Slicing onions: Part 1 - Myth-busting Tor

I have just posted my first post in my new blog series on Tor called: Slicing onions.

It will be a four part blog series covering everything tor related

Pary one (this one) is about busting the commonly believed myths that surround Tor. The second post will be all about how Tor relates to VPN’s. The third will talk about browser fingerprinting in Tor browser and how these hold up against a hardend Firefox install.

And the last post will give a big in depth explanation on how the Tor network functions, and is meant for our more technical readers.

I hope guys enjoy it, and are not afraid to give feedback! :slight_smile:


Great article @blacklight447.

Small correction:

If I were to login into a webpage using HTTP, an exit node could intercept my password

This only applies to clearnet over tor. An .onion site can use http, and the password would still be encrypted.


Question - I’ve noticed that on some onion sites, there’s an error message that says “connection not secure,” or something along those lines. Does this mean that the exit node could (in theory) intercept private information, or that the onion site isn’t configured correctly?

P.S. I have read of instances where something similar happened.

It actully is correct. When you use an .onion address, it won’t go over an exit node, hence it won’t be able to take my traffic.

1 Like

I think typically when I see that it means the .onion site has embedded images or other assets that go through clearnet domains. So in theory an exit node could see the request you’re making to those other domains. Check your network sources on those sites maybe.

Also, on onion sites there are no “exit nodes” so information can’t be intercepted. That applies to clearnet sites only.

1 Like

It might not get you on a global watchlist but it might get you on a local one. C.f. the guy who called in a bomb threat at Harvard. Bad opsec, but still worth to note.

Nice overlord name.

1 Like

That makes perfect sense! Actually, certain onion sites warn you if you don’t have JavaScript disabled on NoScript (so presumably it’s a non-javascript site that doesn’t need it to function).