Getting Started with Tor Browser

Monday, November 19, 2018

Tor Browser routes your browsing traffic through multiple anonymous servers, protecting your physical location and (most of your) browsing activities. This blog post will go through Tor Browser and some best practices.

What is Tor?

“Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.” (source)

Tor stands for “The Onion Routing” (Network).

Tor Browser is a modified version of Firefox specially developed to route all browsing traffic through the Tor network. It is designed in such a way where the more people use it, the more secure everyone is (think of a needle in a haystack).

If the thought of having your browsing activities routed not through just 1, not 2, but 3 servers across the world before being sent to the site you are visiting fascinates you, you’ll enjoy Tor Browser:

Below is a 2 minute video on Tor:

For a more in-depth overview: https://www.torproject.org/about/overview.html.en

How to Install:

  1. Go to https://www.torproject.org/download/download-easy.html.en
  2. Usually you can click on the first purple “Download” button on the download page. The webpage attempts to detect your operating system and recommends a version of Tor Browser to download. If you want to download a specific version visit this page
  3. Once Tor Browser finishes downloading to your computer, you can double-click on it to install it (Linux users will need to extract it to a folder)
  4. Once installed/extracted, run Tor Browser. In 99% of cases you can click on “Connect” in the dialog that appears when you run Tor Browser for the first time

General Overview:

You’ll notice that it looks exactly like Firefox, but with a few small visual changes (and a ton of behind-the-scenes tweaks enhancing privacy/security):

  1. The Tor Menu – here you can generate a new identity, configure Tor Browser’s security settings, network settings, and check for updates
  2. A customized site tooltip – click on this to show the Tor circuit your browsing traffic to the current site took:
  3. In the hamburger menu – “New Identity” and “New Circuit for this Site” (found in #1 and #2 above, respectively)

I keep most settings as they come out of the box, with a few changes, listed below.

Tips:

1) Get used to not browsing in a maximized window:

The first thing you might notice is that if you maximize the Tor Browser window a warning toolbar appears saying that maximizing Tor Browser may allow websites to determine your monitor size.

What I do is simply drag one of the corners of the window and make it as large as possible without maximizing the window fully.

2) Use Tor Browser for general browsing, not for streaming or anything highly sensitive:

95% of my browsing is done through Tor Browser.

The other 5% of my usage that I don’t do through Tor is work-related browsing, online shopping, online banking, streaming, web dev, and anything with personally-identifiable data in the URL address:

  • No work-related browsing: I don’t want to route any work-related requests through the Tor network
  • No online shopping/online banking: retailers/financial institutions may flag/block my account because it is being accessed by an IP address from another country (or a blacklisted IP address)
  • No streaming: I don’t stream videos/music through Tor simply because of the slower download speeds (keep in mind that the data is being sent to 3 servers across the world between you and the site!)
  • No web development: I am wary of the fact that I might be working on and accessing backend systems.
  • No personally-identifiable data in the URL address: I avoid visiting addresses like https://www.domain.com/?uid=a8fgk23ngklasdlkjsdlks to not give exit nodes this data

3) Import bookmarks from existing browser:

  1. Go to the hamburger menu => Library => Bookmarks => Show All Bookmarks
  2. Click on “Import and Backup” and then “Import Data from Another Browser…” (or “Import Bookmarks from HTML…” if you’ve exported your bookmarks to a .html file before)
  3. By default the bookmarks will be imported under the “Bookmarks Menu” in this dialog, you can move them out into the correct folder

4) Block all unencrypted requests:

To ensure you avoid one of the serious dangers of using Tor – the danger being logging in or sending data to a site over a non-HTTPS connection (which can expose your username/password/data to the last Tor relay (exit node), Internet service provider and/or government security agency) – I highly recommend blocking all unencrypted (non-HTTPS) requests by following the below steps:

  1. Hamburger menu => “Customize”
  2. Drag and drop the “HTTPS Everywhere” icon to the browser toolbar
  3. (optional) Change “Density” to “Compact” (personal preference)
  4. Click on “Done”
  5. Left-click on the HTTPS Everywhere icon that is now in the browser toolbar
  6. Enable “Block all unencrypted requests”

5) Change search engine to DuckDuckGoOnion:

The default search engine in Tor Browser is DuckDuckGo, but DuckDuckGo actually offers a .onion service which is more secure:

  1. Hamburger menu => “Preferences”
  2. Click on “Search”
  3. Set “Default Search Engine” to “DuckDuckGoOnion”

6) (optional) Install an adblocker and tracking token stripper:

This is marked optional as Tor Project actually recommends to not install any other Firefox add-ons because it gives you a more unique browser fingerprint (more easily distinguishable from people who use Tor Browser without any other Firefox add-ons), but out of personal preference I use two other Firefox add-ons:

  1. uBlock Origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
    1. Rationale: block ads/trackers to reduce bandwidth and CPU usage
  2. Tracking Token Stripper: https://addons.mozilla.org/en-US/firefox/addon/utm-tracking-token-stripper/
    1. Rationale: some sites append unique tracking tokens to links (e.g. Facebook); this browser extension removes them and protects you from accidentally copy/pasting the link with the unique tracking token included

.onion sites (aka the “dark web” or “deep web”):

.onion sites are sites that can only be accessed through Tor. The key benefit of using a .onion site instead of the regular domain (e.g. protonirockerxow.onion vs protonmail.com) is increased anonymity and security (end-to-end encryption). Here is an overview of what happens in the background when you visit a .onion site.

To summarize:

  • when you visit a non .onion site (aka “cleartext” site): your request is sent through 3 Tor relays before the last relay (aka the exit node) sends your request to the site (e.g. protonmail.com)
  • when you visit a .onion site: your request is sent through 3 Tor relays and then sent through 3 subsequent Tor relays directly to the .onion site (e.g. protonirockerxow.onion)

I would personally recommend using only well-known .onion sites as there are many out there with nasty things.

Below is a list of some .onion sites:

Want to learn more?

Tor Browser makes it all look easy. There’s a ton of technical information on Tor; you can go through the general FAQs page for more info.