
About to use Tor. Any security tips?

Posted on 19 Jan 2019 by Matt Traudt

Last updated 10 Feb 2019 at 9:50 am

If you're going to browse the web, use Tor Browser. Don't try to make Firefox, Chrome, or something else proxy its traffic over Tor. There is no combination of settings tweaks that produces as good of a product as Tor Browser. You will be essentially uniquely fingerprintable, and you will not get Tor Browser's awesome state and traffic isolation.

The rest of this post assumes you want to browse the web.

Read Tor's suggestions on their download page.

This is where most people should stop giving concrete advice without knowing your adversary model. Nonetheless they keep going and suggest ...

Adding a VPN

It sounds good, but it only helps in a small number of cases, does nothing in most cases, and hurts in a small number of cases.

If you're going to say something about

then please read my blog post (linked above) first.

Disabling JavaScript / setting the security slider to its highest setting

This is unnecessary for the majority of adversary models and will make the web significantly less usable.

The only people who have had significant JavaScript exploits used against them in Tor Browser were pedophiles using Windows. This suggests to me (and to security experts in general, i.e. not people who read "tech news" and parrot everything they read) that these exploits are rare, expensive, and hard to replace. Thus they aren't going to be used against random people, because the risk of the exploit being discovered and fixed is too great.

Setting the security slider to its highest setting does remove JavaScript as a possible attack vector. So as long as you set it there consciously and are aware that much of the web may break, I support your choice to disable it. I especially support it if you have legitimate concerns that JavaScript exploits may be used against you, not just dumb paranoia.

Using Tails or Whonix

Tails is overkill for the majority of adversary models. Tails is awesome though, for when you do actually need it.

I neither recommend for nor against using Whonix.

Not logging in to "real" accounts over Tor

There's generally nothing wrong with logging in to "real" accounts over Tor.

Tor Browser intelligently isolates your traffic, so logging in to your "real" Facebook while doing secret stuff on a different website is not correlatable via traffic patterns.

It also isolates local state (like cookies) so it won't leak that way.
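The two kinds of isolation just described can be modelled in a few lines. The following is an added example, not Tor Browser's or tor's code: it approximates Tor Browser's first-party isolation, where the first-party (URL-bar) domain is sent as the SOCKS username together with a per-session secret as the password, so that tor (with its default IsolateSOCKSAuth behaviour) puts each first-party site on its own circuit, and where cookies are stored in a jar keyed by that same first-party domain. The suffix table, the exact credential format and the `IsolatedSession` API are assumptions made for the example.

```python
"""Toy model of Tor Browser's per-site circuit and cookie isolation (added example)."""
import secrets
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real implementation
# uses the full list to find the registrable domain (eTLD+1).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "onion"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'www.facebook.com' -> 'facebook.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return host.lower()  # no known suffix: treat the whole host as the site


def first_party(url: str) -> str:
    """The isolation key for a tab: the registrable domain in the URL bar."""
    return registrable_domain(urlsplit(url).hostname)


class IsolatedSession:
    """One browser session: circuit credentials and cookie jars keyed by first party."""

    def __init__(self):
        # Per-session secret (assumed format): a fresh value per start means a
        # restart never reuses circuits from a previous session.
        self._nonce = secrets.token_hex(8)
        self._jars = {}  # first-party domain -> {(resource host, cookie name): value}

    def socks_credentials(self, top_level_url: str):
        """(username, password) handed to tor's SOCKS port; tor keys circuits on this
        pair, so different first parties never share a circuit."""
        return (first_party(top_level_url), self._nonce)

    def set_cookie(self, top_level_url, resource_url, name, value):
        """Store a cookie set by resource_url while the URL bar shows top_level_url."""
        jar = self._jars.setdefault(first_party(top_level_url), {})
        jar[(urlsplit(resource_url).hostname, name)] = value

    def get_cookie(self, top_level_url, resource_url, name):
        """A third-party script only sees cookies it set under this same first party."""
        jar = self._jars.get(first_party(top_level_url), {})
        return jar.get((urlsplit(resource_url).hostname, name))


def shares_circuit(session: IsolatedSession, url_a: str, url_b: str) -> bool:
    """True when two tabs would be multiplexed over the same tor circuit."""
    return session.socks_credentials(url_a) == session.socks_credentials(url_b)


if __name__ == "__main__":
    s = IsolatedSession()
    print(shares_circuit(s, "https://www.facebook.com/", "https://m.facebook.com/x"))  # True
    print(shares_circuit(s, "https://www.facebook.com/", "https://example.org/"))      # False
    # Constructed scenario: the same tracker script is embedded on both sites.
    s.set_cookie("https://www.facebook.com/", "https://tracker.net/p.js", "id", "abc")
    print(s.get_cookie("https://example.org/", "https://tracker.net/p.js", "id"))    # None
```

The last three lines are the point of the cookie half: a tracker loaded on both sites sets a cookie while you are on one of them and cannot read it back from the other, so local state does not link the two visits any more than the circuits do.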

Finally, most sites worth using and logging in to these days use HTTPS, making it impossible for exits to steal your credentials (and when they try, they get noticed by people monitoring the network for malicious relays and removed from the network).

Some places (especially banks) will treat you poorly if you visit them over Tor. I've heard that banks will generally lock your account until you contact them. But this is different from having security issues introduced, which is usually what people are thinking about when giving this advice.

Testing your fingerprint

Using websites such as Panopticlick to see how anonymous you are.

You should not conclude that you're super mega anonymous because you get a good result from these websites. These websites do not test for every little thing that can be fingerprinted, and they do not try every fingerprinting method for getting a specific fact: they rely heavily on JavaScript and do not fall back on alternative methods of fingerprinting if JS is disabled. As a result, with JS disabled you will falsely conclude that you're extra anonymous.

Here is a non-exhaustive list of some things that may be used to track you that these sites tend to not test. Just because you are able to say that you've prevented these methods from being effective, that does not mean you are "untraceable."

In addition, Tor Browser tries to make you look like as many other Tor Browser users as possible, not like as many other people as possible. For example, hardly any Internet user has their browser open to exactly 1000x1000, but of those that do, they are all very similar because essentially all of them are using Tor Browser.

Finally, these sites generally suffer from selection bias: they compare you to other people that have also taken their test, but this is not the same as comparing you to everyone else in the world who browses the web.
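The three problems above (no non-JS fallback, the wrong reference crowd, and selection bias) come down to one formula: a fingerprint test reports log2(visitors / visitors matching you) bits of identifying information, computed only over the attributes it managed to observe and only against the people who took the test. The following added example, with constructed populations and attribute names rather than data from any real test site, computes that number for a JS-off visitor with an unusual window size and for a default Tor Browser user against two different crowds. The rule that window size is only observable via JavaScript, and the population sizes, are assumptions of the example; swapping the `visitors` argument is what the selection-bias point is about.

```python
"""Toy model of what a Panopticlick-style fingerprint test reports (added example)."""
from math import log2

JS_DEPENDENT = {"window"}  # constructed assumption: the toy test learns window size only via JS


def observable(visitor):
    """Attributes a JS-reliant test can record for one visitor. With JS disabled
    it has no fallback measurement, so those attributes simply vanish."""
    if visitor["js"]:
        return dict(visitor)
    return {k: v for k, v in visitor.items() if k not in JS_DEPENDENT}


def _matches(key, records):
    return sum(1 for r in records if all(r.get(k) == v for k, v in key.items()))


def crowd_size(partial, population):
    """How many members of population share every attribute given in partial."""
    return _matches(partial, population)


def reported_bits(subject, visitors):
    """Bits the test reports: computed over what it could observe, for the subject
    and for earlier visitors alike. The subject counts as one visitor."""
    seen = [observable(v) for v in visitors] + [observable(subject)]
    return log2(len(seen) / _matches(observable(subject), seen))


def true_bits(subject, visitors):
    """Same calculation over the full attribute set, i.e. what an observer with a
    non-JS fallback for the missing attributes would measure."""
    seen = list(visitors) + [subject]
    return log2(len(seen) / _matches(subject, seen))


# Constructed populations.
COMMON_WINDOWS = ["1920x1080", "1366x768", "1536x864", "1440x900", "1280x720"]

# 2000 ordinary Firefox users: one in ten has JS off, nobody uses a 1000x1000 window.
GENERAL = [
    {"ua": "Firefox", "js": i % 10 != 0, "window": COMMON_WINDOWS[i % len(COMMON_WINDOWS)]}
    for i in range(2000)
]

# 1000 Tor Browser users: all 1000x1000, the first 50 have disabled JS.
TOR = [{"ua": "TorBrowser", "js": i >= 50, "window": "1000x1000"} for i in range(1000)]

FIREFOX_NO_JS = {"ua": "Firefox", "js": False, "window": "1000x1000"}
TOR_DEFAULT = {"ua": "TorBrowser", "js": True, "window": "1000x1000"}

if __name__ == "__main__":
    print("1000x1000 windows among general users:", crowd_size({"window": "1000x1000"}, GENERAL))
    print("1000x1000 windows among Tor Browser users:", crowd_size({"window": "1000x1000"}, TOR))
    print("Firefox, JS off, odd window: reported %.2f bits, true %.2f bits"
          % (reported_bits(FIREFOX_NO_JS, GENERAL), true_bits(FIREFOX_NO_JS, GENERAL)))
    print("Default Tor Browser: %.3f bits among Tor users, %.2f bits among general users"
          % (true_bits(TOR_DEFAULT, TOR), true_bits(TOR_DEFAULT, GENERAL)))
```

Two things to read off the output. The JS-off Firefox user is told they are about 3.3 bits identifiable because the test never saw the window size, while anyone who can measure that size without JS finds roughly 11 bits, i.e. unique among the two thousand. The default Tor Browser user scores as unique against general web users but blends into the Tor crowd to within a fraction of a bit, which is the comparison that actually matters for that user.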

Stop freaking out over your vanilla Tor Browser "failing" (in your mind) a fingerprint test. It probably hasn't.

Adding extra extensions to Tor Browser

Such as Privacy Badger or uBlock Origin.

Privacy Badger is either pointless (because bad ads and tracking scripts aren't going to be able to track you while you use Tor Browser anyway) or harmful (its blocking behavior is based on your behavior, so the pattern with which your browser blocks stuff becomes more identifying of you).

uBlock Origin is great for blocking ads and making the web faster. I use it in Firefox and most of the time in Tor Browser. However, using it will add to your fingerprint because now you are blocking ads ... unlike most Tor Browser users. Tails does include uBlock Origin by default, but you will not be able to blend in with this group of people unless you are also using Tails. If you are fine with being slightly more fingerprintable, then perhaps uBlock Origin is fine.

tags: tor, tor-browser