How to Access the Dark Web

A long-form, plain-language guide for the curious — written for journalists, researchers, privacy-conscious users, and anyone who has ever wondered what is actually on the other side of that "dark web" headline.

Table of Contents

1. Why this guide exists
2. Surface web, deep web, dark web — what's the difference?
3. A short history of the dark web and Tor
4. How Tor actually works
5. Threat modeling: who are you hiding from?
6. Installing Tor Browser, step by step
7. Verifying the download (and why you should)
8. Configuring Tor Browser like a sane person
9. Bridges, pluggable transports, and censored networks
10. Using Tails: the amnesic operating system
11. Using Whonix: isolation by design
12. What onion services are
13. Finding legitimate onion sites
14. Operational security (OPSEC) basics
15. Mistakes that get people deanonymized
16. The legal landscape
17. Frequently asked questions
18. Final thoughts

Why this guide exists

If you have ever typed "how to access the dark web" into a search engine, you have probably been buried in two kinds of content: breathless tabloid articles claiming the dark web is a hellscape of hitmen and organ markets, and shady "tutorial" sites covered in pop-ups, tracking pixels, and dubious affiliate links to VPNs that "guarantee" your anonymity. Neither tells you what is actually going on.

The reality is calmer and more interesting. The dark web is a small but important part of the internet that uses cryptography and routing tricks to make it very difficult to know who is connecting to whom. It is used by criminals, yes. It is also used by journalists protecting sources, by activists working under repressive governments, by whistleblowers communicating with newsrooms, by researchers studying censorship, by ordinary people who simply do not want to be tracked, and increasingly by mainstream companies (Facebook, the BBC, the New York Times, ProPublica, DuckDuckGo, and even some governments) who run "onion" versions of their public sites so that users in surveilled countries can reach them safely.

Most of the alarming headlines you have seen are downstream of a handful of high-profile criminal busts. The technology itself is a tool, in the same way that a kitchen knife or a bicycle is a tool. Whether it is good or bad depends entirely on what you do with it.

This guide is meant to be the kind of explanation a patient friend would give you over a coffee. It will walk you through:

• What the dark web actually is, and what it is not.
• How the network underneath it (Tor) works at a level you can actually understand.
• How to install and configure the official Tor Browser on Windows, macOS, and Linux.
• The two operating systems (Tails and Whonix) that privacy-minded users prefer when they want to go further than the browser alone.
• The thinking — known as "threat modeling" — that should drive every decision you make about your privacy setup.
• Common mistakes that get people deanonymized, often catastrophically.
• The legal landscape, in plain language.

By the end you should be able to access the dark web safely, understand the risks, and make informed decisions about how far you want to go.

Surface web, deep web, dark web — what's the difference?

Almost every popular article muddles these three terms. Let's untangle them. (For a focused comparison, see our article on dark web vs. deep web.)

The surface web

The surface web is what you are using right now. It is the part of the internet that search engines like Google and Bing index. If a page is publicly linked to, has no robots.txt blocking crawlers, and lives at a normal web address, it is part of the surface web. Wikipedia, news sites, blog posts, product pages, this article — all of it is surface web.

The surface web is, somewhat famously, only the tip of the iceberg in terms of the total content of the internet. Some estimates put it at less than 5% of all the data accessible via the protocols of the World Wide Web. The exact number is unknowable, but the order of magnitude is right: there is much, much more out there than what shows up on the first page of search results.

The deep web

The deep web is everything that exists on web servers but is not indexed by search engines. This is not mysterious or sinister. It is mostly:

• Anything behind a login. Your webmail inbox, your bank account dashboard, your private messages on social media, your medical records, your company's internal wiki, your Netflix queue. Search engines cannot see these because they require authentication.
• Content behind paywalls. Most academic journals, many newspapers, and a lot of professional databases.
• Dynamic content generated on demand. Database query results, internal search pages, and pages that only exist after you submit a form.
• Pages explicitly excluded from indexing, either via robots.txt, noindex meta tags, or because the content owner has not submitted a sitemap.

In other words, your online tax return is on the deep web. Your private Google Docs are on the deep web. Your work intranet is on the deep web. There is nothing scary or unusual about it. The vast majority of the deep web is utterly mundane.

The deep web is enormous — vastly bigger than the surface web. By some estimates the deep web is hundreds of times larger than the indexed portion. Whether that number is exactly right is less important than the underlying point: the visible internet is the smaller part.

The dark web

The dark web is a small corner of the deep web that you can only reach using special software that anonymizes your connection. The most famous of these networks is Tor, but there are others, including I2P (the Invisible Internet Project) and Freenet/Hyphanet. When people say "dark web" they almost always mean "the network of websites that you reach using the Tor Browser."

What makes the dark web "dark" is not that it is full of villains. It is that:

1. The content is hosted in a way that hides the server's physical location and IP address.
2. The visitor connects in a way that hides their own identity from the server and from anyone watching their traffic.

In other words, on the surface web both ends are visible. On the deep web at least one end (often the server) is visible but the content is gated. On the dark web, both ends are deliberately obscured.

That sounds dramatic, but in practice an onion site looks like an ordinary website. If you visit the BBC's onion address with Tor Browser, you see the same headlines you would see at bbc.com. The difference is in the plumbing, not the experience.

A useful mental model

If you find iceberg metaphors tiresome, think of it this way:

• Surface web = a public street with shops, signs, and a phone book.
• Deep web = your house, your office building, your bank — buildings on the same street, but you need a key or an appointment to get inside.
• Dark web = a parallel postal system where every letter is in an unmarked envelope, sealed inside another unmarked envelope, sealed inside a third unmarked envelope, and routed through a chain of strangers who each only know the next person in the chain.

The dark web is a different layer of addressing and routing. Not a different internet.

A short history of the dark web and Tor

The story of the dark web is, perhaps surprisingly, the story of a U.S. government research project.

In the mid-1990s, researchers at the U.S. Naval Research Laboratory were working on a problem. They needed a way for intelligence officers, agents in the field, and other U.S. personnel to communicate over the internet without revealing who or where they were. Encryption alone was not enough: even if your message is unreadable, the fact that you connected at all to a particular server can give you away. The researchers — Paul Syverson, Michael Reed, and David Goldschlag — wanted to hide the metadata, not just the content.

They came up with an idea called onion routing. The plan was to bounce traffic through several intermediate computers, encrypting each hop with a different key, like layers of an onion. Each computer in the chain would only know the previous and next hop. None of them would know the whole route, and no observer could tell who the original sender was or what the final destination was just by watching one point in the network.

The first prototype ran on a single computer in the mid-1990s. By the early 2000s, the project had a name: Tor ("The Onion Router"), and a new collaborator, Roger Dingledine. Dingledine, along with Nick Mathewson and others, worked on a second-generation design that fixed many of the problems with the original prototype.

In 2002, the alpha version of Tor was deployed publicly. At that point its developers made a critical observation: a privacy network used only by U.S. intelligence is a privacy network of one user — and one user is not anonymous. To be useful for spies, Tor needed many other people on it as well, so that the intelligence traffic would blend in with everyone else's traffic. The decision was made to release Tor as free, open-source software available to anyone in the world.

This is the central paradox at the heart of Tor: it was funded in part by the U.S. government, and it is also one of the few tools that can frustrate U.S. government surveillance. Both can be true at the same time. The math does not care who you are.

In 2006, the Tor Project, a U.S.-based 501(c)(3) nonprofit, was founded to maintain and develop the software. It is funded today by a mix of government grants, foundations (like the Ford Foundation and the Open Technology Fund), and individual donors. Its source code is open and audited.

Over the years Tor became something different from what its founders imagined. Beyond U.S. intelligence and the privacy-conscious computer crowd, it became a lifeline for activists during the Arab Spring, a tool for journalists protecting sources, and a way for people in authoritarian countries to read the news.

It also became, inevitably, a place where illegal markets sprang up. The most famous of these was Silk Road, an early online drug marketplace that operated as a Tor hidden service from 2011 until its founder, Ross Ulbricht, was arrested by the FBI in 2013. Silk Road was followed by a parade of imitators, most of which have also been shut down. The press attention from these busts is the source of much of the dark web's lurid reputation.

But the criminal use is a small slice of the actual traffic. The Tor Project has long argued that the vast majority of Tor users are simply people who do not want to be tracked. Major news organizations and tech companies now run official onion services. The European Court of Human Rights and several human rights organizations consider access to Tor a free-speech issue. The picture is more textured than the headlines suggest.

How Tor actually works

To use Tor wisely you do not need a PhD in cryptography, but you should have a working mental model of what it is doing. Let's build one.

The problem Tor is solving

When you visit a normal website, your computer makes a TCP connection to the server. Your IP address is visible to the server, to your internet service provider (ISP), to anyone who runs a router along the path, and to anyone who runs the Wi-Fi network you are on. Even if you use HTTPS so that the content of your traffic is encrypted, the fact that you talked to that server, when, and how much data you exchanged, is all visible to a determined observer.

This metadata is more sensitive than people realize. If your ISP can see that you visited a certain medical site, a certain political party's site, a certain religious site, or a certain dating site, that paints a portrait of you. If a government can see that a particular dissident's blog gets traffic from a particular café in a particular city, they can investigate that café.

Tor's job is to break the link between who you are (your IP address) and what you are doing (the sites you visit).

The Tor circuit

When you start Tor, it builds a path through three relays in the Tor network. This path is called a circuit.

1. The guard relay (also called the entry node) is the first relay in your circuit. It sees your real IP address, but it does not know where your traffic is ultimately going. Tor uses the same guard for an extended period (typically months) to mitigate certain attacks.
2. The middle relay is the second hop. It sees only the guard's address and the exit's address. It does not know who you are, and it does not know what site you are visiting.
3. The exit relay is the third hop. It sees the destination — for example, example.com — but it does not see your real IP address. To example.com, the connection appears to come from the exit relay.

Each of these relays is run by a volunteer somewhere in the world. The Tor network has thousands of relays in dozens of countries, run by individuals, universities, nonprofits, and privacy organizations.

Onion encryption

Here is where the "onion" metaphor comes in.

Before your traffic leaves your computer, the Tor client wraps it in three layers of encryption, like the layers of an onion:

• The innermost layer is encrypted with a key that only the exit relay can decrypt.
• The middle layer is encrypted with a key that only the middle relay can decrypt.
• The outermost layer is encrypted with a key that only the guard relay can decrypt.

When you send data, the guard peels off the outermost layer and forwards what is left to the middle. The middle peels off its layer and forwards what is left to the exit. The exit peels off the last layer and forwards the cleartext request to the destination.

The result:

• The guard sees your IP, but only sees encrypted data going to the middle. It has no idea what you are doing.
• The middle sees nothing useful at all. Just encrypted blobs going from one relay to another.
• The exit sees your traffic to the destination, but it has no idea who you are. To it, you are just one of thousands of people whose circuits happen to terminate at this exit.

No single relay knows both who you are and what you are doing. That is the central trick.

Onion services: hiding the server too

Everything we just described hides the user. But what if you want to hide the server too? What if you want to run a website where the operator's location is also unknown?

That is what onion services (sometimes called "hidden services") are. An onion service has an address that ends in .onion instead of .com or .org, and that address is not registered with any DNS authority. Instead, it is derived from the cryptographic public key of the server.

When you connect to an onion service, your Tor client and the server do an elaborate dance: each one builds a circuit to a meeting point in the middle of the network called a rendezvous point, and they communicate through that. Neither end ever learns the other end's IP address. The exit relay is not even involved — your traffic never leaves the Tor network.

This has two important consequences:

1. Onion services are end-to-end encrypted by design. You do not need HTTPS on top of Tor for an onion address; the connection is already encrypted and authenticated by the cryptography of the Tor protocol.
2. The operator's location is hidden from the user. Even if you compromise the user's Tor Browser, you do not learn where the server is.

Modern onion addresses are 56 characters long and look like this (this is a real, public example, the DuckDuckGo onion service):

duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion

The whole address is the public key of the service. There is no way to "register" a name with someone — you generate the key yourself, and the address is whatever the key says it is. This is wonderful for trust (no central authority can take your name away or hand it to someone else) but ugly for memorability. Most people bookmark onion addresses or get them from trusted directories.

What Tor does not do

Tor protects your network identity. It does not protect you from yourself.

• It does not encrypt the content of your traffic between the exit and the destination if the destination is on the surface web and is not using HTTPS. (Onion sites do not have this problem because the entire path is encrypted.)
• It does not stop you from logging into a personal account that identifies you. If you log into your Facebook profile through Tor, you have just told Facebook that you were on Tor, with all the same identifying information you always provide.
• It does not stop browser fingerprinting unless you use the Tor Browser, which is specifically designed to make all users look identical.
• It does not protect you from malware that runs on your machine, or from physical access to your device.

These limitations are not flaws in Tor. They are reminders that anonymity is a system, not a single tool. We will return to this in the section on operational security.

Threat modeling: who are you hiding from?

Before you install anything, you should answer a question that almost nobody asks themselves: what are you actually trying to protect, and from whom?

This is called threat modeling, and it is the single most important habit to develop if you care about privacy. Without it, you will either do too little (leaving big gaps) or too much (making your life miserable for no real benefit).

A threat model has roughly five questions. Answer them honestly.

1. What are you trying to protect?

Sometimes called your "assets." This might be:

• The fact that you read certain news sites.
• The fact that you participate in certain forums.
• A document you wrote that names a corrupt official in your country.
• The contents of a private conversation with a source.
• Your real name.
• Your physical location.
• The fact that you are using Tor at all.

Be specific. "My privacy" is not a useful answer. "The fact that my employer cannot see I have been job-hunting" is.

2. Who do you want to protect it from?

Your "adversary." Different adversaries have wildly different capabilities.

• A nosy roommate has access to your shared Wi-Fi router and maybe your laptop when you are not looking.
• An advertising network wants to track you across sites for profit.
• A school or workplace IT department can see traffic on the network they run.
• A local police force has subpoena power.
• A government can compel ISPs and platforms to hand over data.
• A well-funded intelligence agency can do all of the above and conduct active attacks against your devices.

Tor protects against many adversaries very well. It does not, by itself, protect against all of them.

3. How likely is it that you will need to protect it?

Sometimes called your "risk." This is the probability that the adversary will actually try to come after you.

A journalist working on a politically explosive story has a much higher risk than someone who just doesn't like ads. Both are valid reasons to use privacy tools, but they should drive different choices.

4. How bad are the consequences if you fail?

If a marketing company figures out that you read this article, the consequence is that you might see a slightly more relevant ad. If a totalitarian government figures out that you read certain banned content, the consequence might be a prison sentence.

The bigger the downside, the more effort it is rational to put into your defenses.

5. How much trouble are you willing to go through to prevent those consequences?

Privacy is not free in the sense of "effort." Strong privacy means slower browsing, sometimes broken websites, careful habits, and patience. Most people are not willing to live their entire digital life under those constraints — and they do not need to. The right answer is to use stronger tools when you have something to protect, and lighter tools the rest of the time.

Once you have written down your answers — even just on a sticky note — the rest of this guide is much easier to apply. You will know which sections matter to you and which you can skim.

Installing Tor Browser, step by step

The Tor Browser is the official, recommended way for ordinary people to use Tor. It is a modified version of Mozilla Firefox that is preconfigured to route all of its traffic through the Tor network, with a set of privacy-protecting extensions and settings baked in. (If you want a shorter, step-by-step walkthrough, see our Tor Browser setup guide.)

The most important rule when installing Tor Browser is to download it only from the official Tor Project website. There are countless fake or backdoored versions floating around the internet. Do not get one from a third party, do not get one from a search engine ad, do not trust a screenshot from a forum.

The only correct address is:

https://www.torproject.org/download/

If your country blocks torproject.org, you can also request the installer by email from the Tor Project (more on that in the bridges section).

Windows

1. Open a normal browser and go to https://www.torproject.org/download/.
2. Click the Windows download button. You will get an installer file with a name like tor-browser-windows-x86_64-portable-13.x.x.exe (the version number changes over time).
3. Move the installer to a folder where you have write permissions, for example your Downloads folder or a USB stick.
4. Verify the signature before running it (see the next section). This step is optional but strongly recommended, especially if you live somewhere where the network might be tampered with.
5. Double-click the installer. It will ask you where to extract Tor Browser to. The default is fine, but you can also extract it to a USB drive — Tor Browser is portable and does not need to be "installed" in the system sense.
6. After extraction, open the new folder and double-click Start Tor Browser. You will see a small connection window. Click Connect.
7. After a few seconds, Tor Browser will open. The first page will confirm that you are connected to the Tor network. You are now using Tor.

macOS

1. Open Safari (or whatever browser you use) and go to https://www.torproject.org/download/.
2. Click the Apple/macOS download button. You will get a .dmg disk image.
3. Verify the signature (see the next section) if you can.
4. Open the .dmg file. A window appears with a Tor Browser icon and an Applications folder.
5. Drag the Tor Browser icon into the Applications folder.
6. Eject the disk image.
7. Open Tor Browser from your Applications folder. macOS may warn you that it is from an unidentified developer the first time. Right-click (or Control-click) the app and choose "Open" to bypass that warning.
8. Click Connect in the connection dialog.

Linux

1. Open your normal browser and go to https://www.torproject.org/download/.

2. Click the Linux download button. You will get a .tar.xz archive.

3. Verify the signature (see the next section).

4. Extract the archive somewhere convenient, such as ~/Apps/tor-browser. You can do this with your file manager or with a terminal command:

   tar -xf tor-browser-linux*.tar.xz -C ~/Apps/
   

5. Open the extracted folder and run the start-tor-browser.desktop file. On most desktops you can either double-click it or run:

   ~/Apps/tor-browser/Browser/start-tor-browser --register-app
   

   The --register-app flag adds Tor Browser to your applications menu so you can launch it normally afterwards.

6. Tor Browser opens and asks if you want to connect. Click Connect.

Android

The Tor Project also maintains an official Tor Browser for Android. You can install it from F-Droid (recommended for privacy) or from the Google Play Store. Search for "Tor Browser" by The Tor Project. Do not install any other "Tor" app on Android — many are unrelated and a few are outright malicious.

There is no official Tor Browser for iOS. The Tor Project recommends Onion Browser for iPhone and iPad, which is a third-party browser that uses the Tor network. It is not as hardened as Tor Browser proper because Apple's rules require all iOS browsers to use the WebKit engine, but it is the best option on that platform.

Verifying the download (and why you should)

This section is optional in the sense that Tor Browser will work without it. It is not optional if your threat model includes anyone who might tamper with files in transit.

When you download Tor Browser from torproject.org, you are trusting two things:

1. That the website you reached is really torproject.org and not an impostor.
2. That nothing modified the file between their server and your computer.

Modern HTTPS handles the first point reasonably well, but it is not perfect. Country-level adversaries have been known to issue fake certificates for popular sites. Verifying the signature on the file lets you check that the file you downloaded was actually built by the Tor developers and not by someone in the middle.

The Tor Project signs every Tor Browser release with a known cryptographic key. To verify a download, you fetch the signature file alongside the installer, then use the GnuPG (GPG) tool to confirm that the signature on the installer matches the developers' key.

The exact commands change over time, so the Tor Project keeps an up-to-date verification guide on their website. The general flow is:

1. Install GnuPG if you do not already have it. (gpg is preinstalled on most Linuxes, available via Gpg4win on Windows, and via gpgtools.org on macOS.)
2. Download the developer's signing key from the Tor Project's documentation page and import it into your keyring.
3. Download the .asc signature file that lives next to the installer on the download page.
4. Run a gpg --verify command pointing at the signature and the installer.

If the verification succeeds you will see a "Good signature" message. Pay attention to it — that is your assurance that the file you have is the file the Tor developers shipped.

If you cannot or will not verify, at least make sure you downloaded the file directly from https://www.torproject.org/download/ and that the address bar shows a valid TLS certificate from the Tor Project. That covers most casual threat models.

Configuring Tor Browser like a sane person

When Tor Browser opens for the first time, it is already a significantly more private browser than anything you are used to. There are still a few settings worth knowing about.

The security level slider

In the top right corner of Tor Browser there is a small shield icon. Click it and choose Settings…. You will see a slider with three positions: Standard, Safer, and Safest.

• Standard enables all features. Sites work the way they would in Firefox. JavaScript runs everywhere. This is the default.
• Safer disables JavaScript on non-HTTPS sites and turns off some risky features (HTML5 media autoplay, certain fonts and math symbols). Many sites still work, but some break.
• Safest disables JavaScript on all sites, blocks remote fonts, blocks images that are part of CSS, and disables some other features. Many modern sites are unusable at this level. You get the best protection in exchange for a frustrating experience.

For most casual reading, Safer is a sensible compromise. For high-risk research, use Safest. For routine browsing of well-known onion sites that you trust, Standard is fine. The right setting depends on your threat model.

New identity and new circuit

To the right of the address bar is a small broom icon (or similar — it changes between releases). This gives you two important options.

• New Identity (also reachable from the menu) closes all your tabs, clears your cookies and history, and starts a fresh Tor circuit. Use this when you are switching between different "personas" — for example, finishing some research and starting unrelated reading. It is the digital equivalent of stepping outside, washing your hands, and coming back as a different person.
• New Tor Circuit for this Site changes only the relays for your current site, leaving everything else as-is. Use it if a particular onion site is being slow or if you are routed through an exit that is blocked by the destination.

NoScript and HTTPS-Only

Tor Browser ships with the NoScript extension, which gives you fine-grained control over JavaScript. The security level slider is the easy way to use it; the icon in the toolbar is the advanced way. Most users should leave it alone unless they are sure they know what they are clicking on.

Tor Browser also enforces HTTPS-Only mode by default, which means it will refuse to load surface-web pages over plain HTTP. This is a sensible default and you should not turn it off.

Window size

Tor Browser deliberately opens at a non-maximized window size. Do not maximize the window. The reason is browser fingerprinting: a lot of websites can read your viewport dimensions, and if your dimensions are unique, you become identifiable across sessions. By keeping every Tor Browser at a similar default size, the network of all Tor users becomes a single large crowd of look-alike browsers. Maximize one, and you stand out.

Newer versions of Tor Browser use a feature called "letterboxing" that adds neutral gray bars when you resize, so that the actual page area snaps to one of a small number of possible sizes. Let it do its job.

Bookmarks, history, and downloads

Tor Browser remembers bookmarks across sessions, but it does not remember history beyond the current session by default. Downloads go to your normal Downloads folder unless you change it.

Be careful about downloading files through Tor Browser. Do not open downloaded files while you are still online, especially documents like PDFs and Office files that can contain embedded resources. Those resources can phone home over your normal internet connection, completely bypassing Tor and revealing your real IP address. Always disconnect from the internet (or move to an isolated environment such as Tails) before opening sensitive downloads.

Bridges, pluggable transports, and censored networks

In some countries, ISPs block connections to known Tor relays. This is meant to make it harder for ordinary people to use Tor. The Tor Project has spent years building tools that get around these blocks. The two key concepts are bridges and pluggable transports.

Bridges

A bridge is just a Tor relay whose address is not published in the public Tor directory. Censors can block all the public relays, but they cannot block the bridges they do not know about.

The Tor Project gives out bridge addresses through three channels:

1. The Tor Browser bridge selector. When you start Tor Browser in a censored environment, you can ask it to request a bridge directly. It will give you a few options and try them.
2. The BridgeDB website, at https://bridges.torproject.org/. You can request a few bridges at a time, with optional filters.
3. By email, by sending a message to [email protected] from a Gmail or Riseup address with the body get transport obfs4 (or whichever transport you want). The bot replies with a few bridges. This works even if you cannot reach torproject.org from your country.

To use a bridge, copy the address line into Tor Browser's connection settings. The next time you connect, Tor Browser will use that bridge as its first hop.

Pluggable transports

A pluggable transport is a way to disguise Tor traffic so that it does not look like Tor traffic on the wire. An ordinary Tor connection has a particular pattern that automated censors can recognize. A pluggable transport scrambles that pattern.

The most widely used transport today is obfs4 (and its successor, obfs4-bridges). It makes Tor traffic look like nothing in particular — random bytes. Other transports make the traffic look like ordinary HTTPS, like a video call, or even like other applications. Recent ones include:

• meek, which routes through a major cloud provider (Microsoft, Amazon, or Google) so that your traffic looks like ordinary cloud traffic. Slow but very hard to block.
• Snowflake, which uses volunteer-run browser extensions and WebRTC to relay traffic through ordinary web browsers. Even more flexible — anyone with a browser can become a volunteer Snowflake bridge for a few minutes at a time.
• WebTunnel, which makes the traffic look like ordinary HTTPS traffic to a regular website.

The Tor Project's connection assistant (built into Tor Browser) tries to figure out the best transport for your country automatically. In most cases you can just say "Connect" and let it work.

What if your country blocks even bridges?

This is rare but it does happen, particularly during politically sensitive periods. The Tor Project's response is to ship new bridges and transports faster than they can be blocked. The arms race is real, and the Tor Project's anti-censorship team is one of the most dedicated groups in the privacy community.

If you are in a high-censorship country and Tor stops working overnight, the right move is usually to update Tor Browser, try a different transport, and check the Tor Project's blog and social media for current advice.

Using Tails: the amnesic operating system

Tor Browser is enough for many users. But if you want more isolation — if you are worried that your computer might be compromised, or that you might leave traces on your hard drive — there is another tool that goes much further: Tails.

Tails is short for The Amnesic Incognito Live System. It is a complete Linux operating system that you boot from a USB stick. It runs entirely in your computer's memory. When you shut it down, everything you did is gone. There is no hard drive, no swap, no log file, no persistent state. The next time you boot, it is exactly as it was before.

Tails forces every internet connection through Tor. Ordinary network traffic from any program is blocked. There is no way for an application to "accidentally" make a connection that bypasses Tor — the operating system will not allow it.

This makes Tails the gold standard for high-stakes privacy work. Journalists working with whistleblowers, human rights researchers documenting abuses, and political dissidents around the world use Tails for the parts of their lives where being traced would be dangerous.

What you need to use Tails

• A USB stick with at least 8 GB of space (16 GB or more is better).
• A computer that can boot from USB. Almost all PCs from the last fifteen years can. Macs require a few extra steps.
• A working internet connection.
• About an hour the first time, less after that.

Installing Tails

The Tails Project provides extremely detailed installation instructions for every supported platform. They guide you step by step through:

1. Downloading the Tails image from https://tails.net/.
2. Verifying the image, either using their browser-based verification tool or with GPG.
3. Writing the image to a USB stick using a tool like Etcher (cross-platform), dd (Linux/macOS), or Rufus (Windows).
4. Booting from the USB stick. On most computers you press a key like F12, Esc, or F2 during boot to choose the boot device.

Once Tails is running, you get a desktop that looks vaguely like a normal Linux desktop, with Tor Browser already installed and configured, plus a few other privacy-friendly applications: an email client (Thunderbird), an office suite (LibreOffice), a password manager (KeePassXC), an image editor (GIMP), and tools for encrypted communication.

Persistent storage

Tails is amnesic by default, but you can choose to enable an encrypted persistent volume on the same USB stick. The persistent volume stores things like your bookmarks, your saved files, your KeePassXC database, and any additional software you install — all encrypted with a passphrase you set.

Persistent storage is convenient, but it comes with a tradeoff: the more you store, the more there is to lose if your USB stick is seized or stolen. For maximum safety, keep it lean. For workflows where you need to come back to a project repeatedly, persistence is a reasonable compromise.

When to use Tails

Tails shines when:

• You want a guarantee that nothing of what you did is left on your computer afterwards.
• You are using a computer you do not fully trust (for example, an internet café or a shared library machine).
• Your threat model includes physical seizure of your hardware. (If your laptop is taken, the part that mattered is on the USB stick, which you can swallow, snap in half, or never have on your person in the first place.)
• You are communicating with sources via SecureDrop or similar systems, where the entire workflow is designed to be done from Tails.

Tails is not a tool for everyday browsing. It is slow to boot, it is inconvenient, and the constant need to redo any per-session configuration is exhausting. Use it for the work that demands it. For a dedicated walkthrough, see our Tails OS guide.

Using Whonix: isolation by design

Whonix is another privacy-focused operating system, but it takes a fundamentally different approach from Tails. Where Tails is one OS booted from a USB stick, Whonix is two virtual machines that you run on top of your existing computer.

The two virtual machines are:

1. The Gateway. This VM runs Tor and nothing else. It is the only VM that has access to the real internet. It accepts traffic from one direction (the Workstation) and routes it through Tor in the other direction.
2. The Workstation. This VM runs all the applications: Tor Browser, email clients, chat apps, whatever you need. Its only network connection is to the Gateway. It cannot reach the real internet directly. If a piece of malware takes over the Workstation, it still cannot find out the host's IP address, because the Workstation does not even know what that IP address is.

This split is the key insight of Whonix. Tor Browser bundles a Tor client and a browser into one process; if the browser is compromised, an attacker can sometimes find a way to talk to the network outside Tor. With Whonix, even total compromise of the Workstation gives an attacker no way to leak the user's identity, because there is no network path that bypasses the Gateway.

What you need to use Whonix

• A computer with at least 8 GB of RAM (16 GB is more comfortable).
• A virtualization platform. The two best supported options are VirtualBox (free, cross-platform) and KVM/QEMU (free, Linux). Whonix also supports Qubes OS, but Qubes is its own operating system and a separate setup challenge.
• About 30 GB of free disk space.

Installing Whonix

The Whonix project provides downloadable VM images and detailed instructions on https://www.whonix.org/. The general flow is:

1. Install VirtualBox (or your preferred virtualization platform).
2. Download the Whonix Gateway and Workstation images, plus the signature and signing key.
3. Verify the images.
4. Import them into VirtualBox.
5. Start the Gateway VM first, then start the Workstation VM.

The first time you boot Whonix, it walks you through a setup wizard that updates the system and explains the key concepts.

When to use Whonix

Whonix is a good fit when:

• You want strong isolation but cannot or do not want to dedicate a USB stick and reboot your computer every time you need privacy.
• You are doing technical work — research, software development, administration of an onion service — that needs more flexibility than Tails offers.
• You want persistence as the default. Unlike Tails, Whonix VMs keep their state between reboots. (You can also take VM snapshots and roll back to a clean state when you need to.)
• You are running on a powerful machine where running two VMs is comfortable.

Whonix and Tails are not competitors. They solve overlapping but different problems. Some users use Whonix for daily work and switch to Tails for the highest-stakes tasks.

What onion services are

Now that you have Tor Browser (and maybe Tails or Whonix) running, what can you actually visit on the dark web?

Onion services — the websites whose addresses end in .onion — fall into a few broad categories.

Mirror sites of mainstream services

A growing number of well-known services run official onion versions of their public sites. The point is to give users in censored countries a reliable way to reach them and to make traffic analysis harder. Examples include:

• DuckDuckGo, the privacy-focused search engine.
• The New York Times, BBC News, The Guardian, and ProPublica, all of which run onion mirrors of their journalism.
• Facebook, which famously launched an onion mirror in 2014 to allow users in countries that block Facebook to access it.
• Riseup, an activist-friendly email provider.
• The Tor Project itself, whose own website is also available as an onion service.
• SecureDrop, the whistleblower submission system used by many newsrooms.

These services are useful, mainstream, and uncontroversial. They are also a great way to get comfortable with Tor Browser before exploring further.

Communication tools

Several encrypted communication tools live primarily as onion services or work better when accessed via Tor. These include privacy-respecting webmail providers (such as ProtonMail's onion address), encrypted messaging services, and file-drop tools designed for anonymous handoffs.

Forums and communities

Many discussion communities have moved at least part of their presence to onion services to protect their members. Some of these are technical (security research, privacy tools), some are political (activist organizing, free-speech communities), and many are simply niche interests where people prefer to talk without being tracked.

Hosting and infrastructure

A surprising number of administrative services for the Tor network itself, for the Linux distribution mirrors that activists use, and for other privacy infrastructure live on the dark web. They are dull but important.

Other things

Yes, there are also illegal markets and other unsavory places. We are not going to link to them or describe how to find them. Their existence is well-documented elsewhere. If you came here looking for that, this is not the right guide. The vast majority of legitimate, useful onion services are easy to find through legitimate directories.

Finding legitimate onion sites

Finding onion addresses can feel awkward at first. There is no Google for the dark web in the traditional sense. There are a few accepted ways.

Official directories and search engines

There are a handful of search engines that index onion services. They vary in quality and in editorial standards. The two most commonly recommended are:

• Ahmia (https://ahmia.fi/), a search engine for onion services that explicitly filters out abusive content.
• DuckDuckGo's onion mirror, which can search the surface web from inside Tor.

There are also community-maintained search engines and directories for onion services. Deepr is a dark web search engine and link directory where every link is voted on by users — you can search by keyword, browse by category, check whether sites are online or offline, and see each site's stability history, all without creating an account. Some directories are also linked from the Tor Project's own resources.

Onion-Location HTTP header

A growing number of websites that have an onion mirror tell you about it automatically when you visit them with Tor Browser. They send a special HTTP header called Onion-Location whose value is their onion address. Tor Browser sees this header and shows a small purple ".onion available" button next to the address bar. Click it, and you switch to the onion version.

This is the most user-friendly way to discover onion services in 2025. If you visit nytimes.com with Tor Browser, you will see the button. Click it once and you will be on the onion site. Bookmark it.

Word of mouth and trusted publications

Many onion addresses are still distributed informally — through trusted news articles, EFF guides, the Tor Project's blog, academic papers, and conference talks. If a major publication like Wired, The Guardian, or The Intercept lists an onion address in an article, that is generally a trustworthy source.

Verifying that you are on the right site

Because onion addresses are long, confusing strings of characters, phishing is a real problem. Attackers can generate addresses that look superficially similar to a popular site (sharing the first or last few characters with the real address) and trick users into visiting their fake version.

A few best practices:

• Bookmark addresses you trust. Once you have visited a real site by following a link from a trustworthy source, save the bookmark and use it next time. Do not retype the address from memory.
• Compare the full address character by character if you are typing it in. Especially the parts in the middle, which are easy to overlook.
• Look for an Onion-Location button on the site's surface-web version, and use that to switch over.
• Cross-check addresses against multiple directories like Deepr before visiting.
• Use the search engines that filter out scams, like Ahmia.

Operational security (OPSEC) basics

You can install the most secure software in the world and still be deanonymized in five minutes by a careless habit. Operational security is the part of privacy work that is about your behavior, not your tools.

Here are the principles that matter most.

Compartmentalize your identities

Decide, in advance, what identity each piece of activity belongs to. Your "real" identity, with your real name and real email, is one identity. Your pseudonymous research identity is another. Your activist identity is a third. Never let them touch each other.

Concretely:

• Use different browsers (or different Tor Browser sessions, restarted with New Identity) for different identities.
• Use different email accounts. Never use a personal email to register for an account that should be pseudonymous.
• Never log into a personal account from a Tor session you also use for pseudonymous activity.
• Do not use the same nickname or "handle" across identities. Adversaries can and do correlate handles across the entire internet using search engines.
• Do not write in the same style. (This is hard. There is software that can identify authors by their writing style alone — "stylometry.")

Watch what you share

Photos contain metadata. Documents contain metadata. Voice notes contain background noise that can identify a location. Even an innocuous detail like "I'm watching the snow fall outside my office" can narrow your possible location to a few hundred kilometers.

Before you share anything — anything — pause and ask: "What does this tell someone about me, beyond what I meant to say?"

• Strip metadata from images using tools like exiftool or Tails' built-in Metadata Cleaner.
• Strip metadata from documents using the document properties dialog in Word, LibreOffice, or your PDF software.
• Crop or blur identifying details in screenshots: window titles, taskbars, browser tabs, time zones, language settings, autocomplete suggestions.
• Avoid posting from a phone in real time. Phones leak more metadata than computers, and "real time" is a strong identifier.

Protect the device, not just the connection

Tor protects your network traffic. It does not protect your laptop from someone who steals it.

• Use full-disk encryption. Modern operating systems make this easy: BitLocker on Windows, FileVault on macOS, LUKS on Linux. Choose a long passphrase and remember it.
• Use a strong screen lock. Set your computer to lock automatically after a short period of inactivity.
• Be aware of physical surveillance: shoulder surfing, cameras pointed at your screen, USB devices left in your machine by someone else.
• Do not leave your laptop unattended in places where someone could install hardware on it.

Update everything

Almost every "deanonymized via Tor" story you read is downstream of an exploit in software the user did not bother to update. Tor Browser auto-updates by default — let it. Tails and Whonix prompt you to update at boot — let them. Your operating system, your antivirus, your other applications — keep them current.

Don't run random binaries

This sounds obvious, but it is the single most common way that high-value targets are compromised. Someone sends you an attached PDF or Word document, you open it, and the embedded JavaScript or macro reaches out to a server controlled by an attacker. Your IP address is captured. Game over.

If you absolutely must open a suspicious document, do it in an isolated environment: a Tails session with no persistence, a freshly booted virtual machine that you will throw away afterwards, or — for truly high-stakes work — a dedicated computer that has never had your real identity on it.

Time is metadata

When you do things is itself a fingerprint. If your "anonymous" account only ever posts during business hours in one specific city, an analyst can guess where you live. If you always go offline at 11 PM, an analyst can guess your time zone within an hour.

You cannot eliminate this entirely, but you can be aware of it. Stagger your activity. Use scheduling tools when appropriate. Be especially careful about being the first to post about events in your local area.

Resist the urge to brag

A surprising number of investigations have been broken open because the target told someone — sometimes a lot of someones — what they were doing. Whether it was a chat partner, a romantic interest, a forum acquaintance, or an undercover agent, the principle is the same: the strength of your privacy is bounded by how much you tell people.

If you are doing serious work, the only people who should know about your activities are the people who absolutely need to know. Even your closest friends do not need to know what you do on Tor.

Mistakes that get people deanonymized

Almost every famous deanonymization story has the same shape: a clever, technically sophisticated person did something boring and stupid that broke the chain. Some real examples (or paraphrases of them) to learn from.

Logging into your real account

Probably the number-one mistake. You boot up Tails, you launch Tor Browser, and then you log into your personal Gmail "just to check." Congratulations: Google now knows that, at this date and time, your real-name account was accessed from the Tor network. If anything else you did from that Tor session is later attributed to your Tor exit, the dots can be joined.

Rule: a session is either anonymous or it is not. The moment you cross the line, the whole session is contaminated. Start a new identity (or, better, a new boot of Tails) and try again.

Using identifiable handles

Using the same nickname on a pseudonymous forum that you use anywhere else on the surface web is a one-line search away from identification. Adversaries can and do query the entire indexed internet for unusual usernames. If your name is "exampleuser1987" and you use it on Reddit, on a gaming forum, and on your "anonymous" dark-web account, then your "anonymous" account is no longer anonymous.

Rule: pick fresh handles for each persona. Treat them like burner phones.

Linking accounts via writing style

This is creepier than it sounds. Stylometric analysis can identify authors by the patterns of their word choices and sentence structures with surprising accuracy, especially when there are multiple longer texts to compare. A sufficiently motivated adversary with samples of your public writing can sometimes match them to your "anonymous" posts.

There is no perfect defense. Possible mitigations include keeping anonymous writing short, deliberately changing your style, or using machine translation as a kind of stylistic blender (translate to another language and back). None of these are bulletproof. The strongest defense is to write under one identity and not duplicate it under another.

Posting photos with metadata

Cameras embed a staggering amount of information in image files: GPS coordinates, the camera model, the date, the time, the lens, sometimes the user's name. If you post a "totally anonymous" photo and forget to scrub the EXIF data, you have just published your home address.

Rule: always strip metadata. Use a dedicated tool that you trust. Verify the result before posting.

Mixing Tor with non-Tor for the same task

If you research a topic over Tor, and then you switch to your normal browser to look at the same topic, you have revealed your interest in that topic from two different network identities. Correlation is straightforward.

This applies to research, to dark-web purchases (legal or otherwise), to viewing certain content, and to messaging. If something is private, it stays private the entire time.

Running unsigned software

People download "useful" tools — wallet generators, scrapers, "anonymity boosters" — from forums and run them. A nontrivial percentage of these tools are backdoors written by malicious actors specifically to harvest information from privacy-conscious users. The more interested you are in privacy, the more attractive a target you are.

Rule: if you cannot verify the source and the signature, do not run it. Especially anything that promises to make you "more anonymous." That is not how anonymity works.

Overusing one circuit

Tor Browser uses a fresh circuit per site, but if you do many things from the same long-running session — log into one account, then another, then visit several other pages — patterns can build up that make traffic analysis easier. Periodically use New Identity to start over.

Forgetting that the exit can read unencrypted traffic

If you are visiting a surface-web site that is still on plain HTTP (rare, but it happens), the Tor exit relay can see everything you send and everything you receive. A malicious exit could log it. This is one of the reasons that HTTPS-Only Mode is on by default in Tor Browser. Do not turn it off.

For onion services this is not a concern because there is no exit relay involved.

Taking shortcuts because "this time is different"

Almost every famous case study includes a moment when the person made an obvious mistake out of impatience, fatigue, or overconfidence. Privacy work is tiring. The brain wants to take shortcuts. The single most important habit is the habit of not taking shortcuts when you are tired.

If you are too tired to do things correctly, stop. Do something else. Come back tomorrow. The internet will still be there.

The legal landscape

This is not legal advice. Laws differ between countries, between regions, and over time, and you should consult a qualified lawyer if your work might intersect with the law in any serious way. With that disclaimer firmly in place, here is the broad picture. (For a country-by-country breakdown, see Is the Dark Web Illegal?)

Using Tor is legal in most countries

In the United States, the European Union, the United Kingdom, Canada, Australia, most of Latin America, and most of Africa, using Tor is legal. The Tor Project is a U.S.-registered nonprofit. Most governments treat it as a privacy tool, even if individual law-enforcement officers may have negative opinions about it.

In a small number of countries, the use of Tor is restricted, blocked, or in some cases illegal. China, Iran, Russia (in waves), Belarus, Saudi Arabia, the United Arab Emirates, Egypt, Turkmenistan, and Venezuela have all imposed or attempted various levels of blocking or restriction at different times. The list changes. If you live in or travel to a country whose laws or political situation are uncertain, find out the current state of the law before you act.

In a slightly larger set of countries, Tor is legal but viewed with suspicion, and using it may attract attention even if it does not lead to charges. This is part of your threat model.

What you do with Tor is your responsibility

Using Tor does not place you above the law. The content of what you do still matters. Buying drugs over Tor is still illegal where buying drugs is illegal. Distributing CSAM is illegal everywhere on Earth and morally indefensible. Hiring a "hitman" is, when it is not a scam (and it is almost always a scam), a crime that gets people killed.

Tor is a tool. It does not absolve you of the consequences of what you choose to do with it.

Running a relay or an exit

Running a Tor relay (a guard or middle node) is legal in essentially every jurisdiction and is genuinely helpful to the network. If you have a server with bandwidth to spare and you want to support privacy, this is one of the best things you can do.

Running a Tor exit relay is more complicated. Because the exit relay is the address that the destination sees, it sometimes attracts complaints from sites whose users have been abused by people elsewhere on the network. In some jurisdictions, exit operators have faced legal pressure even though they were not the ones who committed the underlying acts. The Tor Project, the EFF, and the Library Freedom Project have all written extensively on the legal protections available to exit operators in different countries.

If you are considering running an exit, read those resources first, and consult a lawyer. Do not run an exit from your home internet. Run it from a server hosted at an organization that is willing to receive abuse complaints and respond to them appropriately.

Reporting abuse

If you encounter content on the dark web that depicts abuse — particularly child sexual abuse material — there are organizations whose entire job is to receive and act on those reports. The Internet Watch Foundation (IWF) in the UK, the National Center for Missing & Exploited Children (NCMEC) in the U.S., and similar bodies in other countries accept reports anonymously. Reporting abusive content is the right thing to do, and you should not feel constrained from doing it just because you are using Tor.

Frequently asked questions

Is using Tor illegal?

In most countries, no. See the legal section above for the exceptions.

Will my ISP know I am using Tor?

Without bridges, yes, your ISP can see that you are connecting to a known Tor relay. They cannot see what you are doing, but they can see that you are using Tor. With bridges and a pluggable transport like obfs4 or meek, the connection is disguised and your ISP cannot easily tell that you are using Tor at all.

Should I use a VPN with Tor?

Probably not. The Tor Project and most security researchers recommend that ordinary users do not add a VPN on top of Tor. Reasons include:

• A VPN provider can see all your traffic. Even if they say they don't log it, you are placing trust in a single company. Tor distributes that trust across thousands of relays.
• A VPN can break Tor's circuit-building logic and make some attacks easier, not harder.
• Many "Tor + VPN" guides on the internet are written by VPN affiliate marketers, not by privacy researchers.

There are a handful of niche cases where adding a VPN before Tor (so that Tor sees the VPN, not your real address) is reasonable — for example, when you live in a country where the very fact of using Tor is dangerous and you cannot get a working bridge. Even then, the right answer is usually to use a Tor bridge or a pluggable transport, not a VPN.

For almost everyone, the right answer is use Tor Browser as designed and skip the VPN. For a detailed breakdown, see VPN vs. Tor.

Is Tor slow?

Yes, somewhat. Each request goes through three relays, often on different continents, each of which is run by a volunteer with limited bandwidth. You will not stream 4K video. You can read articles, send messages, and do most things you would do online. The Tor Project has invested heavily in performance over the years and Tor in 2025 is dramatically faster than Tor in 2015, but it will never match the speed of a direct connection.

Can I use my phone?

Yes. There is an official Tor Browser for Android, and there is Onion Browser (a third-party, Tor-Project-recommended app) for iOS. Phones, however, have many other tracking surfaces — operating system telemetry, app fingerprinting, baseband software, and so on — and are not the right device for high-stakes privacy work. For serious work, use Tails on a laptop.

Can I host my own onion service?

Yes. The Tor Project's documentation explains how to set up an onion service for a website or other server. You do not need any special infrastructure — just a normal web server and a few configuration lines. This is one of the cleanest ways to publish information that you do not want tied to a particular hosting provider.

What about cryptocurrency?

Cryptocurrency is sometimes used on the dark web, including by perfectly legitimate services that accept it as a privacy-friendly form of payment. Bitcoin in particular is not anonymous — every transaction is permanently recorded on a public ledger, and cryptocurrency analysis firms have become very good at de-anonymizing Bitcoin flows. If you genuinely need anonymous payment, most experts recommend looking into privacy-preserving cryptocurrencies designed for that purpose, while understanding that cryptocurrency law varies wildly by jurisdiction.

Can I get a virus from the dark web?

You can get a virus from anywhere on the internet. The dark web does not have a special concentration of malware, but some onion sites — particularly those in the gray-market world — have a higher density of phishing and scam attempts than the surface web does. The defenses are the same: don't run untrusted code, keep your software updated, use isolated environments for risky activity.

Will the police kick down my door if I read a Wikipedia article on Tor?

No. Reading about Tor is not a crime in any jurisdiction this author is aware of. Installing Tor is not a crime in most jurisdictions. Visiting an onion site is not a crime in most jurisdictions. The thing that makes things criminal is the underlying activity, not the network.

How do I leave Tor?

Just close Tor Browser. Tor only runs while the browser is open (unless you have specifically configured a system-wide Tor service, which most people do not). When the browser closes, the circuits go away, and your computer goes back to using the normal internet.

Final thoughts

If you have read this far, you know more about the dark web than most people who write about it for a living. You know that it is a tool, not a place; that the same software that lets criminals avoid investigation also lets journalists protect their sources, lets dissidents read banned news, and lets ordinary people opt out of being tracked. You know how Tor builds its circuits, how onion services work, and what makes Tails and Whonix different.

You also know that the most important parts of staying safe are not technical. They are about habits. Compartmentalization. Patience. Knowing what you are protecting and from whom. Refusing to take shortcuts when you are tired. Saying less than you want to say.

The dark web is not a magic invisibility cloak. It is a carefully designed system that does specific things very well, and you have to understand what those things are to use it intelligently. With a clear head and a realistic threat model, you can use Tor safely. Without those, no amount of fancy software will save you.

A final word for the curious. The first time you visit an onion site, it feels strange — half thrilling, half anticlimactic. The screen looks like any other web page. The text loads more slowly than you are used to. The address bar shows fifty-six characters of nonsense. And then you think about everything that just happened to make those words appear: your traffic wrapped in three layers of cryptography, bounced around the world, met by another circuit at a rendezvous point, and answered back through the same elaborate path. Thousands of volunteers, some of them strangers in countries you have never visited, briefly acted as relays for your connection. None of them knew who you were or where you were going.

That is the dark web. Not a basement of horrors. A quietly remarkable piece of mathematics, run by a small global community of people who believe that privacy is a thing worth working for.

Use it well.