Tips For Tor Users

Tor

Tor is an incredibly useful tool for regular people, political dissidents, script kiddies, marketeers, pedophiles and state agencies like the FBI and NSA that receive billions in annual funding (these agencies have their equivalents in every country). It's important that you know what you're doing when you use it since almost every time a seemingly regular person is caught doing something illegal, it's a result of bad OpSec and also software exploits in your web browser or even OS (however even most exploits can be avoided through disabling JS). In this page I'll tell you what you should do to remain anonymous.

This page is open to criticism and I encourage you to do research with other resources in addition to this one, typically you shouldn't trust one single resource for all of your information especially if being compromised could result in a permanent loss of freedom. Not everyone will need to follow this guide, it's moreover suited to the incredibly paranoid and those that may truly need the security (i.e. if you're only using Tor for minor things such as browsing basic websites, doing sensitivive searches or even just browsing hidden services out of curiousity, you likely won't need to go this far).

This guide does not cover aspects that go beyond Tor usage such as ordering packages anonymously through darknet markets. This guide also does not cover how to securely and effectively host hidden services. Please refer to other sources if you need information about those topics.


Use The Tor Browser

The Tor Browser is based on Firefox-ESR with specialized patches which are specifically meant to maximize your security and anonymity online. The purpose of providing and recommending the Tor Browser is so that all users have an identical browser fingerprint, this helps improve anonymity as tracking you down would be way easier if you exposed a unique fingerprint, most of which are. When you use Tor on a different browser, you do not gain the patches and configuration by default and this exposes a lot, for example you are vulnerable to exploits of WebRTC which can reveal your main IP address and this can be pulled off quite easily. Though in theory you could match the configuration of the Tor Browser if you used the standard release of Firefox-ESR, it simply isn't worth the effort when the Tor Browser makes it just work by default. It's even worse if you use a closed-source browser or simply any browser that doesn't use the Gecko rendering engine, you are unnecessarily exposing yourself by using other browsers and you have virtually nothing to gain from it.

This also means that you shouldn't use Brave Browser's Tor mode or even GNU IceCat's Tor mode. Brave's own website even recommends using Tor Browser instead if you require something that really works. Brave is at least letting users know that their implementation of Tor isn't the best, however the FSF's IceCat shamelessly bundles it in without giving any explicit warning whatsoever.

Another important thing I should note, don't go fucking around in the about:config page. I know that power users and even ones that claim to know what they're doing in regards to Tor usage may shrug off this warning, but I can guarantee that you're not doing any good for anybody by fucking around with the default settings.

Don't Use Windows

Windows is a completely proprietary product with a history of insecurity as a result of its design and general user incompetence. Not even accounting for these features, Windows is a massive spyware-infested OS out of the box and Microsoft is in bed with organizations such as the NSA. Not using Windows is especially important if you use a shared computer with other people who may not be as tech-literate as you are (or maybe you're the tech-illiterate one, what do I know) and may possibly just download a virus without you even knowing. You need to utilize at the very least a Linux distro such as Debian, don't use distros like Manjaro, MX-Linux or Linux Mint which come bundled with proprietary spyware.

Preferably, you should use a specialized distro such as Tails or Qubes. Tails and Qubes both have a unique approach to security but both are also designed around using Tor in the most secure manor possible.

This should go without saying, but please refrain from using macOS too. Also refrain from using Android, hardening it to prevent all possible leaks is borderline impossible.

Identity Discipline

Tor anonymizes your connection to the outside world by routing your connection through three different relays run by volunteers and as a result any account or pseudonymous identity you manage to create over a Tor connection will be known to website operators and observers as an anonymous account. As an example, lets say you create a Reddit account over Tor, the Reddit admins will be able to see that you're a Tor user, this is fine as they won't know your real IP or who you really are. However all of that is ruined when you log into that same Reddit account over your standard connection without Tor, now the NSA and Reddit's admins know who you are for real, best thing you can do at that point is delete the account. The same applies to your real accounts that you regularly access, don't use them over Tor, you're not doing yourself any good by logging into your publicly available Facebook profile via Tor and in fact you might be unnecessarily compromising the security of your real accounts as bad exit relays may attempt to hijack your connection somehow.

To sum it up in simple terms; keep your regular internet accounts and anonymous internet accounts separate. The practice itself doesn't require any special skill, only discipline.

Avoid Creating Patterns

If you access Reddit over Tor at the same time of day, every single day, then you are creating a pattern. This pattern becomes more discernable if you log into an account as well each time. An observer could note that you are connecting to the Tor network and your pseudonym is accessing Reddit within the same time frame, if this pattern persists for a long enough time, that observer can make an educated guess and link your pseudonym to your real identity.

If you intend to regularly access one single webpage, at least try to diversify the times you access it and perhaps even the IP addresses you access it from, provided you have a laptop you can travel to certain areas such as a local coffee shop. I'd recommend using a bridge however since Tor connections may cause the admins of any publicly accessible network to investigate. Don't go to the same coffee shop or McDonalds location too regularly as the regular employees will be able to recognize you eventually (it doesn't help if you typically wear similar or the same clothes every single day either). Visit different places at different times, ensure that this is completely random! No patterns are acceptable.

Different places, different times of day, different frequency of visits. Just like with pseudonymous identity management, you must remain disciplined.

Be Careful In Public Spaces

To further elaborate from what I mentioned above, there may come a time when you need to (or maybe you just want to) use Tor over a public connection. Whether this be at your local library, a coffee shop, or an internet café. If you are in a place with freely accessible computers such as a library, do not use Tor from there. Virtually every library, internet café and office has spyware preinstalled to monitor user behaviour. If you're going to one of these places, bring your own laptop instead as you have the freedom to use it anywhere within that location instead of sitting at a backdoored PC where everyone can likely peek in on what you're doing.

Use bridges in public spaces at all times. Tor traffic is often blocked as it is much simpler to do than to deal with potential troubles with LE. If it isn't blocked, than it is likely going to attract attention from network administrators. Using bridges can mitigate both of these problems.

Run A Tor Relay From Home

Timing attacks and traffic analysis from sophisticated threat actors are something that Tor alone cannot mitigate. While the effectiveness of this strategy is debatable, it's worth a try plus you'll also help out the network. You can run a relay from the same IP you regularly use (do not run an exit relay or a bridge relay from home, only a normal relay) to relay traffic for other Tor users. This in theory should assist in obfuscating your traffic, making certain types of traffic analysis less effective as a result, improving your own anonymity. Under regular circumstances, an observer likely wouldn't be able to tell when you are connecting to Tor as you'd be constantly relaying Tor traffic at variable upload and download rates.

Consequently, you must run this relay as often as possible and never turn it off, running a relay is less useful if you're going to only activate it when you use Tor yourself.