Dark web and Tor network glossary

The vocabulary of the dark web blends cryptography, internet culture, journalistic jargon, and legal concepts. The same words sometimes mean different things depending on the context, and technical terms intermingle with urban legends. This glossary aims to provide clear, factual, and up-to-date definitions of the most commonly used terms in the Tor ecosystem and around the dark web.

Each entry begins with a short definition (perfect for understanding in a few seconds), then expands the concept in a more detailed paragraph with the necessary technical, historical, or cultural context. Some terms have aliases or synonyms, indicated in italics. For a more narrative overview, see our pillar articles: unusual dark web FAQ, 50 myths debunked, and 30 unusual sites.

⚫ We know why you are here. It's not this page. Tor access →

.

.onion Address

Also known as: onion address, adresse oignon

Unique identifier for a hidden service on the Tor network, consisting of 56 characters followed by .onion.

A .onion address is the unique identifier of a hidden service on the Tor network. Unlike a traditional domain name such as example.com, a .onion address is not registered with any registrar and does not rely on any centralised DNS: it is in fact the base32-encoded representation of a cryptographic public key. .onion v3 addresses, in use since October 2021, are 56 characters long and are derived from a 256-bit Ed25519 key. This length guarantees a virtually infinite address space and makes brute-force attacks impossible. Older v2 addresses (16 characters) were deprecated due to cryptographic vulnerabilities. A .onion address is only accessible with a Tor-capable browser and cannot be opened from a standard browser.

A

Ahmia

Search engine for Tor hidden services, known for its strict moderation.

Ahmia is a search engine specialising in indexing hidden services on the Tor network, created in 2014 by Finnish researcher Juha Nurmi at the University of Tampere. Its distinguishing feature is active content filtering: child sexual abuse material, terrorist apologist sites, and overtly illegal content are excluded from the index. Ahmia indexes approximately 20,000 to 30,000 active .onion services and is accessible both from the clearnet (ahmia.fi) and from Tor. It is the search engine recommended by the Tor Project for users seeking an ethical approach to exploring the dark web.

Air Gap

Also known as: air-gapped

Physical isolation of a computer, completely disconnected from the Internet and all networks.

An air-gapped system is a computer physically isolated from all networks, including the Internet. No Ethernet cable, no active Wi-Fi, no Bluetooth, no USB port connected to a networked device. This radical isolation is used for the most sensitive systems: private key servers for cryptocurrencies, classified military infrastructure (SIPRNet, JWICS), SecureDrop machines used to review documents submitted by sources. The trade-off is operational inconvenience: transferring a file to or from an air-gapped machine requires a dedicated USB drive and many precautions. The Stuxnet attack in 2010 demonstrated that an air gap is not absolute: a sufficiently sophisticated malware can jump across via physical media.

Anonymity

The inability to link an online action to the real-world identity of its author.

Anonymity refers to the technical impossibility for an observer to associate an online activity with the physical or civil identity of the person who performed it. On Tor, anonymity is achieved through onion routing: traffic passes through several relays that successively conceal the origin of the connection. Anonymity is never absolute: it depends on the user's good practices (not logging into identifying accounts, not sharing personal information), the quality of the software used, and the absence of opsec errors. Anonymity is distinct from pseudonymity (a consistent but non-civil identity) and from confidentiality (content hidden but author identifiable).

B

Backdoor

Also known as: backdoor

Hidden access in software or a system that bypasses its protections.

A backdoor is a mechanism deliberately placed in software, hardware, or a protocol that allows a specific party to bypass its protections. Some backdoors are intentional and documented (maintenance accounts), others are covert. In debates over encryption, several governments have repeatedly called for backdoors to be introduced into mainstream encryption systems to allow judicial access. Cryptographers largely oppose this, arguing that a backdoor for "the good guys" is automatically exploitable by "the bad guys". The debate ran through the Apple vs FBI case in 2016 and continues today with European proposals on encryption.

Bitcoin

Historic pseudonymous cryptocurrency, created in 2009, widely used on the dark web.

Bitcoin is the first operational cryptocurrency, created in 2009 by the pseudonymous Satoshi Nakamoto. Its architecture relies on a public blockchain where all transactions are permanently recorded. Contrary to its reputation, Bitcoin is not anonymous but pseudonymous: every address can be traced, and specialist firms (Chainalysis, Elliptic) can often link addresses back to real identities through flow analysis. On dark web marketplaces, Bitcoin was long the dominant currency before being progressively replaced or supplemented by more privacy-preserving cryptocurrencies such as Monero.

Blockchain

Distributed public ledger of a cryptocurrency's transactions.

The blockchain is the distributed ledger that permanently and publicly records all transactions of a cryptocurrency. Each block contains a set of validated transactions, cryptographically linked to the previous block, forming an unbroken chain since the currency's creation. The blockchain is maintained by a decentralised network of nodes that validate transactions according to a consensus protocol (Proof of Work for Bitcoin, Proof of Stake for Ethereum, etc.). For the dark web, the blockchain represents both a tool (cryptocurrency payments) and a risk (the traceability of transactions).

Botnet

Network of compromised computers controlled remotely by an attacker.

A botnet is a network of computers infected by malware that places them under the control of a central attacker (the "botmaster"). Compromised machines, called "bots" or "zombies", can be used for distributed denial-of-service (DDoS) attacks, spam, cryptocurrency mining, or the distribution of other malware. Some botnets have controlled millions of machines (Mirai, Emotet, Conficker). Command-and-control (C&C) servers are often hosted on the dark web to evade takedowns. International law enforcement operations regularly target these infrastructures, but their distributed structure makes them resilient.

Briar

Encrypted peer-to-peer messaging app that works even without Internet access.

Briar is an open-source messaging application developed since 2014 by The Guardian Project and the Briar Project. Its technical distinguishing feature is that it operates without a central server: messages synchronise directly between devices, via Tor when the Internet is available, or via Bluetooth and Wi-Fi Direct when infrastructure is cut off. This resilience makes it valuable in contexts of protests, state-ordered Internet shutdowns, or mass surveillance. No phone number or email address is required: users connect via QR codes that establish a permanent relationship between their devices.

Bridge (Tor Bridge)

Also known as: pont tor

Unlisted Tor relay used to bypass blocks on the Tor network.

A bridge is a Tor relay whose address is not published in the network's official directory. Bridges allow users to bypass blocks imposed by governments or Internet service providers, which typically filter the addresses of public entry relays. Users obtain bridge addresses via the torproject.org website, by email at [email protected], or more recently via BridgeDB and Telegram. Several types of bridges exist, including obfs4, meek, and Snowflake, which add an obfuscation layer to disguise Tor traffic as ordinary HTTPS traffic.

C

CAPTCHA

Automated test to distinguish a human from a bot on a website.

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a device that presents the user with a task easy for a human but hard for a program: recognising distorted characters, identifying images, solving a puzzle. Google reCAPTCHA and hCaptcha dominate the market. Tor users encounter CAPTCHAs abnormally frequently because Tor exit node IPs are shared and flagged as suspicious by anti-abuse systems. Some sites block Tor connections entirely. DuckDuckGo is notable for not imposing CAPTCHAs on Tor users.

Clearnet

Also known as: surface web

The ordinary Internet, indexable by Google and accessible via standard browsers.

Clearnet refers to the ordinary Internet as most people know it: all the sites accessible through standard browsers (Chrome, Firefox, Safari) and indexable by Google. The term is contrasted with darknet and dark web. All sites in .com, .org, .net, etc. are part of the clearnet. Clearnet sites offer no anonymity by default: servers see your IP address, cookies identify you across sessions, and analytics track your behaviour. Browsing the clearnet via Tor Browser is an interesting compromise: you benefit from Tor anonymity while still accessing the entire standard web.

CoinJoin

Bitcoin privacy protocol by aggregating multiple transactions.

CoinJoin is a cryptographic technique proposed in 2013 by Gregory Maxwell to improve the privacy of Bitcoin transactions. Multiple users combine their transactions into a single Bitcoin transaction with multiple inputs and outputs, making blockchain analysis harder: it becomes impossible to determine which output corresponds to which input. Wallets such as Wasabi Wallet and Samourai Wallet implement variants (ZeroLink, Whirlpool) with varying levels of anonymity. Unlike centralised mixers, CoinJoin requires no trust in a third party: participants cooperate directly via a cryptographic protocol. Modern blockchain forensics can sometimes unravel certain CoinJoin implementations, especially poorly configured ones.

Consensus (Tor)

Official document listing the state of the Tor network, published every hour.

The Tor consensus is a document published every hour by the Tor network's Directory Authorities. It lists all active relays, their characteristics (bandwidth, status flags, public keys), and constitutes the source of truth about the state of the network. Tor clients download the consensus to build their circuits. The generation process involves a vote among the nine Directory Authorities, followed by a collective signing phase. Attacking the consensus would require compromising a majority of the Directory Authorities, making it a critical but well-protected security point of the network.

Cryptocurrency

Also known as: crypto

Decentralised digital currency based on cryptography and the blockchain.

A cryptocurrency is a digital currency whose transactions are secured by cryptography and whose issuance is regulated by a decentralised protocol, with no central authority. Bitcoin (2009) is the oldest and best known; Ethereum, Monero, Zcash, and thousands of others have followed. Cryptocurrencies play an important role on the dark web because they enable payments without traditional banking intermediaries. Their degree of anonymity varies: Bitcoin is pseudonymous and traceable, while Monero integrates privacy mechanisms by default (ring signatures, stealth addresses). The use of cryptocurrencies is legal in most countries, but capital gains are generally taxable.

Cypherpunk

Activist movement promoting the use of cryptography to defend privacy.

Cypherpunks are an informal movement born in the 1980s–1990s around the idea that strong cryptography can be a tool for political liberation. The manifesto written by Eric Hughes in 1993 sets the founding principle: "Privacy is necessary for an open society in the electronic age". Julian Assange, Phil Zimmermann (creator of PGP), David Chaum, Hal Finney, Nick Szabo, and Wei Dai are among the historic figures. Cypherpunks are the origin of many foundational technologies: PGP, anonymity via remailers, and digital currencies that preceded Bitcoin. Their philosophy continues to inspire projects like Tor, Signal, and cryptocurrencies.

D

Dark Web

Also known as: darknet

The set of websites not indexed by Google, accessible only via specific protocols such as Tor or I2P.

The dark web is the portion of the Internet that is not indexed by standard search engines and is only accessible with specific software (Tor Browser for .onion sites, for example). It constitutes a small part of the deep web (which also includes all password-protected content, internal databases, etc.). The dark web hosts both legitimate sites (media outlets, privacy tools, secure communications) and illegal activities (marketplaces, illicit content). Credible estimates put the number of simultaneously active .onion sites at between 30,000 and 80,000 — a tiny fraction of the 1.8 billion sites on the standard web.

Deep Packet Inspection (DPI)

Also known as: DPI

In-depth analysis of network packet contents to identify and filter traffic.

Deep Packet Inspection is a network analysis technique that goes beyond examining packet headers (source/destination addresses, ports) and also inspects their content. Authoritarian governments (China, Iran, Russia) use DPI to detect and block Tor traffic, which has a recognisable cryptographic signature. Tor's pluggable transports (obfs4, meek, Snowflake) were designed precisely to evade DPI by disguising Tor traffic as random data or ordinary HTTPS traffic. DPI is also used legitimately by companies to filter traffic on their internal networks.

Deep Web

All web content not indexed by search engines.

The deep web encompasses all content accessible on the Internet but not indexed by Google, Bing, or other general-purpose search engines. This includes your emails, online banking accounts, companies' internal databases, intranets, pages behind a login, university document archives, and so on. The deep web accounts for roughly 90 to 96% of all content available online. The dark web constitutes only a tiny fraction of it. The common confusion between the deep web and the dark web stems from iceberg-shaped infographics that popularised the distinction without rigour.

Descriptor (service)

Signed file that describes a Tor hidden service so it can be reached.

In Tor's architecture, a descriptor is a cryptographically signed file that describes a hidden service: its public key, its Introduction Points, and the metadata needed to connect to it. Hidden services publish their descriptors in the network's Distributed Hash Table (DHT) via HSDir nodes (Hidden Service Directories). Clients wishing to connect to a service retrieve the descriptor corresponding to the targeted .onion address, verify the signature using the public key encoded in the address, and contact one of the Introduction Points. v3 descriptors incorporate encryption that makes their content opaque to anyone who does not know the full .onion address.

Digital Dead Drop

Asynchronous communication method with no direct contact between sender and recipient.

A digital dead drop is the online equivalent of the traditional intelligence "dead drop": a location where the sender deposits a message that the recipient retrieves later, without them ever meeting. Digitally, this can take the form of shared drafts on a common email account (a technique used by David Petraeus and Paula Broadwell), files deposited via OnionShare, or anonymous pastes on .onion services. The principle avoids any traceable direct communication. SecureDrop operates on this asymmetric model: the source drops documents, the journalist checks later, with no direct contact.

Digital Forensics

Also known as: forensics, computer forensics

Discipline of analysing computer systems to reconstruct past events.

Digital forensics is the discipline that reconstructs actions performed on a computer system from the traces they left behind. Investigators analyse hard drives, RAM, system logs, and captured network traffic. Specialised tools (EnCase, FTK, Autopsy, Volatility) allow deleted files to be recovered, browsing history to be reconstructed, and applications used to be identified. Tails OS is designed to leave no forensic trace on the host computer: the system erases itself on shutdown, leaving forensic tools with nothing to analyse.

Directory Authority

Also known as: directory authority

Trusted servers that maintain the list of relays on the Tor network.

Directory Authorities are a small number of trusted servers (currently 9) that maintain and distribute the official list of Tor relays. Every hour, they publish a "consensus" describing the state of the network: which relays are active, their bandwidth, and their characteristics. Tor clients download this consensus to build their circuits. The Directory Authorities are operated by trusted individuals and organisations within the Tor Project, geographically distributed to resist censorship or compromise attempts. Attacking these authorities would be one way to weaken Tor, which is why their security is a permanent area of concern.

DNS Leak

Also known as: fuite DNS

Leakage of DNS queries to ISP servers despite using a VPN or Tor.

A DNS leak occurs when domain name resolution requests exit through the user's ISP instead of passing through the VPN or Tor tunnel. This is a major anonymity flaw: even if your traffic passes through Tor, plaintext DNS requests reveal to your ISP which sites you are visiting. Tor Browser handles this natively by routing all DNS resolutions through the Tor network via the exit node. With VPNs, a careless configuration can allow DNS to leak. Sites such as dnsleaktest.com allow you to verify the integrity of your setup.

Dread

Major dark web community forum, often compared to Reddit.

Dread is a forum accessible via Tor, launched in 2018 by HugBunter in response to the closure of Reddit's /r/DarknetMarkets. Its architecture mirrors Reddit's model (sub-forums, votes, nested comments) but runs entirely on .onion. Dread hosts diverse discussions: technical topics, opsec, marketplace news, politics, and philosophy. No email address or phone number is required to register. Over the years, the platform has become the largest English-language community on the dark web and a central space for important ecosystem announcements. It has survived multiple major DDoS attacks and the test of time — remarkable in an environment where projects rarely last more than a few years.

E

Ed25519

Cryptographic signature algorithm used by Tor for v3 .onion addresses.

Ed25519 is a digital signature algorithm based on elliptic curves, published by Daniel J. Bernstein and co-authors in 2011. It offers an excellent trade-off between security (equivalent to 128 bits of symmetric security), performance (very fast signatures), and size (public keys of only 32 bytes). Tor adopted it for v3 .onion addresses: each hidden service is identified by an Ed25519 public key, whose base32-encoded representation forms the .onion address. Ed25519 is also used by many modern protocols such as SSH, TLS 1.3, and package signatures in certain Linux distributions. Its cryptographic robustness is considered very strong against current attacks.

EFF (Electronic Frontier Foundation)

Major American non-profit defending digital rights.

The Electronic Frontier Foundation (EFF) is a non-profit organisation founded in 1990 in San Francisco by Mitch Kapor, John Gilmore, and John Perry Barlow. It defends civil liberties in the digital world: privacy, freedom of expression, net neutrality, and open access to knowledge. The EFF has played a historic role in supporting the Tor Project, both financially and legally. It has contributed to numerous landmark cases: defending security researchers facing prosecution, opposing mandated backdoors, and promoting strong encryption. The EFF regularly publishes practical guides, including Surveillance Self-Defense, which recommends Tor for many use cases. It is one of the leading institutions in global digital rights activism.

End-to-End Encryption

Also known as: end-to-end encryption, E2EE

Encryption where only the sender and recipient can read the content.

End-to-end encryption (E2EE) is a system in which only the sender and the recipient of a message can read its content. No intermediary, not even the messaging service provider, holds the decryption keys. Signal, WhatsApp (officially), ProtonMail, and Ricochet Refresh all implement E2EE. This encryption is distinct from in-transit encryption (TLS/HTTPS), which protects data during transfer but leaves it accessible to the intermediate server. On the dark web, E2EE is an expected standard for sensitive communications, particularly in investigative journalism.

Exit Node

Also known as: noeud de sortie

Last relay in a Tor circuit, which communicates with the destination site.

An exit node is the final relay in a Tor circuit. It establishes the actual connection to the destination website on the clearnet. The destination site sees the IP address of the exit node, not that of the user. Operating an exit node exposes its owner to particular responsibilities: illegal actions carried out by anonymous users will appear to originate from their IP. Several countries treat exit node operators as protected technical intermediaries (similar to ISPs), but legal issues arise regularly. Exit nodes represent approximately 10% of all Tor relays.

Exit Policy

Rules that define what type of traffic a Tor exit node agrees to relay.

An exit policy is the configuration that determines which ports and protocols a Tor exit node agrees to relay to the Internet. A relay operator can choose to allow only HTTP/HTTPS (ports 80 and 443), or be more permissive by including SSH, IRC, and email. Some operators explicitly ban certain ports or destinations to avoid abuse. Exit policies are published in the Tor consensus, allowing clients to choose their exit node according to the targeted service. The "reduced exit policies" recommended by the Tor Project balance utility and abuse limitation.

Exit Scam

Organised disappearance of a marketplace operator along with escrowed funds.

An exit scam is the practice by which operators of a dark web marketplace abruptly shut down the site, taking with them all funds held in escrow. This leaves buyers without their goods and sellers without payment. This practice recurs throughout marketplace history: Sheep Marketplace in 2013, Evolution in 2015, Apollon in 2020, among many others. The scheme is facilitated by the operators' anonymity and the absence of any legal recourse for victims (who would have to admit their involvement in illegal activities). The exit scam has become a structural risk of marketplaces, discrediting the entire model.

Exploit

Code or technique that takes advantage of a vulnerability in software.

An exploit is code, a technique, or a sequence of commands that takes advantage of a vulnerability in software, hardware, or a protocol to obtain unintended behaviour: code execution, privilege escalation, authentication bypass. Exploits can be public (documented in the CVE database, available on Metasploit) or private (sold on specialised markets for amounts ranging from a few thousand to several million dollars depending on their value). "Zero-day" exploits are those that take advantage of vulnerabilities unknown to the software vendor, and therefore unpatched.

F

Fingerprinting

Also known as: digital fingerprint

Technique for identifying a user via the unique characteristics of their device.

Fingerprinting is a tracking technique that identifies a user from the unique characteristics of their device and browser: screen resolution, installed fonts, plugins, time zone, browser version, WebGL configuration, mobile sensors, and more. Combined, these parameters form a near-unique fingerprint that allows a user to be tracked across sessions, even without cookies. Tor Browser is designed to present a standardised fingerprint identical across all users, which neutralises the most common fingerprinting methods. However, maximising the window or installing custom extensions can break this uniformity and make the user identifiable.

Freedom of the Press Foundation

Also known as: FPF

American organisation supporting journalism and maintaining SecureDrop.

The Freedom of the Press Foundation (FPF) is an American non-profit organisation founded in 2012. It supports investigative journalism, notably through the development and maintenance of SecureDrop, the whistleblowing platform used by dozens of newsrooms worldwide. Its board has included Edward Snowden, Glenn Greenwald, Laura Poitras, Daniel Ellsberg, and other major figures in journalism and whistleblowing. The FPF also publishes a press freedom tracker for the United States, which systematically documents violations of journalists' rights. The organisation is funded by individual and institutional donations.

G

GnuPG

Also known as: GPG

Open-source implementation of PGP for encryption and signatures.

GnuPG (GNU Privacy Guard), also called GPG, is the free and open-source implementation of the OpenPGP standard. Created in 1997 by Werner Koch, GPG enables file and email encryption, digital signatures, and cryptographic key management. It is the reference tool for practical PGP use on Linux, macOS, and Windows. Integration with Thunderbird (via the Enigmail plugin, then natively since 2020) is the most common use case for email encryption. Tor Browser and Tails ship with GPG pre-installed. GPG development is primarily funded by donations, with Werner Koch as its historic maintainer.

Guard Node

Also known as: entry node

First relay in a Tor circuit, kept stable for each user over several months.

A guard node, or entry node, is the first relay used in a Tor circuit. It is the only node that sees your real IP address (since it receives your direct connection). To limit risks, Tor uses a small set of stable guard nodes for several weeks to several months per user, rather than changing them with each connection. This strategy, called "entry guards" and introduced in 2005, reduces the probability that an adversary controlling a fraction of the network can correlate your entry and exit traffic. Being selected as a guard node requires excellent bandwidth and long-term relay stability.

Guardian Project

Collective of developers building open-source privacy tools for mobile platforms.

The Guardian Project is an international collective of developers and researchers who design open-source software focused on security and privacy, primarily for mobile platforms. Founded in 2009 by Nathan Freitas, the project is behind Orbot (Tor proxy for Android), Orfox (predecessor of Tor Browser for Android), ObscuraCam (photo blurring), Briar (peer-to-peer messaging), and several other tools used by journalists and activists around the world. The Guardian Project receives funding from the Open Technology Fund, the Freedom of the Press Foundation, and individual donors, and regularly collaborates with the Tor Project on mobile versions of its tools.

H

Hidden Service (Onion Service)

Also known as: hidden service, onion service

Website accessible only via Tor, whose host remains anonymous.

A hidden service (or onion service since v3) is a server accessible only through the Tor network, via a .onion address. Its key feature is preserving the anonymity of both the connecting client and the hosting server. The architecture relies on Introduction Points (which announce the service's existence) and a Rendezvous Point (where client and server meet without either knowing the other's IP address). Hidden services are used for a wide variety of purposes: media outlets (BBC, NYT), whistleblowing platforms (SecureDrop), messaging apps (Ricochet), marketplaces, personal blogs, and more.

Hidden Wiki

Historic directory of .onion links, existing in several versions.

The Hidden Wiki is a collaborative directory of links to .onion services, appearing in the earliest days of the Tor network. The name actually refers to several successive and competing sites, each presenting itself as the "real" Hidden Wiki. The concept is open and various communities maintain their own versions. The Hidden Wiki organises links by category: search engines, forums, marketplaces, hosting, media, financial services. The reliability of entries varies depending on successive administrators, some of whom have been accused of deliberately listing scams in exchange for commissions. Despite its imperfections, The Hidden Wiki remains an important sociological document on the evolution of the dark web.

Honeypot

Trap site designed by law enforcement to identify targets.

A honeypot is an IT device designed to attract attackers or targets and collect information about them. In the dark web context, several high-profile cases have involved law enforcement taking over a marketplace and continuing to operate it in order to identify sellers and buyers. Operation Bayonet in 2017 is the most publicised example: after shutting down AlphaBay, Dutch police took control of Hansa (the second-largest marketplace) and kept it running for a month, gathering evidence leading to dozens of arrests. Honeypot operations are now a standard tool in dark web investigations.

HSDir (Hidden Service Directory)

Tor relay responsible for publishing and distributing hidden service descriptors.

HSDir nodes (Hidden Service Directories) are Tor relays bearing the "HSDir" flag in the consensus, selected to publish and distribute hidden service descriptors via the Distributed Hash Table (DHT). When a .onion service starts up, it publishes its descriptor to six specific HSDir nodes (determined by an algorithm based on the .onion address and timestamp). Clients wishing to connect to the service query these same HSDirs to obtain the descriptor. This decentralised architecture makes blocking hidden services difficult: one would have to identify and attack all six HSDirs to prevent access to a given service.

I

I2P

Also known as: invisible internet project

Anonymous network alternative to Tor, designed for internal services rather than clearnet browsing.

I2P (Invisible Internet Project) is an alternative anonymisation network to Tor, launched in 2003. Its architecture differs: I2P favours communications internal to the network ("eepsites") rather than clearnet browsing. I2P tunnels are unidirectional (one tunnel for sending, another for receiving), which complicates certain correlation attacks. I2P is considered technically more resilient for certain use cases, but its adoption remains far lower than Tor's. The two networks are complementary: Tor for anonymously accessing the clearnet and .onion services, I2P for strictly internal communications within an alternative network.

Introduction Point

Relay that announces the availability of a hidden service on the Tor network.

An Introduction Point is a Tor network relay chosen by a hidden service to announce its availability. The hidden service publishes in the network's Distributed Hash Table (DHT) a list of its Introduction Points signed by its private key. When a client wants to connect to the hidden service, it retrieves this list, contacts an Introduction Point, and proposes a Rendezvous Point for the actual connection. This architecture allows the hidden service to remain invisible while still being reachable: Introduction Points never know the real IP of the service, only a Tor circuit leading to it. Introduction Points are renewed regularly to limit risks.

K

Kill Switch

Mechanism that automatically cuts the Internet connection if the VPN or Tor drops.

A kill switch is a safety device that automatically cuts the Internet connection if the VPN or Tor tunnel stops working, preventing traffic from leaking in plaintext. Without a kill switch, a momentary VPN disconnection (session renewal, network reconnection) would cause traffic to fall back to the regular connection, revealing your real IP to visited sites. Major VPN clients (Mullvad, ProtonVPN, IVPN) include a configurable kill switch. Tor Browser handles this natively by closing connections that do not pass through Tor. On Tails, the architecture is designed to block all traffic that has not passed through Tor, forming a structural kill switch.

L

Log (Activity Log)

Record of activities on a server or application.

A log is a chronological record of activities on a computer system: connections, HTTP requests, errors, transactions. On the standard web, server logs allow administrators to diagnose problems but also expose users' privacy (IP addresses, pages visited, timestamps). On Tor, network nodes are designed to retain as few logs as possible; a properly configured relay records nothing about the connections it handles. Responsible hidden services also maintain a strict no-logging policy. The claim "no log" has become a major marketing argument for VPNs, but its actual observance depends on the operator's good faith.

M

Mail2Tor

Free email service accessible via Tor, with no identity requirement.

Mail2Tor is an anonymous email service accessible via .onion, historically popular on the dark web. Registration requires no personal data: no phone number, no recovery email, no real name. Users obtain an address at @mail2tor.com or @mail2tor2.com that they can use to correspond. The service is free and maintained by volunteers. Limitations are real: restricted storage space, attachment limits, and notably the Mail2Tor domains are often classified as suspicious by Gmail and Outlook, which complicates communications with ordinary recipients. For confidential exchanges between informed parties, Mail2Tor nonetheless remains a reference option.

Malware

Also known as: logiciel malveillant

Software designed to harm, steal from, or take control of a system.

Malware (malicious software) is any software designed with malicious intent: stealing data, taking control of a system, encrypting files to demand a ransom, spying on the user, or using the machine for other attacks. The main families are viruses, worms, Trojans, ransomware, spyware, rootkits, and botnets. The dark web hosts both the malware marketplace (selling access, compromised accounts, stolen databases) and the tools to distribute them. Tor users must be particularly careful with files downloaded from the dark web, which are a prime infection vector.

Metadata

Contextual data describing a communication without revealing its content.

Metadata is information that describes a communication without revealing its content: who communicated with whom, at what time, from which device, via which protocol, with what message size. Metadata is often as revealing as the content itself: knowing that you called a suicide helpline at 2 a.m. is enough to draw conclusions, without listening to the conversation. Tor and E2EE messaging protect content but not always metadata. Tools like Ricochet Refresh or Briar go further by eliminating metadata at the server level too, since there is no server. Metadata analysis is at the core of modern intelligence.

Mixer (Tumbler)

Also known as: tumbler, cryptocurrency mixer

Service that blends crypto transactions to obscure the trail.

A mixer, or tumbler, is a service that blends cryptocurrency transactions from multiple users in order to obscure the trail on the blockchain. The principle: you send a certain amount to the mixer, which blends it with funds from other users, then returns an equivalent amount (minus a fee) from other addresses with no apparent link to the origin. Centralised mixers (Helix, Bitcoin Fog, ChipMixer) have been subject to prosecution for money laundering and most have been shut down. Decentralised protocols (Wasabi Wallet with CoinJoin, Samourai Wallet with Whirlpool) offer better legal and technical guarantees, but modern blockchain analysis tools can often unravel part of the mixing.

Monero

Also known as: XMR

Cryptocurrency designed for default anonymity, using ring signatures.

Monero (ticker XMR) is a cryptocurrency launched in 2014 and specifically designed to provide privacy by default, where Bitcoin exposes all transactions. Three main mechanisms ensure this privacy: ring signatures (a transaction is indistinguishable from those in the group it belongs to), stealth addresses (a recipient receives funds via a unique one-time address), and RingCT (transaction amounts are encrypted). On the dark web, Monero has progressively become the preferred cryptocurrency for sensitive transactions, at the expense of Bitcoin, deemed too traceable. US law enforcement agencies have offered significant bounties to develop Monero tracing tools, with no publicly acknowledged success to date.

O

obfs4

Pluggable transport that disguises Tor traffic as random data.

obfs4 (obfuscation 4) is a Tor pluggable transport — a module that transforms the appearance of Tor traffic to make it indistinguishable from random data. This obfuscation bypasses Deep Packet Inspection (DPI) systems used by states to detect and block Tor, such as the Great Firewall of China or Iranian filtering devices. obfs4 traffic appears as random data, with no identifiable protocol signature. To use obfs4, Tor Browser must be configured to connect via a compatible bridge. Several thousand obfs4 bridges are maintained by volunteers around the world. Other pluggable transports exist, notably meek (which mimics HTTPS traffic to Cloudflare or Azure) and Snowflake.

OnionShare

Open-source tool for sharing files anonymously without a third-party server.

OnionShare is an open-source application created in 2014 by Micah Lee, security engineer at The Intercept. It allows sharing a file (or folder, static site, or chat) via a .onion address generated locally on the sender's computer. No third-party server is involved: your computer itself becomes a temporary .onion server. The recipient accesses the address via Tor Browser and downloads directly from your machine. Once OnionShare is closed, the address disappears. The software is cross-platform (Windows, macOS, Linux) and is particularly used by journalists, lawyers, activists, and anyone wanting to share sensitive files without leaving traces on cloud services.

OpSec (Operational Security)

Also known as: operational security

Set of practices aimed at protecting critical information within an activity.

OpSec (Operational Security) refers to the set of practices that protect an activity or identity from information gathering by adversaries. Borrowed from military vocabulary, OpSec is a central concept in dark web culture: users learn to compartmentalise their identities, avoid recognisable patterns, never mix pseudonyms with their civil identity, and use technical tools correctly. Good OpSec includes the choice of operating system (Tails, Whonix), rigorous password management, caution in communications, metadata elimination, and time zone control. Most arrests on the dark web result from OpSec failures, not from flaws in the Tor protocol itself.

OSINT

Open-source intelligence: collecting public information for investigation.

OSINT (Open Source Intelligence) refers to techniques for collecting and analysing publicly available information: websites, social networks, official registries, satellite imagery, academic publications, government documents. Bellingcat, Forensic Architecture, and other journalistic collectives have popularised OSINT in modern investigation. Tools include Maltego, SpiderFoot, theHarvester, and Shodan. Investigative journalists often combine OSINT with confidential sources submitted via SecureDrop. Learning OSINT has become a baseline skill for field journalists, cybersecurity investigators, and intelligence analysts.

OTR (Off-the-Record)

Encryption protocol for instant messaging, with plausible deniability.

OTR (Off-the-Record Messaging) is a cryptographic protocol for instant messaging published in 2004. It provides end-to-end encryption, authentication, perfect forward secrecy, and above all "plausible deniability": messages received cannot be cryptographically proven to a third party, even if they are authenticated in real time by the recipient. OTR was widely used with Pidgin and Adium to encrypt XMPP and IRC conversations. The more recent OMEMO protocol has replaced OTR for XMPP, and Signal Protocol (Double Ratchet) has modernised the approach. OTR remains implemented in several privacy-focused messaging clients.

P

Perfect Forward Secrecy

Also known as: PFS, perfect forward secrecy

Cryptographic property guaranteeing that past messages remain unreadable if a key is compromised.

Perfect Forward Secrecy (PFS) is a property of cryptographic protocols that guarantees a long-term key compromise cannot decrypt past communications. Concretely, each session uses an ephemeral key derived cryptographically and deleted after use. If an attacker obtains the main private key months later, they cannot retroactively decrypt recorded exchanges. TLS 1.3, Signal Protocol, OTR, and Tor v3 handshakes implement PFS. It is a critical property against the "capture now, decrypt later" attack practised by intelligence agencies.

PGP (Pretty Good Privacy)

Historic standard for asymmetric encryption of emails and files.

PGP (Pretty Good Privacy) is an encryption program created in 1991 by Phil Zimmermann, which became the standard for asymmetric encryption of emails and files. The principle rests on a key pair: a public key (freely distributed) that anyone can use to encrypt a message addressed to you, and a private key (kept secret) that alone can decrypt it. The most widely used open-source implementation is GnuPG (GPG). On the dark web, PGP is a cultural standard: serious vendors publish their public key to receive encrypted postal addresses, while journalists publish theirs so sources can contact them in complete confidentiality. Keybase offers simplified management of PGP keys linked to social identities.

Plausible Deniability

Also known as: plausible deniability

Property that allows a person to credibly deny having done or said something.

Plausible deniability is the property that allows a person to technically credibly deny having done, said, or stored something. In cryptography, OTR offers plausible deniability for messages (impossible to prove authenticity to a third party after the fact). VeraCrypt offers plausible deniability through its hidden containers: one can reveal a password that gives access to innocuous content, while keeping a second password secret that reveals the true content. For activists and journalists in contexts where one may be compelled to reveal passwords, these mechanisms offer an additional layer of legal and physical protection.

Pluggable Transport

Tor module that transforms the appearance of traffic to bypass blocks.

A pluggable transport is an optional Tor module that transforms the appearance of network traffic to evade detection and blocking systems. Different pluggable transports exist, each suited to different censorship contexts. The most common are: obfs4 (indistinguishable random-looking traffic), meek (mimics HTTPS traffic to CDNs such as Cloudflare or Azure), and Snowflake (bounces via volunteer browsers using WebRTC). Pluggable transports are particularly useful in countries that practise Deep Packet Inspection (China, Iran, Russia). They are configured in Tor Browser via the "Use a bridge" option and are regularly updated to counter the evolution of censorship techniques.

ProPublica

American investigative newsroom, the first major media outlet to launch a .onion site.

ProPublica is an independent non-profit newsroom based in New York, founded in 2008, specialising in investigative journalism. It has received several Pulitzer Prizes for its investigations into finance, politics, public health, and inequality. In January 2016, ProPublica became the first major media outlet to launch an official .onion version of its site, well ahead of the New York Times, the BBC, and others. This initiative, led by Mike Tigas, aimed to offer sources and readers in at-risk countries traceless access to investigations. ProPublica also uses SecureDrop to receive confidential documents. The organisation has served as a model for the entire journalism ecosystem.

Proxy

Intermediary that relays requests between a client and a server.

A proxy is an intermediate server that receives requests from a client and forwards them to the destination server. Proxies can hide the client's identity from the server (partial anonymity), filter content, or cache responses. VPNs are a form of proxy with encryption. Tor is a form of chained proxy (multiple successive relays). SOCKS5 proxies are commonly used to redirect traffic from a specific application through Tor: Tor Browser's SOCKS proxy listens by default on port 9050. Unlike a VPN, a simple proxy generally offers no encryption between the client and itself.

R

Ransomware

Also known as: ransomware

Malware that encrypts the victim's data and demands a ransom to decrypt it.

Ransomware is malicious software that encrypts a victim's files and demands payment of a ransom, generally in cryptocurrency, to provide the decryption key. Major families (LockBit, BlackCat/ALPHV, Conti, REvil, Cl0p) sometimes operate as "RaaS" (Ransomware-as-a-Service): developers rent their malware to affiliates who carry out attacks. Negotiations and payments typically transit through the dark web, with "name and shame" sites for victims who refuse to pay. International police operations have dismantled several major groups in recent years (operation against LockBit in February 2024, Hive in January 2023), but the phenomenon remains a major cybersecurity problem.

Rendezvous Point

Relay where a client and a hidden service meet without revealing their IPs.

A Rendezvous Point is a Tor network relay where a client and a hidden service meet to establish a connection. The client proposes a Rendezvous Point via one of the hidden service's Introduction Points; the service, once informed, builds a circuit to this Rendezvous Point; both parties can then communicate through this common point, without either knowing the other's real IP address. This three-step architecture (Introduction Point, DHT publication, Rendezvous Point) is what allows a .onion service to be anonymously reachable by millions of users while itself remaining anonymous.

Ricochet Refresh

Serverless peer-to-peer messenger built exclusively on Tor.

Ricochet Refresh is an instant messaging application that relies exclusively on Tor hidden services. Each user runs a local .onion service, and conversations take place directly between participants' .onion addresses. No central server, no registration, no metadata collected anywhere other than on the participants' own devices. A user's identity on Ricochet is their .onion address, which they can renew at any time. Conversations are end-to-end encrypted and metadata is non-existent from an outside observer's perspective. Ricochet Refresh is the continuation of an original 2014 project, taken over and modernised by Blueprint for Free Speech. It is arguably the most anonymous messenger currently available for extreme privacy needs.

Riseup

Activist technology collective providing email, VPN, and mailing lists since 2000.

Riseup is an activist technology collective founded in 1999–2000 in Seattle by alterglobalist activists. For over twenty years it has provided infrastructure services — email, mailing lists, VPN, collaborative pads — to progressive social movements worldwide. Its .onion access allows activists to communicate without ISPs, employers, or governments being able to intercept their metadata. Riseup email accounts are obtained by invitation, to limit abuse. The collective is structured as a non-profit in the United States, with a deliberately distributed technical infrastructure. It has resisted several requests for access from US federal agencies and embodies an activist vision of technology.

S

SecureDrop

Open-source platform for anonymous communication between sources and journalists.

SecureDrop is an open-source platform that allows an anonymous source to transmit sensitive documents to a newsroom via a .onion interface. The project, initially designed by Aaron Swartz and Kevin Poulsen in 2013 under the name DeadDrop, was taken over by the Freedom of the Press Foundation after Aaron Swartz's death. SecureDrop's architecture involves several air-gapped machines inside the newsroom, physical authentication steps, and multi-layer end-to-end encryption. More than eighty major newsrooms worldwide use SecureDrop: the New York Times, Washington Post, The Guardian, ProPublica, The Intercept, Le Monde, Mediapart, and others. Several major leaks from the past decade have passed through this platform.

Silk Road

First major dark web marketplace, active from 2011 to 2013.

Silk Road was the first major dark web marketplace, launched in February 2011 by Ross Ulbricht under the pseudonym Dread Pirate Roberts. The platform enabled buying and selling of various goods, primarily drugs, with payment exclusively in Bitcoin. Its success was swift, with tens of thousands of active sellers and buyers. In October 2013, Ross Ulbricht was arrested in a public library in San Francisco and the site seized. Sentenced in 2015 to two life terms without the possibility of parole, Ulbricht became a symbol of debates over the severity of the US federal justice system. He was pardoned by Donald Trump in January 2025.

Snowflake

Pluggable transport using WebRTC to bypass Tor blocks.

Snowflake is a Tor pluggable transport launched in 2019 that uses WebRTC technology to circumvent blocking systems. Its originality lies in relying on "ephemeral proxies": volunteers around the world install a Chrome or Firefox extension that turns their browser into a temporary Tor relay while they are online. Users in censored countries are routed through these random proxies, making blocking particularly difficult (one would have to block every browser that opens WebRTC). Snowflake was massively used during the protests in Iran in 2022–2023, with hundreds of thousands of sessions per day. The project is maintained by the Tor Project with external contributions.

SOCKS5

Generic proxy protocol supporting all types of TCP traffic.

SOCKS5 is version 5 of the SOCKS (Socket Secure) protocol, a standard for generic proxies. Unlike an HTTP proxy that only handles web traffic, SOCKS5 can carry any type of TCP traffic (and optionally UDP): email, SSH, FTP, messaging apps, torrents. It supports multiple authentication methods and can operate with or without additional encryption. Tor exposes a local SOCKS5 interface on port 9050 (9150 in Tor Browser), allowing any SOCKS5-compatible application to be redirected through the Tor network. Most modern clients (Firefox, Thunderbird, IRC clients) natively support SOCKS5.

Stem (Python library)

Official Python library for interacting with the Tor protocol.

Stem is the official Python library for interacting with the Tor protocol, maintained by the Tor Project since 2012. It enables writing scripts that control Tor, monitor relays, publish hidden services, or analyse the network. The tools Nyx (command-line relay monitoring), OnionShare, and countless research projects rely on Stem. The library provides a complete API for all programmatic aspects of Tor: circuit construction, relay flag control, descriptor publication. It is the reference tool for developers who want to build applications integrated with Tor.

Stylometry

Statistical analysis of writing style to identify or distinguish authors.

Stylometry is a technique that statistically analyses the stylistic characteristics of a writer: word frequency, sentence structure, punctuation, specific vocabulary. These characteristics form a relatively stable "stylistic fingerprint" over time, which can serve to identify an anonymous author by comparing them to known texts. Famous legal cases have relied on stylometry (the identification of Unabomber Ted Kaczynski via his manifesto). For whistleblowers and journalistic sources, stylometry is a serious threat to anonymity: documents sometimes need to be reformulated to erase distinctive writing habits before publication.

T

Tails OS

Also known as: tails

Amnesic operating system booted from a USB drive, routing all traffic through Tor.

Tails (The Amnesic Incognito Live System) is a Debian-based Linux operating system designed to preserve privacy and anonymity. Its key feature: it boots from a USB drive without being installed on the hard disk, and all Internet traffic is routed by default through Tor. On shutdown, Tails leaves no trace on the host machine, unless the user has enabled an encrypted "persistent storage". The system includes Tor Browser, Thunderbird with Enigmail, KeePassXC, OnionShare, Electrum, and many other privacy tools by default. Tails is recommended by Edward Snowden and used by investigative journalists worldwide, particularly those working on especially sensitive cases.

TLS

Also known as: SSL

Encryption protocol used to secure web communications (HTTPS).

TLS (Transport Layer Security) is the protocol that secures most modern Internet communications, notably HTTPS for the web. The successor to SSL (obsolete since 2015), TLS is currently on version 1.3 (published in 2018), which considerably simplified the handshake and improved security. TLS ensures confidentiality, integrity, and authentication via certificates issued by certificate authorities. Let's Encrypt has democratised free certificate issuance since 2015. Native .onion services generally do not need TLS because the .onion address itself cryptographically authenticates the server, but some use TLS anyway for compatibility.

Tor Browser

Official Firefox-based browser providing access to the Tor network.

Tor Browser is the official browser developed by the Tor Project to access the Tor network. It is based on Firefox ESR (Extended Support Release) and pre-configured with a series of protections: plugins disabled by default, standardised browser fingerprint to counter fingerprinting, integration of HTTPS Everywhere and NoScript, and automatic routing of traffic via Tor. Tor Browser is free, open source, and available on Windows, macOS, Linux, and Android (via Google Play or F-Droid). An official iOS version does not yet exist; Onion Browser is the recommended alternative on iPhone. Keeping Tor Browser up to date is essential: updates patch security vulnerabilities that could compromise anonymity.

Tor Circuit

Chain of three Tor relays through which a user's traffic is routed.

A Tor circuit is the chain of relays through which a user's traffic is routed to achieve anonymity. A standard circuit comprises three nodes: an entry node (guard node), a middle node, and an exit node. Each packet is encrypted in successive layers, and each node can only decrypt the layer intended for it, knowing only the previous and the next node in the chain. Tor creates new circuits every ten minutes by default to reinforce anonymity. Hidden services (.onion) use a slightly different architecture involving Introduction Points and a Rendezvous Point.

Tor Project

American non-profit organisation that develops and maintains Tor.

The Tor Project is a non-profit organisation founded in December 2006 by Roger Dingledine and Nick Mathewson, based in Seattle. Its mission is to develop and maintain the Tor software and the associated ecosystem (Tor Browser, Tails, pluggable transports). The organisation is funded by individual donations, philanthropic foundations (Ford, Open Society, Knight), and government grants (notably via the US Open Technology Fund). This last funding source creates a paradox regularly noted: Tor is partly funded by the US government while being used by dissidents worldwide. The Tor Project employs around sixty people and coordinates thousands of volunteers who operate relays.

Tor2web

Gateway that allows accessing .onion services from a standard browser.

Tor2web was a project launched in 2010 by Aaron Swartz and Virgil Griffith that allowed accessing .onion services from an ordinary browser without installing Tor. One simply replaced ".onion" with ".tor2web.org" (or other domains) in the URL. This service simplified access but radically compromised anonymity: the gateway could see both the user and the service visited. The Tor Project has always advised against this use. The historic Tor2web project was officially shut down in 2018. Similar gateways continue to exist but remain inadvisable for any serious use.

Torrc

Main configuration file for the Tor software.

The torrc file is the main configuration file for the Tor software. It allows customising the program's behaviour: specifying a bridge, configuring a hidden service, adjusting a relay's exit policy, defining listening ports, enabling client or relay mode, and many other options. Editing torrc is necessary for advanced configurations: hosting a .onion site, operating as a relay or bridge, using specific obfuscated transports. The official Tor Project documentation exhaustively describes all available options. For everyday Tor Browser use, no modifications are necessary: the default settings are optimised for security and privacy.

Two-Factor Authentication (2FA)

Also known as: MFA, authentification forte

Authentication mechanism combining two distinct elements to strengthen security.

Two-factor authentication (2FA or MFA) combines two identification elements to secure an account: something you know (password) plus something you have (phone with OTP code, FIDO key) or something you are (biometrics). Modern standards favour TOTP applications (Google Authenticator, Aegis, Raivo) over SMS (vulnerable to SIM swap). FIDO2/WebAuthn keys (YubiKey, Nitrokey) offer the best security by being phishing-resistant. For sensitive accounts used via Tor, TOTP app-based 2FA is a minimum: SMS compromises privacy by linking the account to a real phone number.

V

Vanity Address

Also known as: adresse vanity

.onion address whose first characters form a readable word.

A vanity address is a .onion address whose first characters form a readable word or string, such as facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion for Facebook. These addresses are not freely chosen: they are generated by randomly computing billions of Ed25519 keys until one produces an address matching the desired prefix. The longer the prefix, the more time-consuming the generation. A six-character prefix may take a few hours on a powerful machine; an eight-character prefix several days; beyond that, the cost becomes industrially significant. Tools such as mkp224o facilitate generation. Vanity addresses are no more secure than random addresses, but they aid recognition.

VeraCrypt

Open-source disk and container encryption software, successor to TrueCrypt.

VeraCrypt is an open-source disk and container encryption application, launched in 2013 as a fork of TrueCrypt (mysteriously abandoned in May 2014). It allows encrypting entire partitions, USB drives, or creating encrypted containers that appear as ordinary files. Its "hidden volumes" feature offers plausible deniability: a container can hold two levels of content accessible via two different passwords, with no way to prove the existence of the second. VeraCrypt is cross-platform (Windows, macOS, Linux), included by default in Tails, and remains the reference for local encryption of sensitive data.

VPN (Virtual Private Network)

Encrypted tunnel masking your IP behind that of an intermediate server.

A VPN (Virtual Private Network) is an encrypted tunnel between your device and an intermediate server, through which all your Internet traffic passes. Sites you visit see the VPN server's IP address, not yours. Most VPNs are commercial (NordVPN, ExpressVPN, ProtonVPN, Mullvad, etc.) and their reliability depends entirely on the provider's stated logging policy and respect for privacy. Unlike Tor, a VPN is centralised: all your traffic passes through a single company, which could theoretically monitor you. The combined use of Tor + VPN is debated in the community: some scenarios can strengthen anonymity, while others weaken it. The Tor Project does not systematically recommend adding a VPN to Tor.

W

Warrant Canary

Also known as: canari judiciaire

Regularly published message that signals by its absence that a secret legal demand has been received.

A warrant canary is an indirect legal mechanism that allows an organisation to signal that it has received a secret legal demand (such as a National Security Letter in the United States, which recipients cannot publicly disclose). The principle: regularly publish a message stating "we have received no secret demands to date". If the message disappears or is no longer renewed, informed users can infer that a demand has been received. Apple, Reddit, Mullvad VPN, and other companies use this technique. Its legal validity has never been tested before US courts.

WebRTC Leak

Leakage of the real IP via the browser's WebRTC API, even behind a VPN or Tor.

WebRTC leaks are a privacy issue where a browser reveals the user's actual local IP address via the WebRTC (Web Real-Time Communication) API, normally used for peer-to-peer video conferencing. Even behind a VPN or Tor, WebRTC can reveal the real IP through STUN/TURN network discovery mechanisms. Tor Browser disables WebRTC by default to avoid this risk. VPN users with Chrome or Firefox should check their configuration (certain extensions or advanced settings can disable WebRTC). Sites such as browserleaks.com allow testing the integrity of anonymity.

Whonix

Operating system isolated into two virtual machines for intensive Tor use.

Whonix is a Debian-based operating system designed for anonymous and secure use. Its technical distinguishing feature is being composed of two isolated virtual machines: a "Gateway" that handles exclusively the Tor connection, and a "Workstation" where the user works. This architecture ensures that even if the Workstation is compromised by malware, it cannot discover the real IP address of the host machine — it only sees the Tor Gateway. Whonix runs inside VirtualBox, QEMU, or Qubes OS, and is complementary to Tails: where Tails is an amnesic system on a USB drive, Whonix is a persistent system for intensive daily use. It is the preferred solution for professional users with extreme security requirements.

Z

Zcash

Also known as: ZEC

Cryptocurrency using zero-knowledge proofs for optional anonymity.

Zcash is a cryptocurrency launched in 2016 that offers optional private transactions through zk-SNARKs (zero-knowledge cryptographic proofs). Unlike Monero where privacy is mandatory, Zcash allows choosing between transparent transactions (like Bitcoin) and "shielded" (encrypted) transactions. Addresses begin with "t" for transparent ones, "z" for private ones. The protocol was designed by leading academic cryptographers (Matthew Green, Eli Ben-Sasson, and others). Zcash is less used than Monero on the dark web because most users choose transparent transactions for convenience, but its cryptographic architecture is remarkable.

Zero-day

Also known as: 0-day, faille zero-day

Software vulnerability unknown to the vendor and therefore without an available patch.

A zero-day (or 0-day) is a security vulnerability unknown to the affected software vendor, and therefore without an available patch. Zero-day exploits have considerable commercial value: bug bounty programmes (paid by vendors to fix issues) offer rewards ranging from tens of thousands to several million dollars depending on the software, while grey markets (governments, intelligence agencies) and black markets (criminals) pay even more. Zerodium, Crowdfense, and other specialist brokers buy zero-days for several million dollars on certain critical software (iOS, Android, Chrome). Browsers such as Tor Browser are particularly attractive targets because exploiting a zero-day on Tor Browser allows de-anonymising users.

Going Further

This glossary is regularly expanded with new terms. A concept escapes you and is not listed here? Write to us and we will add the entry. Our other resources usefully complement this vocabulary: the OnionDir directory for legitimate .onion sites, our blog for more narrative explanations, our 50 fact-checked myths to separate fact from fiction, and our unusual FAQ for more unexpected questions.