How to take your first steps with Tor

Published On: November 28th, 2016

Why would anyone care about being anonymous online?

I do my best to protect my online presence. For everyday browsing I use HTTPS Everywhere (ensures website connections run over encrypted SSL whenever the site supports it), NoScript (disables all site Flash, Java, and JavaScript by default), uBlock Origin (ad blocking), and Privacy Badger (ad and cross-site activity tracker blocking). For any account that allows it, I have Two Factor Authentication set up. I create different complex passwords across the various websites I use — and store these passwords in an encrypted file on my laptop, which is also encrypted. These things do an acceptable job of protecting my user accounts and minimizing the impact of website data compromises and account attack attempts.

But these things don’t hide the fact that I’ve actually visited or looked at any of those sites.

So this is where we start thinking about anonymization — the practice of hiding your tracks. Political dissent and organization, engaging in illicit trades, trying to make connections with other members of a vulnerable group, conducting research on a sensitive subject matter for a school project — these are a few among a wide variety of reasons someone may wish to keep their true identity hidden while online. Now the ethics of all this — from the political and security concerns, to the criminal uses of anonymization — is really a separate discussion. The fact is that there are legitimate uses, and knowing how to do it correctly can aid in the fight to stay protected while online.

Which brings us to talking about Tor…

See, I’ve recognized that I should know it and use it, but I’ve been a bad SOCmonkey and just never gotten around to it. So here I’ll go about trying to get it right, which will include understanding how it’s easy to get it wrong.

There are many, many pages of information about Tor all over the web, so I’m not going to go too far into the minutiae. But an easy metaphor for what Tor does is to think of your web traffic like a chain. In a normal, non-anonymized browser session, your traffic from your physical location to your desired website is logged by each device in the chain. Even if it’s encrypted SSL traffic, your visit to that site is visible.

Using Tor your traffic is passed into a “forgetful chain” — meaning each link only knows which link to receive from, and which link to forward to. No single link knows the full path of the traffic. For instance, if I want to visit DuckDuckGo anonymously so I can run a search for a sensitive subject, my traffic enters the Tor network, is bounced around a bit, and then ends up at DuckDuckGo appearing as if it’s come from, say, The Netherlands.
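To make the "forgetful chain" concrete, here is an added simulation of a three-hop circuit (not code from this post or from the Tor project). It uses a toy XOR keystream in place of real cryptography and assumed relay names and keys; it records what each relay can see, and shows that the exit relay is the one party that handles the request in the clear.

```python
import hashlib
from typing import Dict, List, Tuple

# Toy stream cipher for illustration only (NOT real cryptography):
# XOR the data with a SHA-256-derived keystream; the same call encrypts and decrypts.
def toy_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def build_onion(path: List[Tuple[str, bytes]], destination: str, payload: bytes) -> bytes:
    """Wrap payload in one layer per relay. Each layer names only the NEXT hop,
    so the relay that peels it learns nothing beyond where to forward."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    onion = payload
    for (_, key), next_hop in reversed(list(zip(path, next_hops))):  # exit layer first
        onion = toy_xor(key, next_hop.encode() + b"\x00" + onion)
    return onion

def relay_peel(name: str, key: bytes, prev_hop: str, onion: bytes, seen: Dict[str, dict]):
    """What one relay does: strip its own layer, record who it heard from and
    where it sends next, and pass the still-wrapped remainder along."""
    next_hop, inner = toy_xor(key, onion).split(b"\x00", 1)
    seen[name] = {"from": prev_hop, "to": next_hop.decode()}
    return next_hop.decode(), inner

def route(client: str, path: List[Tuple[str, bytes]], destination: str, payload: bytes):
    """Send payload through the circuit; return what reaches the destination
    plus each relay's view of the chain."""
    onion = build_onion(path, destination, payload)
    seen: Dict[str, dict] = {}
    prev = client
    for name, key in path:
        next_hop, onion = relay_peel(name, key, prev, onion, seen)
        prev = name
    # next_hop is now the destination and onion is the bare payload: the exit
    # relay sees the request in the clear unless the payload itself is encrypted (HTTPS).
    return next_hop, onion, seen

if __name__ == "__main__":
    # Constructed circuit: relay names and keys are assumptions for the demo.
    circuit = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]
    dest, req, seen = route("client", circuit, "duckduckgo.com", b"GET /?q=sensitive+topic")
    for relay, view in seen.items():
        print(f"{relay:6} saw from={view['from']:7} to={view['to']}")
    print("exit delivered", req, "to", dest)
```

No relay's record contains both "client" and the destination; only the exit's record names the site, and only the guard's names the client.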

Installing the necessary client software and using Tor is rather simple. To access the Tor network you need the Tor Browser, which is a modified version of Firefox. You download the browser, fire it up, and… do a couple things first to make sure you’re going to actually be anonymous.

1.) First, check for updates.

Click the little Tor button in the toolbar and then click “Check for Tor browser updates”. Those who wish to be really sanitary will do this every time they start it up. If an update is found, install it, and relaunch. Updates are necessary because they’ll apply any new security patches to the Firefox instance.

Many de-anonymizations of Tor traffic have occurred through browser compromise. So this step is important. The updates check may take a while, and it can feel tedious when we’re used to broadband internet speeds and fast computers and seeing what we want right away. But if you really want to cover your tracks, don’t skip this step.

2.) Second, click the little link on the Tor Browser landing page that says “Test Tor Network Settings”.

This will verify that your traffic is entering the Tor network, and will test the path of your traffic. If successfully connected, it will display an IP address. Your destination websites will see your traffic as having originated at this address.

My latest IPs showed up as Germany and the UK.

Each new tab you open for browsing to another site will have another unique Tor network path. You see this by clicking the Tor button again once a page has loaded up. The section “Tor circuit for this site” shows the active path for that traffic.

3.) Third, and perhaps most importantly, keep your browsing as “clean” as possible.

That’s not in regard to whether you decide to look at any questionable content, but rather segregating your Tor network browsing from all of your other web activity. Do not, under any circumstances, log into any of your real accounts while on Tor. This will break your anonymization. Tor comes with NoScript enabled by default. Leave it enabled unless absolutely necessary for a site to work. And frankly, if the content you want from a site can’t be seen with NoScript enabled, do you need to be looking at that site via Tor anyway? Having NoScript enabled prevents Flash, Java, and JavaScript from accidentally revealing your true IP address to an upstream device or to the visited site. Things like a Flash Video Player operate outside the browser’s own permissions realm, so they can make direct outbound queries if they need to.

Improper configs, bad behavior, and poison nodes can lead to de-anonymization.

Things to keep in mind:

  • Don’t forget about the fact that some websites will block known Tor exit nodes from accessing their pages. Many companies prevent outbound Tor network traffic.
  • Don’t open documents that you’ve downloaded with Tor until you’re offline again. Many document formats, such as PDF or .docx, can have embedded macros that may accidentally reveal your actual address with an outbound request to load remote content, check for application updates, etc.
  • In the same vein of don’t-open-documents is an even bigger, yet weirdly common, mistake: Don’t torrent over Tor. Torrenting by design needs to use your actual IP address in order to establish the peer connections that make it work.
  • Don’t use Windows. While it’s possible to use Windows and stay safe (just ask Bruce Schneier), it’s just more complicated to make sure it stays that way. And just so we’re not being needlessly inflammatory, here are a few reasons why, with further links:
    • Windows-on-Tor has been a specific target of malware.
    • Windows has many things that phone home automatically and there are increasingly few ways around them with each new version.
    • The architecture of Windows means it caches a lot of information about your usage habits. And since most malware is targeted at Windows, if your box does get popped, there’s a lot of nice info there to be had.
    • When you start reading about “user privacy on Windows”, you may begin to notice that lots of articles will have a rather alarmist tone, sometimes quite over the top. Try to look past that and just sift out the actual information that will help you.
  • Don’t log into personal accounts. I touched on this, but keep mindful of fully separating your Tor activity from your real world ‘normal’ web presence.
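As an added check for the downloaded-documents point above (not code from this post or from any vendor): a small scanner for OOXML files (.docx, .xlsx, .pptx), which are zip archives of XML parts. It flags relationships marked External, which an office application resolves over the network when the file is opened, and embedded VBA macro parts. The sample .docx it inspects is constructed inside the code, and the URL in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

def scan_ooxml(data: bytes) -> Dict[str, list]:
    """Look through every part of an OOXML zip for things that can cause an
    outbound request on open: External relationships and VBA macro parts.
    Caveat: for untrusted files, parse with defusedxml rather than ElementTree."""
    findings: Dict[str, list] = {"external_targets": [], "macro_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if part.lower().endswith("vbaproject.bin"):
                findings["macro_parts"].append(part)
            if part.endswith(".rels"):
                root = ET.fromstring(zf.read(part))
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("TargetMode", "Internal").lower() == "external":
                        findings["external_targets"].append((part, rel.get("Target")))
    return findings

def safe_to_open_online(findings: Dict[str, list]) -> bool:
    """True only if the scan found nothing that reaches out to the network."""
    return not findings["external_targets"] and not findings["macro_parts"]

def build_sample_docx(remote_target: Optional[str] = None) -> bytes:
    """Constructed minimal .docx for testing (not a real document from the post).
    With remote_target set, the image relationship points at a remote URL, as a
    document that loads remote content would; otherwise it names a local part."""
    target = remote_target or "media/image1.png"
    mode = ' TargetMode="External"' if remote_target else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{IMAGE_REL}" Target="{target}"{mode}/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx()),
                       ("beacon", build_sample_docx("http://tracker.example.invalid/beacon.png"))):
        result = scan_ooxml(doc)
        print(label, "safe to open online:", safe_to_open_online(result), result)
```

A clean scan does not prove a file is harmless (PDF and older binary Office formats need different checks), so opening downloads offline remains the simpler rule.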

Clearnet sites or .onion sites? This is where the potential to accidentally de-anonymize starts to ramp up. If you’re using Tor to visit only .onion sites, then the likelihood is much smaller. But, all traffic to the Clearnet has to pass a Tor exit node. So, if you do need to anonymously visit a Clearnet site, make sure it’s over HTTPS.

Further, don’t enable scripts for the site, and don’t use a real-world login account (HTTPS or not). When your traffic to the Clearnet leaves a Tor exit node, it is susceptible to snooping by that node. If someone sets up a malicious exit and you’re sending sensitive data, it may be intercepted. So at minimum, HTTPS is a must at all times. Also avoid sending over the wire any data that isn’t already encrypted.

To abate some of this, you can use anonymous services or encrypted services on top of Tor. There are anonymous mail and chat services, file drop and pastebin services, search engines, and many other things running directly on the .onion network. It’s possible to use only these things and stay completely off the Clearnet.

That keeps you on the onion-routed network while using a non-tracked, anonymized search engine. Layering protections like this wherever possible makes your overall online footprint safer.

Extended use from a single location can eventually, maybe more quickly than you might expect, become an issue. If you continue to use Tor from a single location, your traffic could eventually be correlated to your destinations. That’s why many of the more paranoid users will never use Tor from their homes, and will always use it from a different location each time. This is cumbersome and can quickly exhaust your cache of local wifi hotspots. But for the truly paranoid, or for those for whom Tor is a life-or-death tool, this is not an unreasonable requirement.

But Tor is not a magic bullet, so you must stay careful.

Tor has had some known issues and compromises. This only starts to scratch the surface, but Tor is software. And just like any software, there have been issues. Tor is also a particularly desirable target for obvious reasons. This is why I mentioned running updates on Tor Browser every time you start it.

Here are just a couple examples:

Next Up: Discussing some alternatives to Tor.

So all told, Tor can still be effective, but are there workable alternatives? Of course. In the next two parts, we’ll look at some alternatives to Tor itself, and operating systems specifically designed with anonymization and security in mind.

Tor-style network traffic anonymization tools:

Operating Systems with Tor or other anonymization tools built in:

Additional resources and links:
