How to Get the Most Out of Tor in 2020

Tor is a magnificent beast. Despite the stories you've undoubtedly heard, it's not just for ne'er-do-wells and miscreants (though they are certainly present). If you are wondering what exactly a “Tor” is, we should look no further for explanation than to the Tor Project themselves:

“The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor's users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Along the same line, Tor is an effective censorship circumvention tool, allowing its users to reach otherwise blocked destinations or content. Tor can also be used as a building block for software developers to create new communication tools with built-in privacy features.” 1

In this post, I'm gonna keep things relatively brief and go over some of the ways you can incorporate Tor into your digital life. The Tor Project team has done some remarkable work on making Tor as secure and private as possible without requiring much, if any, user tinkering. If you're new to this sort of thing, don't be intimidated—you'll pick it up fast. If you've been around the block with Tor in the past, then I hope this post introduces you to some new tools or strategies.

Please note that Tor alone will not make you completely anonymous. It will protect the transport of your data, it will disguise you against trackers online, and it will help you to beat censorship in your region; however, it will not simply allow you to act illegally or immorally without repercussion. There is still a need for common sense and decency. That said, the Tor network will be an indispensible tool to you in the fight for privacy online in this year of 20XX—the future.

The Tor project is open source, freely available, and powered solely on donations. If you get a lot out of it and you have the means, it would be mighty fine of you to give back by making a donation or buying some radical swag to help support the project. It's also helpful to spread the word—the more Tor users there are, the more anonymous we all become. Please feel free to share this post with friends and family, or just enthusiastically relay the best bits to them yourself. Bonus points if you imitate what you think my voice might sound like—I assure you, it is silly.


LAST UPDATED: 10/20/2020 (See Changes)


Configuring the Tor Browser

If I'm being honest, there's not much to do here. The Tor browser is configured by default as such for very specific reasons, and it's generally good practice to avoid using any additional add-ons or making any tweaks to the configuration. The main reason (of many) that it's touchy to change things around, is because any changes will make your fingerprint more unique. A unique fingerprint means trackers will have an easier time identifying you as you move from site to site. Ideally, you want the most run-of-mill, least conspicuous fingerprint you can possibly have so that you blend in with the crowd. If your data points all look basically the same as every other Tor user, we all collectively gain that much more anonymity.

In light of this, there are really only two things I recommend tweaking:

1. Change your security level – In Tor, there are three Security Level settings to choose from. I recommend Safest, both because of—and in spite of—the fact that it is the most restrictive setting of the bunch. This can always be tweaked if you happen across a site that is broken by this setting, but for normal activity, this will give you the best protection against the ever watchful eye of Big Daddy Data and his unsavory pals (there's a free band name for you, you're welcome). If you do go the Safest route, you'll want to learn how to use NoScript. If you've used it before, you'll know that you can normally kind of “train” it as you browse, but this is not the case with the Tor browser as your settings are (very intentionally) reset with each fresh start of the program. As such, you'll want to understand how it works and be able to make changes on the fly. If this is too complicated for now (or if you can't be arsed to learn), or if often-used sites are breaking for you, then go with the Safer setting. This will be much less restrictive than Safest and still provide more protection than default.

2. Prioritize Onion Services – Under the Privacy and Security tab in the Settings menu, you can set Prioritize Onion Services to Always. This will make it so that when you visit a clearnet site, Tor will check if there is a known Onion version of the site and redirect you to the Tor version. This feature seems to be hit or miss, as in my testing, it didn't always detect a Tor version of a site; however, when it does work, it's a great way to increase your security while browsing. If you don't set this feature, it will simply ask if you'd care to switch when it comes across a site with an available Onion domain, so it's not completely necessary to set this, though I personally find it much more convenient to have it do this for me automatically.

3. (Optional) Creatorrc – With Creatorrc, you can generate a more secure torrc file (the “sector” profile) for the Tor Browser. This will prevent your browser from utilizing relays known to use out-of-date software or have other security flaws that could be exploited to de-anonymize you. Please note that this tool is not endorsed nor recommended by The Tor Project. It is also worth noting that using this may have an effect on your speeds and/or how often you encounter CAPTCHAs, and it is not currently compatible with Tails users. I am personally a fan of the sector profile, but I highly encourage you to do your own homework before diving in.

That's it! You're good to go. Feel free to explore the interwebs in peace.


Use Good OPSEC

OPSEC is short for Operations Security. In the simplest terms, “common sense.” I won't delve in to this too deeply, but if you're looking to maximize your anonimity, here are some basic tips:


Sending Files with OnionShare

OnionShare is a cool utility to send files of any size securely and anonymously over the Tor network. This will be an essential tool for journalists, whistleblowers, and individuals under oppressive regimes, but it's something we can all benefit from in this age of mass surveillance.

To use it, simply install the program and launch it. You will be able to drag and drop files, and then the program will generate a unique Onion URL for you to share. Remember, the security of your files is ONLY as secure as the means that you use to send this link. Make sure to share the link only with the trusted recipient over end-to-end encrypted communications. Once the recipient has the link, they will only need the Tor browser in order to visit the link and download the attached files. The receiving party is not required to use OnionShare.


Send Emails over Tor with TorBirdy

TorBirdy is a relatively simple add-on for Mozilla Thunderbird that will allow you to sync your inbox and send emails via the Tor network. This would pair well with an Onion-based email provider and Enigmail for PGP encryption.

Alternatively, you can simply use ProtonMail's Onion Site (.onion link) to send encrypted emails with PGP (or directly to other ProtonMail users), all from the comfort of your own Tor Browser.

If you are using a system like Tails or Whonix (covered below), you will not need this.


Torify the Whole Damn System!

With an OS pre-configured to use Tor by default—such as Tails, Whonix (or Qubes + Whonix), or Subgraph OS (Alpha)—all of the web traffic from your entire system, not just the web browser, will be protected by the Tor network. It's also possible to rig up Tor as a proxy, but this can be detrimental if not properly configured and you are missing out on the security benefits provided by a hardened system.

With something like Tails on a USB drive, you can boot into a secure OS from that drive on almost any system. This means that you don't necessarily have to have a separate drive or partition specifically for this, you can simply plug in the little drive and boot it up. You can read more about how Tails works here, and you can find a guided setup here. The beauty of tails is that it's non-persistent, so every time you shutdown or reboot, it wipes everything clean. If you so choose, you can set up an encrypted persistent partition very easily that will allow you to save only specific files and configurations that you want to keep on the drive.

Whonix is intended to be used as a virtual machine. It is not, by default, an amnesiac system like Tails. Instead, it is a persistent, hardened operating system that helps to compartmentalize your activity. The Whonix Workstation can be run in “live” mode or used in conjunction with VirtualBox's snapshot feature to have a similar amnesiac presence to Tails, but it is intended to be used as a convenient daily-driver and is therefore an excellent alternative to Tails depending on your own personal needs. Some will even use both for different circumstances—it's not about picking the best OS, but about what works for you.

SubgraphOS is in alpha and is not currently recommended, but it's got a very promising feature set that's worth keeping an eye on.


Take Tor With You

Mobile Apps

You can use Tor on your Android phone! You can either use the Tor Browser app on its own, or you can use Orbot to run multiple apps/all of your device's connections through Tor. Both apps are available from F-Droid or Google Play.

iOS does not currenty have an official Tor app, but Onion Browser from the app store is a good soluton for now.

Tails USB

By installing Tails to a USB drive (as mentioned above), you can boot into a secure operating system that routes all traffic through Tor by default on basically any computer, anywhere. The only requirement is that the computer in question does not have secure boot enabled, though this can pretty easily be disabled if you have access to the bios.

TorBox

If you feel like busting out the glue sticks and pipe cleaners to get your DIY on, you can turn a Raspberry Pi into a portable Tor router using TorBox. Just follow the instructions closely and it's fairly easy to pull off. This is a handy little thing to carry around and protect your web traffic over public wifi. It's also great to have at home, if you want to route an IoT device like your Smart TV or game console through the Tor network (note that this will almost certainly have a negative impact on your streaming/gaming performance).


Useful Onion Sites

Finally, here is a list of sites you can only access via the Tor network. Bookmark these bad boys! Onions come and go all the time, so I apologize if any of these links are broken by the time you read this. I will try to keep them as up-to-date as I can.

Directories

If you, like Booker T., find yourself needing mo' onions, here are some good resources:


Sources

1 https://2019.www.torproject.org/about/overview.html.en

2 https://www.wired.com/2016/11/block-ultrasonic-signals-didnt-know-tracking/

3 https://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/

4 https://www.cbsnews.com/news/google-removes-apps-that-use-ultrasonic-frequencies-to-track-users/


Changes

POSTED 10/19/2020


Contact Me

failsafeprivacy (at) protonmail (dot) ch (PGP) Keyoxide | Mastadon | Reddit


Tags

#tutorial #privacy #security #browser #tor #software #opensource