How to Install Tor Browser Safely (5 Steps)

Install Tor safely: download from torproject.org, verify the GPG signature, and set the right security level. Skipping any step risks a tampered build.

By Dark Web Insight Research Desk · 5 min read

Downloading Tor Browser from the right source and verifying its integrity takes less than five minutes — but skipping those steps is how researchers and journalists end up running modified Tor builds that leak their identity. The only legitimate source is torproject.org. Mirror sites, Reddit links, bundled installers, and browser extensions that claim to be Tor are all risks, whether through negligence or deliberate tampering.

Step 1: Go Directly to torproject.org

Open your regular browser and go to https://www.torproject.org/download/. The page automatically detects your operating system and surfaces the correct download. Versions are available for Windows, macOS, Linux, and Android.

What not to do:

  • Do not search "download Tor browser" and click the first result — ad-injected pages have appeared above the official site in search results
  • Do not use third-party mirror sites even if they look legitimate
  • Do not install browser extensions that claim to route traffic through Tor — they don't work like Tor Browser and they don't provide the same protections

The Tor Project also operates a .onion address for the download page itself: http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/ — this is useful if torproject.org is blocked in your region.

Step 2: Verify the GPG Signature

Signature verification confirms that the file you downloaded was produced by the Tor Project's signing key and has not been altered in transit. This step is not optional if you're using Tor for high-stakes work.

Download both the installer file and the .asc signature file (listed alongside the main download on the torproject.org page).

Then run these commands:

# Import the Tor Browser signing key
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

# Verify the signature (run in the folder that holds both the installer and its .asc file)
gpg --verify tor-browser-*.asc

Expected output includes:

gpg: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"

The fingerprint should match: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290. A "bad signature" or "no public key" result means the file should not be trusted. Re-download from the official site and try again.

GNU Privacy Guard (GPG) is pre-installed on most Linux distributions and macOS. Windows users need to install Gpg4win first.
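
An added example, not from the Tor Project or the original article: the script below pins the fingerprint from Step 2 against gpg's machine-readable status output instead of relying on reading the "Good signature" line by eye. The function names and the sample status lines are constructed for illustration, and the 1111... and 2222... values are placeholders rather than real key fingerprints.

```shell
#!/bin/sh
# Fingerprint quoted in Step 2 of the article, with the spaces removed.
EXPECTED_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Reads `gpg --status-fd` lines on stdin. Succeeds only when a VALIDSIG line
# names EXPECTED_FPR as the primary key (its last field) and no line reports a
# bad, unverifiable, expired-key or revoked-key signature.
status_is_trusted() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && NF >= 12 { if (toupper($NF) == want) ok = 1; else bad = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_download SIGFILE DATAFILE: run gpg and apply the check above.
verify_download() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_is_trusted
}

# Constructed sample status output (not captured from a real run).
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Tor Browser Developers (signing key)
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 1704067200 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'

# A cryptographically good signature, but made by some other key.
SAMPLE_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Someone Else
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2024-01-01 1704067200 0 4 0 1 10 00 2222222222222222222222222222222222222222'

# A signature that does not match the file at all.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1111111111111111 Tor Browser Developers (signing key)'

# Usage: sh verify.sh <installer>.asc <installer>
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2" && echo "signature OK, fingerprint pinned" || exit 1
fi
```

The wrong-key sample is the case a by-eye check misses: gpg reports a good signature for any key in the keyring, so the fingerprint comparison is what ties the file to the Tor Project's key.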

Step 3: Install Without Modification

Once verified, extract or run the installer. On Linux and macOS, Tor Browser runs as a portable folder — you don't need administrator privileges. On Windows, the installer will guide you through the process.

After launch, leave the defaults exactly as they are. Do not:

  • Install additional browser extensions (including ad blockers or password managers)
  • Change the default search engine (DuckDuckGo via .onion is the default for a reason)
  • Enable plugins like Flash or PDF viewer
  • Import browser bookmarks from your regular browser

Tor Browser's security depends on all users presenting an identical fingerprint to websites. A standard Tor Browser with no extensions looks the same as every other Tor Browser. The moment you add uBlock Origin — a sensible tool in any other context — your browser instance becomes distinguishable from others. Tor Project's research on browser fingerprinting, developed with the EFF, underpins these defaults.

See common Tor mistakes for a breakdown of which modifications break anonymity and why.

Step 4: Set the Right Security Level

Click the shield icon in the toolbar (to the right of the address bar). Three security levels are available:

Level    | JavaScript             | Use Case
Standard | Enabled everywhere     | General privacy browsing
Safer    | Disabled on HTTP sites | Research on unfamiliar .onion sites
Safest   | Disabled everywhere    | High-risk research, journalism

For most research involving dark web content, Safer is the practical floor. Some .onion services require JavaScript to function, but accepting that trade-off at Safer (HTTP-only restriction) keeps the risk contained. At Safest, attack surface from JavaScript exploits is eliminated — at the cost of some site functionality.

The Freedom of the Press Foundation recommends Safer or Safest for journalists using Tor Browser to access SecureDrop.

Step 5: Understand What Tor Can't Protect

Tor Browser is a browser. It protects traffic flowing through that browser. It does not protect:

Other apps on your device. If you open a PDF downloaded through Tor in your system's PDF viewer, that viewer may make network requests using your real IP. The Tor Project's official guidance is to never open downloaded files outside the Tor Browser sandbox while connected.

Your accounts. Logging into any personal account — Google, social media, email, forum — while using Tor Browser immediately links your Tor session to that identity. The site sees the account login regardless of your IP.

Full-screen mode. Your screen resolution is a fingerprinting vector. Tor Browser uses letterboxing to pad the window and prevent resolution detection. Full-screen mode bypasses this.

Long-lived sessions. Extended browsing sessions in a single circuit build correlatable traffic patterns. Use "New Circuit for This Site" (from the site identity button) when visiting sensitive services, or restart Tor Browser between sessions.

For the full picture of what Tor protects and where it stops, the Tor Browser overview covers protections and threat model in detail. For choosing between Tor and a VPN, see Tor vs VPN.

Frequently Asked Questions

Is it illegal to download Tor Browser?

No. Tor Browser is legal software in the United States, European Union, United Kingdom, Canada, Australia, and most other countries. Certain authoritarian governments restrict Tor — if you're in a region where it's blocked, use Tor bridges or a VPN to access the download page. The legality of what you do with Tor is a separate question from the legality of the tool itself.

How do I know my Tor Browser is genuine?

Run GPG signature verification as described in Step 2. A "Good signature" result from the key fingerprint EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290 confirms the file was produced by the Tor Project. Without verification, you're trusting the download channel alone, which is not sufficient.

Should I use a VPN with Tor?

Connecting to a VPN before launching Tor (Tor over VPN) hides the fact that you're using Tor from your ISP, at the cost of trusting the VPN provider. Whether that's a worthwhile trade depends on your threat model. If your ISP flagging Tor usage is a concrete risk — say, you're in a country where Tor is monitored — then a VPN with a verified no-logs policy adds a meaningful layer. If not, it adds a point of trust without clear benefit.