About to use Tor. Any security tips?
Posted on 19 Jan 2019 by Matt Traudt. Last updated 25 Jul 2019 at 12:28 pm
If you're going to browse the web, use Tor Browser. Don't try to make Firefox, Chrome, or something else proxy its traffic over Tor. There is no combination of settings tweaks that produces as good of a product as Tor Browser. You will be essentially uniquely fingerprintable. You will not get Tor Browser's awesome state and traffic isolation.
The rest of this post assumes you want to browse the web.
Read Tor's suggestions on their download page.
This is where most people should stop giving concrete advice without knowing your adversary model. Nonetheless they keep going and suggest ...
- Adding a VPN
- Using Tails or Whonix
- Not logging in to "real" accounts over Tor
- Testing your fingerprint
- Adding extra extensions to Tor Browser
Adding a VPN
It sounds good, but it only helps in a small number of cases, does nothing in most cases, and hurts in a small number of cases.
If you're going to say something about
- hiding the fact you use Tor from your ISP
- adding extra hops
- but VPNs don't log
- Five eyes / geolocation
then read my blog post (linked above) first please.
This is unnecessary for the majority of adversary models and will make the web significantly less usable.
Using Tails or Whonix
Tails is overkill for the majority of adversary models. Tails is awesome though, for when you do actually need it.
I suggest neither for nor against using Whonix.
Not logging in to "real" accounts over Tor
There's generally nothing wrong with logging in to "real" accounts over Tor.
Tor Browser intelligently isolates your traffic so logging in to your "real" Facebook while doing secret stuff on a different website is not correlate-able via traffic patterns.
It also isolates local state (like cookies) so it won't leak that way.
Finally, most sites worth using and logging in to these days use HTTPS, making it impossible for exits to steal your credentials (and when they try, they get noticed by people monitoring the network for malicious relays and removed from the network).
Some places (especially banks) will treat you poorly if you visit them over Tor. I've heard that banks will generally lock your account until you contact them. But this is different than having security issues introduced, which is usually what people are thinking about when giving this advice.
Testing your fingerprint
If the site you use doesn't give you an "anonymity score" but just gives you a bunch of numbers and information you don't understand, don't read into it. Don't immediately assume that just because there is information being displayed to you that that information is identifying. Do some research (posting on Reddit as your first step is more similar to spreading FUD than research, so do that last please) and try to determine if the scary looking info is actually not scary at all.
Here is a non-exhaustive list of some things that may be used to track you that these sites tend to not test. Just because you are able to say that you've prevented these methods from being effective, that does not mean you are "untraceable."
Whether or not you are loading ads, tracking pixels, etc. can be part of your fingerprint (they aren't going to be able to track you in Tor Browser anyway).
In addition, Tor Browser tries to make you look like as many other Tor Browser users as possible, not like as many other people as possible. For example, hardly any Internet user has their browser open to exactly 1000x1000, but of those that do, they are all very similar because essentially all of them are using Tor Browser.
As already stated, these tests do not test for every little fact that can be fingerprinted.
Finally, these sites generally suffer from selection bias: they compare you to other people that have also taken their test, but this is not the same as comparing you to everyone else in the world who browses the web.
Please don't freak out over your vanilla Tor Browser "failing" a fingerprint test. It probably hasn't. Please do some research to see if your result is good or bad before running to Reddit.
Adding extra extensions to Tor Browser
Such as privacy badger or uBlock origin.
Privacy badger is either pointless (because bad ads and tracking scripts aren't going to be able to track you while you use Tor Browser anyway) or harmful (its blocking behavior is based on your behavior, so the pattern with which your browser is blocking stuff becomes more identifying to you).
uBlock origin is great for blocking ads and making the web faster. I use it in Firefox and most of the time in Tor Browser. However, using it will add to your fingerprint because now you are blocking ads ... unlike most Tor Browser users. Tails does include uBlock origin by default, but you will not be able to blend in with this group of people unless you are also using Tails. If you are fine with being more easily fingerprintable*, then perhaps uBlock origin is fine.
* Someone contacted me because they have actually tested how unique they were according to Panopticlick with and without uBlock (origin?). They saw with a default TB that 1/5000 have the same fingerprint as them, a relatively good result. With default TB and uBlock (origin?) they were unique in a pool of 200,000 people, a pretty bad result. This is a pretty big difference, and despite not knowing very much about their test setup and what else went into the results they saw, I must acknowledge that uBlock (origin?) makes you more than "slightly more fingerprintable", which was my previous claim. Thank you for reaching out. edit: the same person updated me to say that they ran the tests again, but with a very controlled setup. With both the original version of TB and the updated one that had been released, now they got exactly the same ~1/5000 (AKA good) result regardless of whether or not uBlock origin is installed. What changed? What happened? They don't know, and neither do I. So I point the reader back at the Testing your fingerprint section for why I don't think you should care very much about what a fingerprint test site tells you.
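The "Testing your fingerprint" section and the uBlock footnote above both come down to one mechanic: a test site counts how many browsers in its pool share your fingerprint and reports "one in N" (or the equivalent in bits). The script below is an added example, not code from this post or from any fingerprinting site. It builds two constructed pools (a Tor Browser pool where everyone shares the same user agent and 1000x1000 viewport, and a general-web pool with varied browsers), then scores the same profile against each. The user-agent strings, viewport list and pool sizes are made up for illustration; only the 1000x1000 viewport and the 5,000 / 200,000 pool sizes echo numbers from the post.

```python
"""Fingerprint rarity and selection bias, with constructed data.

Added example (not from the post). Shows (1) why a default Tor Browser
looks common against other Tor Browser users but unique against the
general web, and (2) why enabling an ad blocker moves you into a much
smaller group within the Tor Browser pool.
"""
from collections import Counter
import math

# Constructed profile. The UA string is a placeholder, not a real Tor Browser UA.
TB_DEFAULT = {
    "user_agent": "TorBrowser/8 (Windows NT 6.1)",
    "viewport": "1000x1000",
    "blocks_ads": False,
}


def fingerprint(attrs):
    """Canonical string for a set of browser attributes (order-independent)."""
    return "|".join(f"{k}={v}" for k, v in sorted(attrs.items()))


def build_tor_pool(size=5000, ublock_users=50):
    """Constructed pool of Tor Browser users: identical UA and viewport,
    a small minority running an ad blocker."""
    pool = []
    for i in range(size):
        attrs = dict(TB_DEFAULT)
        attrs["blocks_ads"] = i < ublock_users
        pool.append(fingerprint(attrs))
    return pool


def build_general_pool(size=200000):
    """Constructed pool of ordinary browsers: several UAs and viewports,
    about 30% blocking ads, nobody at exactly 1000x1000."""
    uas = ["Chrome/71 (Windows)", "Chrome/71 (Mac)",
           "Firefox/64 (Linux)", "Safari/12 (Mac)"]
    viewports = ["1920x937", "1366x625", "1440x789", "1536x722", "375x553"]
    pool = []
    for i in range(size):
        attrs = {
            "user_agent": uas[i % len(uas)],
            "viewport": viewports[i % len(viewports)],
            "blocks_ads": (i % 10) < 3,
        }
        pool.append(fingerprint(attrs))
    return pool


def score(attrs, pool):
    """Count how many browsers in `pool` (plus you) share your fingerprint.

    Returns the 'one in N' figure a test site would show (N = total / matches)
    and the same thing as surprisal in bits, log2(total / matches).
    """
    counts = Counter(pool)
    matches = counts[fingerprint(attrs)] + 1   # you are in the pool too
    total = len(pool) + 1
    return {
        "matches": matches,
        "one_in": total / matches,
        "bits": math.log2(total / matches),
    }


if __name__ == "__main__":
    tor_pool = build_tor_pool()
    web_pool = build_general_pool()
    with_ublock = dict(TB_DEFAULT, blocks_ads=True)
    for label, profile, pool in [
        ("default TB vs Tor Browser users", TB_DEFAULT, tor_pool),
        ("TB + ad blocker vs Tor Browser users", with_ublock, tor_pool),
        ("default TB vs general web", TB_DEFAULT, web_pool),
    ]:
        s = score(profile, pool)
        print(f"{label}: one in {s['one_in']:.0f} ({s['bits']:.1f} bits, "
              f"{s['matches']} matches)")
```

Against the Tor Browser pool the default profile is roughly "one in 1" (near zero bits), and turning on the ad blocker drops it to roughly one in 98; against the general-web pool the very same default profile is unique (one in 200,001, about 17.6 bits), because no one else has that viewport and UA. Nothing about the browser changed between those two scores, only the pool it was compared to, which is the selection bias the post describes.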