Let’s say we want to talk to each other in secret, and we are going to do so by exchanging letters via the postal system.
I start by writing you a letter. I lock that letter in a tiny metal box, one that only you have the key for. Assume that this box is completely indestructible and its contents cannot be read in any possible way without having the key to open it. That way, even if this box gets intercepted somehow, our messages are safe. Real-world Internet communication using regular browsers is already like this right now. (Ever notice that little padlock up top?)
To send you the locked box, I have to put it in a cardboard shipping box and write “TO: /u/Lowrider_Fan1969” on the outside. If I didn’t, how would the post office know to get it to you? Additionally, I have to also write “FROM: /u/DiamondIceNS” on the outside, because if you wanted to reply, the post office would also need to know where to send it back to. This can present a problem, as even though the contents of our communications are safe, a snooping postal worker can still see that *we are talking to each other*, as we have to publicly tell them where our packages are coming from and heading to. Internet traffic in regular browsers has a similar problem.
We could throw off the scent by using a middleman. Instead of me sending all of my packages to you, I’ll send my packages to the middleman, with instructions to forward the package to you. So anyone watching my mail won’t see me talking to you, they only see me talking to the middleman. To keep the instructions private so no one knows that the mail is going to be forwarded after it gets to my middleman, I’ll lock the instructions and the metal box from before inside another, bigger metal box, this time one that only the middleman has the key for. What we essentially have at this point is what we’d call a *proxy*. A slight variation of this idea is also how *VPN* services work.
With enough investigation, it could be deduced that we’re using a middleman. To throw off the scent even more, we could choose to use a chain of many middlemen. Each one requires us to put a box inside of another box, so we get a crazy nested Russian doll of boxes containing more boxes. All these layers start to look like an onion, which is where the association between Tor and onions comes from.
One extra feature that gives onion routing (the secret sauce behind Tor) its anonymizing power is that not only are you and I using a long chain of middlemen to communicate, but so is everyone else. Including all of the middlemen themselves. We’re also middlemen for other random people! Each middleman is constantly receiving a deluge of packages from other middlemen on the network and passing them on to some other random middlemen somewhere else on the network in one hopelessly complex shuffle. In this situation, since *everyone* is a middleman for *everyone* else, no one person on the network stands out as suspicious for any specific communication line. And since *every* package is a hopelessly nested Russian doll of locked boxes within locked boxes, no one package is going to help you trace a route of who is *really* talking to whom.
A couple of notes to add that aren’t completely ELI5 level answers but worth noting.
One is that there used to be a pre-configured default of 3 hops in tor. Although that could be overridden, few changed it. That made it less difficult to identify origins through a few different ways (such as timing). If “they” (such as a hostile government) managed or controlled enough nodes (around 50% I believe, which it turns out was trivially easy to do when there weren’t all that many active nodes in use), then there was an almost certainty that they controlled all 3 nodes for a given connection and therefore could determine source and origins fairly easily. I assume that’s changed in the past 5 years?
The second thing to note is that ultimately, regardless of how many hops you do, the final destination website can identify you may different ways. An obvious one would be if you go to a website that requires an email address. It is increasingly difficult to obtain an email address completely anonymously – and the few places that will still give you one are banned or rejected as valid email addresses by most websites. And most sites that issue acceptable email addresses only do so after you’ve provided them with some form of traceable identification (such as a mobile phone or another, traceable email address). And if you created that email address while not on tor, then it’s likely that you are traceable back through your ip address.
Users of tor need to understand that no amount of obfuscation and encryption is any good if you simply give up your anonymity the moment you’re on a website while using tor.
Tor browsers by default will try to prevent website code from asking your browser who you are (JavaScript, Facebook icons, unique identifiers etc) but these same tor browsers allow users to override these safety measures fairly easily – and wily websites will often intentionally make it frustrating for users to use them with these safety features enabled.
A frustrated tor user may decide to lower or switch off some of these tor capabilities, forsaking security for convenience. And in doing so, allow websites to quickly ascertain data on the user that the tor browser was trying to prevent being known.
And while there still remain ways to keep your identity completely anonymous and untraceable while using tor, those ways are becoming more and more difficult to achieve without extensive and current technical knowledge. Meaning that for the majority of non-expert level tor users, you shouldn’t assume your identity is unknowable or untraceable. You’ll likely give it away at some point.
Obviously many technical people will argue this point, but it’s likely that these are people with sufficient technical prowess and motivation to stay ahead of the game. For the rest, probably not so.
My point is this. Those that aren’t highly skilled at security may believe that tor browsing provides complete anonymity with little effort or regard on their part. And people asking ELI5-level questions are probably the most vulnerable to this mistaken belief. For the rest of us, it’s worth remembering that when we explain tor et al to the masses.
Latest Answers