In most enterprise environments I've worked in, the word "Tor" triggers an automatic risk-register entry and a blocked egress rule. That reflex is understandable, but it reflects a caricature rather than the actual technology. Tor is a privacy network used by the Associated Press, the US State Department's democracy programs, the Electronic Frontier Foundation, and a long list of newsrooms running SecureDrop. If you're responsible for policy around it, you should understand what it actually does.

How Onion Routing Actually Works

Tor is a layered-encryption overlay network. When the Tor client builds a circuit, it typically chooses three relays: a guard, a middle, and an exit. Your traffic is encrypted in three nested layers, one per relay, using ephemeral keys negotiated through the ntor handshake (described in the original Tor design paper by Dingledine, Mathewson, and Syverson).

  • The guard knows who you are (your IP) but not what you're doing.
  • The middle knows nothing meaningful — just that it's shuffling packets between two other relays.
  • The exit knows what you're doing (the destination, and plaintext if you didn't use TLS) but not who you are.

No single relay holds both sides of the correlation. That property is what Tor provides — not invisibility, but unlinkability between source and destination given a non-global adversary.

Legitimate Use Cases

Tor is a general-purpose privacy tool. The ones I see most often in practice:

  • SecureDrop — used by The New York Times, The Washington Post, The Guardian, and dozens of others to receive documents from sources.
  • Dissident and activist communications in jurisdictions that surveil or block civil society traffic.
  • Security research — pulling samples, visiting leak sites, verifying IOCs — without tipping off the operator via your corporate IP.
  • Circumventing network-level censorship using bridges and pluggable transports (obfs4, meek, webtunnel).
  • Protecting browsing metadata from ISPs and ad-tech networks, which is the bulk of daily usage.

Tor Browser vs. Running a Relay

There are three roles, and you should separate them in your head:

  • Tor Browser — a hardened Firefox ESR that routes through Tor, defeats a large class of fingerprinting, and is the right tool for almost all users.
  • Running a middle or guard relay — a donation of bandwidth to the network. No exit traffic leaves your IP. Low legal risk, high community value.
  • Running an exit relay — your IP appears as the source of other people's traffic. This attracts abuse complaints and legal notices. Generally run by organizations (torservers.net, Calyx, Nos Oignons), not individuals.

Bridges and Threat Models

Where a country blocks access to known Tor relays, bridges — unlisted entry points, often combined with traffic obfuscation — restore access. The pluggable-transport ecosystem (obfs4, meek over CDN fronting, Snowflake using WebRTC) is genuinely elegant engineering, and worth reading about even if you never use it.

A word on threat models. Tor defends well against local network observers, ISPs, and most website operators. It does not defend against a global passive adversary who can observe both ends of the circuit simultaneously (end-to-end correlation), nor against browser-level deanonymization if you log in to Gmail over Tor with your real account. Tor is a tool, not a magic wand. Knowing its edges makes you a better consumer of it — and a fairer policymaker when someone on your team has a legitimate reason to use it.