The dark web is just a portion of the internet you reach through a different address scheme. Most of what's there is unremarkable: forums, news mirrors, search engines, and whistleblower drop boxes. The risk almost always comes from how you reach it, not from where you land.
Updated 2026. This guide walks through what the term actually covers, why running Tor on your own machine is a bad idea for casual visits, and how an isolated cloud session solves the real problems. No marketplace talk, no mystique. Just the mechanics.
Surface, deep, and dark web, separated
The surface web is everything Google, Bing, and DuckDuckGo index. It's small, a few percent of what exists overall. The deep web is everything that lives behind a login, a paywall, or a private URL. Your online banking, your company wiki, a non-public Google Doc, all of that counts. None of it is secret or dangerous, it's just not publicly indexable.
The dark web is a different thing. It's a small subset of sites you can only reach over an overlay network like Tor or I2P. Addresses end in .onion instead of .com and they're routed through several encrypted hops, so the visitor can't find the server and the server can't find the visitor. Deep and dark don't mean the same thing, and confusing them is the most common mistake people make on this topic.
When this post says "dark web" it means .onion services reached over Tor, nothing else. It's the only part that needs special precautions, and the only part most people are actually worried about when they read the word.
Why Tor on your own machine is risky
Installing Tor on your laptop looks like the easy path to .onion. In practice it moves risk around rather than removing it. Five points are the ones that keep tripping up Tor users.
Your ISP sees you. Tor encrypts the payload, but the connection to the first relay sits on a published list every major provider can match against. In the US, UK, and most of Western Europe that's rarely a direct problem, but it can land in a security file. In Iran, China, or Belarus it's a reason for a knock on the door.
Anything you download persists. Tor Browser protects the session, but anything you save lands on your real disk. A poisoned PDF, a Word doc with a macro, an image with an embedded tracker, all of it survives the browser closing.
Your fingerprint leaks. Tor Browser standardizes most of the fingerprint, but updates, system fonts, screen size, and installed plugins still slip through. More on that in Browser Fingerprinting.
One click outside Tor is enough. If you read mail in the same OS profile and a .onion link arrives in your inbox, it opens in your default browser over your real IP. A single bad route can deanonymize an entire investigation.
JavaScript exploits are real. Mozilla CVE-2016-9079 was probably the best-known case, used by the FBI's Operation Pacifier to identify Tor users. The patch arrived days later. Holes like that resurface every few years. On your own device the consequences are permanent.
What a cloud-browser session changes
A cloud browser runs as a container on a server, far away from your laptop. You drive it through an ordinary browser connection, and the Tor traffic stays entirely inside the container. That moves the critical points.
Your ISP sees a plain TLS connection to a known cloud provider, not a Tor entry. That removes the most conspicuous marker without blocking access to the network.Downloads die with the session. The container has RAM-backed storage, everything is gone after you close. The fingerprint belongs to the container, not to your laptop, your fonts, your GPU.
You can run a Tor session and a regular clearnet session in parallel without cross-contamination. They live in separate containers with separate cookies, IPs, and profiles. A misclick in the wrong window is no longer an identity leak.
The one honest caveat: the provider sees the decrypted contents inside the container, because it hosts the browser process. You're trading one threat (your ISP, your device) for another (your cloud provider). For most threat models that's a good trade, but you should know the jurisdiction and logging policy of the provider before you lean on it.
| Risk | Tor on your laptop | Tor in a cloud session |
|---|---|---|
| What your ISP sees | Tor entry-node connection | Plain TLS to a cloud provider |
| Download persistence | Stays on your disk | Gone when the session ends |
| Device fingerprint | Leaks through OS and drivers | Abstracted by the container |
| Recovery after exploit | Manual cleanup, sometimes impossible | Restart the container |
| Who you have to trust | Mozilla, your device, the Tor network | Plus your cloud provider |
A safe-access workflow
Six steps for a typical research session. None of it is exotic, but each step defuses a specific weakness.
- 1
Start a fresh cloud session in a Tor-enabled image
Browser.lol has a Tor Browser image. Select it and open a new session. No cookies, no history, no tabs left over from a previous visit. - 2
Verify Tor is actually routing
Visit check.torproject.org from inside the container. You should see the green "Congratulations" page. If you don't, something is leaking to clearnet, stop and restart. - 3
Stick to HTTPS .onion services when you can
Modern v3 .onion addresses support ordinary HTTPS. Combined, you get end-to-end authenticity without the weaknesses of the classical certificate trust model. - 4
Keep JavaScript on "Safer" or "Safest"
The Tor Browser shield in the top right. "Safer" disables JS on non-HTTPS sites. "Safest" disables it everywhere. It breaks many sites, but it eliminates the most common exploit vector. - 5
Never sign in to a clearnet account
No Gmail, no Twitter, no banking, no Reddit. The moment you log in, the session ties itself to your real identity and the entire anonymity gain evaporates. - 6
Close the session when you're done
The container is destroyed. Tabs, cookies, downloads, cache, all gone. Next time you start from zero again.
Legitimate reasons to open a .onion
The headlines orbit marketplaces, but the real Tor traffic is more mundane. A few concrete examples you'll actually run into.
The New York Times runs an official .onion mirror of its front page. BBC News does too. If you're in a country that blocks the clearnet domain, the mirror is the simplest way to keep reading.
SecureDrop and GlobaLeaksare .onion platforms that let sources contact newsrooms. Reuters, The Guardian, ProPublica, the BBC, all run official SecureDrop endpoints for whistleblowers.
The Internet Archive hosts a .onion mirror that's useful when a regional block keeps you out of the Wayback Machine. Tor Project,Mullvad, and Riseupall run their main sites in parallel as .onion endpoints so you can reach them without an exit node.
DuckDuckGo publishes a .onion endpoint for searches from inside the Tor network, and Brave Search does the same. Both keep every query from having to hop to clearnet.
Things to never do
This list isn't moral, it's operational. Each item is a concrete way to burn an otherwise safe session.
Don't log in to clearnet accounts. Gmail, Twitter, your bank, anything else where you have a profile. A single login ties the entire Tor session to your real identity. A separate session for personal logins is trivial, do it.
Don't open downloaded documents in the same session if Tor Browser warns you. PDFs with embedded trackers and Office documents with macros are a classic deanonymization vector against Tor users. Save the file, close the session, examine the file afterwards in a separate sandbox.
Don't trust random "onion directories".Many are honeypots, others list dead or hijacked addresses. Use community-vetted lists only. The Tor Project's official directory and the established wikis are a reasonable starting point.
Don't enable JavaScript on unknown sites.Knowing a .onion address doesn't tell you the operator is friendly. Keep the security slider high, only flip JavaScript on if the page genuinely needs it and you trust who runs it.
Don't use your real name, location, or a recycled username. Cross-platform correlation is the main tool tracking systems use. A username you also use on Reddit showing up on an onion forum links both accounts automatically.
Is this legal?
In the US, UK, Canada, Australia, Germany, France, and most of the EU, using the Tor network and visiting .onion sites is legal. What you do once you're there is a separate question. Accessing material that's already illegal on its own (child sexual abuse material, weapons trafficking, illicit drugs) is a crime everywhere, regardless of the address scheme you used to reach it.
Some countries go the other direction and block or criminalize the Tor network itself. China and Iran block it systematically, Russia blocks it in part, and several Gulf states monitor access closely. The usual answer there is Tor bridges, which are non-public entry relays. A cloud session in a jurisdiction outside the block is a pragmatic alternative.
You are responsible for compliance with your local law. This post is not legal advice. If you live somewhere Tor is blocked, check the current legal situation before each use.
A short FAQ
Will my ISP know I'm on Tor if I use a cloud browser?
No. It sees a TLS connection to the cloud provider and nothing else. The Tor entry node is contacted by the container, not by your laptop.
Is the dark web really mostly illegal stuff?
No, considerably less than the headlines suggest. The often-cited Daniel Moore study (King's College London, 2016) found that roughly 57% of the .onion services they indexed hosted illegal content. Later studies put the share lower, because the service population has grown. Weighted by actual traffic, search engines, news mirrors, and legitimate forums dominate.
Can I get hacked just by visiting a .onion site?
Possible but rare. JavaScript exploits against Tor Browser have happened, Operation Pacifier being the famous example. In a cloud session the blast radius is bounded by the container. Close the session and the damage goes with it.
Does a VPN help on top of Tor?
Usually no. Tor is already an anonymization layer. A VPN in front only hides that you're using Tor, which the cloud browser already does. A VPN behind the exit node helps in some cases but is easy to misconfigure, and a bad configuration hurts anonymity rather than helping. When in doubt, leave it out.
The practical takeaway
The dark web isn't what Hollywood makes of it. It's an address scheme that lets servers and visitors find each other without knowing each other's real IPs. For journalists, whistleblowers, people in countries with internet blocks, and ordinary privacy-aware users, that's useful. For criminals it's useful too, but that's not your problem unless you choose to make it one.
If you just want to see what the fuss is about, the recipe is short. Start a fresh cloud session in a Tor image, set JavaScript to "Safer", skip any clearnet logins, look at the NYTimes mirror or DuckDuckGo's onion search, and close the session when you're done. The whole mechanic takes under ten minutes and leaves nothing on your device. That's all a casual visit needs. For deeper work, you now have the building blocks to do it without collateral damage. For more on what "anonymity" actually means in practice, read Anonymous Browsing: VPN, Tor, or Virtual Browsers? and Incognito Mode Is a Lie.
Ready to unlock desktop power on any device?
Try Browser.lol free and experience true mobile productivity.
Start Your Desktop BrowserNo downloads required • Works on any device
