Overview #
This report is part research, part field observation of the dark web.
I start by clearly defining the three layers that make up the web — the surface web, the deep web, and the dark web.
I then walk through Tor (The Onion Router) — the anonymization technology that's essential for reaching the dark web — its mechanics, its strengths, and its risks.
Finally, I use the Tor Browser to actually observe the dark web, and write up what I noticed and what it means from a security perspective.
1. What the dark web is (the layered web) #
Websites on the internet are often described in iceberg terms, partitioned into three layers based on accessibility and search-engine reach.

1-1. Surface web #
What it is #
The surface web is the set of websites indexed (and therefore searchable) by general-purpose search engines like Google or Bing, and reachable from ordinary browsers like Firefox or Chrome.
Characteristics #
- Search engine crawlers can follow links and add the pages to their indexes.
- Includes the websites most people use day to day — news, blogs, e-commerce, public-facing social media pages.
- Browsable with a regular browser in a default configuration. No special setup required.
- Said to make up only a relatively small fraction of all internet content (the "tip of the iceberg" metaphor).
A caveat #
"Easily accessible" doesn't equal "safe" — phishing sites, misinformation, and malware distribution are all alive and well on the surface web. Don't lower your guard just because something is in plain sight.
1-2. Deep web #
What it is #
The deep web is web content that can't be indexed by search-engine crawlers, and so doesn't show up in general search. Content goes unindexed when it requires a login, has a structure that crawlers can't traverse, is excluded by robots.txt, and so on.
Examples #
- Pages behind authentication that external crawlers can't reach — your online banking balance, your email inbox.
- Academic-paper databases, legal/medical/government portals, internal corporate intranets.
- Dynamically generated pages (search results), pages with virtually no inbound links from outside.
- It's described as "deep" in the sense that it isn't indexed and so is hard to find via search.
Characteristics #
- Almost all of it is legal and ordinary — authenticated information, private content, internal company resources.
- Most of it is reachable with an ordinary browser; no special encrypted network is required.
- The volume is enormous — much larger than the surface web by most estimates.
From a security perspective #
- It contains a lot of authenticated and private data, which makes accidental exposure (an internal database becoming public-search-indexable, say) a major source of breaches.
- "We know it exists, but it's hard to reach" makes the deep web an important focus area for security operations and monitoring.
1-3. Dark web #
What it is #
The dark web typically refers to the subset of the deep web that lives on anonymized, purpose-built networks and cannot be reached with an ordinary browser by ordinary means. In other words, the part of the "hidden web" that requires special tools — Tor Browser, I2P, etc. — to access.
Examples #
- Domains like .onion: outside ordinary DNS, outside the regular publicly accessible structure of the internet.
- Communications routed across multiple nodes with anonymization and encryption, designed to be hard to trace.
- Higher-stakes uses: data leaks and sales, dark markets, anonymous communication, journalists and whistleblowers.
A famous example (Silk Road): the most famous dark market on the dark web was Silk Road. It existed on the Tor network and traded primarily in illegal drugs, anonymously, until the FBI took it down in 2013. The case became a symbol of two things at once: the criminal use of the dark web's anonymity, and authorities' real ability to track perpetrators down.
Characteristics #
- A relatively small slice of even the deep web.
- Reaching it requires a specialized browser and configuration. Effectively undiscoverable through normal search engines.
- Defined by its anonymity and resistance to tracing, and for those same reasons often associated with illegal and high-risk activity.
- Not everything there is illegal. There are legitimate uses too — circumventing censorship, posting anonymously about sensitive topics.
2. Tor (The Onion Router) #

Tor is mostly known for "accessing the dark web" and "circumventing censorship," but at its core it's a technology for anonymizing your communication path.
2-1. The basic mechanism #
Tor hides your communication path through multi-hop relaying.
Between the client and the destination site, traffic passes through multiple intermediate nodes (relays).
Diagram #
Client → Node A → Node B → Node C → Destination server
In this arrangement:
- Node A knows the client's IP address but not the final destination.
- Node C (the exit node) knows the destination server but not who originated the request.
- Node B is just a midpoint and only knows the nodes immediately before and after it.
This structure makes it extremely difficult to map a sender to a specific receiver.
2-2. Why "Onion"? #
Tor's traffic uses layered encryption.
The data is wrapped in multiple encryption layers, and each node can only decrypt the layer addressed to it.
The mental image: peeling back an onion one layer at a time to reach the inside. Hence "Onion Router."
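The relay views from 2-1 and the layering from 2-2 can be reproduced in a toy model. This is an added example, not part of the original report and not Tor's real cell format or key exchange: the hash-based cipher, the JSON layer format, and the names `seal`, `peel`, `build_onion`, `route` and `demo` are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    # Toy SHA-256 counter keystream, a stand-in for a real stream cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Add one layer: encrypt, then MAC so a wrong key is detected (toy construction)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def peel(key, blob):
    """Remove one layer; fails unless the layer was sealed with this key."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("this layer is not addressed to this relay")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(path, keys, destination, payload):
    """Client side: wrap the payload innermost-first, one layer per relay."""
    blob = payload
    for name, nxt in reversed(list(zip(path, path[1:] + [destination]))):
        blob = seal(keys[name], json.dumps({"next": nxt, "data": blob.hex()}).encode())
    return blob

def route(path, keys, blob):
    """Relay side: each hop peels its own layer and learns only (previous, next)."""
    view, prev, hop = {}, "client", path[0]
    while hop in keys:
        layer = json.loads(peel(keys[hop], blob))
        view[hop] = (prev, layer["next"])
        prev, hop, blob = hop, layer["next"], bytes.fromhex(layer["data"])
    return view, hop, blob

def demo():
    # Constructed keys and payload; a real client negotiates a key with each relay.
    keys = {name: os.urandom(32) for name in ("A", "B", "C")}
    onion = build_onion(["A", "B", "C"], keys, "destination", b"GET / HTTP/1.1")
    return keys, onion, route(["A", "B", "C"], keys, onion)
```

Note that what leaves relay C is exactly the payload the client supplied: if that payload is plain HTTP rather than TLS, the exit relay can read it.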
2-3. Tor Browser #

Tor Browser is based on Firefox, and it routes traffic through the Tor network automatically.
Features:
- Your IP rotates via random exit nodes.
- Cookies and history are kept to a minimum.
- JavaScript and tracking are restricted by default.
- HTTPS is enforced (HTTPS Everywhere is built in).
2-4. Sites accessible via Tor (.onion) #
Tor uses the special .onion domain.
These domains aren't registered in normal DNS — they can only be resolved and reached from inside the Tor network.
Example:
http://facebookcorewwwi.onion/ (Facebook's official Tor site)
Because .onion sites are highly anonymous, they're used for legitimate purposes too:
- Free speech in countries where the surface web is censored.
- Safe communication for journalists and whistleblowers.
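Because .onion names are never meant to reach ordinary DNS (RFC 7686 reserves the suffix), a .onion query in a resolver log is a leak worth flagging. The added example below, which is not from the original report, scans constructed log lines and classifies each name: 16-character labels such as the Facebook address above are the legacy v2 format, while 56-character v3 labels carry a checksum that can be verified offline. The log format, the sample key and all function names are assumptions.

```python
import base64, hashlib, re

# Capture the label directly in front of ".onion" in a log line.
LABEL_RE = re.compile(r"([a-z0-9-]+)\.onion\b", re.I)

def v3_checksum(pubkey, version=b"\x03"):
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def make_v3(pubkey):
    # address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
    raw = pubkey + v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"

def classify(label):
    label = label.lower()
    if not re.fullmatch(r"[a-z2-7]+", label) or len(label) not in (16, 56):
        return "malformed"
    if len(label) == 16:
        return "v2-legacy"
    raw = base64.b32decode(label.upper())  # 56 chars decode to 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03" or checksum != v3_checksum(pubkey):
        return "bad-checksum"
    return "v3-valid"

def onion_dns_leaks(log_lines):
    """Return (client, name, verdict) for each .onion name seen in DNS logs."""
    hits = []
    for line in log_lines:
        m = LABEL_RE.search(line)
        if m:
            client = line.split("client=")[1].split()[0]
            hits.append((client, m.group(0).lower(), classify(m.group(1))))
    return hits

# Constructed sample data: the 32-byte key below is not a real service's key.
SAMPLE_V3 = make_v3(bytes(range(32)))
# Flip one character inside the checksum field to simulate a typo or lookalike.
TYPO_V3 = SAMPLE_V3[:52] + ("b" if SAMPLE_V3[52] == "a" else "a") + SAMPLE_V3[53:]
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z client=10.0.0.5 query=example.com type=A",
    f"2024-05-01T10:00:02Z client=10.0.0.7 query={SAMPLE_V3} type=A",
    f"2024-05-01T10:00:03Z client=10.0.0.7 query={TYPO_V3} type=A",
    "2024-05-01T10:00:04Z client=10.0.0.9 query=facebookcorewwwi.onion type=A",
]
```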
2-5. Strengths and risks #
Strengths
- Hard to trace your IP address.
- Communication paths are anonymized — strong privacy posture.
- Provides free access in countries with state-level censorship.
Risks
- An exit node can eavesdrop on unencrypted (HTTP) traffic passing through it.
- The network also hosts malware and phishing sites.
- Latency is high — multiple hops add up.
3. VPN (Virtual Private Network) #
A VPN — Virtual Private Network — builds a "virtual leased line" over the public internet to establish a secure communication path.
3-1. The intended purpose (encryption and security) #
A VPN's primary job is to keep traffic safe.
Data is encapsulated (a technique called "tunneling") and encrypted along the way. That keeps third parties from intercepting or tampering with your traffic on, say, a café or airport public Wi-Fi. (It's also an effective defense against the ARP spoofing we experimented with earlier.)
Beyond that, VPNs are used for connecting back to a corporate intranet from home for remote work, or for reaching content with geographic restrictions (geo-blocking).
3-2. The misuse angle (no-logs policies) #
Because a VPN replaces your traffic's source IP with the VPN server's, it has the side-effect of hiding where you connected from.
Some VPN providers maximize user privacy with a "no-logs policy" — they retain no records of your connection times, destinations, or traffic content.
The policy itself is great for privacy, but that same anonymity gets exploited too: covering tracks for cyberattacks and other illegal activity. With no logs, attribution and criminal investigations become much harder.
4. Observation (visiting via Tor Browser) #
I used Tor Browser to actually visit pages on the dark web (.onion sites). Here's what I observed.
Lab setup and precautions #
- Environment: to be safe, I installed Tor Browser inside a Kali Linux VM and isolated its traffic from the host OS.
- Encryption: on top of Tor, I enabled NordVPN's double-VPN feature for extra layering.
- What I did: to avoid both encouraging misuse and tempting myself to dig in, I'm omitting the specific techniques I used. I focused on the difference in indexing accuracy versus surface-web search engines and on the kinds of sites that come up.
What it actually felt like #
Speed was crawling — predictably, given how many proxies the traffic threads through. Day-to-day usage isn't remotely viable.
I came across plenty of innocuous sites — Facebook, personal pages.
But I was also surprised by how easily visible the illegal sites were. Many of the sites I came across functioned like e-commerce storefronts trading in firearms, drugs, fake IDs, leaked data dumps. Almost all of them transacted in cryptocurrencies like Bitcoin.
That fits — cryptocurrencies are anonymous enough that even if a site is taken down, buyers stand a decent chance of escaping prosecution behind that anonymity.

5. Reflections and analysis #
Here's what I took away from the research and the observation, and what I noticed from a security perspective.
Reflections: The chaotic image conjured up by the phrase "dark web" doesn't entirely match reality. Many sites (despite their dated visual design) are run in quite a professional and orderly way. At the same time, you can clearly see openly illegal information and services being traded out in the open. Anonymization technology has a genuinely double-edged character.
Analysis (from a security perspective):
Anonymization tech is a powerful shield for journalists and activists fleeing political repression — and an equally powerful cloak for cybercriminals avoiding attribution. The fact that ransomware groups host their leak sites on .onion domains is a strong signal that monitoring the dark web is not optional for defenders (blue teams) gathering threat intelligence. The exit-node eavesdropping risk is also worth re-emphasizing: even when using Tor, end-to-end HTTPS still matters.