Tor Browser

Anonymous web browsing via the Tor network. Prevents traffic analysis and fingerprinting.

Open source

Strong

https://www.torproject.org/download/ · Reviewed 2026-04-02 · Editorial assessment by Mike Schneider — based on public security research and audits

What should journalists know about Tor Browser?

Tor is essential infrastructure for investigative journalism — the only practical way to access SecureDrop tip lines, research sensitive subjects without creating a trail, and bypass censorship. The Tor Project merged with Tails in September 2024, combining network-level anonymity with OS-level security under one nonprofit. In October 2024, CVE-2024-9680 (CVSS 9.8) exploited a Firefox Animation timeline use-after-free against Tor Browser users in the wild; Mozilla patched it within 25 hours. In September 2024, German police confirmed they used timing analysis to deanonymize a darknet operator between 2019–2021 — the Chaos Computer Club documented four successful timing attacks in a single investigation. The Tor Project responded that the target used an outdated version of Ricochet messenger lacking guard discovery protections, and that current Tor versions have mitigations. Tor Browser 15.0, released October 2025, is based on Firefox ESR 140 and underwent a security audit by Radically Open Security. 7ASecurity conducted a separate code audit in mid-2025. The network runs ~8,000 relays (2,500 exit nodes) serving 2–3 million daily users across 200+ million total downloads. Russia, China, Iran, and Turkmenistan actively block Tor; the anti-censorship team counters with WebTunnel, Snowflake, and the new Conjure pluggable transport. Slower than regular browsing, and requires discipline — but every journalist covering sensitive topics needs this in their toolkit.

Best for

Researching sensitive topics without revealing your location/identity. Accessing .onion sites (SecureDrop). Bypassing censorship in restrictive countries.

Not for

Everyday browsing (slow). Logging into personal accounts (defeats anonymity). Large file downloads. Users unwilling to keep software updated — outdated Tor is a real risk.

Security & Privacy

Encryption in transit Yes

Data is scrambled while being sent to their servers

Encryption at rest Partial

Data is scrambled when stored on their servers

Data jurisdiction No data stored. Traffic encrypted through three Tor relays (guard, middle, exit). Exit node to destination follows normal HTTPS. No single relay knows both source and destination.

Where servers are located — affects which governments can request your data

Security rating Strong

Tor Browser stores nothing by default. Browsing history, cookies, and cache are wiped on close. The Tor Project collects no user data. Your ISP can see you're using Tor but not what you're accessing. Tor metrics publishes aggregate, anonymized usage data only.

How to protect yourself:

Never log into personal accounts while using Tor. Don't maximize the browser window (screen size is a fingerprinting vector). Use HTTPS-only mode. Don't install additional browser extensions. Use bridges if Tor is blocked in your country. Keep Tor Browser updated — the 2024 German timing attack succeeded partly because the target used outdated software. Don't download files and open them while online (use Tails for this). Consider using Tails OS for highest-risk work.

Battle-tested anonymity network with ~8,000 relays serving millions daily. Open-source, with regular independent audits (Radically Open Security for ESR transitions, 7ASecurity code audit in 2025, Cure53 for censorship circumvention tools). The 2024 German timing attack is the most significant documented deanonymization — but it targeted outdated software and required months of surveillance plus ISP cooperation. Current versions have mitigations. CVE-2024-9680 was critical but patched in under 25 hours. Merged with Tails OS in 2024, strengthening both projects. Funding is diversifying away from US government dependency. Exit-node vulnerability remains a known limitation — mitigated by HTTPS-only mode.

Who Owns This

Owner The Tor Project (nonprofit, 501(c)(3))

Funding Diversified: 35% US government (primarily State Dept Bureau of Democracy, Human Rights, and Labor — $2.12M), 19% Mullvad, plus Craig Newmark Philanthropies, Ford Foundation, #StartSmall, Sweden's Sida, Power Up Privacy, and individual donors ($1.1M in 2023–2024). Total budget: $7.3M. Government share dropped from 53% (2021–2022) to 35% (2023–2024).

Business model Nonprofit. No monetization. No ads, no data collection, no premium tier.

Known issues

Timing analysis attacks are real — German police used them successfully between 2019–2021, confirmed by the Chaos Computer Club. CVE-2024-9680 (October 2024) was a critical Firefox zero-day (CVSS 9.8) actively exploited against Tor users; patched within 25 hours. Exit nodes can see unencrypted traffic if you're not using HTTPS. Website fingerprinting research continues to advance — adversaries who control both entry and exit points can correlate traffic. Russia, China, Iran, and Turkmenistan actively block Tor access, requiring bridges or pluggable transports. Screen size and other browser fingerprinting vectors require discipline to mitigate.

Pricing

Free

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.

Something wrong or outdated? Report it.