Tor is a well-known essential in the anonymity field, and the first fundamental step in your fight for privacy. You might think that all you need to hide your identity while surfing the web is to download the Tor browser bundle, but this is not enough. There are, in fact, bad habits that can reveal your real identity and location even if you’re using Tor, as well as tricks to keep you safe and stealthy. In this article, I will explain the basics to introduce you to the Onion world, teaching you how not to be betrayed by your bad habits.
The Tor Network
The Tor network, made up of servers run by volunteers, allows users to hide their identity from the sites they visit and prevents eavesdroppers from watching their traffic. Your communications are encrypted and bounced from one relay to another before finally arriving at their destination. Combined with HTTPS, Tor provides end-to-end encryption, making it impossible even for the Tor volunteers to read your traffic, and your source IP is well masked by the last relay’s IP. So what could go wrong? Why are these security measures not enough to keep you safe and anonymous?
To start correcting your browsing habits, we can follow a few suggestions:
- Use the Tor browser exclusively. Even though it is possible to make any browser connect to the Tor network, it is recommended to use the Tor browser, which is fine-tuned with this purpose in mind. The other browsers all have configuration issues that could lead to your identity leaking.
- Don’t torrent over Tor. It is well known that torrent file-sharing applications can ignore proxy settings, giving away your real IP to the outside world. A further reason is that torrenting over Tor can heavily slow down the entire network.
- Use HTTPS Everywhere. The Tor browser has a plugin called HTTPS Everywhere that forces supported websites to use HTTPS where possible. This results in end-to-end encryption for you. Check the EFF’s interactive page to better understand this key concept.
- Don’t enable or install extra browser plugins. The only plugins that you need are included in the Tor browser. Other plugins could reveal your real identity, making your use of Tor completely useless.
- Don’t open documents downloaded with Tor when you’re online. If you open a document downloaded with Tor, it could contain links that connect to a website without passing through Tor. This would reveal your identity.
- Disable referers. Go to about:config and disable “network.http.sendRefererHeader” (turn it from 2 to 0). The referer header tells the browser where you come from (from which page), so for privacy reasons you may want to disable it.
- Disable iframes. Go to about:config and disable “noscript.forbidIFramesContext” by changing its value to 0. Iframes can be used to spread malware through your browser. As with JS, they are used everywhere, so disabling them is an extreme measure.
- Use bridges. While observing the above precautions will let you surf the internet anonymously, it won’t mask the fact that you are using Tor; a traffic watcher could notice that you are using Tor even without knowing which sites you are visiting. If you are concerned about this problem, I strongly suggest using Tor bridges. Let’s see together what Tor bridges are and how to configure them.
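The document risk from the list above, as an added example that is not part of the original article: a Python check that lists the external targets stored in a downloaded file before it is opened. It assumes the file is an Office Open XML document (.docx, .xlsx, .pptx); the function names and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by OOXML package relationship parts (*.rels).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_targets(data: bytes):
    """Return (part, kind, target) for every relationship marked External."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            # For untrusted input, a hardened parser such as defusedxml is
            # the safer choice; the standard library keeps this self-contained.
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal part of the package, no network access
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, kind, rel.get("Target", "")))
    return found


def needs_offline_handling(data: bytes) -> bool:
    """Hyperlinks are followed only when clicked; other external parts
    (images, templates) may be fetched as soon as the file is opened."""
    return any(kind != "hyperlink" for _, kind, _ in external_targets(data))


def build_sample() -> bytes:
    """Constructed sample: one internal and two external relationships."""
    base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{base}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{base}hyperlink" Target="https://example.com/page" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{base}image" Target="http://tracker.example/pixel.png" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target in external_targets(build_sample()):
        print(f"{part}: {kind} -> {target}")
```

An empty result does not make a file safe to open online; other formats, such as PDF, store remote references differently and are not covered by this check.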
Configuring Tor Bridges
If Tor does not work, click on “configure” in the main window, and skip the proxy phase:
Then, click on “yes” in the following screen and choose “obfs4” as the default transport type:
If your Tor browser works, follow this other procedure instead. Click on the onion button:
then, select “Tor is censored in my country”:
next, choose the transport type “obfs4”:
Well, at the end of this procedure, it will be more difficult for anyone to know that you are using Tor.
Let’s Clarify What We Did
- First, we discussed what a Tor bridge is and why it should help us remain anonymous. A Tor bridge is an entry node of the Tor network that is not listed in the main Tor directory. While “normal” nodes are publicly available, the bridges are “hidden”, so no one who sees you connecting to a certain bridge’s IP can know that you are using Tor.
- What is a pluggable transport? The government can identify that your traffic belongs to the Tor network and block it through your ISP. The Tor volunteers then invented pluggable transports, a system that obfuscates your traffic so that it resembles innocuous traffic, making it harder for the government to decide to block you. Over time, many transports have been identified, so new ones are always being developed. The currently recommended one is obfs4, but other types exist. It is also possible to obtain your own custom bridges by sending an email to this address with the line “get bridges” in the body of the mail. You must send this mail from a Gmail, Yahoo!, or Riseup account, because only these providers are supported.