How Tor Really Works and Where It Breaks
imagine you want to pass a note across a crowded room without anyone learning both who sent it and who it was meant for. you hand it to a stranger, who hands it to a second stranger, who hands it to a third, and only that last person sets it down on the right desk. each of them is blindfolded to part of the path. the first knows your face but not the destination. the last knows the destination but never saw your face. no single person in that chain holds the whole story.
that picture is the heart of how Tor tries to work. it is a system for moving traffic across the internet in a way that breaks the usual link between who you are and what you are doing. and like most things that sound like magic, it does something real, and it fails in ways that are quieter and more human than most people expect.
the problem it is actually solving
normally, when you visit a site, the connection is direct in a very revealing way. your traffic carries your address, the site sees where you came from, and anyone sitting in the middle, your network or your provider, can see both ends at once. they know it was you, and they know where you went.
that single fact is the whole problem. it is not usually the contents of the message that gives you away. it is the simple pairing of source and destination, sitting together in one place, readable by whoever is watching that spot. you can encrypt the contents all you like, but the from line and the to line are still written on the same envelope. what you actually need to hide is the relationship between the two ends.
onion routing, in plain terms
Tor’s answer is to never let those two facts sit in the same place. instead of going straight to the site, your traffic is bounced through three volunteer relays, run by strangers all over the world, before it reaches the destination.
the first relay, the one you connect to, can see your real address but has no idea what site you are ultimately trying to reach. the last relay, the one that talks to the site, can see the destination but has no idea who you are. the relay in the middle exists only to keep those two apart, so the first and the last never meet and never compare notes. one relay would see both ends. two would let the first and last touch directly. three is the smallest number that keeps the two dangerous facts a full step apart.
the path stays secret even from the relays carrying it, because before your traffic leaves your machine it is wrapped in three layers of encryption, one for each relay, like a letter sealed inside three nested envelopes. each relay opens exactly one layer. the first finds only an instruction to pass it on. the middle learns only where to send it next. the last opens the final layer and finds the actual request. layers wrapped around layers, peeled back one at a time, like an onion. that is where the name comes from.
what this genuinely protects
it is worth being precise about what this buys you, because it is real. against an observer sitting next to you, the cafe wifi, the person running the local router, Tor hides where you are going. they see you talking to the Tor network, and then the trail goes cold.
against the site at the far end, it hides where you came from. the site sees a connection arriving from the last relay, somewhere else in the world, with no clear thread back to you. and against any single relay in the chain, it hides either your identity or your destination, never both. for a journalist, a researcher, or a person trying to read freely under a watchful network, that gap is the difference between exposed and not.
the exit relay can read unencrypted traffic
here is where the story turns, because Tor is not a cloak of invisibility, and pretending it is gets people hurt. the same design that protects you also has seams, and the seams are where most real failures live.
the first seam is the exit relay, the last machine in the chain, the one that strips off the final layer of Tor’s encryption and sends your request out to the real site. at that moment, whatever you are sending is only as protected as it was to begin with. if your connection to the site is itself encrypted, the way most modern sites are, the exit relay can see that you are talking to that site but cannot read the contents. but if any part of your traffic is unencrypted, the exit relay can read it in the clear. it does not know who you are, but it can read what you sent. anonymous and private are not the same thing, and Tor mainly gives you the first.
the watcher who sees both ends
the second limit is subtler and more serious. Tor is built to defeat someone watching one spot. it is not built to defeat someone powerful enough to watch many spots at once.
imagine an observer who can see the traffic entering the network near you and, at the same time, the traffic leaving the network near the site. they cannot read the layered encryption, and they do not need to. they can simply watch the timing and the size of the data going in and coming out, and notice that the two patterns rise and fall together, like two clocks ticking in sync. that technique is called traffic correlation. it sidesteps the math entirely by matching shapes instead of reading contents. against a watcher with that kind of reach this is a known limit, openly acknowledged by the people who built the network, not a hidden flaw.
where deanonymization really comes from
now the part almost nobody leads with. when people are actually traced through Tor, it is rarely because someone broke the encryption. far more often, the person broke their own cover.
they logged into an account tied to their real name. they reused a username from another part of their life. they posted a detail only they would know, or turned on a feature that leaked their true address around the network entirely. the tool was working perfectly. the human stepped outside of it. the most common way the chain of three strangers fails is that the sender, at some point, simply signs the note. the weak point is almost never the onion routing. it is the ordinary, forgettable moment where identity slips through a side door the network was never covering.
why it is slow, and what it is for
all of this protection has a cost, and the cost is speed. your traffic is not taking the short path. it is bouncing through three volunteer machines, possibly on three different continents, getting encrypted and decrypted at each hop. the relays are run by volunteers with limited capacity, so pages load slowly and anything that wants a fast, fat connection feels like it is wading through mud. that slowness is the visible price of bouncing through strangers instead of going straight there.
so it helps to be clear eyed about the fit. Tor is genuinely good at letting someone reach or publish information without the network around them easily logging where they went. it is not good at making you untraceable while you log into your real accounts, while a global scale adversary watches both ends, or while you leak your own identity through habit. it raises the cost of surveillance. it does not zero it out.
anonymity is a discipline, not a switch
you will hear Tor described as undetectable, foolproof, completely anonymous. none of those words are true, and believing them is how people get caught. there is no tool, on the entire internet, that makes you risk free. what Tor actually offers is narrower and more honest. it removes the easy, automatic link between you and your destination, and forces anyone who wants that link back to spend real effort or catch a real mistake.
so the real lesson sits one level above the software. the network can shuffle your traffic through three blindfolded strangers, wrap it in layers, and keep any single party from seeing the whole path. it cannot stop you from signing the note at the other end. anonymity, in the end, is not a thing you switch on. it is a discipline you keep. the tool supports it. the tool never guarantees it.
The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.