How to Access the Dark Web Safely — Step-by-Step

Safe first session: device choice, verified Tor Browser install, settings, and behavior rules that determine whether the stack holds.

Zero Trace Hub Editorial · 8 min read

Most writeups stop at “download Tor.” That skips verified install, configuration, and the behavior that decides whether any of it holds. This guide covers device choice, Tor Browser with signature checks, settings, and the rules that actually matter.

Your threat model determines how far down this checklist you need to go. A curious researcher has different requirements than a journalist protecting a source in a hostile country. We'll flag which steps are critical for everyone vs. which are for higher-risk situations.

Step 1: Pick the Right Device

Your device is the foundation. Tor's routing protects your traffic in transit — it can't protect you from malware already on your machine.

Standard threat model (researcher, curious user): Use a personal computer you control, running a mainstream OS (macOS, Linux, or Windows). Don't use a work device. Don't use a shared computer.

Higher threat model (journalist, activist, whistleblower): Use Tails OS — an amnesic operating system that runs from a USB drive, leaves no trace on the host machine, and routes all traffic through Tor automatically. Tails is what we recommend for anyone who has a specific reason to protect their identity from a well-resourced adversary.

Whonix is another option: a pair of virtual machines where one (Gateway) handles Tor routing and the other (Workstation) handles your activity. More complex to set up than Tails, but usable on a persistent system.

For most readers: a dedicated browser profile on your personal machine, using Tor Browser, is an adequate starting point. Just don't use the same machine for dark web browsing and clearnet identity work in the same session.

Step 2: Install Tor Browser from torproject.org — Verify the Signature

Go to torproject.org. Download the Tor Browser for your operating system. This part is not complicated — the site is straightforward.

The step most people skip: verify the cryptographic signature before installing.

Why it matters: if you download from a compromised mirror or a phishing site, a malicious Tor Browser can deanonymize you from the start. Signature verification confirms you got the real binary signed by the Tor Project's key.

The Tor Project's signature verification guide covers the process for each OS. It requires GnuPG. On macOS with Homebrew, that's brew install gnupg. On Linux, gpg is usually already installed.

Verification takes 5 minutes. Skip it only if your threat model is low enough that a fake Tor Browser is not a realistic attack against you.
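A "Good signature" line only says that some key in your keyring signed the file, so the check that matters is whether the signer is the key you pinned. The sketch below is an added example, not code from the Tor Project or from this guide: it reads GnuPG's machine-readable status output and accepts the download only when the valid signature traces back to the pinned primary key. The function names, fingerprints and sample status lines are constructed for illustration; take the real fingerprint from the Tor Project's verification guide.

```python
import subprocess

# Constructed fingerprints for illustration only. Take the real primary key
# fingerprint from the Tor Project's verification guide.
PINNED_PRIMARY = "0123456789ABCDEF0123456789ABCDEF01234567"
SIGNING_SUBKEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# Status keywords that mean the signature must not be trusted.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_is_pinned(status_text, pinned_fpr):
    """True only if gpg reported a valid signature from the pinned primary
    key and reported no failed, expired or revoked signature."""
    pinned = pinned_fpr.replace(" ", "").upper()
    matched = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        if fields[0] in FAILURES:
            return False
        if fields[0] == "VALIDSIG" and len(fields) >= 2:
            # Field 1 is the key that made the signature (often a subkey);
            # field 10, when present, is the primary key it belongs to.
            signer = fields[10] if len(fields) > 10 else fields[1]
            matched = matched or signer.upper() == pinned
    return matched

def verify_download(package, signature, pinned_fpr):
    """Run gpg on a downloaded package and its detached .asc signature."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature, package],
        capture_output=True, text=True)
    return proc.returncode == 0 and signer_is_pinned(proc.stdout, pinned_fpr)

# Constructed status output: valid signature by a subkey of the pinned key.
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {SIGNING_SUBKEY} 2024-01-01 1704067200 0 4 0 1 10 00 {PINNED_PRIMARY}\n"
)
# Constructed status output: the file does not match its signature.
SAMPLE_BAD = "[GNUPG:] BADSIG 76543210FEDCBA98 Example Signer <signer@example.invalid>\n"
```
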

Step 3: Configure Tor Browser Security Level

Open Tor Browser and look for the shield icon in the toolbar. Set Security Level to Safest.

What each level does:

| Security level | JavaScript | Media | Fonts |
|---|---|---|---|
| Standard | Enabled everywhere | Enabled | System fonts |
| Safer | Disabled on non-HTTPS sites | Blocked | Restricted |
| Safest | Disabled everywhere | Blocked | Restricted |

Safest is the right default for dark web browsing. Yes, many .onion sites break without JavaScript — that's acceptable. Sites that require JavaScript to function are sites that can use JavaScript to fingerprint your browser, determine your screen resolution, probe your plugins, and potentially reveal identifying information.

If you need a site that requires JavaScript, evaluate that site specifically and consider whether you trust it enough to enable scripts for that domain.

Step 4: Disable Scripts Where It Matters

Tor Browser's Safest mode disables JavaScript globally, but there's more to script management than JavaScript alone.

A few additional practices:

  • Don't install browser extensions. Each extension you add makes your Tor Browser fingerprint more unique. The whole point of Tor Browser's defaults is that all users look identical. Plugins break that.
  • Don't change the window size. Tor Browser opens at a specific size to prevent screen-size fingerprinting. If you drag it to full screen, you've just revealed your screen resolution.
  • Don't open downloaded files while online. If a .onion site offers a PDF or document to download, open it offline (in an air-gapped environment or after disconnecting). Documents can contain external references that phone home and reveal your real IP.

The Tor Project's own documentation covers browser hardening in detail.

Step 5: Don't Log Into Clearnet Identities

This is the OPSEC rule that catches more people than any technical vulnerability. If you log into your Google account, your Facebook, your clearnet email, or any real-world identity while using Tor, you've connected your real identity to your Tor session. The fact that your traffic was routed through Tor no longer matters.

The browser isolation is simple:

  • Tor Browser: dark web activities, anonymous browsing
  • Your regular browser: everything connected to your real identity

Never mix sessions. Never carry cookies across them. If your threat model is high, use a separate physical machine for each.

This also applies to pseudonymous identities. If you've built an anonymous persona on the dark web, don't use the same username, writing patterns, or email address anywhere on the clearnet. Cross-linking identities is how operational security fails.

Step 6: PGP-Verify Any Onion Addresses You Trust

.onion addresses are long and ugly. facebookwkhpilnemxj7asber7cybz4os7vdfowqh.onion is Facebook's official Tor address — how would you know that without a trusted source telling you?

Two problems to solve:

Problem 1 — Typosquatting. Attackers generate .onion addresses that visually resemble real ones. One character off and you're on a phishing site.

Problem 2 — Address substitution. If a forum or resource you trust lists onion addresses, how do you know that list hasn't been tampered with?

The solution: PGP-signed address lists. When a service publishes its canonical .onion addresses signed with a known PGP key, you can verify the signature and trust the address. We verify market addresses this way — see how we vet markets for our process.

At minimum: get canonical .onion addresses from the service's own clearnet site (over HTTPS) rather than from forums or link aggregators.
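Both problems come down to comparing the address you are about to open against one you obtained from a verified source. The sketch below is an added example, not this site's vetting code: it assumes the v3 onion layout from the Tor rendezvous specification (56 base32 characters encoding a 32-byte public key, a 2-byte SHA3-256 checksum and a version byte), which this page does not describe. The function names and all addresses are constructed for illustration. It complements a signature check on the address list rather than replacing it.

```python
import base64
import hashlib

PREFIX = b".onion checksum"

def encode_v3(pubkey):
    """Build the v3 address for 32 key bytes (used here only for sample data)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(PREFIX + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"

def check_onion(candidate, pinned):
    """Classify candidate against an address taken from a verified source."""
    host = candidate.strip().lower()
    if not host.endswith(".onion"):
        return "malformed"
    label = host[:-len(".onion")]
    if len(label) != 56:
        return "malformed"
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:          # characters outside the base32 alphabet
        return "malformed"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(PREFIX + pubkey + version).digest()[:2]
    if version != b"\x03" or checksum != expected:
        return "bad-checksum"   # typo or corrupted copy
    if host != pinned.strip().lower():
        return "mismatch"       # well-formed, but not the address you pinned
    return "match"

# Constructed sample data (not real services).
PINNED = encode_v3(bytes(range(32)))
# A different key whose address shares the first 49 characters with PINNED.
LOOKALIKE = encode_v3(bytes(range(31)) + b"\xff")
# PINNED with a single character changed inside the checksum region.
TYPO = PINNED[:52] + ("a" if PINNED[52] != "a" else "b") + PINNED[53:]
```

A valid checksum only proves the string is a well-formed address. The lookalike case shows why all 56 characters must equal the pinned value, not just the part you can recognise at a glance.
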

Step 7: Plan an Exit

People don't think about this until they need it. Exiting a dark web session safely matters.

Close Tor Browser completely — don't just close tabs. Tor Browser's "New Identity" function creates a new Tor circuit, but actually quitting the browser is the cleanest break.

If using Tails: Tails wipes RAM on shutdown and leaves no trace on the host disk. Reboot into your normal OS when you're done.

Clear operational artifacts: If you wrote notes, downloaded files, or copy-pasted addresses, decide where those live. A notes app synced to the cloud is not a secure archive. For anything sensitive, use encrypted local storage or Tails' persistent storage with a strong passphrase.

Don't brag. What you accessed, when, and why — that's operational information. Keep it to yourself.

Frequently Asked Questions

Can I use a VPN instead of Tor to access the dark web?

No. A VPN alone doesn't give you access to .onion sites — you still need Tor for that. Adding a VPN on top of Tor (Tor-over-VPN) moves trust from your ISP to your VPN provider but doesn't eliminate it. For most threat models, Tor alone is the correct choice. For very specific situations (hiding Tor use from your ISP), bridges or obfuscated transports are better than a VPN.

Is Tor Browser safe to download?

Yes, from torproject.org — the official site. Verify the cryptographic signature to confirm you have the genuine binary. Don't download from third-party sites, app stores not officially endorsed by the Tor Project, or links in forums.

What's the first thing I should visit on the dark web?

The Tor Project's own .onion check page (check.torproject.org) tells you whether your Tor connection is working. Beyond that, Privacy Guides maintains a curated list of legitimate privacy-focused services with .onion mirrors.

Do I need to be technical to use Tor Browser?

Tor Browser is designed for non-technical users. The installation is the same as any browser. Signature verification requires a few command-line steps but the Tor Project documents them clearly. The security settings are a slider. The behavioral OPSEC — not logging into real accounts, not changing window size — requires discipline, not technical skill.
