I will be attempting to update this post somewhat regularly, so check back from time to time! I'll be sure to make it known when I've updated.

As always, I welcome your input—if you agree, disagree, have additions, have questions—please speak up! Feel free to reach out to me on Social Media or by Email (details at bottom of post). Let's talk and learn from each other. I'll try my best to respond as much as I can, even if it takes me a little bit of time to do so. :)

UPDATED 11/01/2020 (See Changes)

Contents

• Encrypting Web Traffic
  • VPN
  • Tor
    • VPN + Tor?
  • DNS Requests
• Encrypting Communications
  • SMS/MMS and Voice Calls
  • Email
  • Private Messaging, VoIP, and/or Video Chat
• Encrypting Synced Data
  • All-in-One Solution
  • Passwords
  • 2FA/MFA/OTP
  • Contacts & Calendar Sync
  • Personal Notes / Journals
  • Documents
  • Cloud Storage
• Encrypting Collaborative Projects & File Sharing
  • Communication for Teams
  • Shared Documents
  • File Sharing
• Encrypting Your Files
  • Encrypting System Drives
    • Android
    • iOS
    • Linux
    • Mac
    • Windows 10
  • Encrypting Flash Drives / External Drives
  • Encrypted Folders / Partitions
• Hiding Files and Secret Messages in Plain Sight with Steganography (Coming soon!)
• Contact Me

Encrypting Web Traffic

There are currently two excellent, reliable ways to encrypt your web traffic that are widely used: a VPN and TOR. Let's talk about both. I will also touch on DNS encryption at the end of the section.

VPN

VPN stands for Virtual Private Network, and a good, trustworthy VPN is an indespensible tool in the fight for privacy. A VPN will generally allow you access a collection of servers across multiple countries and continents. You may have seen people using VPNs to access Netflix or YouTube content from different regions, which is definitely a nice perk, but not why I'm bringing them up.

When you connect to a website, your IP address is logged. We could dive deeper into why this might be problematic, but if you're reading this, I'm assuming you've already got some semblance of an idea. In very short terms, that IP can be used to track you around the web, from site to site, mostly for marketing purposes (and potentially reasons more sinister). A VPN worth its salt will encrypt your request to connect to a site and any other data you may be uploading, then ferry it safely to a remote server before decrypting it and directing it where it's meant to go. The beauty of this is twofold:

1. Your true IP address will not be revealed to the sites you visit, as it will only see the remote server's IP, from which hundreds or thousands of varying connections are made daily, effectively obscuring your identity and habits online.
2. Your ISP (Comcast, TWC, Century Link, AT&T, Verizon, etc.) will only see your encrypted traffic headed to a single remote server, and not where it goes after. Essentially, they have no idea what you're doing on the web, either.

This is not a foolproof method of achieving anonymity, however. Why? Because your VPN can see your true IP and exactly what you're doing with it. This is where things get tricky, and why it's so crucial to use a reputable VPN service.

I can make a few recommendations on VPNs I've found worthy of my own trust, but first I want to detail a couple of the important facors that I look for in a VPN:

• Loglessness. There's nothing from stopping a VPN service from claiming to be logless and collecting logs anyway, so there is absolutely an element of trust needed here. My personal view is that for any privacy strategy to work, you are going to have to need to be able to place trust in certain organizations and tools—it's inevitable. We just have to do our homework and practice with failsafes/redundancy when we can.
• Jurisdiction. In general, I am skeptical of VPNs based in the USA or China, as their privacy laws are less than stellar. A VPN based somewhere like Switzerland, however, would be subject to their remarkably forward-thinking privacy laws. Depending on your own unique use-case, you may want to consider where your VPN provider is headquartered. In researching this, you may see terms like “Five Eyes,” “Nine Eyes,” or “Fourteen Eyes” come up. This is a detailed subject, so I recommend skimming this article to get a better idea of what this means for you.
• Leak Protection. Ideally, the VPN service will have a mitigation in place for DNS Leaks.
• Security. Arguably the most important aspect, the VPN provider needs to offer strong encryption protocols (ideally AES-128 or AES-256, avoid blowfish or anything below 128-bit encryption).
• Monetization. VPN services are expensive operations to run, and as such, any VPN that is provided at no charge should draw immense skepticism. You must consider how they monetize their service to properly evaluate if it will be an asset to your privacy.

Luckily, comparing all of these traits and more has been made extricably easy by That One Privacy Guy through the detailed VPN comparison chart on his site, aptly named That One Privacy Site. Use this resource, please.

My Recommendations: I personally feel comfortable using and recommending Mullvad, Proton VPN, Nord VPN, or Mozilla VPN (which piggybacks on Mullvad's servers).

A Note on PIA: I was a Private Internet Access user for a long time, but many are unaware that they were recently purchased by Kape Technologies, a less-than-reputable PLC that, at one time, created adware and has since rebranded as a “cybersecurity” company. I am not aware of any major changes to their policies since the acquisition, so they may still be a fine service, but the purchase was a major red flag for me and I can no longer comfortably recommend the service.

You can host your own VPN at no cost, but this is only recommended if you have the knowledge and means to do so properly, for your own security.

Tor

Tor differs from a VPN in a few key ways. Tor is The Onion Routing network, and it is a free global network of nodes that can only be accessed via the Tor Browser that runs on donations. When you connect, your web activity is encrypted and routed through a series of 3 random nodes BEFORE it makes a connection. While you can use the Tor browser to access “Clearnet” (or “normal”) websites, it also offers the ability to visit Onion sites. These are sites accessible only via the Tor network and provide an additional layer of protection.

Both Tor and VPNs are exceptional tools for privacy, and while there's a bit of overlap, they both have unique strenths that will make them each better suited for different use-cases. Here is a more technical breakdown to help decide if a VPN or Tor is better for you.

For more information on using Tor, see my recent post on How to Get The Most Out of Tor in 2020.

VPN + Tor?

So if VPNs are good, and Tor is also good, wouldn't they be better together? This is where things get a little messy, because it depends on who you ask. Many very knowledgable folks make the argument that using a VPN with Tor can compromise your anonymity. I personally subscribe to the idea that using Tor over a VPN (not the other way around) can significantly improve your anonymity, and here is my reasoning:

1. Your ISP can see you're using Tor, so going VPN > Tor means that your ISP won't know you're using the Tor network.
2. As far as data transfer, your packets will go VPN server > Tor Node #1 > Tor Node #2 > Tor Node #3 > Target Site, so whether or not you use a VPN, the site you're connecting to is only gonna see the IP of the Tor exit node, not the VPN server's IP.
3. The entry node will see your IP, but it sees your real IP, anyway. Using a VPN can hide your IP from the entry node, but this requres that you have a trustworthy VPN provider that is truly logless, and that you pay for the service by reasonably anonymous means.

As far as I can tell, if done right, the only downside would be a terribly slow connection (VPNs and Tor will both take a hit on your connection speeds). Since there are some valid arguments for both sides of this old, rusty coin, I will not give you a definitive answer on whether it's right for you. Luckily, a community-managed wiki for The Tor Project has created an excellent post on this subject, so I highly recommend giving it a read.

If you have any thoughts on this, please let me know. Let's discuss! I'm here to learn, too.

DNS Requests

A Domain Name System (or DNS) server works much like an old school phone operator. When you type reddit.com into your browser, you are calling in to say, “Hello, I would like to be connected to my old pal, Reddit.” The operator will then find the phone number (or IP Address) of Reddit and help direct the connection. If you had no idea what a DNS server was, you are most likely using the DNS provided by your ISP. Many may also be using Google's DNS option, as it's quick and reliable. In both cases, your DNS requests (or the sites you are trying to visit) are unencrypted and logged by a third-party. Much like a VPN, it is possible to host your own private DNS server. This is a great option if you have the know-how and the resources to set it up properly, but it won't hardly be the most accessible option for many.

For those that use a VPN, many VPN providers include their own secure DNS. This is great! This means you don't have to do anything special while the VPN is running. If your provider offers DNS leak protection, please note that it is not recommended that you try to use DNS over TLS or DNS over HTTPS, as it can invalidate the protection.

If you are not using a VPN with an included DNS or are still in need of a quick and easy solution, there are lots of DNS choices out there, so I've narrowed them down to a few that I have found to be reputable enough. You'll want to make sure that the provider you choose is equipped with DNSSEC and supports some kind of encrypted tunneling protocol, such as DoT (DNS over TLS) or even better, DNSCrypt (see below chart for more info).

*Please note: Cloudflare claims that their logging is extremely minimal. Regardless, many users around the internet do not trust them as an organization. I have been unable to find enough evidence to make a truly informed recommendation regarding Cloudflare's reputability, but I am including them because, at this time, they at least appear to be committed to offering a private, secure alternative DNS. They are also the fastest DNS out there by a notable margin. I personally would opt for another choice—such as Quad9—in the interest of privacy, but I did want to include this one as a more private alternative to Google DNS for the performance freaks.

You can find a much more comprehensive comparison chart with more options where I borrowed some of this information from, on PrivacyTools.io. As mentioned above, DNSCrypt is highly recommended. To use it, you need only download a client from their website and run it. In the client, you can typically select from numerous supported DNS options, but while they are all secure options, not all of them are necessarily the most private options. This is why it's important to look over the supported choices on sites like PrivacyTools and go in knowing what you're using.

If you choose not to—or are unable to—use the DNSCrypt client on your chosen device, here is a quick and dirty guide to change your DNS server on any device courtesy of HowToGeek.

Encrypting Communications

For some, like journalists and whistleblowers, encrypted communications are vital to their work—and in some areas, their survival. For others, we simply don't want our private messages parsed for marketing data. Both cases are completely valid. I firmly believe that everyone has a use for legitimately private communication and that it should be easily obtainable. As of today, fortunately, it is for many of us.

Here are some recommendations for a mix of paid services and FOSS (free and open source software) for communication that provide E2EE (end-to-end encryption*). What this means is that all communications are fully encrypted on your device (“clientside”) and decrypted only upon arriving at the receiver's device. E2EE exists to promise the user a zero-knowledge service, meaning that even the company themselves cannot read your messages, nor could any government-based or malicious actors that compromise their servers. They can only be deciphered on your physical device.

**Please note that for all of the following, the other user must use the same tool in order to get the most protection from them.*

SMS/MMS and Voice Calls

• Signal (Android/iOS/Linux/Mac/Windows) [FOSS] – An SMS application by Open Whisper Systems that can handle both plain, unencrypted text messages with anyone AND E2EE text messages with other Signal users (for mobile users—on PC, it will only allow private messaging between other Signal users). It is endorsed by Edward Snowden himself and widely used in both private and public sector by cybersecurity professionals and government officials alike. There are alternatives and forks out there, but they are not cross-compatible with Signal. Some prefer alternatives, as Signal does require a phone number on sign up, but since Signal dominates this particular niche, you're going to find way more people are already using this one, so it's easily my preferred recommendation. Signal is also capable of E2EE voice and video calls. I'm often surprised at how many of my friends and contacts are already using Signal once we swap numbers.
• MySudo (Android/iOS) [PAID] – MySudo is a closed-source service by Anonyome Labs that allows users to create multiple “Sudos” or alternate identities, each with their own phone number and email address. All texts, calls, and emails between other MySudo users are free and E2EE, but you need to pay for a subscription service to take advantage of the full suite of tools. Theoretically, one could have a Sudo for personal matters, a Sudo for work, and a Sudo for finance. Let's say they leave a job or their work phone number becomes otherwise compromised—they could simply kill that number and get a new Sudo. Some users will even go so far as to never give out their actual cell number, and instead rely only on Sudo numbers. This can be a very practical way to compartmentalize your life and conceal one of your most sought-after digital assets. In my experience with it, the numbers are often rejected by businesses and online retailers that demand a phone number, but it's excellent for Craigslist dealing and many other situations.

Email

• Protonmail (Android/iOS/Linux/Mac/Windows/Web) [FOSS/PAID] – ProtonMail is a Swiss-based, open source email service with an incredible dedication to privacy, security, and zero-knowledge. They take security so seriously, in fact, that their datacenter is located in a underground in a guarded bunker beneath 1,000 meters of solid stone. I shit you not, they are Bond-villain-level committed. You can read more about their security features here, including offerings such as self-destructing messages. They also have an onion address and can therefore be accessed securely via the Tor network. ProtonMail is handily the service that I feel most comfortable recommending out of anything else in this guide.
• Tutanota (Android/iOS/Linux/Mac/Windows/Web) [FOSS/PAID] – ProtonMail is a tough act to follow, but Tutanota manages to be a serious contender as another open source, privacy-conscious email provider. If for any reason you opt not to go with ProtonMail, Tutanota is a swell alternative. > Bonus Tip:

If you are communicating with another individual that is not also using your same secure email provider, you can still use PGP encryption to secure your communications. Here's a great guide to getting started with PGP in Mozilla Thunderbird, which should work with almost any email provider. If you opt to use ProtonMail, they also allow you to send PGP encrypted emails very easily, right in the web browser! Here is their guide for PGP with non-ProtonMail users.

Private Messaging, VoIP, and/or Video Chat

• Wire (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Wire is an open source, Swiss-based tool for private messaging, video chat, and voice chat. You can easily create group chats, perform screen sharing, send GIFs, and more. Of course, all communication in the app is E2EE. It's my preferred alternative to Skype, Teams, and other similar tools. In my personal experience, it has also performed better and provided more stability across all platforms than some of the more commercial offerings. It's a brilliant piece of software and I highly recommend it.
• Briar (Android) [FOSS] – Briar is a unique messenger for two reasons: it offers more than just messaging with blogs, forums, and groups; it also has the ability to connect to nearby users without an internet connection. It is the only messenger I know of that will allow you to send messages locally over Bluetooth, which could be handy in a number of scenarios. For the Tor users, it also give you the option to connect over the Tor network, which is a huge perk. At the time of writing, it is only available for Android.
• Mumble (Linux/Mac/Windows/Web) [FOSS] – Mumble is an open source alternative to Discord. It's a low-latency messenger and audio chat program built for gamers. I haven't used this one much, but my experiences have been good, if only brief.
• Pidgin + OTR (XMPP) (Tails) [FOSS] – If you are using the Tails live operating system, Pidgin is a great Tor-friendly messenger option, pre-installed and configured out of the box for you. Here is a video with a detailed guide on getting this set up. Snopyta offers a solid private XMPP server that you can use over Tor, but you can also always look to Calyx Institute or RiseUp, among others.
• Rocket.Chat (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Simply put, this is a free, open source, self-hostable replacement for Slack and other team-based collaborative chat platforms. All communication is E2EE. This platform comes highly recommended for companies, online communities, collaborations, or even just a friendly group chat.
• Jitsi Meet (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Jitsi Meet is an open source tool for video conferencing. It works similarly to Zoom, but performs better and offers a significantly more private and secure experience. If you use Zoom for work, I do recommend looking into whether you could get others on board with switching.

Encrypting Synced Data

We sync a lot of data with the cloud. Like, a lot a lot. Contacts, calendars, notes, photos, etc. These details could be particularly sensitive, as they are quite personal. This information is regularly collected by many of the apps you have on your phone—and by your phone's own operating system—to generate a targeted-marketing profile on you. They're also generally stored unencrypted, making them vulnerable to malicious actors who manage to compromise your device or a network to which you're connected. Luckily, we can fix this.

All-in-One Solution

• NextCloud (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – You can think of Nextcloud like having your own personal Dropbox or OneDrive. It can sync files, calendar, contacts, notes, and more between a myriad of devices. It even has plug-ins available that expand functionality, and you can even use it for secure video calling. This is a reasonably elegant solution, and it pairs well with Cryptomator for an additional layer of security. There is a cost to this option, however: this is a service that must be hosted. This means you will either need a private server of your own to host it on, or you will need to pay a web-hosting provider to borrow space on their servers. If this is not teneble for you, please check out the individual services below. If you're looking to rent a server, there are many, many reputable VPS solutions out there—but I like to recommend wölkli.

• Syncthing (Android/Linux/Mac/Windows/More) [Foss] – This is a tool that will allow for seamless, continuous background syncing of files, folders, and directories between multiple devices. There is no central “cloud” server here, so your data is transfered securely between only your own devices.

Passwords

• Bitwarden (Android/iOS/Linux/Mac/Windows/Firefox/Chromium/Web) [FOSS/Paid] – Bitwarden is among the very few “online” password managers that I feel comfortable recommending. One major reason is that it can be self-hosted, if you have the means. If not, I still feel Bitwarden is the best password manager with syncing capability. It's convenient, it has all the bells and whistles you might want (such as auto-fill), and it's a zero-knowledge, open source solution from a reputable company. It's every bit as secure as those syncing their KeePassXC databases with Cryptomator, but significantly easier to manage.

2FA/MFA/OTP

• Authy (Android/iOS/Chromium) [Free] – 2FA is one of the best things you can do for your own security, and Authy makes it pretty simple. Some will be concerned that Authy is not open source, and some will take issue with the fact that your 2FA codes sync with their servers. These are absolutely valid concerns, and for you, there are great options like AndOTP (Android) or KeePassXC (Multi-platform) out there; however, these apps won't sync your access tokens and you are responsible for manually creating your own backups. In my own personal research, I feel comfortable recommending Authy, particularly to those that are apt not to use 2FA due to the inconvenience, as Authy is about as convenient as 2FA gets and it is nearly always better to use 2FA than not. Authy is zero-knowledge and will sync your keys in an encrypted state. By default, Authy can only be used on a single device for your security, but you can opt to sync between multiple devices with a simple toggle in the app settings. If anything ever happens to your device, your access tokens will be backed up securely and automatically, so you don't have to worry about being locked out of an account—just don't forget your backup password.

Contacts & Calendar Sync

• Etesync (Android/iOS/Linux/Mac/Web) [FOSS/PAID] – Etesync is an open source, zero knowledge tool for transparently syncing your contacts and calendars in the background. It's based on DAVDroid, but with some much-needed security enhancements. The syncing itself is encrypted, and then the data is stored in an encrypted state locally. The best part is that you can use any Calendar or Contact apps you like—even the stock ones—and while your data will be displayed in those clients, they cannot actually parse the data. See the FAQ for more information. It's also worth noting that they have recently added note syncing capability, and it is possible to host your own Etesync instance.

Personal Notes / Journal

• Joplin (Android/iOS/Linux/Mac/Windows) [FOSS] – Joplin is a multi-platform note taking solution with markdown support and multiple ways to organize notes. It can be synced securely with your Nextcloud server, via WebDAV, or other cloud storage services. It's the most feature-rich option in this list, as well, and it's completely free and open source.
• Etesync Notes (Android/iOS) [FOSS/Paid] – Still in beta, this is a newly-released alternative to Joplin that syncs directly to your Etesync account. I have not tested it thoroughly, but I can say with certainty that it's a project worth keeping an eye on, at least.
• Standard Notes (Android/iOS/Linux/Mac/Windows) [FOSS/Paid] – This app is open source, but some of the more premium features are locked behind a paywall. For this reason, it's not my app of choice while robust options like Joplin are freely available, but it does offer a slightly different approach and a more elegant interface that many are sure to appreciate.
• Turtl (Android/Linux/Mac/Windows) [FOSS] – I know people who swear by this app. I really wanted to love it, but I have always found this one a bit of a struggle to use, in my personal experience. That said, it is an excellent, highly secure option if it works for you!

Documents

• CryptPad (Web) [FOSS] – The web editors are based on OnlyOffice, my preferred Office suite. I find that it's really easy to edit in the web browser, but it's also quite simple to move local files to the cloud and vice versa.

Cloud Storage

• Cryptomator (Android/iOS/Linux/Mac/Windows) [FOSS] – Cryptomator allows you to quickly and easily create an encrypted folder on your local machine. This folder can be synced with any cloud service (NextCloud, OneDrive, Dropbox, etc.) to secure your files and prevent even “big data” cloud providers like Google or Microsoft from knowing what it is that you're storing. This is my own recommendation, but there are alternatives that appear solid, like CryFS.

• Cryptee (Android/iOS/Linux/Mac/Windows/Chrome OS) [FOSS/Paid] – Cryptee is a cloud service for storing photos, documents, and other personal data. A meager 100 MB of storage space is offered at no cost, but there are paid plans available up to nearly 2 TB. This is an excellent alternative to Google Photos/Drive and similar such cloud storager offerings.

Encrypting Collaborative Projects & File Sharing

Communication for Teams

• Rocket.Chat (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Simply put, this is a free, open source, self-hostable replacement for Slack and other team-based collaborative chat platforms. All communication is E2EE. This platform comes highly recommended for companies, online communities, collaborations, or even just a friendly group chat.
• Jitsi Meet (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Jitsi Meet is an open source tool for video conferencing. It works similarly to Zoom, but performs better and offers a significantly more private and secure experience. If you use Zoom for work, I do recommend looking into whether you could get others on board with switching.
• Wire Pro/Enterprise (Android/iOS/Linux/Mac/Windows/Web) [FOSS] – Wire is an open source, Swiss-based tool for private messaging, video chat, and voice chat. You can easily create group chats, perform screen sharing, send GIFs, and more. Of course, all communication in the app is E2EE. It's my preferred alternative to Skype, Teams, and other similar tools. In my personal experience, it has also performed better and provided more stability across all platforms than some of the more commercial offerings. It's a brilliant piece of software and I highly recommend it.

Shared Documents

• CryptPad (Web) [FOSS] – The web editors are based on OnlyOffice, my preferred Office suite. I find that it's really easy to edit in the web browser, but it's also quite simple to move local files to the cloud and vice versa. This suite of tools includes the ability to share documents between teams, with real-time updating and editing capability.

File Sharing

• Onion Share (Linux/Mac/Windows) [FOSS] – Onion Share uses the Tor network to securely and anonymously share files of any size. The other party does not even need to have Onion Share, as long as they have the Tor browser.
• SwissTransfer (Web) [Free] – Temporary file transfer solution for files up to 50 GB. Free and does not require registration. The service is based in Switzerland, so it is protected by Swiss privacy laws.
• Blackhole (Mac/Windows) [FOSS] – BlackHole is a blockchain-based file sharing protocol.

Encrypting Your Files

System Drives

Android

See here.

iOS

See here.

Linux

See here.

Note that you can also opt to encrypt your system during the installation of basically any Linux OS.

Mac

See here.

Windows 10

See here.

You might also consider using VeraCrypt.

Flash Drives / External Drives

For this, you will use a cross-platform, open source piece of software called VeraCrypt. Just fire it up and let the program guide you. For more detailed information, see the official Veracrypt documentation.

Folders / Partitions

VeraCrypt can handle this, as well.

Hiding Files and Secret Messages in Plain Sight with Steganography

(Coming Soon!)

For my last trick, I'm gonna introduce you to some serious spy movie biz. We're going to learn how to use a form of encryption to hide files and messages inside of other more inconspicuous files. This portion of the guide is not yet finished, and will become available in the near future; however, Android users can get started easily with an app called PixelKnot that will allow you to embed hidden messages in image files. More to come!

Changes

11/01/2020:

• Updated link for instructions on encrypting emails in Thunderbird, as previous link had outdated information. It is no longer required to use Enigmail, as Thunderbird supports PGP encryption by default in recent versions.
• Added link to cloud storage service Cryptee.
• Added link to self-hosted sync service Syncthing.
• Added link to CryFS as possible alternative to Cryptomator.

ORIGINALLY POSTED 10/26/2020.

Contact Me

failsafeprivacy (at) protonmail (dot) ch (PGP) Keyoxide | Mastadon | Reddit

Tags

#guide #tutorial #privacy #security #encryption #software #apps #vpn #tor #stego #opensource

“The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor's users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Along the same line, Tor is an effective censorship circumvention tool, allowing its users to reach otherwise blocked destinations or content. Tor can also be used as a building block for software developers to create new communication tools with built-in privacy features.” ¹

In this post, I'm gonna keep things relatively brief and go over some of the ways you can incorporate Tor into your digital life. The Tor Project team has done some remarkable work on making Tor as secure and private as possible without requiring much, if any, user tinkering. If you're new to this sort of thing, don't be intimidated—you'll pick it up fast. If you've been around the block with Tor in the past, then I hope this post introduces you to some new tools or strategies.

Please note that Tor alone will not make you completely anonymous. It will protect the transport of your data, it will disguise you against trackers online, and it will help you to beat censorship in your region; however, it will not simply allow you to act illegally or immorally without repercussion. There is still a need for common sense and decency. That said, the Tor network will be an indispensible tool to you in the fight for privacy online in this year of 20XX—the future.

The Tor project is open source, freely available, and powered solely on donations. If you get a lot out of it and you have the means, it would be mighty fine of you to give back by making a donation or buying some radical swag to help support the project. It's also helpful to spread the word—the more Tor users there are, the more anonymous we all become. Please feel free to share this post with friends and family, or just enthusiastically relay the best bits to them yourself. Bonus points if you imitate what you think my voice might sound like—I assure you, it is silly.

LAST UPDATED: 10/20/2020 (See Changes)

Configuring the Tor Browser

If I'm being honest, there's not much to do here. The Tor browser is configured by default as such for very specific reasons, and it's generally good practice to avoid using any additional add-ons or making any tweaks to the configuration. The main reason (of many) that it's touchy to change things around, is because any changes will make your fingerprint more unique. A unique fingerprint means trackers will have an easier time identifying you as you move from site to site. Ideally, you want the most run-of-mill, least conspicuous fingerprint you can possibly have so that you blend in with the crowd. If your data points all look basically the same as every other Tor user, we all collectively gain that much more anonymity.

In light of this, there are really only two things I recommend tweaking:

1. Change your security level – In Tor, there are three Security Level settings to choose from. I recommend Safest, both because of—and in spite of—the fact that it is the most restrictive setting of the bunch. This can always be tweaked if you happen across a site that is broken by this setting, but for normal activity, this will give you the best protection against the ever watchful eye of Big Daddy Data and his unsavory pals (there's a free band name for you, you're welcome). If you do go the Safest route, you'll want to learn how to use NoScript. If you've used it before, you'll know that you can normally kind of “train” it as you browse, but this is not the case with the Tor browser as your settings are (very intentionally) reset with each fresh start of the program. As such, you'll want to understand how it works and be able to make changes on the fly. If this is too complicated for now (or if you can't be arsed to learn), or if often-used sites are breaking for you, then go with the Safer setting. This will be much less restrictive than Safest and still provide more protection than default.

2. Prioritize Onion Services – Under the Privacy and Security tab in the Settings menu, you can set Prioritize Onion Services to Always. This will make it so that when you visit a clearnet site, Tor will check if there is a known Onion version of the site and redirect you to the Tor version. This feature seems to be hit or miss, as in my testing, it didn't always detect a Tor version of a site; however, when it does work, it's a great way to increase your security while browsing. If you don't set this feature, it will simply ask if you'd care to switch when it comes across a site with an available Onion domain, so it's not completely necessary to set this, though I personally find it much more convenient to have it do this for me automatically.

3. (Optional) Creatorrc – With Creatorrc, you can generate a more secure torrc file (the “sector” profile) for the Tor Browser. This will prevent your browser from utilizing relays known to use out-of-date software or have other security flaws that could be exploited to de-anonymize you. Please note that this tool is not endorsed nor recommended by The Tor Project. It is also worth noting that using this may have an effect on your speeds and/or how often you encounter CAPTCHAs, and it is not currently compatible with Tails users. I am personally a fan of the sector profile, but I highly encourage you to do your own homework before diving in.

That's it! You're good to go. Feel free to explore the interwebs in peace.

Use Good OPSEC

OPSEC is short for Operations Security. In the simplest terms, “common sense.” I won't delve in to this too deeply, but if you're looking to maximize your anonimity, here are some basic tips:

• Don't use your real name, common aliases, email addresses, etc. outside the Tor network.
• Conversely, don't use aliases you use within the Tor network elsewhere online.
• Don't log in to existing accounts, like Facebook or Twitter, from the Tor network.
• Make as few accounts as you can.
• Use a unique email/username for each account that you create (Guerilla Mail and AnonAddy are helpful for this).
• Put to use a reliable password manager (like KeePassXC or Bitwarden) with unique passwords for all accounts and use 2FA wherever possible.
• Don't use Tor and another browser at the same time.
• Generate “New Identities” within Tor semi-frequently.
• Be wary of other devices on your network; for example, sometimes, advertisements might contain an inaudible frequency that can be picked up by your phone to confirm that you were exposed to the ad. This is a method of cross-tracking utilized by marketers, and it can be used to de-anonymize you. I know this sounds tinfoil-hatesque, but I assure you, it's been covered by legitimate news outlets on multiple occasions. ^{2 3 4}
• Utilize metadata anonymization tools before uploading photos, videos, audio files, or other documents online. I would recommend MAT2 or EXIFCleaner for PC/Mac users, or Scrambled EXIF (F-Droid, Play Store) for Android.

Sending Files with OnionShare

OnionShare is a cool utility to send files of any size securely and anonymously over the Tor network. This will be an essential tool for journalists, whistleblowers, and individuals under oppressive regimes, but it's something we can all benefit from in this age of mass surveillance.

To use it, simply install the program and launch it. You will be able to drag and drop files, and then the program will generate a unique Onion URL for you to share. Remember, the security of your files is ONLY as secure as the means that you use to send this link. Make sure to share the link only with the trusted recipient over end-to-end encrypted communications. Once the recipient has the link, they will only need the Tor browser in order to visit the link and download the attached files. The receiving party is not required to use OnionShare.

Send Emails over Tor with TorBirdy

TorBirdy is a relatively simple add-on for Mozilla Thunderbird that will allow you to sync your inbox and send emails via the Tor network. This would pair well with an Onion-based email provider and Enigmail for PGP encryption.

Alternatively, you can simply use ProtonMail's Onion Site (.onion link) to send encrypted emails with PGP (or directly to other ProtonMail users), all from the comfort of your own Tor Browser.

If you are using a system like Tails or Whonix (covered below), you will not need this.

Torify the Whole Damn System!

With an OS pre-configured to use Tor by default—such as Tails, Whonix (or Qubes + Whonix), or Subgraph OS (Alpha)—all of the web traffic from your entire system, not just the web browser, will be protected by the Tor network. It's also possible to rig up Tor as a proxy, but this can be detrimental if not properly configured and you are missing out on the security benefits provided by a hardened system.

With something like Tails on a USB drive, you can boot into a secure OS from that drive on almost any system. This means that you don't necessarily have to have a separate drive or partition specifically for this, you can simply plug in the little drive and boot it up. You can read more about how Tails works here, and you can find a guided setup here. The beauty of tails is that it's non-persistent, so every time you shutdown or reboot, it wipes everything clean. If you so choose, you can set up an encrypted persistent partition very easily that will allow you to save only specific files and configurations that you want to keep on the drive.

Whonix is intended to be used as a virtual machine. It is not, by default, an amnesiac system like Tails. Instead, it is a persistent, hardened operating system that helps to compartmentalize your activity. The Whonix Workstation can be run in “live” mode or used in conjunction with VirtualBox's snapshot feature to have a similar amnesiac presence to Tails, but it is intended to be used as a convenient daily-driver and is therefore an excellent alternative to Tails depending on your own personal needs. Some will even use both for different circumstances—it's not about picking the best OS, but about what works for you.

SubgraphOS is in alpha and is not currently recommended, but it's got a very promising feature set that's worth keeping an eye on.

Take Tor With You

Mobile Apps

You can use Tor on your Android phone! You can either use the Tor Browser app on its own, or you can use Orbot to run multiple apps/all of your device's connections through Tor. Both apps are available from F-Droid or Google Play.

iOS does not currenty have an official Tor app, but Onion Browser from the app store is a good soluton for now.

Tails USB

By installing Tails to a USB drive (as mentioned above), you can boot into a secure operating system that routes all traffic through Tor by default on basically any computer, anywhere. The only requirement is that the computer in question does not have secure boot enabled, though this can pretty easily be disabled if you have access to the bios.

TorBox

If you feel like busting out the glue sticks and pipe cleaners to get your DIY on, you can turn a Raspberry Pi into a portable Tor router using TorBox. Just follow the instructions closely and it's fairly easy to pull off. This is a handy little thing to carry around and protect your web traffic over public wifi. It's also great to have at home, if you want to route an IoT device like your Smart TV or game console through the Tor network (note that this will almost certainly have a negative impact on your streaming/gaming performance).

Useful Onion Sites

Finally, here is a list of sites you can only access via the Tor network. Bookmark these bad boys! Onions come and go all the time, so I apologize if any of these links are broken by the time you read this. I will try to keep them as up-to-date as I can.

• The Tor Project – http://expyuzz4wqqyqhjn.onion/
• DuckDuckGo (Search Engine) – https://3g2upl4pq6kufc4m.onion/
• ProtonMail (Email Provider) – https://protonirockerxow.onion/
• Cock.li (Email Provider) – http://cockmailwwfvrtqj.onion
• Onion Mail (Email Provider) – https://en.onionmail.info/directory.html (Clearnet, links to multiple instances hosted on Onions)
• Mail2Tor (Email Provider) – http://mail2tor2zyjdctd.onion/
• Guerilla Mail (Temporary Burner Email Addresses) – http://grrmailb3fxpjbwm.onion/
• PrivacyTools (Privacy Org. with Many Tools and Resources) – http://www.privacy2zbidut4m4jyj3ksdqidzkw3uoip2vhvhbvwxbqux5xy5obyd.onion/
• Snopyta (Privacy Org. with Multiple Tools) – http://cct5wy6mzgmft24xzw6zeaf55aaqmo6324gjlsghdhbiw5gdaaf4pkad.onion/
• RiseUp Onion Services (Privacy Org. with Multiple Tools) – http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/en/security/network-security/tor#riseups-tor-onion-services (Multiple Tools)
• Systemli Onion Services (Privacy Org. with Multiple Tools) – http://7sk2kov2xwx6cbc32phynrifegg6pklmzs7luwcggtzrnlsolxxuyfyd.onion/en/service/onion.html (Multiple Tools)
• Calyx Institute (Privacy Org. with Multiple Tools) – http://ijeeynrc6x2uy5ob.onion (Multiple Tools)
• BBC News (News) – https://www.bbcnewsv2vjtpsuy.onion/
• Associated Press (News) – http://3expgpdnrrzezf7r.onion/
• The New York Times (News) – https://www.nytimes3xbfgragh.onion/
• ProPublica (News) – https://p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion/
• Business Insider (News) – http://doaxi7t7lkctvq5i.onion/
• Buzzfeed News (News) – https://bfnews3u2ox4m4ty.onion/
• Internet Archive (Archives) – http://archivebyd3rzt3ehjpm4c3bjkyxv3hjleiytnvxcn7x32psn2kxcuid.onion/
• Archive.is (Archives) – http://archivecaslytosk.onion
• OnionShare (Software) – http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion/
• Mullvad VPN (Software) – http://xcln5hkbriyklr6n.onion
• Tails (Software) – https://tails.boum.org/index.en.html
• Qubes OS (Software) – http://www.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/
• Whonix (Software) – http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/
• Debian (Software) http://sejnfjrq6szgca7v.onion/

Directories

If you, like Booker T., find yourself needing mo' onions, here are some good resources:

• Alec Muffett's Real World Onion Sites List (Clearnet)
• List of Tor Onion Services on Wikipedia (Clearnet)
• /r/Onions on Reddit (Clearnet)

Sources

¹ https://2019.www.torproject.org/about/overview.html.en

² https://www.wired.com/2016/11/block-ultrasonic-signals-didnt-know-tracking/

³ https://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/

⁴ https://www.cbsnews.com/news/google-removes-apps-that-use-ultrasonic-frequencies-to-track-users/

Changes

POSTED 10/19/2020

• Edit 10/20/2020: Added “Prioritize Onion Services” to the Configuring the Tor Browser section

• Edit 10/19/2020: Minor Formatting Revisions, added “Contact Me” section

Contact Me

failsafeprivacy (at) protonmail (dot) ch (PGP) Keyoxide | Mastadon | Reddit

Tags

#tutorial #privacy #security #browser #tor #software #opensource