tor.calyxinstitute.org/.

   
 * Edit this page - Suggest Feedback - Permalink

TO USE GETTOR VIA EMAIL

Send an email to gettor@torproject.org In the body of the mail, write the name
of your operating system (such as Windows, macOS, or Linux). GetTor will respond
with an email containing links from which you can download Tor Browser, the
cryptographic signature (needed for verifying the download), the fingerprint of
the key used to make the signature, and the package's checksum. You may be
offered a choice of "32-bit" or "64-bit" software: this depends on the model of
the computer you are using; consult documentation about your computer to find
out more.

   
 * Edit this page - Suggest Feedback - Permalink

I SUSPECT I MAY BE FACING INTERNET CENSORSHIP. HOW CAN I VERIFY THIS?

If you suspect that your government or Internet Service Provider (ISP) has
implemented some form of Internet censorship or filtering, you can test whether
the Tor network is being blocked by using OONI Probe. OONI Probe is a free and
open source application developed by the Open Observatory of Network
Interference (OONI). It is designed to test and measure which websites,
messaging apps, and circumvention tools may be blocked.

Before you run these measurement tests, please carefully read OONI's security
recommendations and risk assessment. As any other testing tool, please be aware
of false positive tests with OONI.

To check if Tor is blocked, you can install OONI Probe on your mobile device or
on your desktop, and run the "Circumvention Test". An OONI Tor Test can serve as
an indication of a potential block of the Tor network, but a thorough analysis
by our developers is crucial for a conclusive evaluation.

   
 * Edit this page - Suggest Feedback - Permalink

OUR WEBSITE IS BLOCKED BY A CENSOR. CAN TOR BROWSER HELP USERS ACCESS OUR
WEBSITE?

Tor Browser can certainly help people access your website in places where it is
blocked. Most of the time, simply downloading the Tor Browser and then using it
to navigate to the blocked site will allow access. In places where there is
heavy censorship we have a number of censorship circumvention options available,
including pluggable transports.

For more information, please see the Tor Browser User Manual section on
censorship circumvention.

   
 * Edit this page - Suggest Feedback - Permalink

I AM HAVING TROUBLE CONNECTING TO TOR, AND I CAN'T FIGURE OUT WHAT'S WRONG.

If you're having trouble connecting, an error message may appear and you can
select the option to "copy Tor log to clipboard". Then paste the Tor log into a
text file or other document.

If you don't see this option and you have Tor Browser open, you can navigate to
the hamburger menu ("≡"), then click on "Settings", and finally on "Connection"
in the side bar. At the bottom of the page, next to the "View the Tor logs"
text, click the button "View Logs...".

Alternatively, on GNU/Linux, to view the logs right in the terminal, navigate to
the Tor Browser directory and launch Tor Browser from the command line by
running:

‪./start-tor-browser.desktop --verbose

or to save the logs to a file (default: tor-browser.log)

‪./start-tor-browser.desktop --log [file]

You should see one of these common log errors (look for the following lines in
your Tor log):

COMMON LOG ERROR #1: PROXY CONNECTION FAILURE

2017-10-29 09:23:40.800 [NOTICE] Opening Socks listener on 127.0.0.1:9150
2017-10-29 09:23:47.900 [NOTICE] Bootstrapped 5%: Connecting to directory server
2017-10-29 09:23:47.900 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
2017-10-29 09:24:08.900 [WARN] Proxy Client: unable to connect to xx..xxx..xxx.xx:xxxxx ("general SOCKS server failure")


If you see lines like these in your Tor log, it means you are failing to connect
to a SOCKS proxy. If a SOCKS proxy is required for your network setup, then
please make sure you've entered your proxy details correctly. If a SOCKS proxy
is not required, or you're not sure, please try connecting to the Tor network
without a SOCKS proxy.

COMMON LOG ERROR #2: CAN'T REACH GUARD RELAYS

11/1/2017 21:11:43 PM.500 [NOTICE] Opening Socks listener on 127.0.0.1:9150
11/1/2017 21:11:44 PM.300 [NOTICE] Bootstrapped 80%: Connecting to the Tor network
11/1/2017 21:11:44 PM.300 [WARN] Failed to find node for hop 0 of our path. Discarding this circuit.
11/1/2017 21:11:44 PM.500 [NOTICE] Bootstrapped 85%: Finishing handshake with first hop
11/1/2017 21:11:45 PM.300 [WARN] Failed to find node for hop 0 of our path. Discarding this circuit.


If you see lines like these in your Tor log, it means your Tor failed to connect
to the first node in the Tor circuit. This could mean that you're on a network
that's censored.

Please try connecting with bridges, and that should fix the problem.

COMMON LOG ERROR #3: FAILED TO COMPLETE TLS HANDSHAKE

13-11-17 19:52:24.300 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server 
13-11-17 19:53:49.300 [WARN] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 10; recommendation warn; host [host] at xxx.xxx.xxx.xx:xxx) 
13-11-17 19:53:49.300 [WARN] 10 connections have failed: 
13-11-17 19:53:49.300 [WARN]  9 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE 
13-11-17 19:53:49.300 [WARN]  1 connections died in state connect()ing with SSL state (No SSL object)


If you see lines like this in your Tor log, it means that Tor failed to complete
a TLS handshake with the directory authorities. Using bridges will likely fix
this.

COMMON LOG ERROR #4: CLOCK SKEW

19.11.2017 00:04:47.400 [NOTICE] Opening Socks listener on 127.0.0.1:9150 
19.11.2017 00:04:48.000 [NOTICE] Bootstrapped 5%: Connecting to directory server 
19.11.2017 00:04:48.200 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server 
19.11.2017 00:04:48.800 [WARN] Received NETINFO cell with skewed time (OR:xxx.xx.x.xx:xxxx): It seems that our clock is behind by 1 days, 0 hours, 1 minutes, or that theirs is ahead. Tor requires an accurate clock to work: please check your time, timezone, and date settings.


If you see lines like this in your Tor log, it means your system clock is
incorrect. Please make sure your clock is set accurately, including the correct
timezone. Then restart Tor.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT IS A BRIDGE?

Bridge relays are Tor relays that are not listed in the public Tor directory.

That means that ISPs or governments trying to block access to the Tor network
can't simply block all bridges. Bridges are useful for Tor users under
oppressive regimes, and for people who want an extra layer of security because
they're worried somebody will recognize that they are contacting a public Tor
relay IP address.

A bridge is just a normal relay with a slightly different configuration. See How
do I run a bridge for instructions.

Several countries, including China and Iran, have found ways to detect and block
connections to Tor bridges. Obfsproxy bridges address this by adding another
layer of obfuscation. Setting up an obfsproxy bridge requires an additional
software package and additional configurations. See our page on pluggable
transports for more info.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT IS SNOWFLAKE?

Snowflake is a pluggable transport available in Tor Browser to defeat internet
censorship. Like a Tor bridge, a user can access the open internet when even
regular Tor connections are censored. To use Snowflake is as easy as to switch
to a new bridge configuration in Tor Browser.

This system is composed of three components: volunteers running Snowflake
proxies, Tor users that want to connect to the internet, and a broker, that
delivers snowflake proxies to users.

Volunteers willing to help users on censored networks can help by spinning
short-lived proxies on their regular browsers. Check, how can I use Snowflake?

Snowflake uses the highly effective domain fronting technique to make a
connection to one of the thousands of snowflake proxies run by volunteers. These
proxies are lightweight, ephemeral, and easy to run, allowing us to scale
Snowflake more easily than previous techniques.

For censored users, if your Snowflake proxy gets blocked, the broker will find a
new proxy for you, automatically.

If you're interested in the technical details and specification, see the
Snowflake Technical Overview and the project page. For other discussions about
Snowflake, please visit the Tor Forum and follow up the Snowflake tag.

   
 * Edit this page - Suggest Feedback - Permalink

HOW CAN I USE SNOWFLAKE?

Snowflake is available in Tor Browser stable for all platforms: Windows, macOS,
GNU/Linux, and Android. You can also use Snowflake with Onion Browser on iOS.

If you're running Tor Browser for desktop for the first time, you can click on
'Configure Connection' on the start-up screen. Under the "Bridges" section,
locate the option "Choose from one of Tor Browser's built-in bridges" and click
on "Select a Built-In Bridge" option. From the menu, select 'Snowflake'. Once
you've selected Snowflake, scroll up and click 'Connect' to save your settings.

From within the browser, you can click on the hamburger menu ("≡"), then go to
'Settings' and go to 'Connection'. Alternatively, you can also type
about:preferences#connection in the URL bar. Under the "Bridges" section, locate
the option "Choose from one of Tor Browser's built-in bridges" and click on
"Select a Built-In Bridge" option. From the menu, select 'Snowflake'.

   
 * Edit this page - Suggest Feedback - Permalink

HOW TO HELP RUNNING SNOWFLAKE PROXIES?

If your internet access is not censored, you should consider installing the
Snowflake extension to help users in censored networks. When you run Snowflake
on your regular browser, you will proxy traffic between censored users and an
entry node in the Tor network, and that's all.

Due to censorship of VPN servers in some countries, we kindly ask you to not run
a snowflake proxy while connected to a VPN.

ADD-ON

Firstly make sure you have WebRTC enabled. Then you can install this extension
for Firefox or the extension for Chrome which will let you become a Snowflake
proxy. It can also inform you about how many people you have helped in the last
24 hours.

WEB PAGE

In a browser where WebRTC is enabled: If you don't want to add Snowflake to your
browser, you can go to https://snowflake.torproject.org/embed and toggle the
button to opt in to being a proxy. You shouldn't close that page if you want to
remain a Snowflake proxy.

   
 * Edit this page - Suggest Feedback - Permalink

TOR BROWSER CAN'T CONNECT. IS MY NETWORK CENSORED?

If you have exhausted general troubleshooting steps, it's possible that your
connection to Tor is censored. In that case, connecting with one of the built-in
censorship circumvention methods in Tor Browser can help. Connection Assist can
automatically choose one for you using your location.

If Connection Assist is unable to facilitate the connection to Tor, you can
configure Tor Browser to use one of the built-in circumvention methods manually.
To use bridges and access other censorship circumvention related settings, click
"Configure Connection" when starting Tor Browser for the first time. In the
"Bridges" section, locate the option "Choose from one of Tor Browser's built-in
bridges" and click on the "Select a built-In bridge" option. From the menu,
select a censorship circumvention method you would like to use.

Or, if you have Tor Browser running, click on "Settings" in the hamburger menu
(≡) and then on "Connection" in the sidebar. In the "Bridges" section, locate
the option "Choose from one of Tor Browser's built-in bridges" and click on the
"Select a built-In bridge" option. Choose whichever censorship circumvention
method you would like to use from the menu. Your settings will automatically be
saved once you close the tab.

If you need other bridges, you can get them from our Bridges website. For more
information about bridges, please refer to the Tor Browser user manual.

   
 * Edit this page - Suggest Feedback - Permalink

HOW TO CIRCUMVENT THE GREAT FIREWALL AND CONNECT TO TOR FROM CHINA?

Users in China need to take a few steps to circumvent the Great Firewall and
connect to the Tor network.

To get an updated version of Tor Browser, try the Telegram bot first:
@gettor_bot. If that doesn't work, you can send an email to
gettor@torproject.org with the subject "windows", "macos", or "linux" for the
respective operating system.

After the installation, Tor Browser will try to connect to the Tor network. If
Tor is blocked in your location, Connection Assist will try to automatically
connect using a bridge or Snowflake. But if that doesn't work, the second step
will be to obtain a bridge that works in China.

There are three options to unblock Tor in China:

 1. Snowflake: uses ephemeral proxies to connect to the Tor network. It's
    available in Tor Browser and other Tor powered apps like Orbot. You can
    select Snowflake from Tor Browser's built-in bridge menu.
 2. Private and unlisted obfs4 bridges: contact our Telegram Bot @GetBridgesBot
    and type /bridges. Or send an email to frontdesk@torproject.org with the
    phrase "private bridge cn" in the subject of the email. If you are
    tech-savvy, you can run your own obfs4 bridge from outside China. Remember
    that bridges distributed by BridgeDB, and built-in obfs4 bridges bundled in
    Tor Browser most likely won't work.
 3. meek-azure: makes it look like you are browsing a Microsoft website instead
    of using Tor. However, because it has a bandwidth limitation, this option
    will be quite slow. You can select meek-azure from Tor Browser's built-in
    bridges dropdown.

If one of these options above is not working, check your Tor logs and try
another option.

If you need help, you can contact our support team on Telegram Tor Project
Support and Signal.

   
 * Edit this page - Suggest Feedback - Permalink

HOW TO CONNECT TO TOR FROM RUSSIA?

Find up-to-date instructions on how to circumvent censorship and connect to Tor
from Russia on our forum guide: Tor blocked in Russia - how to circumvent
censorship.

If you need help, contact us via Telegram, WhatsApp, Signal, or by email
frontdesk@torproject.org. For censorship circumvention instructions, use
"private bridge ru" as the subject line of your email.

   
 * Edit this page - Suggest Feedback - Permalink

A WEBSITE I AM TRYING TO REACH IS BLOCKING ACCESS OVER TOR.

Sometimes websites will block Tor users because they can't tell the difference
between the average Tor user and automated traffic. The best success we've had
in getting sites to unblock Tor users is getting users to contact the site
administrators directly. Something like this might do the trick:

"Hi! I tried to access your site xyz.com while using Tor Browser and discovered
that you don't allow Tor users to access your site. I urge you to reconsider
this decision; Tor is used by people all over the world to protect their privacy
and fight censorship. By blocking Tor users, you are likely blocking people in
repressive countries who want to use a free internet, journalists and
researchers who want to protect themselves from discovery, whistleblowers,
activists, and ordinary people who want to opt out of invasive third party
tracking. Please take a strong stance in favor of digital privacy and internet
freedom, and allow Tor users access to xyz.com. Thank you."

In the case of banks, and other sensitive websites, it is also common to see
geography-based blocking (if a bank knows you generally access their services
from one country, and suddenly you are connecting from an exit relay on the
other side of the world, your account may be locked or suspended).

If you are unable to connect to an onion service, please see I cannot reach
X.onion!.

   
 * Edit this page - Suggest Feedback - Permalink

HTTPS

WHEN I'M USING TOR, CAN EAVESDROPPERS STILL SEE THE INFORMATION I SHARE WITH
WEBSITES, LIKE LOGIN INFORMATION AND THINGS I TYPE INTO FORMS?

Tor prevents eavesdroppers from learning sites that you visit. However,
information sent unencrypted over the internet using plain HTTP can still be
intercepted by exit relay operators or anyone observing the traffic between your
exit relay and your destination website. If the site you are visiting uses
HTTPS, then the traffic leaving your exit relay will be encrypted, and won't be
visible to eavesdroppers.

The following visualization shows what information is visible to eavesdroppers
with and without Tor Browser and HTTPS encryption:

 * Click the “Tor” button to see what data is visible to observers when you're
   using Tor. The button will turn green to indicate that Tor is on.
 * Click the “HTTPS” button to see what data is visible to observers when you're
   using HTTPS. The button will turn green to indicate that HTTPS is on.
 * When both buttons are green, you see the data that is visible to observers
   when you are using both tools.
 * When both buttons are grey, you see the data that is visible to observers
   when you don't use either tool.


HTTPS
Tor






POTENTIALLY VISIBLE DATA

Site.com The site being visited. user / pw Username and password used for
authentication. data Data being transmitted. location Network location of the
computer used to visit the website (the public IP address). Tor Whether or not
Tor is being used.
   
 * Edit this page - Suggest Feedback - Permalink

RELAY OPERATORS

WHAT IS THE BADEXIT FLAG?

When an exit is misconfigured or malicious it's assigned the BadExit flag. This
tells Tor to avoid exiting through that relay. In effect, relays with this flag
become non-exits. If you got this flag then we either discovered a problem or
suspicious activity when routing traffic through your exit and weren't able to
contact you. Please reach out to the bad-relays team so we can sort out the
issue.

   
 * Edit this page - Suggest Feedback - Permalink

MY RELAY RECENTLY GOT THE GUARD FLAG AND TRAFFIC DROPPED BY HALF.

Since it's now a guard, clients are using it less in other positions, but not
many clients have rotated their existing guards out to use it as a guard yet.
Read more details in this blog post or in Changing of the Guards: A Framework
for Understanding and Improving Entry Guard Selection in Tor.

   
 * Edit this page - Suggest Feedback - Permalink

DO I GET BETTER ANONYMITY IF I RUN A RELAY?

Yes, you do get better anonymity against some attacks.

The simplest example is an attacker who owns a small number of Tor relays. They
will see a connection from you, but they won't be able to know whether the
connection originated at your computer or was relayed from somebody else.

There are some cases where it doesn't seem to help: if an attacker can watch all
of your incoming and outgoing traffic, then it's easy for them to learn which
connections were relayed and which started at you. (In this case they still
don't know your destinations unless they are watching them too, but you're no
better off than if you were an ordinary client.)

There are also some downsides to running a Tor relay. First, while we only have
a few hundred relays, the fact that you're running one might signal to an
attacker that you place a high value on your anonymity. Second, there are some
more esoteric attacks that are not as well-understood or well-tested that
involve making use of the knowledge that you're running a relay -- for example,
an attacker may be able to "observe" whether you're sending traffic even if they
can't actually watch your network, by relaying traffic through your Tor relay
and noticing changes in traffic timing.

It is an open research question whether the benefits outweigh the risks. A lot
of that depends on the attacks you are most worried about. For most users, we
think it's a smart move.

   
 * Edit this page - Suggest Feedback - Permalink

HOW CAN I LIMIT THE TOTAL AMOUNT OF BANDWIDTH USED BY MY TOR RELAY?

The accounting options in the torrc file allow you to specify the maximum amount
of bytes your relay uses for a time period.

    AccountingStart day week month [day] HH:MM


This specifies when the accounting should reset. For instance, to setup a total
amount of bytes served for a week (that resets every Wednesday at 10:00am), you
would use:

    AccountingStart week 3 10:00
    AccountingMax 500 GBytes


This specifies the maximum amount of data your relay will send during an
accounting period, and the maximum amount of data your relay will receive during
an accounting period. When the accounting period resets (from AccountingStart),
then the counters for AccountingMax are reset to 0.

Example: Let's say you want to allow 50 GB of traffic every day in each
direction and the accounting should reset at noon each day:

    AccountingStart day 12:00
    AccountingMax 50 GBytes


Note that your relay won't wake up exactly at the beginning of each accounting
period. It will keep track of how quickly it used its quota in the last period,
and choose a random point in the new interval to wake up. This way we avoid
having hundreds of relays working at the beginning of each month but none still
up by the end.

If you have only a small amount of bandwidth to donate compared to your
connection speed, we recommend you use daily accounting, so you don't end up
using your entire monthly quota in the first day. Just divide your monthly
amount by 30. You might also consider rate limiting to spread your usefulness
over more of the day: if you want to offer X GB in each direction, you could set
your RelayBandwidthRate to 20*X KBytes. For example, if you have 50 GB to offer
each way, you might set your RelayBandwidthRate to 1000 KBytes: this way your
relay will always be useful for at least half of each day.

    AccountingStart day 0:00
    AccountingMax 50 GBytes
    RelayBandwidthRate 1000 KBytes
    RelayBandwidthBurst 5000 KBytes # allow higher bursts but maintain average


   
 * Edit this page - Suggest Feedback - Permalink

HOW STABLE DOES MY RELAY NEED TO BE?

We aim to make setting up a Tor relay easy and convenient:

 * It's fine if the relay goes offline sometimes. The directories notice this
   quickly and stop advertising the relay. Just try to make sure it's not too
   often, since connections using the relay when it disconnects will break.
 * Each Tor relay has an exit policy that specifies what sort of outbound
   connections are allowed or refused from that relay. If you are uncomfortable
   allowing people to exit from your relay, you can set it up to only allow
   connections to other Tor relays.
 * Your relay will passively estimate and advertise its recent bandwidth
   capacity, so high-bandwidth relays will attract more users than low-bandwidth
   ones. Therefore, having low-bandwidth relays is useful too.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I CHANGE MY BRIDGE DISTRIBUTION METHOD?

BridgeDB implements six mechanisms to distribute bridges: HTTPS, Moat, Email,
Telegram, Settings and Reserved. Bridge operators can check which mechanism
their bridge is using, on the Relay Search. Enter the bridge's <HASHED
FINGERPRINT> in the form and click "Search".

Operators can also choose which distribution method their bridge uses. To change
the method, modify the BridgeDistribution setting in the torrc file to one of
these: https, moat, email, telegram, settings, lox, none, any. You can find a
description of each distributor in the rdsys distributors documentation.

Read more on the Bridges post-install guide.

   
 * Edit this page - Suggest Feedback - Permalink

SHOULD I RUN AN EXIT RELAY FROM HOME?

No. If law enforcement becomes interested in traffic from your exit relay, it's
possible that officers will seize your computer. For that reason, it's best not
to run your exit relay in your home or using your home internet connection.

Instead, consider running your exit relay in a commercial facility that is
supportive of Tor. Have a separate IP address for your exit relay, and don't
route your own traffic through it. Of course, you should avoid keeping any
sensitive or personal information on the computer hosting your exit relay.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT BANDWIDTH SHAPING OPTIONS ARE AVAILABLE TO TOR RELAYS?

There are two options you can add to your torrc file:

BandwidthRate is the maximum long-term bandwidth allowed (bytes per second). For
example, you might want to choose "BandwidthRate 10 MBytes" for 10 megabytes per
second (a fast connection), or "BandwidthRate 500 KBytes" for 500 kilobytes per
second (a decent cable connection). The minimum BandwidthRate setting is 75
kilobytes per second.

BandwidthBurst is a pool of bytes used to fulfill requests during short periods
of traffic above BandwidthRate but still keeps the average over a long period to
BandwidthRate. A low Rate but a high Burst enforces a long-term average while
still allowing more traffic during peak times if the average hasn't been reached
lately. For example, if you choose "BandwidthBurst 500 KBytes" and also use that
for your BandwidthRate, then you will never use more than 500 kilobytes per
second; but if you choose a higher BandwidthBurst (like 5 MBytes), it will allow
more bytes through until the pool is empty.

If you have an asymmetric connection (upload less than download) such as a cable
modem, you should set BandwidthRate to less than your smaller bandwidth (Usually
that's the upload bandwidth). Otherwise, you could drop many packets during
periods of maximum bandwidth usage - you may need to experiment with which
values make your connection comfortable. Then set BandwidthBurst to the same as
BandwidthRate.

Linux-based Tor nodes have another option at their disposal: they can prioritize
Tor traffic below other traffic on their machine, so that their own personal
traffic is not impacted by Tor load. A script to do this can be found in the Tor
source distribution's contrib directory.

Additionally, there are hibernation options where you can tell Tor to only serve
a certain amount of bandwidth per time period (such as 100 GB per month). These
are covered in the hibernation entry.

Note that BandwidthRate and BandwidthBurst are in Bytes, not Bits.

   
 * Edit this page - Suggest Feedback - Permalink

MY RELAY IS SLOW, HOW CAN I FIX IT?


WHY RELAY LOAD VARIES

Tor manages bandwidth across the entire network. It does a reasonable job for
most relays. But Tor's goals are different to protocols like BitTorrent. Tor
wants low-latency web pages, which requires fast connections with headroom.
BitTorrent wants bulk downloads, which requires using all the bandwidth.

We're working on a new bandwidth scanner, which is easier to understand and
maintain. It will have diagnostics for relays that don't get measured, and
relays that have low measurements.


WHY DOES TOR NEED BANDWIDTH SCANNERS?

Most providers tell you the maximum speed of your local connection. But Tor has
users all over the world, and our users connect to one or two Guard relays at
random. So we need to know how well each relay can connect to the entire world.

So even if all relay operators set their advertised bandwidth to their local
connection speed, we would still need bandwidth authorities to balance the load
between different parts of the Internet.


WHAT IS A NORMAL RELAY LOAD?

It's normal for most relays to be loaded at 30%-80% of their capacity. This is
good for clients: an overloaded relay has high latency. (We want enough relays
to so that each relay is loaded at 10%. Then Tor would be almost as fast as the
wider Internet).

Sometimes, a relay is slow because its processor is slow or its connections are
limited. Other times, it is the network that is slow: the relay has bad peering
to most other tor relays, or is a long distance away.


FINDING OUT WHAT IS LIMITING A RELAY

Lots of things can slow down a relay. Here's how to track them down.

SYSTEM LIMITS

 * Check RAM, CPU, and socket/file descriptor usage on your relay

Tor logs some of these when it starts. Others can be viewed using top or similar
tools.

PROVIDER LIMITS

 * Check the Internet peering (bandwidth, latency) from your relay's provider to
   other relays. Relays transiting via Comcast have been slow at times. Relays
   outside North America and Western Europe are usually slower.

TOR NETWORK LIMITS

Relay bandwidth can be limited by a relay's own observed bandwidth, or by the
directory authorities' measured bandwidth. Here's how to find out which
measurement is limiting your relay:

 * Check each of the votes for your relay on consensus-health (large page), and
   check the median. If your relay is not marked Running by some directory
   authorities:
   * Does it have the wrong IPv4 or IPv6 address?
   * Is its IPv4 or IPv6 address unreachable from some networks?
   * Are there more than 2 relays on its IPv4 address?

Otherwise, check your relay's observed bandwidth and bandwidth rate (limit).
Look up your relay on Metrics. Then mouse over the bandwidth heading to see the
observed bandwidth and relay bandwidth rate.

Here is some more detail and some examples: Drop in consensus weight and Rampup
speed of Exit relay.

HOW TO FIX IT

The smallest of these figures is limiting the bandwidth allocated to the relay.

 * If it's the bandwidth rate, increase the BandwidthRate/Burst or
   RelayBandwidthRate/Burst in your torrc.
 * If it's the observed bandwidth, your relay won't ask for more bandwidth until
   it sees itself getting faster. You need to work out why it is slow.
 * If it's the median measured bandwidth, your relay looks slow from a majority
   of bandwidth authorities. You need to work out why they measure it slow.


DOING YOUR OWN RELAY MEASUREMENTS

If your relay thinks it is slow, or the bandwidth authorities think it is slow,
you can test the bandwidth yourself:

 * Run a test using tor to see how fast tor can get on your network
   
   For this, you need to configure a tor client to use use your relay as entry.
   If your relay has only Guard flag, set EntryNodes with your relay fingerprint
   in torrc. If your relay doesn't have Guard flag or it has Guard and Exit
   flags, you can't set your relay as an entry node (see
   https://gitlab.torproject.org/tpo/core/tor/-/issues/22204), but you can set
   it as your bridge, even if it is not a bridge. To set your relay as a bridge,
   add to your torrc:
   
   Bridge <ip>:<port>
   UseBridge 1
   
   
   Then download a large file using your SocksPort as a socks proxy. For this,
   you can use curl, eg:
   
   curl https://target/path --proxy socks5h://<user>:<password>@127.0.0.1:<socks-port>
   
   
   Using different user/password guarantees different circuits. You can use
   $RANDOM.
   
   That will give you some idea of how much traffic your relay can sustain.
   
   Alternatively, you can run relay_bw to test your relay using 2 hops circuits,
   in a similar way as sbws does.

 * Run a test using tor and chutney to find out how fast tor can get on your
   CPU. Keep increasing the data volume until the bandwidth stops increasing.

   
 * Edit this page - Suggest Feedback - Permalink

MY RELAY IS PICKING THE WRONG IP ADDRESS.

Tor guesses its IP address by asking the computer for its hostname, and then
resolving that hostname. Often people have old entries in their /etc/hosts file
that point to old IP addresses.

If that doesn't fix it, you should use the "Address" config option to specify
the IP address you want it to pick. If your computer is behind a NAT and it only
has an internal IP address, see the following Support entry on dynamic IP
addresses.

Also, if you have many addresses, you might also want to set
"OutboundBindAddress" so external connections come from the IP you intend to
present to the world.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO OFFLINE ED25519 IDENTITY KEYS WORK? WHAT DO I NEED TO KNOW?

In simple words, it works like this:

 * There is a primary ed25519 identity secret key file named
   "ed25519_master_id_secret_key". This is the most important one, so make sure
   you keep a backup in a secure place - the file is sensitive and should be
   protected. Tor could encrypt it for you if you generate it manually and enter
   a password when asked.
 * A medium term signing key named "ed25519_signing_secret_key" is generated for
   Tor to use. Also, a certificate is generated named "ed25519_signing_cert"
   which is signed by the primary identity secret key and confirms that the
   medium term signing key is valid for a certain period of time. The default
   validity is 30 days, but this can be customized by setting
   "SigningKeyLifetime N days|weeks|months" in torrc.
 * There is also a primary public key named "ed25519_master_id_public_key",
   which is the actual identity of the relay advertised in the network. This one
   is not sensitive and can be easily computed from
   "ed5519_master_id_secret_key".

Tor will only need access to the medium term signing key and certificate as long
as they are valid, so the primary identity secret key can be kept outside
DataDirectory/keys, on a storage media or a different computer. You'll have to
manually renew the medium term signing key and certificate before they expire
otherwise the Tor process on the relay will exit upon expiration.

This feature is optional, you don't need to use it unless you want to. If you
want your relay to run unattended for longer time without having to manually do
the medium term signing key renewal on regular basis, best to leave the primary
identity secret key in DataDirectory/keys, just make a backup in case you'll
need to reinstall it. If you want to use this feature, you can consult our more
detailed guide on the topic.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I RUN A MIDDLE OR GUARD RELAY ON FREEBSD OR HARDENEDBSD?

For the most in-depth resource on running a relay, see the Relay Setup Guide.

   
 * Edit this page - Suggest Feedback - Permalink

HOW SHOULD I CONFIGURE THE OUTGOING FILTERS ON MY RELAY?

All outgoing connections must be allowed, so that each relay can communicate
with every other relay.

In many jurisdictions, Tor relay operators are legally protected by the same
common carrier regulations that prevent internet service providers from being
held liable for third-party content that passes through their network. Exit
relays that filter some traffic would likely forfeit those protections.

Tor promotes free network access without interference. Exit relays must not
filter the traffic that passes through them to the internet. Exit relays found
to be filtering traffic will get the BadExit flag once detected.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I RUN A RELAY IN WINDOWS?

You can run a relay in Windows following this tutorials:

 * For running a guard relay in Windows, please read:
   https://community.torproject.org/relay/setup/guard/windows/
 * For running a bridge relay in Windows, please read:
   https://community.torproject.org/relay/setup/bridge/windows/

You should only run a Windows relay if you can run it 24/7. If you are unable to
guarantee that, Snowflake is a better way to contribute your resources to the
Tor network.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT TYPE OF RELAYS ARE MOST NEEDED?

 * The exit relay is the most needed relay type but it also comes with the
   highest legal exposure and risk (and you should NOT run them from your home).
 * If you are looking to run a relay with minimal effort, fast guard relays are
   also very useful
 * Followed by bridges.

   
 * Edit this page - Suggest Feedback - Permalink

I WANT TO RUN MORE THAN ONE TOR RELAY.

Great. If you want to run several relays to donate more to the network, we're
happy with that. But please don't run more than a few dozen on the same network,
since part of the goal of the Tor network is dispersal and diversity.

If you do decide to run more than one relay, please set the "MyFamily" config
option in the torrc of each relay, listing all the relays (comma-separated) that
are under your control:

MyFamily $fingerprint1,$fingerprint2,$fingerprint3


where each fingerprint is the 40 character identity fingerprint (without
spaces).

That way, Tor clients will know to avoid using more than one of your relays in a
single circuit. You should set MyFamily if you have administrative control of
the computers or of their network, even if they're not all in the same
geographic location.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I RUN A TOR RELAY USING A DYNAMIC IP ADDRESS?

Tor can handle relays with dynamic IP addresses just fine. Just leave the
"Address" line in your torrc blank, and Tor will guess.

   
 * Edit this page - Suggest Feedback - Permalink

WHY DOES MY RELAY WRITE MORE BYTES ONTO THE NETWORK THAN IT READS?

You're right, for the most part a byte into your Tor relay means a byte out, and
vice versa. But there are a few exceptions:

If you open your DirPort, then Tor clients will ask you for a copy of the
directory. The request they make (an HTTP GET) is quite small, and the response
is sometimes quite large. This probably accounts for most of the difference
between your "write" byte count and your "read" byte count.

Another minor exception shows up when you operate as an exit node, and you read
a few bytes from an exit connection (for example, an instant messaging or ssh
connection) and wrap it up into an entire 512 byte cell for transport through
the Tor network.

   
 * Edit this page - Suggest Feedback - Permalink

SHOULD I INSTALL TOR FROM MY PACKAGE MANAGER, OR BUILD FROM SOURCE?

If you're using Debian or Ubuntu especially, please use the Tor Project's
repository, so you can easily receive updates. In addition, using the package
provides other conveniences:

 * Your ulimit -n gets set to a high number, so Tor can keep open all the
   connections it needs.
 * The package creates and uses a separate user, so you don't need to run Tor as
   your own user.
 * The package includes an init script so Tor runs at boot.
 * Tor can bind to low-numbered ports, then drop privileges.

   
 * Edit this page - Suggest Feedback - Permalink

MY RELAY OR BRIDGE IS OVERLOADED WHAT DOES THIS MEAN?

On relay search we show an amber dot next to the relay nickname when it is
overloaded. This means that one or many of the following load metrics have been
triggered:

 * Any Tor OOM invocation due to memory pressure
 * Any ntor onionskins are dropped
 * TCP port exhaustion

Note that if a relay reaches an overloaded state we show it for 72 hours after
the relay has recovered.

If you notice that your relay is overloaded please:

 1. Check https://status.torproject.org/ for any known issues in the "Tor
    network" category.

 2. Consider tuning sysctl for your system for network, memory and CPU load.

 3. Consider enabling MetricsPort to understand what is happening.


TUNING SYSCTL FOR NETWORK, MEMORY AND CPU LOAD


TCP PORT EXHAUSTION

If you are experiencing TCP port exhaustion consider expanding your local port
range. You can do that with

# sysctl -w net.ipv4.ip_local_port_range="15000 64000"

or

# echo 15000 64000 > /proc/sys/net/ipv4/ip_local_port_range

Keep in mind that tuning sysctl as described is not permanent and will be lost
upon restart. You need to add the configuration to /etc/sysctl.conf or to a file
in /etc/sysctl.d/ to make it permanent.


METRICSPORT

To understand the well-being of Tor relays and the Tor network it is vital to
provide and have access to relay metrics. Relay overload information has been
added to relay descriptors since 0.4.6+ but it was not until Tor >=
0.4.7.1-alpha that an interface to the underlying relay metrics was available:
the metrics port.


ENABLING METRICSPORT

Tor provides access to the metrics port via a torrc configuration option called
MetricsPort.

It's important to understand that exposing the tor MetricsPort publicly is
dangerous for the Tor network users, which is why that port is not enabled by
default and its access has to be governed by an access policy. Please take extra
precaution and care when opening this port, and close it when you are done
debugging.

Let's assume you are the only user on a server that runs a Tor relay. You can
enable the metrics port adding this to your torrc file:

MetricsPort 127.0.0.1:9035
MetricsPortPolicy accept 127.0.0.1


And then you will be able to easily retrieve the metrics with:

# curl http://127.0.0.1:9035/metrics

which are by default in a Prometheus format.

Note: every user on that server will be able to access those relay metrics in
the example above. In general, set a very strict access policy with
MetricsPortPolicy and consider using your operating systems firewall features
for defense in depth.

For a more detailed explanation about MetricsPort and MetricsPortPolicy see
tor's man page.


METRICSPORT OUTPUT

Here is an example of what output enabling MetricsPort will produce (we omitted
any congestion control related metrics as we still need to stabilize that
interface):

# HELP tor_relay_connections Total number of opened connections
# TYPE tor_relay_connections gauge
tor_relay_connections{type="OR listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="OR listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="OR listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="OR listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="OR",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="OR",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="OR",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="OR",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Exit",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Exit",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Exit",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Exit",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Socks listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Socks listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Socks listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Socks listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Socks",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Socks",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Socks",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Socks",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Directory listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Directory listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Directory listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Directory listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Directory",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Directory",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Directory",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Directory",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Control listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Control listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Control listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Control listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Control",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Control",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Control",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Control",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Transparent pf/netfilter listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Transparent pf/netfilter listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Transparent pf/netfilter listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Transparent pf/netfilter listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Transparent natd listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Transparent natd listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Transparent natd listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Transparent natd listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="DNS listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="DNS listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="DNS listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="DNS listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Extended OR",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Extended OR",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Extended OR",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Extended OR",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Extended OR listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Extended OR listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Extended OR listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Extended OR listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="HTTP tunnel listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="HTTP tunnel listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="HTTP tunnel listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="HTTP tunnel listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Metrics listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Metrics listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Metrics listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Metrics listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Metrics",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Metrics",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Metrics",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Metrics",direction="received",state="opened",family="ipv6"} 0
# HELP tor_relay_connections_total Total number of created/rejected connections
# TYPE tor_relay_connections_total counter
tor_relay_connections_total{type="OR listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="OR listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="OR listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="OR listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="OR listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="OR listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="OR",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="OR",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="OR",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="OR",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="OR",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="OR",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Exit",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Exit",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Exit",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Exit",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Exit",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Exit",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Socks listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Socks listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Socks listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Socks listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Socks listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Socks listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Socks",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Socks",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Socks",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Socks",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Socks",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Socks",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Directory listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Directory listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Directory listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Directory listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Directory listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Directory listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Directory",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Directory",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Directory",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Directory",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Directory",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Directory",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Control listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Control listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Control listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Control listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Control listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Control listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Control",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Control",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Control",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Control",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Control",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Control",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="DNS listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="DNS listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="DNS listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="DNS listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="DNS listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="DNS listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Metrics listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Metrics listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Metrics listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Metrics listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Metrics listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Metrics listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Metrics",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Metrics",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Metrics",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Metrics",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Metrics",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Metrics",direction="received",state="rejected",family="ipv6"} 0
# HELP tor_relay_flag Relay flags from consensus
# TYPE tor_relay_flag gauge
tor_relay_flag{type="Fast"} 0
tor_relay_flag{type="Exit"} 0
tor_relay_flag{type="Authority"} 0
tor_relay_flag{type="Stable"} 0
tor_relay_flag{type="HSDir"} 0
tor_relay_flag{type="Running"} 0
tor_relay_flag{type="V2Dir"} 0
tor_relay_flag{type="Sybil"} 0
tor_relay_flag{type="Guard"} 0
# HELP tor_relay_circuits_total Total number of circuits
# TYPE tor_relay_circuits_total gauge
tor_relay_circuits_total{state="opened"} 0
# HELP tor_relay_streams_total Total number of streams
# TYPE tor_relay_streams_total counter
tor_relay_streams_total{type="BEGIN"} 0
tor_relay_streams_total{type="BEGIN_DIR"} 0
tor_relay_streams_total{type="RESOLVE"} 0
# HELP tor_relay_traffic_bytes Traffic related counters
# TYPE tor_relay_traffic_bytes counter
tor_relay_traffic_bytes{direction="read"} 0
tor_relay_traffic_bytes{direction="written"} 0
# HELP tor_relay_dos_total Denial of Service defenses related counters
# TYPE tor_relay_dos_total counter
tor_relay_dos_total{type="circuit_rejected"} 0
tor_relay_dos_total{type="circuit_killed_max_cell"} 0
tor_relay_dos_total{type="circuit_killed_max_cell_outq"} 0
tor_relay_dos_total{type="marked_address"} 0
tor_relay_dos_total{type="marked_address_maxq"} 0
tor_relay_dos_total{type="conn_rejected"} 0
tor_relay_dos_total{type="concurrent_conn_rejected"} 0
tor_relay_dos_total{type="single_hop_refused"} 0
tor_relay_dos_total{type="introduce2_rejected"} 0
# HELP tor_relay_load_onionskins_total Total number of onionskins handled
# TYPE tor_relay_load_onionskins_total counter
tor_relay_load_onionskins_total{type="tap",action="processed"} 0
tor_relay_load_onionskins_total{type="tap",action="dropped"} 0
tor_relay_load_onionskins_total{type="fast",action="processed"} 0
tor_relay_load_onionskins_total{type="fast",action="dropped"} 0
tor_relay_load_onionskins_total{type="ntor",action="processed"} 0
tor_relay_load_onionskins_total{type="ntor",action="dropped"} 0
tor_relay_load_onionskins_total{type="ntor_v3",action="processed"} 0
tor_relay_load_onionskins_total{type="ntor_v3",action="dropped"} 0
# HELP tor_relay_exit_dns_query_total Total number of DNS queries done by this relay
# TYPE tor_relay_exit_dns_query_total counter
tor_relay_exit_dns_query_total 0
# HELP tor_relay_exit_dns_error_total Total number of DNS errors encountered by this relay
# TYPE tor_relay_exit_dns_error_total counter
tor_relay_exit_dns_error_total{reason="success"} 0
tor_relay_exit_dns_error_total{reason="format"} 0
tor_relay_exit_dns_error_total{reason="serverfailed"} 0
tor_relay_exit_dns_error_total{reason="notexist"} 0
tor_relay_exit_dns_error_total{reason="notimpl"} 0
tor_relay_exit_dns_error_total{reason="refused"} 0
tor_relay_exit_dns_error_total{reason="truncated"} 0
tor_relay_exit_dns_error_total{reason="unknown"} 0
tor_relay_exit_dns_error_total{reason="tor_timeout"} 0
tor_relay_exit_dns_error_total{reason="shutdown"} 0
tor_relay_exit_dns_error_total{reason="cancel"} 0
tor_relay_exit_dns_error_total{reason="nodata"} 0
# HELP tor_relay_load_oom_bytes_total Total number of bytes the OOM has freed by subsystem
# TYPE tor_relay_load_oom_bytes_total counter
tor_relay_load_oom_bytes_total{subsys="cell"} 0
tor_relay_load_oom_bytes_total{subsys="dns"} 0
tor_relay_load_oom_bytes_total{subsys="geoip"} 0
tor_relay_load_oom_bytes_total{subsys="hsdir"} 0
# HELP tor_relay_load_socket_total Total number of sockets
# TYPE tor_relay_load_socket_total gauge
tor_relay_load_socket_total{state="opened"} 0
tor_relay_load_socket_total 0
# HELP tor_relay_load_tcp_exhaustion_total Total number of times we ran out of TCP ports
# TYPE tor_relay_load_tcp_exhaustion_total counter
tor_relay_load_tcp_exhaustion_total 0
# HELP tor_relay_load_global_rate_limit_reached_total Total number of global connection bucket limit reached
# TYPE tor_relay_load_global_rate_limit_reached_total counter
tor_relay_load_global_rate_limit_reached_total{side="read"} 0
tor_relay_load_global_rate_limit_reached_total{side="write"} 0


Let's find out what some of these lines actually mean:


TOR_RELAY_LOAD_ONIONSKINS_TOTAL{TYPE="NTOR",ACTION="DROPPED"} 0

When a relay starts seeing "dropped", it is a CPU/RAM problem usually.

Tor is sadly single threaded except for when the "onion skins" are processed.
The "onion skins" are the cryptographic work that needs to be done on the famous
"onion layers" in every circuits.

When tor processes the layers we use a thread pool and outsource all of that
work to that pool. It can happen that this pool starts dropping work due to
memory or CPU pressure and this will trigger an overload state.

If your server is running at capacity this will likely be triggered.


TOR_RELAY_EXIT_DNS_ERROR_TOTAL{...}

Any counter in the "*_dns_error_total" realm (apart from the one for successful
queries) indicates a potential DNS related problem. However, we realized during
the 0.4.7 release cycle that DNS errors are way too noisy and contain too many
false positives to be useful for overload reporting purposes. We therefore don't
use them anymore for that purpose starting with 0.4.6.9 and 0.4.7.4-alpha.
However, we still keep DNS metrics around to give the relay operator insight
into what is going on with their relay.

DNS timeout issues and errors only apply to Exit nodes.


TOR_RELAY_LOAD_OOM_BYTES_TOTAL{...}

An Out-Of-Memory invocation indicates a RAM problem. The relay might need more
RAM or it is leaking memory. If you noticed that the tor process is leaking
memory, please report the issue either via Tor gitLab or sending an email to the
tor-relays mailing list.

Tor has its own OOM handler and it is invoked when 75%, of the total memory tor
thinks is available, is reached. Thus, let's say tor thinks it can use 2GB in
total then at 1.5GB of memory usage, it will start freeing memory. That is
considered an overload state.

To estimate the amount of memory it has available, when tor starts, it will use
MaxMemInQueues or, if not set, will look at the total RAM available on the
system and apply this algorithm:

    if RAM >= 8GB {
      memory = RAM * 40%
    } else {
      memory = RAM * 75%
    }
    /* Capped. */
    memory = min(memory, 8GB) -> [8GB on 64bit and 2GB on 32bit)
    /* Minimum value. */
    memory = max(250MB, memory)


To avoid an overloaded state we recommend to run a relay above 2GB of RAM on
64bit. 4GB is advised, although of course it doesn't hurt to add more RAM if you
can. Note: If you are running a powerful server with lots of RAM then you might
end up in an overloaded state due to the default queue size limit of 8GB even
though you still have plenty of RAM unused. Add an appropriate MaxMemInQueues
entry to your torrc configuration in that case.

One might notice that tor could be called by the OS OOM handler itself. Because
tor takes the total memory on the system when it starts, if the overall system
has many other applications running using RAM, it ends up eating too much
memory. In this case the OS could OOM tor, without tor even noticing memory
pressure.


TOR_RELAY_LOAD_SOCKET_TOTAL

If the number of opened sockets is close to or the same as total sockets
available then this indicates the relay is running out of sockets. The solution
is to increase ulimit -n for the tor process.


TOR_RELAY_LOAD_TCP_EXHAUSTION_TOTAL

These lines indicate the relay is running out of TCP ports.

Try to tune sysctl as described above.


TOR_RELAY_LOAD_GLOBAL_RATE_LIMIT_REACHED_TOTAL

If this counter is incremented by some noticeable value over a short period of
time, the relay is congested. It is likely being used as a Guard by a big onion
service or for an ongoing DDoS on the network.

If your relay is still overloaded and you don't know why, please get in touch
with network-report@torproject.org. You can encrypt your email using
network-report OpenPGP key.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I MAKE SURE THAT I'M USING THE CORRECT PACKAGES ON UBUNTU?

 * Do not use the packages in Ubuntu's repositories. They are not reliably
   updated. If you use them, you will miss important stability and security
   fixes.
 * Determine your Ubuntu version by running the following command:
   
    ‪$ lsb_release -c
   

 * As root, add the following lines to /etc/apt/sources.list. Replace 'version'
   with the version you found in the previous step:
   
    deb https://deb.torproject.org/torproject.org version main
    deb-src https://deb.torproject.org/torproject.org version main
   

 * Add the gpg key used to sign the packages by running the following commands:
   
    ‪$ curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo apt-key add -
   

 * Run the following commands to install tor and check its signatures:
   
    ‪$ sudo apt-get update
    ‪$ sudo apt-get install tor deb.torproject.org-keyring
   

   
 * Edit this page - Suggest Feedback - Permalink

I WANT TO UPGRADE/MOVE MY RELAY. HOW DO I KEEP THE SAME IDENTITY?

When upgrading your Tor relay, or moving it to a different computer, be sure to
keep the same identity keys (stored in keys/ed25519_master_id_secret_key and
keys/secret_id_key in your DataDirectory).

If you are a bridge operator, also make sure to keep pt_state/. It contains data
required for your bridge to keep working with the same bridge line.

For simplicity, just copying over the entire DataDirectory should work too.

You may wish to keep backups of these identity keys, plus pt_state for a bridge,
so you can restore the relay if something goes wrong.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I USE IPV6 ON MY RELAY?

Tor has partial support for IPv6 and we encourage every relay operator to enable
IPv6 functionality in their torrc configuration files when IPv6 connectivity is
available. For the time being Tor will require IPv4 addresses on relays, you can
not run a Tor relay on a host with IPv6 addresses only.

   
 * Edit this page - Suggest Feedback - Permalink

WHY IS MY TOR RELAY USING SO MUCH MEMORY?

If your Tor relay is using more memory than you'd like, here are some tips for
reducing its footprint:

 * If you're on Linux, you may be encountering memory fragmentation bugs in
   glibc's malloc implementation. That is, when Tor releases memory back to the
   system, the pieces of memory are fragmented so they're hard to reuse. The Tor
   tarball ships with OpenBSD's malloc implementation, which doesn't have as
   many fragmentation bugs (but the tradeoff is higher CPU load). You can tell
   Tor to use this malloc implementation instead: ./configure
   --enable-openbsd-malloc.
 * If you're running a fast relay, meaning you have many TLS connections open,
   you are probably losing a lot of memory to OpenSSL's internal buffers (38KB+
   per socket). We've patched OpenSSL to release unused buffer memory more
   aggressively. If you update to OpenSSL 1.0.0 or newer, Tor's build process
   will automatically recognize and use this feature.
 * If you still can't handle the memory load, consider reducing the amount of
   bandwidth your relay advertises. Advertising less bandwidth means you will
   attract fewer users, so your relay shouldn't grow as large. See the
   MaxAdvertisedBandwidth option in the man page.

All of this said, fast Tor relays do use a lot of ram. It is not unusual for a
fast exit relay to use 500-1000 MB of memory.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I RUN AN OBFS4 BRIDGE?

See our obfs4 setup guide to learn how to set up an obfs4 bridge.

   
 * Edit this page - Suggest Feedback - Permalink

IS THERE A LIST OF DEFAULT EXIT PORTS?

The default open ports are listed below but keep in mind that, any port or ports
can be opened by the relay operator by configuring it in torrc or modifying the
source code. The default according to src/or/policies.c (line 85 and line 1901)
from the source code release release-0.4.6:

reject 0.0.0.0/8
reject 169.254.0.0/16
reject 127.0.0.0/8
reject 192.168.0.0/16
reject 10.0.0.0/8
reject 172.16.0.0/12

reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:563
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*


   
 * Edit this page - Suggest Feedback - Permalink

I'M FACING LEGAL TROUBLE. HOW DO I PROVE THAT MY SERVER WAS A TOR RELAY AT A
GIVEN TIME?

Exonerator is a web service that can check if an IP address was a relay on a
given date. We can also provide a signed letter if needed.

   
 * Edit this page - Suggest Feedback - Permalink

WHY ISN'T MY RELAY BEING USED MORE?

If your relay is relatively new then give it time. Tor decides which relays it
uses heuristically based on reports from Bandwidth Authorities. These
authorities take measurements of your relay's capacity and, over time, directs
more traffic there until it reaches an optimal load. The lifecycle of a new
relay is explained in more depth in this blog post. If you've been running a
relay for a while and still having issues then try asking on the tor-relays
list.

   
 * Edit this page - Suggest Feedback - Permalink

WHY CAN I NOT BROWSE ANYMORE AFTER LIMITING BANDWIDTH ON MY TOR RELAY?

The parameters assigned in the AccountingMax and BandwidthRate apply to both
client and relay functions of the Tor process. Thus you may find that you are
unable to browse as soon as your Tor goes into hibernation, signaled by this
entry in the log:

Bandwidth soft limit reached; commencing hibernation.
No new connections will be accepted


The solution is to run two Tor processes - one relay and one client, each with
its own config. One way to do this (if you are starting from a working relay
setup) is as follows:

 * In the relay Tor torrc file, simply set the SocksPort to 0.
 * Create a new client torrc file from the torrc.sample and ensure it uses a
   different log file from the relay. One naming convention may be torrc.client
   and torrc.relay.
 * Modify the Tor client and relay startup scripts to include -f
   /path/to/correct/torrc.
 * In Linux/BSD/Mac OS X, changing the startup scripts to Tor.client and
   Tor.relay may make separation of configs easier.

   
 * Edit this page - Suggest Feedback - Permalink

WHY DO I GET PORTSCANNED MORE OFTEN WHEN I RUN A TOR RELAY?

If you allow exit connections, some services that people connect to from your
relay will connect back to collect more information about you. For example, some
IRC servers connect back to your identd port to record which user made the
connection. (This doesn't really work for them, because Tor doesn't know this
information, but they try anyway.) Also, users exiting from you might attract
the attention of other users on the IRC server, website, etc. who want to know
more about the host they're relaying through.

Another reason is that groups who scan for open proxies on the Internet have
learned that sometimes Tor relays expose their socks port to the world. We
recommend that you bind your socksport to local networks only.

In any case, you need to keep up to date with your security. See this article on
security for Tor relays for more suggestions.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I RUN AN EXIT RELAY ON DEBIAN?

For the most in-depth resource on running a relay, see the Relay Setup Guide.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I DECIDE IF I SHOULD RUN A RELAY?

We're looking for people with reasonably reliable Internet connections, that
have at least 10 Mbit/s (Mbps) available bandwidth each way. If that's you,
please consider running a Tor relay.

Even if you do not have at least 10 Mbit/s of available bandwidth you can still
help the Tor network by running a Tor bridge with obfs4 support. In that case
you should have at least 1 MBit/s of available bandwidth.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I RUN A MIDDLE OR GUARD RELAY ON DEBIAN?

For the most in-depth resource on running a relay, see the Relay Setup Guide.

   
 * Edit this page - Suggest Feedback - Permalink

I'M BEHIND A NAT/FIREWALL.

See portforward.com for directions on how to port forward with your NAT/router
device.

If your relay is running on a internal net, you need to setup port forwarding.
Forwarding TCP connections is system dependent but the firewalled-clients FAQ
entry offers some examples on how to do this.

Also, here's an example of how you would do this on GNU/Linux if you're using
iptables:

/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 9001 -j ACCEPT

You may have to change "eth0" if you have a different external interface (the
one connected to the Internet). Chances are you have only one (except the
loopback) so it shouldn't be too hard to figure out.

   
 * Edit this page - Suggest Feedback - Permalink

I'D RUN A RELAY, BUT I DON'T WANT TO DEAL WITH ABUSE ISSUES.

Great. That's exactly why we implemented exit policies.

Each Tor relay has an exit policy that specifies what sort of outbound
connections are allowed or refused from that relay. The exit policies are
propagated to Tor clients via the directory, so clients will automatically avoid
picking exit relays that would refuse to exit to their intended destination.
This way each relay can decide the services, hosts, and networks it wants to
allow connections to, based on abuse potential and its own situation. Read the
Support entry on issues you might encounter if you use the default exit policy,
and then read Mike Perry's tips for running an exit node with minimal
harassment.

The default exit policy allows access to many popular services (e.g. web
browsing), but restricts some due to abuse potential (e.g. mail) and some since
the Tor network can't handle the load (e.g. default file-sharing ports). You can
change your exit policy by editing your torrc file. If you want to avoid most if
not all abuse potential, set it to "reject *:*". This setting means that your
relay will be used for relaying traffic inside the Tor network, but not for
connections to external websites or other services.

If you do allow any exit connections, make sure name resolution works (that is,
your computer can resolve Internet addresses correctly). If there are any
resources that your computer can't reach (for example, you are behind a
restrictive firewall or content filter), please explicitly reject them in your
exit policy otherwise Tor users will be impacted too.

   
 * Edit this page - Suggest Feedback - Permalink

ONION SERVICES

WHAT IS A .ONION OR WHAT ARE ONION SERVICES?

Onion services allow people to browse but also to publish anonymously, including
publishing anonymous websites.

Onion services are also relied on for metadata-free chat and file sharing, safer
interaction between journalists and their sources like with SecureDrop or
OnionShare, safer software updates, and more secure ways to reach popular
websites like Facebook.

These services use the special-use top level domain (TLD) .onion (instead of
.com, .net, .org, etc.) and are only accessible through the Tor network.



When accessing a website that uses an onion service, Tor Browser will show at
the URL bar an icon of an onion displaying the state of your connection: secure
and using an onion service.

To learn more about onion services, read How do Onion Services work?

   
 * Edit this page - Suggest Feedback - Permalink

WHAT ".ONION AVAILABLE" MEANS IN MY BROWSER?

Onion-Location is a HTTP header that web sites can use to advertise their onion
counterpart. If the web site that you're visiting has an onion site available, a
purple suggestion pill will prompt at the URL bar saying ".onion available".
When you click on ".onion available", the web site will be reloaded and
redirected to its onion counterpart. At the moment, Onion-Location is available
for Tor Browser desktop (Windows, macOS and GNU/Linux). You can learn more about
Onion-Location in the Tor Browser Manual. If you're an onion service operator,
learn how to configure Onion-Location in your onion site.

   
 * Edit this page - Suggest Feedback - Permalink

V2 ONION SERVICES DEPRECATION


HOW DO I KNOW IF I'M USING V2 OR V3 ONION SERVICES?

You can identify v3 onion addresses by their 56 character length, e.g. Tor
Project's v2 address:http://expyuzz4wqqyqhjn.onion/, and Tor Project's v3
address: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/

If you're an onion service administrator, you must upgrade to v3 onion services
as soon as possible. If you're a user, please ensure that you update your
bookmarks to the website's v3 onion addresses.


WHAT IS THE TIMELINE FOR THE V2 DEPRECATION?

In September 2020, Tor started warning onion service operators and clients that
v2 will be deprecated and obsolete in version 0.4.6. Tor Browser started warning
users in June, 2021.

In July 2021, 0.4.6 Tor will no longer support v2 and support will be removed
from the code base.

In October 2021, we will release new Tor client stable versions for all
supported series that will disable v2.

You can read more in the Tor Project's blog post Onion Service version 2
deprecation timeline.


CAN I KEEP USING MY V2 ONION ADDRESS? CAN I ACCESS MY V2 ONION AFTER SEPTEMBER?
IS THIS A BACKWARD-INCOMPATIBLE CHANGE?

V2 onion addresses are fundamentally insecure. If you have a v2 onion, we
recommend you migrate now. This is a backward incompatible change: v2 onion
services will not be reachable after September 2021.


WHAT IS THE RECOMMENDATION FOR DEVELOPERS TO MIGRATE? ANY TIPS ON HOW TO SPREAD
THE NEW V3 ADDRESSES TO PEOPLE?

In torrc, to create a version 3 address, you simply need to create a new service
just as you did your v2 service, with these two lines:

HiddenServiceDir /full/path/to/your/new/v3/directory/
HiddenServicePort <virtual port> <target-address>:<target-port>


The default version is now set to 3 so you don't need to explicitly set it.
Restart tor, and look on your directory for the new address. If you wish to keep
running your version 2 service until it is deprecated to provide a transition
path to your users, add this line to the configuration block of your version 2
service:

HiddenServiceVersion 2


This will allow you to identify in your configuration file which one is which
version.

If you have Onion-Location configured on your website, you need to set the
header with your new v3 address. For technical documentation about running onion
services, please read the Onion Services page in our Community portal.


I DIDN'T SEE THE ANNOUNCEMENT, CAN I GET MORE TIME TO MIGRATE?

No, v2 onion connections will start failing nowish, first slowly, then suddenly.
It's time to move away.


WILL SERVICES START FAILING TO BE REACHED IN SEPTEMBER, OR BEFORE ALREADY?

Already, introduction points are not in Tor 0.4.6 anymore, so they will not be
reachable if relay operators update.


AS A WEBSITE ADMINISTRATOR, CAN I REDIRECT USERS FROM MY V2 ONION TO V3?

Yes, it will work until the v2 onion address is unreachable. You may want to
encourage users to update their bookmarks.


ARE V3 ONION SERVICES GOING TO HELP IN MITIGATING DDOS PROBLEMS?

Yes, we are continuously working on improving onion services security. Some of
the work we have in our roadmap is ESTABLISH_INTRO Cell DoS Defense Extension,
Res tokens: Anonymous Credentials for Onion Service DoS Resilience, and A First
Take at PoW Over Introduction Circuits. For an overview about these proposals,
read the detailed blog post How to stop the onion denial (of service).

   
 * Edit this page - Suggest Feedback - Permalink

DOES THE TOR PROJECT RUN ANY ONION SERVICES?

Yes! A list of our Onion Services is available at onion.torproject.org.

   
 * Edit this page - Suggest Feedback - Permalink

I CANNOT REACH X.ONION!

If you cannot reach the onion service you desire, make sure that you have
entered the 56-character onion address correctly; even a small mistake will stop
Tor Browser from being able to reach the site. If you are still unable to
connect to the onion service, please try again later. There may be a temporary
connection issue, or the site operators may have allowed it to go offline
without warning.

You can also ensure that you're able to access other onion services by
connecting to DuckDuckGo's onion service.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT'S A CLIENT OR ONION AUTHENTICATION?

An authenticated onion service is an onion service that requires you to provide
an authentication token (in this case, a private key) before accessing the
service. The private key is not transmitted to the service, and it's only used
to decrypt its descriptor locally. You can get the access credentials from the
onion service operator. Reach out to the operator and request access. Learn more
about how to use onion authentication in Tor Browser. If you want to create an
onion service with client authentication, please see the Client Authorization
section in the Community portal.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT DO THE DIFFERENT ONION ICONS IN THE ADDRESS BAR MEAN?

When browsing an Onion Service, Tor Browser displays different onion icons in
the address bar indicating the security of the current webpage.

An onion means:

 * The Onion Service is served over HTTP, or HTTPS with a CA-Issued certificate.
 * The Onion Service is served over HTTPS with a Self-Signed certificate.

An onion with a red slash means:

 * The Onion Service is served with a script from an insecure URL.

An onion with caution sign means:

 * The Onion Service is served over HTTPS with an expired Certificate.
 * The Onion Service is served over HTTPS with a wrong Domain.
 * The Onion Service is served with a mixed form over an insecure URL.

   
 * Edit this page - Suggest Feedback - Permalink

I'VE HEARD ABOUT WEBSITES THAT ARE ONLY ACCESSIBLE OVER TOR. WHAT ARE THESE
WEBSITES, AND HOW CAN I ACCESS THEM?

Websites that are only accessible over Tor are called "onions" and end in the
TLD .onion. For example, the DuckDuckGo onion is
https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/. You can
access these websites by using Tor Browser. The addresses must be shared with
you by the website host, as onions are not indexed in search engines in the
typical way that vanilla websites are.

   
 * Edit this page - Suggest Feedback - Permalink

MISC

HOW CAN I SHARE FILES ANONYMOUSLY THROUGH TOR?

For sharing files over Tor, OnionShare is a good option. OnionShare is an open
source tool for securely and anonymously sending and receiving files using Tor
onion services. It works by starting a web server directly on your computer and
making it accessible as an unguessable Tor web address that others can load in
Tor Browser to download files from you, or upload files to you. It doesn't
require setting up a separate server, using a third party file-sharing service,
or even logging into an account.

Unlike services like email, Google Drive, DropBox, WeTransfer, or nearly any
other way people typically send files to each other, when you use OnionShare you
don't give any companies access to the files that you're sharing. So long as you
share the unguessable web address in a secure way (like pasting it in an
encrypted messaging app), no one but you and the person you're sharing with can
access the files.

OnionShare is developed by Micah Lee.

Many exit nodes are configured to block certain types of file sharing traffic,
such as BitTorrent. BitTorrent in particular is not anonymous over Tor.

   
 * Edit this page - Suggest Feedback - Permalink

DOES TOR PROJECT OFFER EMAIL SERVICE OR OTHER PRIVACY PROTECTING WEB SERVICES?

No, we don't provide any online services. A list of all of our software projects
can be found on our projects page.

   
 * Edit this page - Suggest Feedback - Permalink

HOW CAN I DONATE TO TOR PROJECT?

Thank you for your support! You can find more information about donating on our
donor FAQ.

   
 * Edit this page - Suggest Feedback - Permalink

DOES THE TOR PROJECT OFFER HOSTING?

No, the Tor Project does not offer hosting services.

   
 * Edit this page - Suggest Feedback - Permalink

WHY DON'T YOU PREVENT BAD PEOPLE FROM DOING BAD THINGS WHEN USING TOR?

Tor is designed to defend human rights and privacy by preventing anyone from
censoring things, even us. We hate that there are some people who use Tor to do
terrible things, but we can't do anything to get rid of them without also
undermining the human rights activists, journalists, abuse survivors, and other
people who use Tor for good things. If we wanted to block certain people from
using Tor, we'd basically be adding a backdoor to the software, which would open
up our vulnerable users to attacks from bad regimes and other adversaries.

   
 * Edit this page - Suggest Feedback - Permalink

I HAVE A COMPELLING REASON TO TRACE A TOR USER. CAN YOU HELP?

There is nothing the Tor developers can do to trace Tor users. The same
protections that keep bad people from breaking Tor's anonymity also prevent us
from tracking users.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I VOLUNTEER WITH TOR PROJECT?

A few things everyone can do now:

 1. Please consider running a relay to help the Tor network grow.
 2. Tell your friends! Get them to run relays. Get them to run onion services.
    Get them to tell their friends.
 3. If you like Tor's goals, please take a moment to donate to support further
    Tor development. We're also looking for more sponsors - if you know any
    companies, NGOs, agencies, or other organizations that want anonymity /
    privacy / communications security, let them know about us.
 4. We're looking for more good examples of Tor users and Tor use cases. If you
    use Tor for a scenario or purpose not yet described on that page, and you're
    comfortable sharing it with us, we'd love to hear from you.


DOCUMENTATION

 1. Help localize the documentation into other languages. See becoming a Tor
    translator if you want to help out. We especially need Arabic or Farsi
    translations, for the many Tor users in censored areas.


ADVOCACY

 1. The Tor community uses the Tor Forum, IRC/Matrix, and public mailing lists.
 2. Create a presentation that can be used for various user group meetings
    around the world.
 3. Create a poster around a theme, such as "Tor for Human Rights!".
 4. Spread the word about Tor at a symposium or conference and use these Tor
    brochures as conversation starter.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I CHECK IF MY APPLICATION THAT USES SOCKS IS LEAKING DNS REQUESTS?

Even if your application is using the correct variant of the SOCKS protocol,
there is still a risk that it could be leaking DNS queries. This problem happens
in Firefox extensions that resolve the destination hostname themselves, for
example to show you its IP address, what country it's in, etc. If you suspect
your application might behave like this, follow the instructions below to check.

 1. Add TestSocks 1 to your torrc file.
 2. Start Tor, and point your program's SOCKS proxy settings to Tor's SOCKS5
    server (socks5://127.0.0.1:9050 by default).
 3. Watch your logs as you use your application. For each socks connection, Tor
    will log a notice for safe connections, and a warn for connections leaking
    DNS requests.

If you want to automatically disable all connections leaking DNS requests, set
SafeSocks 1 in your torrc file.

   
 * Edit this page - Suggest Feedback - Permalink

I'M HAVING A PROBLEM UPDATING OR USING VIDALIA.

Vidalia is no longer maintained or supported. A large portion of the features
Vidalia offered have now been integrated into Tor Browser itself.

   
 * Edit this page - Suggest Feedback - Permalink

YOU SHOULD HIDE THE LIST OF TOR RELAYS, SO PEOPLE CAN'T BLOCK THE EXITS.

There are a few reasons we don't:

 1. We can't help but make the information available, since Tor clients need to
    use it to pick their paths. So if the "blockers" want it, they can get it
    anyway. Further, even if we didn't tell clients about the list of relays
    directly, somebody could still make a lot of connections through Tor to a
    test site and build a list of the addresses they see.
 2. If people want to block us, we believe that they should be allowed to do so.
    Obviously, we would prefer for everybody to allow Tor users to connect to
    them, but people have the right to decide who their services should allow
    connections from, and if they want to block anonymous users, they can.
 3. Being blockable also has tactical advantages: it may be a persuasive
    response to website maintainers who feel threatened by Tor. Giving them the
    option may inspire them to stop and think about whether they really want to
    eliminate private access to their system, and if not, what other options
    they might have. The time they might otherwise have spent blocking Tor, they
    may instead spend rethinking their overall approach to privacy and
    anonymity.

   
 * Edit this page - Suggest Feedback - Permalink

HOW TO REPORT A BUG OR GIVE FEEDBACK

Tor relies on the support of users and volunteers around the world to help us
improve our software and resources, so your feedback is extremely valuable to us
(and to all Tor users).


FEEDBACK TEMPLATE

When sending us feedback or reporting a bug, please include as many of these as
possible:

 * Operating System you are using
 * Tor Browser version
 * Tor Browser Security Level
 * Step by step of how you got to the issue, so we can reproduce it (e.g. I
   opened the browser, typed a url, clicked on (i) icon, then my browser
   crashed)
 * A screenshot of the problem
 * The log


HOW TO REACH US

There are several ways to reach us, so please use what works best for you.

TOR FORUM

We recommend asking for help on the Tor Forum. You will need to create an
account to submit a new topic. Before you ask, please review our discussion
guidelines. At the moment, for the fastest response, please write in English. If
you found a bug, please use GitLab.

GITLAB

First, check if the bug is already known. You can search and read all the issues
at https://gitlab.torproject.org/. To create a new issue, please request a new
account to access Tor Project's GitLab instance and find the right repository to
report your issue. We track all Tor Browser related issues at Tor Browser issue
tracker. Issues related to our websites should be filed under the Web issue
tracker.

TELEGRAM

If you need help installing or troubleshooting Tor Browser and the Tor Forum is
blocked or censored where you are, you can reach out to us on Telegram
https://t.me/TorProjectSupportBot. A Tor support specialist will assist you.

WHATSAPP

You can reach our support team with a text message to our WhatsApp number:
+447421000612. This service is only available for text messages; videos or calls
are not supported.

SIGNAL

You can get help by sending a text message to our Signal number: +17787431312.
Signal is a free and privacy-focused messaging app. This service is only
available for text messages; videos or calls are not supported. After sending a
message, our support agents will guide you and help troubleshoot your issue.

EMAIL

Send us an email to frontdesk@torproject.org.

In the subject line of your email, please tell us what you're reporting. The
more specific your subject line is (e.g. "Connection failure", "feedback on
website", "feedback on Tor Browser, "I need a bridge"), the easier it will be
for us to understand and follow up. Sometimes when we receive emails without
subject lines, they're marked as spam and we don't see them.

For the fastest response, please write in English, Spanish, and/or Portuguese if
you can. If none of these languages works for you, please write in any language
you feel comfortable with, but keep in mind it will take us a bit longer to
answer as we will need help with translation to understand it.

BLOG POST COMMENTS

You can always leave comments on the blog post related to the issue or feedback
you want to report. If there is not a blog post related to your issue, please
contact us another way.

IRC

You can find us in the #tor channel on OFTC to give us feedback or report
bugs/issues. We may not respond right away, but we do check the backlog and will
get back to you when we can.

Learn how to connect to OFTC servers.

EMAIL LISTS

For reporting issues or feedback using email lists, we recommend that you do so
on the one that is related to what you would like to report. A complete
directory of our mailing lists can be found here.

For feedback or issues related to our websites: ux

For feedback or issues related to running a Tor relay: tor-relays


REPORT A SECURITY ISSUE

If you've found a security issue, please email security@torproject.org.

If you want to encrypt your mail, you can get the OpenPGP public key for this
address from keys.openpgp.org. Here is the current fingerprint:

  pub   rsa3072/0x3EF9EF996604DE41 2022-11-15 [SC] [expires: 2024-12-11]
      Key fingerprint = 835B 4E04 F6F7 4211 04C4  751A 3EF9 EF99 6604 DE41
  uid Tor Security Contact <security@torproject.org>
  sub   rsa3072/0xF59EF1669B798C36 2022-11-15 [E] [expires: 2024-12-11]
      Key fingerprint = A16B 0707 8A47 E0E1 E5B2  8879 F59E F166 9B79 8C36


If you wish to participate in our bug bounty program, please be aware,
submitting a security issue to a third-party website carries certain risks that
we cannot control, as a result we'd prefer the report directly.

   
 * Edit this page - Suggest Feedback - Permalink

THE FILES ON MY COMPUTER HAVE BEEN LOCKED, AND SOMEONE IS DEMANDING I DOWNLOAD
TOR BROWSER TO PAY A RANSOM FOR MY FILES!

We are so sorry, but you have been infected with malware. The Tor Project did
not create this malware. The malware authors are asking you to download Tor
Browser presumably to contact them anonymously with the ransom they're demanding
from you.

If this is your first introduction to Tor Browser, we understand that you might
think we're bad people who enable even worse people.

But please consider that our software is used every day for a wide variety of
purposes by human rights activists, journalists, domestic violence survivors,
whistleblowers, law enforcement officers, and many others. Unfortunately, the
protection that our software can provide to these groups of people can also be
abused by criminals and malware authors. The Tor Project does not support or
condone the use of our software for malicious purposes.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I USE THE TOR LOGO IN MY PRODUCT?

You can read all about that on our Trademark faq page.

   
 * Edit this page - Suggest Feedback - Permalink

WHO FUNDS TOR?

Tor is funded by a number of different sponsors including US federal agencies,
private foundations, and individual donors. Check out a list of all our sponsors
and a series of blog posts on our financial reports.

We feel that talking openly about our sponsors and funding model is the best way
to maintain trust with our community. We are always seeking more diversity in
our funding sources, especially from foundations and individuals.

   
 * Edit this page - Suggest Feedback - Permalink

DOES TOR KEEP LOGS?

Tor doesn't keep any logs that could identify a particular user. We do take some
safe measurements of how the network functions, which you can check out at Tor
Metrics.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I CHANGE THE NUMBER OF HOPS TOR USES?

Right now the path length is hard-coded at 3 plus the number of nodes in your
path that are sensitive. That is, in normal cases it's 3, but for example if
you're accessing an onion service or a ".exit" address it could be more.

We don't want to encourage people to use paths longer than this as it increases
load on the network without (as far as we can tell) providing any more security.
Also, using paths longer than 3 could harm anonymity, first because it makes
denial of security attacks easier, and second because it could act as an
identifier if only a small number of users have the same path length as you.

   
 * Edit this page - Suggest Feedback - Permalink

DOES TOR PROJECT MAKE AN APPLICATION FOR PRIVATE CHAT?

No. After eleven beta releases, we discontinued support of Tor Messenger. We
still believe in Tor's ability to be used in a messaging app, but we don't have
the resources to make it happen right now. Do you? Contact us.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I USE TOR WITH BITTORRENT?

We do not recommend using Tor with BitTorrent. For further details, please see
our blog post on the subject.

   
 * Edit this page - Suggest Feedback - Permalink

About Documentation Press Jobs Blog Newsletter Contact Donate Support Community
Most Frequently Asked Questions About Tor Tor Browser Tor Messenger Tor Mobile
GetTor Connecting To Tor Censorship HTTPS Operators Onion Services Debian
Repository RPM Repository Alternate Designs little-t-tor Misc Abuse FAQs Get in
Touch

   
 * Edit this page - Suggest Feedback - Permalink

GET IN TOUCH

WHY I CAN'T JOIN TOR-DEV AND OTHER CHANNELS?

The #tor-project channel is where Tor people discuss and coordinate daily Tor
work. It has fewer members than #tor and is more focused on the work at hand.
You are also welcome to join this channel. To access #tor-project, your nickname
(nick) must be registered and verified.

Here's how to reach #tor-project and other registered channels.


REGISTER YOUR NICKNAME

 1. Log onto #tor. See How can I chat with Tor Project teams?

 2. Then, click on the word "Status" at the top left of the screen.

 3. In the window at the bottom of the page, type: /msg nickserv REGISTER
    yournewpassword youremailaddress

 4. Hit enter.

If all goes well, you will receive a message that you are registered.

The system may register you as your nick_ instead of your nick.

If so, just go with it but remember you are user_ and not user.

Every time you log on to IRC, to identify your registered nick, type:

/nick yournick

/msg nickserv IDENTIFY YourPassWord


HOW TO VERIFY YOUR NICKNAME

After registering your nickname, to gain access to the #tor-project and other
protected channels, your nickname must be verified.

 1. Go to https://services.oftc.net/ and follow the steps in the 'To verify your
    account' section

 2. Go back to the IRC webpage where you are logged in and type:
    
    /msg nickserv checkverify

 3. Click ENTER.

 4. If all is well, you will receive a message that says:

*!NickServ*checkverify

Usermodechange: +R

!NickServ- Successfully set +R on your nick.


Your nick is verified!

Now, to join #tor-project, you can just type:

/join #tor-project and hit enter.

You will be allowed into the channel. If so, Congratulations!

However, if you get stuck, you can ask for help in the #tor channel.

You can toggle back and forth between channels by clicking on the different
channel names at the top left of the IRC window.

   
 * Edit this page - Suggest Feedback - Permalink

HOW CAN I CHAT WITH TOR PROJECT TEAMS?

For a long time, the Tor community has been running many day-to-day activities
using the IRC network known as OFTC. IRC has worked out well for us, and our
community on IRC has been evolving over the years with new people joining in and
new channels appearing for specific needs in the organization.


MATRIX BRIDGE

The Tor community is opening up its day-to-day conversations by bridging our IRC
community to the Matrix network. For regular Tor users, it means that you can
chat with us using a friendly App like Element. The #tor:matrix.org room or the
#tor IRC channel are connected: whichever platform you chose, your message will
be shared on both platforms.

To join the conversation with Tor contributors on Matrix, you need a Matrix
account. Several providers can get you one. One of these is the Matrix.org
Foundation, which allows people to register an account for free. You can
register an account on app.element.io.

Once you have a Matrix account, you can either join the Tor Matrix Space to
browse the Tor rooms, or directly join the #tor:matrix.org user support room.


OFTC IRC NETWORK

Alternatively, if you want to use IRC you can use OFTC's web IRC client:

 1. Open OFTC webchat

 2. Fill in the blanks:
    
    NICKNAME: Anything you want, but choose the same nickname (nick) every time
    you use IRC to talk to people on Tor. If your nick is already being used,
    you will get a message from the system and you should choose another nick.
    
    CHANNEL: #tor

 3. Click Enter

Congratulations! You're on IRC.

After a few seconds, you will automatically enter #tor, which is a chatroom with
Tor developers, relay operators and other community members. There are some
random people in #tor as well.

You can ask questions in the empty bar at the bottom of the screen. Please,
don't ask to ask, just ask your question.

People may be able to answer right away, or there may be a bit of a delay (some
people are listed on the channel but are away from their keyboards and record
channel activities to read later).

If you want to chat with someone specific, start your comment with their nick
and they will typically receive a notification that someone is trying to contact
them.

OFTC often doesn't allow people to use their webchat over Tor. For this reason,
and because many people end up preferring it anyway, you should also consider
using an IRC client.

   
 * Edit this page - Suggest Feedback - Permalink

HOW TO REPORT A BUG OR GIVE FEEDBACK

Tor relies on the support of users and volunteers around the world to help us
improve our software and resources, so your feedback is extremely valuable to us
(and to all Tor users).


FEEDBACK TEMPLATE

When sending us feedback or reporting a bug, please include as many of these as
possible:

 * Operating System you are using
 * Tor Browser version
 * Tor Browser Security Level
 * Step by step of how you got to the issue, so we can reproduce it (e.g. I
   opened the browser, typed a url, clicked on (i) icon, then my browser
   crashed)
 * A screenshot of the problem
 * The log


HOW TO REACH US

There are several ways to reach us, so please use what works best for you.

TOR FORUM

We recommend asking for help on the Tor Forum. You will need to create an
account to submit a new topic. Before you ask, please review our discussion
guidelines. At the moment, for the fastest response, please write in English. If
you found a bug, please use GitLab.

GITLAB

First, check if the bug is already known. You can search and read all the issues
at https://gitlab.torproject.org/. To create a new issue, please request a new
account to access Tor Project's GitLab instance and find the right repository to
report your issue. We track all Tor Browser related issues at Tor Browser issue
tracker. Issues related to our websites should be filed under the Web issue
tracker.

TELEGRAM

If you need help installing or troubleshooting Tor Browser and the Tor Forum is
blocked or censored where you are, you can reach out to us on Telegram
https://t.me/TorProjectSupportBot. A Tor support specialist will assist you.

WHATSAPP

You can reach our support team with a text message to our WhatsApp number:
+447421000612. This service is only available for text messages; videos or calls
are not supported.

SIGNAL

You can get help by sending a text message to our Signal number: +17787431312.
Signal is a free and privacy-focused messaging app. This service is only
available for text messages; videos or calls are not supported. After sending a
message, our support agents will guide you and help troubleshoot your issue.

EMAIL

Send us an email to frontdesk@torproject.org.

In the subject line of your email, please tell us what you're reporting. The
more specific your subject line is (e.g. "Connection failure", "feedback on
website", "feedback on Tor Browser, "I need a bridge"), the easier it will be
for us to understand and follow up. Sometimes when we receive emails without
subject lines, they're marked as spam and we don't see them.

For the fastest response, please write in English, Spanish, and/or Portuguese if
you can. If none of these languages works for you, please write in any language
you feel comfortable with, but keep in mind it will take us a bit longer to
answer as we will need help with translation to understand it.

BLOG POST COMMENTS

You can always leave comments on the blog post related to the issue or feedback
you want to report. If there is not a blog post related to your issue, please
contact us another way.

IRC

You can find us in the #tor channel on OFTC to give us feedback or report
bugs/issues. We may not respond right away, but we do check the backlog and will
get back to you when we can.

Learn how to connect to OFTC servers.

EMAIL LISTS

For reporting issues or feedback using email lists, we recommend that you do so
on the one that is related to what you would like to report. A complete
directory of our mailing lists can be found here.

For feedback or issues related to our websites: ux

For feedback or issues related to running a Tor relay: tor-relays


REPORT A SECURITY ISSUE

If you've found a security issue, please email security@torproject.org.

If you want to encrypt your mail, you can get the OpenPGP public key for this
address from keys.openpgp.org. Here is the current fingerprint:

  pub   rsa3072/0x3EF9EF996604DE41 2022-11-15 [SC] [expires: 2024-12-11]
      Key fingerprint = 835B 4E04 F6F7 4211 04C4  751A 3EF9 EF99 6604 DE41
  uid Tor Security Contact <security@torproject.org>
  sub   rsa3072/0xF59EF1669B798C36 2022-11-15 [E] [expires: 2024-12-11]
      Key fingerprint = A16B 0707 8A47 E0E1 E5B2  8879 F59E F166 9B79 8C36


If you wish to participate in our bug bounty program, please be aware,
submitting a security issue to a third-party website carries certain risks that
we cannot control, as a result we'd prefer the report directly.

   
 * Edit this page - Suggest Feedback - Permalink

DEBIAN REPOSITORY

WHY AND HOW I CAN ENABLE TOR PACKAGE REPOSITORY IN DEBIAN?

The Tor Project maintains its own Debian package repository. Since Debian
provides the LTS version of Tor, this might not always give you the latest
stable Tor version. Therefore, it's recommended to install tor from our
repository.

Here's how you can enable Tor Package Repository in Debian based distributions:

> Note: The symbol # refers to running the code as root. This means you should
> have access to a user account with system administration privileges, i.e. your
> user should be in the sudo group.

PREREQUISITE: VERIFY THE CPU ARCHITECTURE

The package repository offers amd64, arm64, and i386 binaries. Verify your
operating system is capable of running the binary by inspecting the output of
the following command:

  # dpkg --print-architecture


It should output either amd64, arm64, or i386. The repository does not support
other CPU architectures.

Note: The package repository does not offer 32-bit ARM architecture (armhf)
images (yet). You should either install the version Debian offers (make sure to
check out Debian backports, too, as that one has often a more up-to-date Tor
package), or build Tor from source.

1. INSTALL APT-TRANSPORT-HTTPS

To enable all package managers using the libapt-pkg library to access metadata
and packages available in sources accessible over https (Hypertext Transfer
Protocol Secure).

   # apt install apt-transport-https


2. CREATE A NEW FILE IN /ETC/APT/SOURCES.LIST.D/ NAMED TOR.LIST. ADD THE
FOLLOWING ENTRIES:

   deb     [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main
   deb-src [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main


If you want to try experimental packages, add these in addition to the lines
from above:

   deb     [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org tor-experimental-<DISTRIBUTION> main
   deb-src [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org tor-experimental-<DISTRIBUTION> main


Or nightly builds:

   deb     [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org tor-nightly-main-<DISTRIBUTION> main
   deb-src [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org tor-nightly-main-<DISTRIBUTION> main


Replace <DISTRIBUTION> with your Operating System codename. Run lsb_release -c
or cat /etc/debian_version to check the Operating System version.

Note: Ubuntu Focal dropped support for 32-bit, so instead use:

   deb     [arch=<ARCHITECTURE> signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org focal main
   deb-src [arch=<ARCHITECTURE> signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org focal main


Replace <ARCHITECTURE> with your system architecture (you found it earlier by
writing dpkg --print-architecture).

Warning symptom, when running sudo apt update:

   Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'http://deb.torproject.org/torproject.org focal InRelease' doesn't support architecture 'i386'


3. THEN ADD THE GPG KEY USED TO SIGN THE PACKAGES BY RUNNING THE FOLLOWING
COMMAND AT YOUR COMMAND PROMPT:

   # wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null


4. INSTALL TOR AND TOR DEBIAN KEYRING

We provide a Debian package to help you keep our signing key current. It is
recommended you use it. Install it with the following commands:

   # apt update
   # apt install tor deb.torproject.org-keyring


   
 * Edit this page - Suggest Feedback - Permalink

CAN I USE TOR FROM UBUNTU'S REPOSITORY?

No. Do not use the packages in Ubuntu's universe. In the past they have not been
reliably updated. That means you could be missing stability and security fixes.
Instead, please use Tor Debian repository.

   
 * Edit this page - Suggest Feedback - Permalink

CAN I USE APT OVER TOR?

Yes, deb.torproject.org is also served through via an Onion Service:
http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/

> Note: The symbol # refers to running the code as root. This means you should
> have access to a user account with system administration privileges, i.e. your
> user should be in the sudo group.

To use Apt over Tor, the apt transport needs to be installed:

   # apt install apt-transport-tor


Then you need to add the following entries to /etc/apt/sources.list or a new
file in /etc/apt/sources.list.d/:

   # For the stable version.
   deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org <DISTRIBUTION> main

   # For the unstable version.
   deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org tor-nightly-main-<DISTRIBUTION> main


Replace <DISTRIBUTION> with your Operating System codename. Run lsb_release -c
or cat /etc/debian_version to check the Operating System version.

Since Debian bookworm you can also use the more modern deb822-style:

   # echo "\
     Types: deb deb-src
     Components: main
     Suites: bookworm
     URIs: tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org
     Architectures: amd64 arm64 i386
     Signed-By: /usr/share/keyrings/deb.torproject.org-keyring.gpg
     " | sudo tee /etc/apt/sources.list.d/tor.sources


   
 * Edit this page - Suggest Feedback - Permalink

TOR RPM PACKAGES

HOW CAN I INSTALL TOR RPM PACKAGE

The Tor Project maintains its own RPM package repository for CentOS and RHEL and
Fedora.

> Note: The symbol # refers to be running the code as root. That means you
> should have access to a user account with system administration privileges,
> e.g your user should be in the sudo group.

Here's how you can enable Tor Package Repository for both CentOS and RHEL and
Fedora:


1. ENABLE EPEL REPOSITORY (ONLY FOR CENTOS AND RHEL)

‪# dnf install epel-release -y



2. ADD THE FOLLOWING TO /ETC/YUM.REPOS.D/TOR.REPO

For CentOS or RHEL:

[tor]
name=Tor for Enterprise Linux $releasever - $basearch
baseurl=https://rpm.torproject.org/centos/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpm.torproject.org/centos/public_gpg.key
cost=100


For Fedora:

[tor]
name=Tor for Fedora $releasever - $basearch
baseurl=https://rpm.torproject.org/fedora/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpm.torproject.org/fedora/public_gpg.key
cost=100



3. INSTALL THE TOR PACKAGE

Then you can install the latest Tor package.

‪# dnf install tor -y


Using it for the first time, you will have to import the GPG public key.

Importing GPG key 0x3621CD35:
Userid     : "Kushal Das (RPM Signing key) <kushal@torproject.org>"
Fingerprint: 999E C8E3 14BC 8D46 022D 6C7D E217 C30C 3621 CD35
From       : https://rpm.torproject.org/fedora/public_gpg.key
Is this ok [y/N]: y


   
 * Edit this page - Suggest Feedback - Permalink

ABUSE FAQ

I'D RUN A RELAY, BUT I DON'T WANT TO DEAL WITH ABUSE ISSUES.

Great. That's exactly why we implemented exit policies.

Each Tor relay has an exit policy that specifies what sort of outbound
connections are allowed or refused from that relay. The exit policies are
propagated to Tor clients via the directory, so clients will automatically avoid
picking exit relays that would refuse to exit to their intended destination.
This way each relay can decide the services, hosts, and networks it wants to
allow connections to, based on abuse potential and its own situation. Read the
Support entry on issues you might encounter if you use the default exit policy,
and then read Mike Perry's tips for running an exit node with minimal
harassment.

The default exit policy allows access to many popular services (e.g. web
browsing), but restricts some due to abuse potential (e.g. mail) and some since
the Tor network can't handle the load (e.g. default file-sharing ports). You can
change your exit policy by editing your torrc file. If you want to avoid most if
not all abuse potential, set it to "reject *:*". This setting means that your
relay will be used for relaying traffic inside the Tor network, but not for
connections to external websites or other services.

If you do allow any exit connections, make sure name resolution works (that is,
your computer can resolve Internet addresses correctly). If there are any
resources that your computer can't reach (for example, you are behind a
restrictive firewall or content filter), please explicitly reject them in your
exit policy otherwise Tor users will be impacted too.

   
 * Edit this page - Suggest Feedback - Permalink

DOESN'T TOR ENABLE CRIMINALS TO DO BAD THINGS?

Tor's mission is to advance human rights with free and open-source technology,
empowering users to defend against mass surveillance and internet censorship. We
hate that there are some people who use Tor for nefarious purposes, and we
condemn the misuse and exploitation of our technology for criminal activity.

It's essential to understand that criminal intent lies with the individuals and
not the tools they use. Just like other widely available technology, Tor can be
used by individuals with criminal intent. And because of other options they can
use it seems unlikely that taking Tor away from the world will stop them from
engaging in criminal activity. At the same time, Tor and other privacy measures
can fight identity theft, physical crimes like stalking, and be used by law
enforcement to investigate crime and help support survivors.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT ABOUT DISTRIBUTED DENIAL OF SERVICE ATTACKS?

Distributed denial of service (DDoS) attacks typically rely on having a group of
thousands of computers all sending floods of traffic to a victim. Since the goal
is to overpower the bandwidth of the victim, they typically send UDP packets
since those don't require handshakes or coordination.

But because Tor only transports correctly formed TCP streams, not all IP
packets, you cannot send UDP packets over Tor. (You can't do specialized forms
of this attack like SYN flooding either.) So ordinary DDoS attacks are not
possible over Tor. Tor also doesn't allow bandwidth amplification attacks
against external sites: you need to send in a byte for every byte that the Tor
network will send to your destination. So in general, attackers who control
enough bandwidth to launch an effective DDoS attack can do it just fine without
Tor.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT ABOUT SPAMMERS?

First of all, the default Tor exit policy rejects all outgoing port 25 (SMTP)
traffic. So sending spam mail through Tor isn't going to work by default. It's
possible that some relay operators will enable port 25 on their particular exit
node, in which case that computer will allow outgoing mails; but that individual
could just set up an open mail relay too, independent of Tor. In short, Tor
isn't useful for spamming, because nearly all Tor relays refuse to deliver the
mail.

Of course, it's not all about delivering the mail. Spammers can use Tor to
connect to open HTTP proxies (and from there to SMTP servers); to connect to
badly written mail-sending CGI scripts; and to control their botnets — that is,
to covertly communicate with armies of compromised computers that deliver the
spam.

This is a shame, but notice that spammers are already doing great without Tor.
Also, remember that many of their more subtle communication mechanisms (like
spoofed UDP packets) can't be used over Tor, because it only transports
correctly-formed TCP connections.

   
 * Edit this page - Suggest Feedback - Permalink

DOES TOR GET MUCH ABUSE?

Tor has implemented exit policies. Each Tor relay has an exit policy that
specifies what sort of outbound connections are allowed or refused from that
relay. This way each relay can decide the services, hosts, and networks it wants
to allow connections to, based on abuse potential and its own situation. We also
have a dedicated team, Network Health, to investigate bad relay behavior and
kick them out of the network.

It is important to note that while we can combat some type of abuse like bad
relays in our network, we can't see or manage what users do on the network and
that is by design. This design overwhelmingly allows for beneficial uses by
providing human rights activists, journalists, domestic violence survivors,
whistleblowers, law enforcement officers, and many others with as much privacy
and anonymity as possible. Learn more about our users and Tor's beneficial use
cases here.

   
 * Edit this page - Suggest Feedback - Permalink

SO WHAT SHOULD I EXPECT IF I RUN AN EXIT RELAY?

If you run a Tor relay that allows exit connections (such as the default exit
policy), it's probably safe to say that you will eventually hear from somebody.
Abuse complaints may come in a variety of forms. For example:

 * Somebody connects to Hotmail, and sends a ransom note to a company. The FBI
   sends you a polite email, you explain that you run a Tor relay, and they say
   "oh well" and leave you alone. [Port 80]
 * Somebody tries to get you shut down by using Tor to connect to Google groups
   and post spam to Usenet, and then sends an angry mail to your ISP about how
   you're destroying the world. [Port 80]
 * Somebody connects to an IRC network and makes a nuisance of himself. Your ISP
   gets polite mail about how your computer has been compromised; and/or your
   computer gets DDoSed. [Port 6667]
 * Somebody uses Tor to download a Vin Diesel movie, and your ISP gets a DMCA
   takedown notice. See EFF's Tor DMCA Response Template, which explains why
   your ISP can probably ignore the notice without any liability. [Arbitrary
   ports]

Some hosting providers are friendlier than others when it comes to Tor exits.
For a listing see the good and bad ISPs wiki.

For a complete set of template responses to different abuse complaint types, see
the collection of templates. You can also proactively reduce the amount of abuse
you get by following these tips for running an exit node with minimal harassment
and running a reduced exit policy.

You might also find that your Tor relay's IP is blocked from accessing some
Internet sites/services. This might happen regardless of your exit policy,
because some groups don't seem to know or care that Tor has exit policies. (If
you have a spare IP not used for other activities, you might consider running
your Tor relay on it.) In general, it's advisable not to use your home internet
connection to provide a Tor relay.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO I RESPOND TO MY ISP ABOUT MY EXIT RELAY?

A collection of templates for successfully responding to ISPs is collected here.

   
 * Edit this page - Suggest Feedback - Permalink

TOR IS BANNED FROM THE IRC NETWORK I WANT TO USE.

Sometimes jerks make use of Tor to troll IRC channels. This abuse results in
IP-specific temporary bans ("klines" in IRC lingo), as the network operators try
to keep the troll off of their network.

This response underscores a fundamental flaw in IRC's security model: they
assume that IP addresses equate to humans, and by banning the IP address they
can ban the human. In reality, this is not the case — many such trolls routinely
make use of the literally millions of open proxies and compromised computers
around the Internet. The IRC networks are fighting a losing battle of trying to
block all these nodes, and an entire cottage industry of blocklists and
counter-trolls has sprung up based on this flawed security model (not unlike the
antivirus industry). The Tor network is just a drop in the bucket here.

On the other hand, from the viewpoint of IRC server operators, security is not
an all-or-nothing thing. By responding quickly to trolls or any other social
attack, it may be possible to make the attack scenario less attractive to the
attacker. And most individual IP addresses do equate to individual humans, on
any given IRC network at any given time. The exceptions include NAT gateways
which may be allocated access as special cases. While it's a losing battle to
try to stop the use of open proxies, it's not generally a losing battle to keep
klining a single ill-behaved IRC user until that user gets bored and goes away.

But the real answer is to implement application-level auth systems, to let in
well-behaving users and keep out badly-behaving users. This needs to be based on
some property of the human (such as a password they know), not some property of
the way their packets are transported.

Of course, not all IRC networks are trying to ban Tor nodes. After all, quite a
few people use Tor to IRC in privacy in order to carry on legitimate
communications without tying them to their real-world identity. Each IRC network
needs to decide for itself if blocking a few more of the millions of IPs that
bad people can use is worth losing the contributions from the well-behaved Tor
users.

If you're being blocked, have a discussion with the network operators and
explain the issues to them. They may not be aware of the existence of Tor at
all, or they may not be aware that the hostnames they're klining are Tor exit
nodes. If you explain the problem, and they conclude that Tor ought to be
blocked, you may want to consider moving to a network that is more open to free
speech. Maybe inviting them to #tor on irc.oftc.net will help show them that we
are not all evil people.

Finally, if you become aware of an IRC network that seems to be blocking Tor, or
a single Tor exit node, please put that information on The Tor IRC block tracker
so that others can share. At least one IRC network consults that page to unblock
exit nodes that have been blocked inadvertently.

   
 * Edit this page - Suggest Feedback - Permalink

YOUR NODES ARE BANNED FROM THE MAIL SERVER I WANT TO USE.

Even though Tor isn't useful for spamming, some over-zealous blocklisters seem
to think that all open networks like Tor are evil — they attempt to strong-arm
network administrators on policy, service, and routing issues, and then extract
ransoms from victims.

If your server administrators decide to make use of these blocklists to refuse
incoming mail, you should have a conversation with them and explain about Tor
and Tor's exit policies.

   
 * Edit this page - Suggest Feedback - Permalink

I WANT TO BAN THE TOR NETWORK FROM MY SERVICE.

We're sorry to hear that. There are some situations where it makes sense to
block anonymous users for an Internet service. But in many cases, there are
easier solutions that can solve your problem while still allowing users to
access your website securely.

First, ask yourself if there's a way to do application-level decisions to
separate the legitimate users from the jerks. For example, you might have
certain areas of the site, or certain privileges like posting, available only to
people who are registered. It's easy to build an up-to-date list of Tor IP
addresses that allow connections to your service, so you could set up this
distinction only for Tor users. This way you can have multi-tiered access and
not have to ban every aspect of your service.

For example, the Freenode IRC network had a problem with a coordinated group of
abusers joining channels and subtly taking over the conversation; but when they
labeled all users coming from Tor nodes as "anonymous users", removing the
ability of the abusers to blend in, the abusers moved back to using their open
proxies and bot networks.

Second, consider that hundreds of thousands of people use Tor every day simply
for good data hygiene — for example, to protect against data-gathering
advertising companies while going about their normal activities. Others use Tor
because it's their only way to get past restrictive local firewalls. Some Tor
users may be legitimately connecting to your service right now to carry on
normal activities. You need to decide whether banning the Tor network is worth
losing the contributions of these users, as well as potential future legitimate
users. (Often people don't have a good measure of how many polite Tor users are
connecting to their service — you never notice them until there's an impolite
one.)

At this point, you should also ask yourself what you do about other services
that aggregate many users behind a few IP addresses. Tor is not so different
from AOL in this respect.

Lastly, please remember that Tor relays have individual exit policies. Many Tor
relays do not allow exiting connections at all. Many of those that do allow some
exit connections might already disallow connections to your service. When you go
about banning nodes, you should parse the exit policies and only block the ones
that allow these connections; and you should keep in mind that exit policies can
change (as well as the overall list of nodes in the network).

If you really want to do this, we provide a Tor exit relay list or a DNS-based
list you can query.

(Some system administrators block ranges of IP addresses because of official
policy or some abuse pattern, but some have also asked about allowing Tor exit
relays because they want to permit access to their systems only using Tor. These
scripts are usable for allowlisting as well.)

   
 * Edit this page - Suggest Feedback - Permalink

I HAVE A COMPELLING REASON TO TRACE A TOR USER. CAN YOU HELP?

There is nothing the Tor developers can do to trace Tor users. The same
protections that keep bad people from breaking Tor's anonymity also prevent us
from figuring out what's going on.

Some fans have suggested that we redesign Tor to include a backdoor. There are
two problems with this idea. First, it technically weakens the system too far.
Having a central way to link users to their activities is a gaping hole for all
sorts of attackers; and the policy mechanisms needed to ensure correct handling
of this responsibility are enormous and unsolved. Second, the bad people aren't
going to get caught by this anyway, since they will use other means to ensure
their anonymity (identity theft, compromising computers and using them as bounce
points, etc).

This ultimately means that it is the responsibility of site owners to protect
themselves against compromise and security issues that can come from anywhere.
This is just part of signing up for the benefits of the Internet. You must be
prepared to secure yourself against the bad elements, wherever they may come
from. Tracking and increased surveillance are not the answer to preventing
abuse.

But remember that this doesn't mean that Tor is invulnerable. Traditional police
techniques can still be very effective against Tor, such as investigating means,
motive, and opportunity, interviewing suspects, writing style analysis,
technical analysis of the content itself, sting operations, keyboard taps, and
other physical investigations. The Tor Project is also happy to work with
everyone including law enforcement groups to train them how to use the Tor
software to safely conduct investigations or anonymized activities online.

   
 * Edit this page - Suggest Feedback - Permalink

I WANT SOME CONTENT REMOVED FROM A .ONION ADDRESS.

The Tor Project does not host, control, nor have the ability to discover the
owner or location of a .onion address. The .onion address is an address from an
onion service. The name you see ending in .onion is an onion service descriptor.
It's an automatically generated name which can be located on any Tor relay or
client anywhere on the Internet. Onion services are designed to protect both the
user and service provider from discovering who they are and where they are from.
The design of onion services means the owner and location of the .onion site is
hidden even from us.

But remember that this doesn't mean that onion services are invulnerable.
Traditional police techniques can still be very effective against them, such as
interviewing suspects, writing style analysis, technical analysis of the content
itself, sting operations, keyboard taps, and other physical investigations.

If you have a complaint about child abuse materials, you may wish to report it
to the National Center for Missing and Exploited Children, which serves as a
national coordination point for investigation of child pornography:
http://www.missingkids.com/. We do not view links you report.

   
 * Edit this page - Suggest Feedback - Permalink

WHERE DOES TOR PROJECT STAND ON ABUSERS USING TECHNOLOGY?

We take abuse seriously. Activists and law enforcement use Tor to investigate
abuse and help support survivors. We work with them to help them understand how
Tor can help their work. In some cases, technological mistakes are being made
and we help to correct them. Because some people in survivors' communities
embrace stigma instead of compassion, seeking support from fellow victims
requires privacy-preserving technology.

Our refusal to build backdoors and censorship into Tor is not because of a lack
of concern. We refuse to weaken Tor because it would harm efforts to combat
child abuse and human trafficking in the physical world, while removing safe
spaces for victims online. Meanwhile, criminals would still have access to
botnets, stolen phones, hacked hosting accounts, the postal system, couriers,
corrupt officials, and whatever technology emerges to trade content. They are
early adopters of technology. In the face of this, it is dangerous for
policymakers to assume that blocking and filtering is sufficient. We are more
interested in helping efforts to halt and prevent child abuse than helping
politicians score points with constituents by hiding it. The role of corruption
is especially troubling; see this United Nations report on The Role of
Corruption in Trafficking in Persons.

Finally, it is important to consider the world that children will encounter as
adults when enacting policy in their name. Will they thank us if they are unable
to voice their opinions safely as adults? What if they are trying to expose a
failure of the state to protect other children?

   
 * Edit this page - Suggest Feedback - Permalink

I HAVE LEGAL QUESTIONS ABOUT TOR ABUSE.

We're only the developers. We can answer technical questions, but we're not the
ones to talk to about legal questions or concerns.

Please take a look at the Tor Legal FAQ, and contact EFF directly if you have
any further legal questions.

   
 * Edit this page - Suggest Feedback - Permalink

I HAVE QUESTIONS ABOUT A TOR IP ADDRESS FOR A LEGAL CASE.

Please read the legal FAQ written by EFF lawyers. There's a growing legal
directory of people who may be able to help you.

If you need to check if a certain IP address was acting as a Tor exit node at a
certain date and time, you can use the ExoneraTor tool to query the historic Tor
relay lists and get an answer.

   
 * Edit this page - Suggest Feedback - Permalink

TOR METRICS

HOW IS IT EVEN POSSIBLE TO COUNT USERS IN AN ANONYMITY NETWORK?

We actually don't count users, but we count requests to the directories that
clients make periodically to update their list of relays and estimate number of
users indirectly from there.

   
 * Edit this page - Suggest Feedback - Permalink

DO ALL DIRECTORIES REPORT THESE DIRECTORY REQUEST NUMBERS?

No, but we can see what fraction of directories reported them, and then we can
extrapolate the total number in the network.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO YOU GET FROM THESE DIRECTORY REQUESTS TO USER NUMBERS?

We put in the assumption that the average client makes 10 such requests per day.
A tor client that is connected 24/7 makes about 15 requests per day, but not all
clients are connected 24/7, so we picked the number 10 for the average client.
We simply divide directory requests by 10 and consider the result as the number
of users. Another way of looking at it, is that we assume that each request
represents a client that stays online for one tenth of a day, so 2 hours and 24
minutes.

   
 * Edit this page - Suggest Feedback - Permalink

SO, ARE THESE DISTINCT USERS PER DAY, AVERAGE NUMBER OF USERS CONNECTED OVER THE
DAY, OR WHAT?

Average number of concurrent users, estimated from data collected over a day. We
can't say how many distinct users there are.

   
 * Edit this page - Suggest Feedback - Permalink

ARE THERE MORE FINE-GRAINED NUMBERS AVAILABLE, FOR EXAMPLE, ON THE NUMBER OF
USERS PER HOUR?

No, the relays that report these statistics aggregate requests by country of
origin and over a period of 24 hours. The statistics we would need to gather for
the number of users per hour would be too detailed and might put users at risk.

   
 * Edit this page - Suggest Feedback - Permalink

ARE THESE TOR CLIENTS OR USERS? WHAT IF THERE'S MORE THAN ONE USER BEHIND A TOR
CLIENT?

Then we count those users as one. We really count clients, but it's more
intuitive for most people to think of users, that's why we say users and not
clients.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT IF A USER RUNS TOR ON A LAPTOP AND CHANGES THEIR IP ADDRESS A FEW TIMES PER
DAY? DON'T YOU OVERCOUNT THAT USER?

No, because that user updates their list of relays as often as a user that
doesn't change IP address over the day.

   
 * Edit this page - Suggest Feedback - Permalink

HOW DO YOU KNOW WHICH COUNTRIES USERS COME FROM?

The directories resolve IP addresses to country codes and report these numbers
in aggregate form. This is one of the reasons why tor ships with a GeoIP
database.

   
 * Edit this page - Suggest Feedback - Permalink

WHY ARE THERE SO FEW BRIDGE USERS THAT ARE NOT USING THE DEFAULT OR PROTOCOL OR
THAT ARE USING IPV6?

Very few bridges report data on transports or IP versions yet, and by default we
consider requests to use the default OR protocol and IPv4. Once more bridges
report these data, the numbers will become more accurate.

   
 * Edit this page - Suggest Feedback - Permalink

WHY DO THE GRAPHS END 2 DAYS IN THE PAST AND NOT TODAY?

Relays and bridges report some of the data in 24-hour intervals which may end at
any time of the day.
And after such an interval is over relays and bridges might take another 18
hours to report the data.
We cut off the last two days from the graphs, because we want to avoid that the
last data point in a graph indicates a recent trend change which is in fact just
an artifact of the algorithm.

   
 * Edit this page - Suggest Feedback - Permalink

BUT I NOTICED THAT THE LAST DATA POINT WENT UP/DOWN A BIT SINCE I LAST LOOKED A
FEW HOURS AGO. WHY IS THAT?

The reason is that we publish user numbers once we're confident enough that they
won't change significantly anymore. But it's always possible that a directory
reports data a few hours after we were confident enough, but which then slightly
changed the graph.

   
 * Edit this page - Suggest Feedback - Permalink

WHY ARE NO NUMBERS AVAILABLE BEFORE SEPTEMBER 2011?

We do have descriptor archives from before that time, but those descriptors
didn't contain all the data we use to estimate user numbers. Please find the
following tarball for more details:

Tarball

   
 * Edit this page - Suggest Feedback - Permalink

WHY DO YOU BELIEVE THE CURRENT APPROACH TO ESTIMATE USER NUMBERS IS MORE
ACCURATE?

For direct users, we include all directories which we didn't do in the old
approach. We also use histories that only contain bytes written to answer
directory requests, which is more precise than using general byte histories.

   
 * Edit this page - Suggest Feedback - Permalink

AND WHAT ABOUT THE ADVANTAGE OF THE CURRENT APPROACH OVER THE OLD ONE WHEN IT
COMES TO BRIDGE USERS?

Oh, that's a whole different story. We wrote a 13 page long technical report
explaining the reasons for retiring the old approach.
tl;dr: in the old approach we measured the wrong thing, and now we measure the
right thing.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT ARE THESE RED AND BLUE DOTS INDICATING POSSIBLE CENSORSHIP EVENTS?

We run an anomaly-based censorship-detection system that looks at estimated user
numbers over a series of days and predicts the user number in the next days. If
the actual number is higher or lower, this might indicate a possible censorship
event or release of censorship. For more details, see our technical report.

   
 * Edit this page - Suggest Feedback - Permalink

LITTLE-T-TOR

HOW TO INSTALL LITTLE-T-TOR?

Attention: These instructions are meant for installing tor the network daemon
i.e. little-t-tor. For instructions on installing Tor Browser, refer to Tor
Browser user manual.

Admin access: To install Tor you need root privileges. Below all commands that
need to be run as root user like apt and dpkg are prepended with '#', while
commands to be run as user with '$' resembling the standard prompt in a
terminal. To open a root terminal you have several options: sudo su, or sudo -i,
or su -i. Note that sudo asks for your user password, while su expects the root
password of your system.


DEBIAN / UBUNTU

Do not use the packages in Ubuntu's universe. In the past they have not reliably
been updated. That means you could be missing stability and security fixes.

 * Configure Tor package repository

Enable the Tor Project APT repository by following the instructions.

 * Package installation

# apt install tor


FEDORA

 * Configure Tor Package repository

Enable the Tor Project's RPM package repository by following the instructions.

 * Package installation

# dnf install tor


FREEBSD

 * Package installation

# pkg install tor


OPENBSD

 * Package installation

# pkg_add tor


MACOS

 * Install a package manager

There are two package manager on OS X: Homebrew and Macports. You can use the
package manager of your choice.

To install Homebrew follow the instructions on brew.sh.

To install Macports follow the instructions on macports.org/install.php.

 * Package installation

If you are using Homebrew in a Terminal window, run:

# brew install tor


If you are using Macports in a Terminal window, run:

$ sudo port install tor



ARCH LINUX

 * To install the tor package on Arch Linux, run:

# pacman -Syu tor



DRAGONFLYBSD

 * Bootstrap pkg

DragonFlyBSD's daily snapshots and releases (starting with 3.4) come with pkg
already installed. Upgrades from earlier releases, however, will not have it. If
pkg is missing on the system for any reason, it can be quickly bootstrapped
without having to build it from source or even having DPorts installed:

# cd /usr
# make pkg-bootstrap
# rehash
# pkg-static install -y pkg
# rehash


 * Recommended steps to setup pkg

Here, it will be similar to what we have on a FreeBSD system, and we are going
to use HTTPS to fetch our packages, and updates - so here we also need an extra
package to help us out (ca_root_nss).

Installing the ca_root_nss package:

# pkg install ca_root_nss


For fresh installations, the file /usr/local/etc/pkg/repos/df-latest.conf.sample
is copied to /usr/local/etc/pkg/repos/df-latest. The files ending in the
".sample" extension are ignored; pkg(8) only reads files that end in ".conf" and
it will read as many as it finds.

DragonflyBSD has 2 packages repositories:

 * Avalon (mirror-master.dragonflybsd.org);
 * Wolfpond (pkg.wolfpond.org).

We can simply edit the URL used to point out the repositories on
/usr/local/etc/pkg/repos/df-latest and that's it! Remember to use pkg+https://
for Avalon.

After applying all these changes, we update the packages list again and try to
check if there's already a new update to apply:

# pkg update -f
# pkg upgrade -y -f


 * Package installation

Install the tor package:

# pkg install tor



NETBSD

 * Setup pkg_add

Modern versions of the NetBSD operating system can be set to use pkgin, which is
a piece of software aimed to be like apt or yum for managing pkgsrc binary
packages. We are not convering its setup here, and opt to use plain pkg_add
instead.

# echo "PKG_PATH=http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/$(uname -m)/$(uname -r)/All" > /etc/pkg_install.conf


 * Package installation

Install tor NetBSD's package:

# pkg_add tor



VOID LINUX

To install the tor package on Void Linux, please run:

# xbps-install -S tor



INSTALLING TOR FROM SOURCE

 * Download latest release and dependencies

The latest release of Tor can be found on the download page.

If you're building from source, first install libevent, and make sure you have
openssl and zlib (including the -devel packages if applicable).

 * Install Tor
   
   tar -xzf tor-0.4.3.6.tar.gz; cd tor-0.4.3.6
   
   ./configure && make

Now you can run tor as src/app/tor (0.4.3.x and later), or you can run make
install (as root if necessary) to install it into /usr/local/, and then you can
start it just by running tor.

   
 * Edit this page - Suggest Feedback - Permalink

HOW CAN I VERIFY TOR SOURCE CODE?

Attention: These instructions are to verify the tor source code. Please follow
the right instructions to verify Tor Browser's signature.

Digital signature is a process ensuring that a certain package was generated by
its developers and has not been tampered with. Below we explain why it is
important and how to verify that the tor source code you download is the one we
have created and has not been modified by some attacker.

Each file on our download page is accompanied by two files which are labelled
"checksum" and "sig" with the same name as the package and the extension
".sha256sum" and ".sha256sum.asc" respectively.

The .asc file will verify that the .sha256sum file (containing the checksum of
the package) has not been tampered with. Once the signature has been validated
(see below on how to do it), the package integrity can be validated with:

$ sha256sum -c *.sha256sum

These files allow you to verify the file you've downloaded is exactly the one
that we intended you to get. This will vary by web browser, but generally you
can download this file by right-clicking the "sig" and "checksum" link and
selecting the "save file as" option.

For example, tor-0.4.6.7.tar.gz is accompanied by
tor-0.4.6.7.tar.gz.sha256sum.asc. These are example file names and will not
exactly match the file names that you download.

We now show how you can verify the downloaded file's digital signature on
different operating systems. Please notice that a signature is dated the moment
the package has been signed. Therefore every time a new file is uploaded a new
signature is generated with a different date. As long as you have verified the
signature you should not worry that the reported date may vary.


INSTALLING GNUPG

First of all you need to have GnuPG installed before you can verify signatures.

FOR WINDOWS USERS:

If you run Windows, download Gpg4win and run its installer.

In order to verify the signature you will need to type a few commands in windows
command-line, cmd.exe.

FOR MACOS USERS:

If you are using macOS, you can install GPGTools.

In order to verify the signature you will need to type a few commands in the
Terminal (under "Applications").

FOR GNU/LINUX USERS:

If you are using GNU/Linux, then you probably already have GnuPG in your system,
as most GNU/Linux distributions come with it preinstalled.

In order to verify the signature you will need to type a few commands in a
terminal window. How to do this will vary depending on your distribution.


FETCHING THE TOR DEVELOPERS KEY

The following keys can sign the tarball. Don't expect them all, it can vary
depending on who is available to make the release.

 * Alexander Færøy: 514102454D0A87DB0767A1EBBE6A0531C18A9179
 * David Goulet: B74417EDDF22AC9F9E90F49142E86A2A11F48D36
 * Nick Mathewson: 2133BC600AB133E1D826D173FE43009C4607B1FB

You can fetch the key with the links provided above or with:

$ gpg --auto-key-locate nodefault,wkd --locate-keys ahf@torproject.org
$ gpg --auto-key-locate nodefault,wkd --locate-keys dgoulet@torproject.org
$ gpg --auto-key-locate nodefault,wkd --locate-keys nickm@torproject.org


This should show you something like (for nickm):

gpg: key FE43009C4607B1FB: public key "Nick Mathewson <nickm@torproject.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   rsa4096 2016-09-21 [C] [expires: 2025-10-04]
      2133BC600AB133E1D826D173FE43009C4607B1FB
uid           [ unknown] Nick Mathewson <nickm@torproject.org>
sub   rsa4096 2016-09-23 [S] [expires: 2025-10-04]
sub   rsa4096 2016-09-23 [E] [expires: 2025-10-04]


If you get an error message, something has gone wrong and you cannot continue
until you've figured out why this didn't work. You might be able to import the
key using the Workaround (using a public key) section instead.

After importing the key, you can save it to a file (identifying it by its
fingerprint here):

$ gpg --output ./tor.keyring --export 0x2133BC600AB133E1D826D173FE43009C4607B1FB


This command results in the key being saved to a file found at the path
./tor.keyring, i.e. in the current directory. If ./tor.keyring doesn't exist
after running this command, something has gone wrong and you cannot continue
until you've figured out why this didn't work.


VERIFYING THE SIGNATURE

To verify the signature of the package you downloaded, you will need to download
the corresponding .sha256sum.asc signature file and the .sha256sum file itself,
and verify it with a command that asks GnuPG to verify the file that you
downloaded.

The examples below assume that you downloaded these two files to your
"Downloads" folder. Note that these commands use example file names and yours
will be different: you will have downloaded a different version than 9.0 and you
may not have chosen the English (en-US) version.

FOR WINDOWS USERS:

gpgv --keyring .\tor.keyring Downloads\tor-0.4.6.10.tar.gz.sha256sum.asc Downloads\tor-0.4.6.10.tar.gz.sha256sum


FOR MACOS USERS:

gpgv --keyring ./tor.keyring ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum.asc ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum


FOR BSD/LINUX USERS:

gpgv --keyring ./tor.keyring ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum.asc ~/Downloads/tor-0.4.6.10.tar.gz.sha256sum


The result of the command should produce something like this (depending on which
key signed it):

gpgv: Signature made Mon 16 Aug 2021 04:44:27 PM -03
gpgv:                using RSA key 7A02B3521DC75C542BA015456AFEE6D49E92B601
gpgv: Good signature from "Nick Mathewson <nickm@torproject.org>"


If you get error messages containing 'No such file or directory', either
something went wrong with one of the previous steps, or you forgot that these
commands use example file names and yours will be a little different.

You may also want to learn more about GnuPG.


VERIFYING CHECKSUM

Now that we validated the signatures of the checksum, we need to verify the
integrity of the package.

FOR WINDOWS USERS:

certUtil -hashfile tor-0.4.6.10.tar.gz.sha256sum SHA256


FOR MACOS USERS:

shasum -a 256 tor-0.4.6.10.tar.gz.sha256sum


FOR BSD/LINUX USERS:

sha256sum -c tor-0.4.6.10.tar.gz.sha256sum


   
 * Edit this page - Suggest Feedback - Permalink

ALTERNATE DESIGNS WE DON'T DO (YET)

YOU SHOULD LET THE NETWORK PICK THE PATH, NOT THE CLIENT.

No, you cannot trust the network to pick the path. Malicious relays could route
you through their colluding friends. This would give an adversary the ability to
watch all of your traffic end to end.

   
 * Edit this page - Suggest Feedback - Permalink

YOU SHOULD TRANSPORT ALL IP PACKETS, NOT JUST TCP PACKETS.

This would be handy for a number of reasons: It would make Tor better able to
handle new protocols like VoIP. It could solve the whole need to socksify
applications. Exit relays would also not need to allocate a lot of file
descriptors for all the exit connections.

We're heading in this direction. Some of the hard problems are:

 1. IP packets reveal OS characteristics. We would still need to do IP-level
    packet normalization, to stop things like TCP fingerprinting attacks. Given
    the diversity and complexity of TCP stacks, along with device fingerprinting
    attacks, it looks like our best bet is shipping our own user-space TCP
    stack.

 2. Application-level streams still need scrubbing. We will still need user-side
    applications like Torbutton. So it won't become just a matter of capturing
    packets and anonymizing them at the IP layer.

 3. Certain protocols will still leak information. For example, we must rewrite
    DNS requests so they are delivered to an unlinkable DNS server rather than
    the DNS server at a user's ISP; thus, we must understand the protocols we
    are transporting.

 4. DTLS (datagram TLS) basically has no users, and IPsec sure is big. Once
    we've picked a transport mechanism, we need to design a new end-to-end Tor
    protocol for avoiding tagging attacks and other potential anonymity and
    integrity issues now that we allow drops, resends, et cetera.

 5. Exit policies for arbitrary IP packets mean building a secure Intrusion
    Detection System (IDS). Our node operators tell us that exit policies are
    one of the main reasons they're willing to run Tor. Adding an IDS to handle
    exit policies would increase the security complexity of Tor, and would
    likely not work anyway, as evidenced by the entire field of IDS and
    counter-IDS papers. Many potential abuse issues are resolved by the fact
    that Tor only transports valid TCP streams (as opposed to arbitrary IP
    including malformed packets and IP floods.) Exit policies become even more
    important as we become able to transport IP packets. We also need to
    compactly describe exit policies in the Tor directory, so clients can
    predict which nodes will allow their packets to exit. Clients also need to
    predict all the packets they will want to send in a session before picking
    their exit node!

 6. The Tor-internal name spaces would need to be redesigned. We support onion
    service ".onion" addresses by intercepting the addresses when they are
    passed to the Tor client. Doing so at the IP level will require a more
    complex interface between Tor and the local DNS resolver.

   
 * Edit this page - Suggest Feedback - Permalink

EXIT POLICIES SHOULD BE ABLE TO BLOCK WEBSITES, NOT JUST IP ADDRESSES.

It would be nice to let relay operators say things like reject www.slashdot.org
in their exit policies, rather than requiring them to learn all the IP address
space that could be covered by the site (and then also blocking other sites at
those IP addresses).

There are two problems, though. First, users could still get around these
blocks. For example, they could request the IP address rather than the hostname
when they exit from the Tor network. This means operators would still need to
learn all the IP addresses for the destinations in question.

The second problem is that it would allow remote attackers to censor arbitrary
sites. For example, if a Tor operator blocks www1.slashdot.org, and then some
attacker poisons the Tor relay's DNS or otherwise changes that hostname to
resolve to the IP address for a major news site, then suddenly that Tor relay is
blocking the news site.

   
 * Edit this page - Suggest Feedback - Permalink

YOU SHOULD MAKE EVERY TOR USER BE A RELAY.

Requiring every Tor user to be a relay would help with scaling the network to
handle all our users, and running a Tor relay may help your anonymity. However,
many Tor users cannot be good relays — for example, some Tor clients operate
from behind restrictive firewalls, connect via modem, or otherwise aren't in a
position where they can relay traffic. Providing service to these clients is a
critical part of providing effective anonymity for everyone, since many Tor
users are subject to these or similar constraints and including these clients
increases the size of the anonymity set.

That said, we do want to encourage Tor users to run relays, so what we really
want to do is simplify the process of setting up and maintaining a relay. We've
made a lot of progress with easy configuration in the past few years: Tor is
good at automatically detecting whether it's reachable and how much bandwidth it
can offer.

There are four steps we need to address before we can do this though:

 * First, we still need to get better at automatically estimating the right
   amount of bandwidth to allow. It might be that switching to UDP transport is
   the simplest answer here — which alas is not a very simple answer at all.

 * Second, we need to work on scalability, both of the network (how to stop
   requiring that all Tor relays be able to connect to all Tor relays) and of
   the directory (how to stop requiring that all Tor users know about all Tor
   relays). Changes like this can have large impact on potential and actual
   anonymity. See Section 5 of the Challenges paper for details. Again, UDP
   transport would help here.

 * Third, we need to better understand the risks from letting the attacker send
   traffic through your relay while you're also initiating your own anonymized
   traffic. Three different research papers describe ways to identify the relays
   in a circuit by running traffic through candidate relays and looking for dips
   in the traffic while the circuit is active. These clogging attacks are not
   that scary in the Tor context so long as relays are never clients too. But if
   we're trying to encourage more clients to turn on relay functionality too
   (whether as bridge relays or as normal relays), then we need to understand
   this threat better and learn how to mitigate it.

 * Fourth, we might need some sort of incentive scheme to encourage people to
   relay traffic for others, and/or to become exit nodes. Here are our current
   thoughts on Tor incentives.

Please help on all of these!

   
 * Edit this page - Suggest Feedback - Permalink

MULLVAD BROWSER

WHAT IS MULLVAD BROWSER?

Mullvad Browser is Tor Browser without the Tor Network - that allows anyone to
take advantage of all the privacy features Tor created. If people want to
connect the browser with a VPN they trust, they can easily do so.

The browser's 'out-of-the-box' configurations and settings will mask many
parameters and features commonly used to extract information from a person's
device, including fonts, rendered content, and several hardware APIs. By
default, Mullvad Browser has private mode enabled, blocks third-party trackers
and cookies.

The browser is free and open-source and was developed by the Tor Project in
collaboration with Mullvad VPN. It is distributed by Mullvad and can be
downloaded on their website.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT IS THE DIFFERENCE BETWEEN MULLVAD BROWSER AND TOR BROWSER?

Mullvad Browser is free and open-source software that connects to the internet
(if you use it together with Mullvad VPN) through the encrypted VPN tunnels and
VPN servers of Mullvad. You can use it without or with any VPN, but you should
make sure to use a VPN provider you can trust. Aside from the way that both
browsers connect users to the internet (Tor network vs trusted VPN connection)
the differences between both browsers are very small and come down to individual
preference and use cases for the end-user.

As a benefit of connecting to the internet using the Tor network, various Tor
specific features are closely integrated with our own browser that Mullvad
Browser does not offer, including:

 * Circuit isolation and the integration with new-identity
 * Access to Onion Services (i.e. onionsites, Onion-Location redirects, onion
   authentication, and SecureDrop integration)
 * Built-in censorship circumvention with a unique UX found in Tor Browser's
   connection settings and connection assist

Our objective with this collaboration is to provide more choice for online
privacy (e.g., minimize fingerprinting and try to prevent linkability) to users
at all levels.

   
 * Edit this page - Suggest Feedback - Permalink

WHEN SHOULD I USE MULLVAD BROWSER?

You should use Mullvad Browser if you are looking for a privacy enhanced browser
solution to connect with your trusted VPN. Its default settings and features are
intended to combat mass surveillance, data mining and tracking, or other privacy
violations that are commonly employed by big tech companies.

While Mullvad Browser offers similar privacy protections to Tor Browser, it is
best suited for the threat model of corporate mass-surveillance by big tech
companies.

   
 * Edit this page - Suggest Feedback - Permalink

WHY SHOULD I TRUST MULLVAD BROWSER?

Unlike other browsers on the market, Mullvad Browser's business model does not
rely on capitalizing on users' behavioral data. Mullvad makes money by selling
their VPN, they are not in the business of selling user data from the browser.

Mullvad Browser was developed by the Tor Project who have a proven track record
of building and deploying free and open-source privacy preserving technologies
such as Tor Browser, Onion Services, the Tor network etc. that have helped
millions of people from at-risk communities defend their right to privacy and
anonymity online.

   
 * Edit this page - Suggest Feedback - Permalink

WHERE CAN I GET SUPPORT FOR MULLVAD BROWSER?

For any and all support inquiries, please email: support@mullvad.net. User
support is currently only available via email.

   
 * Edit this page - Suggest Feedback - Permalink

WHAT IS THE RELATIONSHIP BETWEEN MULLVAD VPN AND THE TOR PROJECT?

Mullvad has been part of the Tor community for many years now. They are a
Shallot Level member (highest membership tier) of the Tor Project membership
program and have been a founding member of the Tor Project's Membership Program.

When Mullvad approached us to jointly develop a browser, we said yes because
there is great value alignment between our two organizations in our efforts to
make privacy-enhancing technologies more widely available and make
mass-surveillance impractical.

   
 * Edit this page - Suggest Feedback - Permalink

WHY DID THE TOR PROJECT DECIDE TO DEVELOP THIS BROWSER FOR MULLVAD VPN?

Mullvad Browser fills a gap in the market for those who want to run a
privacy-focused browser as good as Tor Browser but with a trusted VPN instead of
the Tor Network. This partnership contributes to providing people with more free
privacy options for web browsing while challenging the current business model of
exploiting people's data. It demonstrates that it is possible to develop free
technology solutions that prioritize the protection of user privacy. Mullvad
shares the same values around internet privacy and freedom and is dedicated to
making privacy-enhancing technologies more widely available and rendering
mass-surveillance impractical.

This joint project with Mullvad has contributed to addressing legacy code issues
for Tor Browser and allowed the allocation of dedicated resources to make
necessary improvements that benefit both Tor and Mullvad Browsers. Over the last
couple of years, the Tor Project has launched a number of initiatives to
increase adoption of our technologies and made significant improvements to the
usability of our own products.

   
 * Edit this page - Suggest Feedback - Permalink

DOES THIS MEAN TOR BROWSER IS GOING AWAY?

No, Tor Browser is here to stay. We know that millions of users around the world
rely on Tor Browser and other solutions that the Tor Project offers to safely
connect to the internet, to browse anonymously online and to circumvent
censorship. Therefore Tor Browser will continue to exist. There are a lot of
reasons to continue to maintain and improve Tor Browser, it is still one of the
few solutions that provides anonymity online because of its use of the Tor
network. This combination is a powerful one and sometimes one of the few options
that censored and surveilled users have in their region to freely and safely
access the internet. This is also a free solution for all, making it an
affordable solution for people at risk.

The development of Mullvad Browser will actually help make Tor Browser stronger
because it allows us to continue to address legacy issues and code, and fix
vulnerabilities.

   
 * Edit this page - Suggest Feedback - Permalink

DOES THIS MEAN TOR BROWSER WILL GET LESS ATTENTION?

Not at all, we are continuing to invest on improving the usability of Tor
Browser, as we have done in the last 5 years with major releases that included
user experience improvements. We are also working hard on bringing Tor Browser
for Android up to par with the desktop version's features.

The development of Mullvad Browser has helped us address legacy issues and code,
and fix vulnerabilities. It has not affected our attention and dedication to Tor
Browser.

   
 * Edit this page - Suggest Feedback - Permalink

IS TOR PLANNING TO ENTER THE VPN SPACE?

Two years ago we started a project to bring a VPN-like app that connects to the
Tor network for Android users. We know that many of the sites and services a
user connects to via browser on desktop become an app when they are using the
internet on mobile. It is important for us to address this use case as the
majority of people around the world only use a mobile device to connect to the
internet, especially those in the Global South and at risk situations. Offering
a browser that connects to the internet with a trusted VPN as opposed to the Tor
network is an important step in offering more alternatives when it comes to free
privacy-focused browsers and can benefit Tor Browser in the future when our
'VPN-like' app has launched.

   
 * Edit this page - Suggest Feedback - Permalink

DOES MULLVAD COLLECT OR STORE ANY OF MY BROWSER OR PERSONAL DATA?

No. Please contact Mullvad Browser user support for any further questions:
support@mullvad.net.

   
 * Edit this page - Suggest Feedback - Permalink

DOES MULLVAD BROWSER MAKE ANY OUTGOING CONNECTIONS?

Yes, here are the full list of requests Mullvad Browser makes by default:

 * Browser update (Mullvad)
 * Mullvad Browser Extension update (Mullvad)
 * Mullvad DoH (Mullvad)
 * NoScript/Ublock Origin update (Mozilla)
 * Certificates & Domains update (Mozilla)
 * Ublock Origin filter lists update (various lists)

   
 * Edit this page - Suggest Feedback - Permalink


DOWNLOAD TOR BROWSER

Download Tor Browser to experience real private browsing without tracking,
surveillance, or censorship.

Download Tor Browser

OUR MISSION:

To advance human rights and freedoms by creating and deploying free and open
source anonymity and privacy technologies, supporting their unrestricted
availability and use, and furthering their scientific and popular understanding.

 * Jobs
 * Blog
 * Contact
 * Press
 * PrivChat

Donate Now

SUBSCRIBE TO OUR NEWSLETTER

Get monthly updates and opportunities from the Tor Project:

SIGN UP



Trademark, copyright notices, and rules for use by third parties can be found in
our FAQ .

English (en)
العربية (ar) Deutsch (de) Español (es) فارسی (fa) Français (fr) Indonesia (id)
Italiano (it) 한국어(ko) Português Br. (pt-BR) Română (ro) Русский (ru) Kiswahili
(sw) Türkçe (tr) українська (uk) Tiếng Việt (vi) 简体中文 (zh-CN) 正體中文 (zh-TW)