Tor vs HTTPS TLS: What Each Protects and Why You May Need Both

HTTPS (TLS encryption) and Tor (anonymous routing) are frequently compared as if they were alternatives, but they protect against different threats and are complementary rather than competing technologies. HTTPS protects the content of communications between a client and server but does not hide who is communicating or which servers are being accessed. Tor hides who is communicating and which servers are being accessed but depends on the honesty of the operator of the exit relay. Understanding exactly what each technology protects against - and what each leaves exposed - helps users make informed decisions about when each is necessary.

What HTTPS TLS Protects

TLS (Transport Layer Security) provides: (1) content encryption - the data transmitted between client and server is encrypted, preventing network observers from reading the content, (2) server authentication - the TLS certificate verifies the server's identity, preventing man-in-the-middle attacks that substitute a different server, (3) integrity - TLS provides message authentication codes ensuring the data was not modified in transit.

What TLS does not protect: the IP address of the connecting client is visible to the server and to network observers (the ISP can see you connected to example.com even if it cannot read the content), the SNI (Server Name Indication) field in the TLS handshake reveals the domain name to network observers even before the encrypted channel is established (SNI is sent in the clear in standard TLS 1.2/1.3 unless ECH - Encrypted Client Hello - is used), and DNS queries to resolve the server's domain name reveal browsing destinations to the DNS resolver.

What Tor Adds to HTTPS

When Tor is used to access an HTTPS site: the client's IP address is hidden from the destination server (the server sees the Tor exit relay's IP), the client's connection destination is hidden from the ISP (the ISP sees only that the client is using Tor, not which sites are visited), DNS resolution is performed by the Tor exit relay (the client's DNS queries are not visible to local DNS resolvers), and multiple layers of encryption protect traffic on each relay hop.

What Tor does not add on top of HTTPS: Tor exit relays for clearnet HTTPS sites can see the domain name (via SNI) and the connection metadata, though HTTPS encrypts the content. Malicious exit relays could perform SSL stripping attacks if HTTPS is not strictly enforced - hence the importance of HTTPS for any sensitive content even when using Tor.

Threat Model Matrix: When Each Is Sufficient

Threats and which technology addresses them:

ISP monitoring your browsing destinations - requires Tor (HTTPS does not hide destinations from the ISP).
Government surveillance of which sites you visit - requires Tor.
Server knowing your real IP - requires Tor.
Public WiFi attacker reading your communications - requires HTTPS (Tor helps, but HTTPS is the primary protection).
DNS-based censorship blocking sites by domain - requires Tor (or encrypted DNS).
Content of your communications being read - requires HTTPS (Tor alone without HTTPS leaves the exit relay able to read content).
Verifying that you are communicating with the real server - requires HTTPS (Tor does not provide server authentication).

Combining Tor with HTTPS addresses all of these threats simultaneously - this is why the Tor Project recommends using HTTPS while using Tor, and Tor Browser enforces HTTPS where available.

Encrypted Client Hello (ECH) and Tor

Encrypted Client Hello (ECH) is a TLS extension that encrypts the SNI field, hiding the destination domain from network observers during the TLS handshake. This addresses one of the remaining clearnet leaks: ISPs can see domain names from SNI even for HTTPS connections. ECH encrypts the SNI using a public key published by the destination server. ECH adoption is growing (Cloudflare supports ECH, major CDNs are implementing it). ECH + HTTPS provides stronger privacy than standard HTTPS without ECH. However, ECH does not hide the destination IP address (ISPs can still see that you connected to Cloudflare IPs and infer likely destinations). Tor provides destination IP hiding that ECH cannot. For maximum privacy: Tor (hides IP) + HTTPS with ECH (hides domain name in TLS) provides comprehensive protection against network-layer surveillance.

Practical Guidance: Using Both Together

For everyday privacy-sensitive browsing: use Tor Browser (which integrates Tor with HTTPS enforcement) rather than configuring Tor separately. Tor Browser enables HTTPS-Only Mode by default and automatically upgrades HTTP to HTTPS where available. For hidden services (.onion): TLS is optional because Tor provides transport encryption, but HTTPS with a certificate adds defense in depth. For clearnet sites via Tor: HTTPS is essential - exit relays can potentially read unencrypted HTTP traffic. Tor Browser enforces HTTPS for clearnet sites to prevent this. To summarize why both are used: Tor provides network anonymity (WHO is connecting to WHAT), while HTTPS provides content privacy (WHAT is the content of the communication). They are complementary layers addressing different aspects of privacy.
