Vitalii Gulenok/istock via Getty
How to use Tor -- and whether you should -- in your enterprise
The Tor browser has sparked discussion and dissension since its debut. Does the software, which promises anonymous and secure web access, have a role to play in the enterprise?
In the two decades since the Tor web browser was publicly introduced, it has been a subject of praise and notoriety. Proponents tout the free and open source software for its ease in accessing web content securely and anonymously. But Tor has attracted equal attention for its use as a tool to access potentially illegal content on the dark web.
For enterprises considering whether to allow employees to use Tor as part of their everyday responsibilities, it's important to understand both the browser's pros and cons. Let's examine how to use Tor and discuss where it might work in enterprise situations.
What is the Tor browser?
Short for The Onion Router, the Tor web browser is based on Firefox. It offers users additional layers of security and anonymity when browsing websites. It accomplishes this in two ways: first, by using a Tor-specific network of relays to transmit information and, second, through locked-down security settings.
People use Tor when they don't want their IP addresses to be identified or when they don't want their web activities to be traced -- often in situations where they fear persecution from government or other tracking sources.
Users range from political activists and journalists to those conducting illicit transactions, as well as residents in countries where free speech or other activities are restricted.
If your organization operates in these arenas -- absent the illicit activities, of course -- or if you care strongly about privacy online, then Tor might be for you.
How Tor works
Tor uses a combination of encryption and routing to hide web activity. A worldwide network of Tor relays, run by volunteers, routes web traffic. These relays help make each connection look the same, preventing unique identifiers in specific traffic from indicating where that traffic originated.
Tor includes only one plugin -- NoScript -- and discourages the use of any others. Plugins might reduce anonymity or expose information based on their functionality. They can also introduce browser vulnerabilities. Many organizations already restrict the installation of plugins for Flash, QuickTime and other services, so this constraint probably isn't an issue for your company.
NoScript lets users select trusted sites that are allowed to run JavaScript or other code, a much more restrictive and secure setting. It's installed and enabled by default in Tor and available for other browsers to help reduce script-oriented security problems, such as cross-site scripting.
When it closes, Tor deletes browsing history, cookies and other elements involved in tracking a user's activities. Many users already implement these additional security settings on their browser of choice, including Chrome, Safari and Firefox. Tor strongly urges users to refrain from altering these settings; however, be aware they limit users' ability to view some web content.
Tor in the enterprise
For all its strengths in anonymity and security, Tor is an unlikely browser choice in many enterprise environments. Most businesses will likely stick with popular browsers for various reasons, even beyond those of Tor's enterprise privacy and security concerns. For one thing, due to the physical design of the Tor network -- connections must be made between each relay -- Tor browsing is noticeably slower. Plugin and script limitations might frustrate users for tasks without privacy requirements.
Under the right circumstances, however, Tor might be a viable option.
Business Tor use cases
Tor might be suitable for uses that include restricted speech, controversial topics or legal/criminal activities, including investigation. Among them are the following:
- Journalism. Journalists and other information providers who operate from countries that forbid the transmission of particular information could benefit from Tor's anonymity and relay network.
- Activism. Tor's increased security and ability to hide users' identities make it a practical choice for political activists or whistleblowers who want to shed light on shady business activities. Such communication must often be camouflaged to prevent threats to the individuals involved.
- Security application development. Developers working on security-specific projects might wish to hide their identity while doing research. They could also need to test applications in the context of Tor relays and encryption. If your organization delves deep into secure communications, Tor could be a useful utility.
- Law enforcement investigations. Investigators who pursue criminal activities on the internet or the dark web might find that Tor aids in retaining anonymity and maintaining cover.
These roles are only a subset of common internet users, but they represent industries where above-and-beyond web security is essential.
Legal concerns
The installation and use of the Tor browser in itself is not typically against the law, although the browser may violate acceptable use policies within a business. Legal issues are more likely to arise from how employees use Tor rather than the fact they use it. This topic gets murky fast. Sometimes, you're dealing with international law and dark web access.
Should employees use Tor?
Deciding whether to let employees use the Tor browser is an exercise in managing expectations. The experience of using the Tor browser differs from using a less-secure Chrome or Firefox browser stuffed with add-ons.
Discuss the following key issues with end users:
- Slower browsing speeds. Because of Tor's more roundabout routing, sites don't respond or load as quickly.
- Blocked multimedia. Scripts, media clips and other "flashy" site designs probably don't load or run correctly in Tor.
- Acceptable use. Tor makes it difficult for security teams to track employee web use, increasing the risk your business resources could be used in unsavory activities online. Discuss this with users to educate them.
- Blocked sites. Users' exit points from Tor's relay structure causes their origination point to appear to be from a different part of the world. Banking and other sites could restrict access from these parts of the world to secure resources. Users could be forced to update credentials or profile information when using Tor.
It's unlikely people will use Tor for every browsing need. Instead, they will probably use it for specific tasks related to particular security requirements.
If your organization decides to allow Tor use, ensure its help desk is prepared to support users through any growing pains when starting with Tor. The Tor Project provides many online resources for learning the browser's ins and outs.
If your organization decides to prohibit Tor, clearly communicate this to staff, and include it in security and acceptable use policies.
Advantages and disadvantages of Tor in the enterprise
Your organization's circumstances dictate if Tor is a viable option. Here are some potential advantages and disadvantages in allowing Tor in your business environment.
Potential advantages include the following:
- Increased privacy while browsing and researching questionable topics online.
- Increased privacy after browsing by deleting cookies and other settings.
- Browsing anonymity.
- Solid cross-platform support for Linux, macOS, Windows and Android.
- Relatively secure default configuration.
Potential disadvantages include the following:
- Slower browsing experience.
- Fewer browsing enhancements, such as multimedia and scripts.
- Exit points from the Tor relay network could still expose information.
- Tor is built on Firefox and might include its security vulnerabilities.
- Tech support resources might be greater.
- ISPs know when Tor is used, and they might report you to law enforcement for additional scrutiny.
- Some sites might block Tor, especially if exit points are from remote locations.
- Increased risk of business resources being used in illicit dealings.
- Potential increased exposure to malware.
- Difficult to enforce your organization's acceptable use policy.
How to install Tor
Installing Tor is straightforward. The browser supports multiple languages -- a crucial consideration for people using the software in countries where web access is restricted. Its cross-platform support -- Linux downloads as a .tar extract, Mac users receive a .dmg disk image and Windows relies on a traditional .exe application -- makes Tor easy to deploy to end-user workstations and usable in nearly every enterprise environment.
An official Android version is available for mobile users. An official iOS version is not available, but iPhone and iPad users can download the Onion Browser app from Apple App Store. ChromeOS users, meanwhile, can download the Android Tor app. It displays the mobile version of websites, but it shouldn't be a problem for most users.
The Tor site provides documentation, including an extensive FAQ and user manual. The FAQ covers a wide array of questions, from Tor installation to relay support to add-ons. The user manual provides more detailed procedures for configuring options, such as bridges and identity management. Plenty of information is available for your help desk to support Tor browser users.
Bridging the connection could be required in some network environments. Select from several built-in bridges, or configure your own.
Tor defaults to DuckDuckGo rather than Google, whose search engine tracks user information extensively.
Users should check their organization's security and acceptable use policies to determine whether they are permitted to use Tor before following these download instructions.
Tor's features appeal to security-conscious users. While it's not for every business environment or user, Tor's commitment to anonymous and private web access can make it an effective tool in the right situation.
Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial and CompTIA Blogs.