Using Tor Correctly: Anonymous Browsing Edition

by Tim McCormack - reprinted with permission of the author

http://www.brainonfire.net/2006/10/21/tor-best-practices-anonymous

Tor is a popular system for sending Internet traffic anonymously. It is mainly used for three purposes: hiding one's identity, hiding the identity of the site one is visiting, and hiding the data that one is sending and receiving. However, using Tor without some basic precautions is worse than not using Tor at all, leading to privacy violations, data theft, and security concerns. Here, I cover browser security with respect to preventing identity and data leakage when using the Tor network. If you are only using it to defeat web filtering, feel free to read only the section called, "Locking yourself down."

At the end is an executive summary. Use it as a guideline, but make sure to read this entire article first -- it contains important instructions on how to change your browsing habits.

Security is a mindset

Anonymity, security, and privacy are not all-or-nothing. Each is a continuum, and the goal of the security-conscious individual is to move a reasonable distance towards the secure end of the spectrum. How far an individual decides to go depends on the specific circumstances: the importance of the data or identity being protected, the consequences of a breach, the likelihood of an attack, the resources of the attacker, and the resources of the individual. In this guide I am concentrating on defeating automated attacks by a casual attacker. Anything beyond that likely falls outside of the realm of Tor security, and more into the realm of application, data, and physical security. Besides, it would be silly to put in place any security measures more robust than Tor itself -- remember that Tor is experimental software.

I will first discuss the Tor threat model, and only then provide suggestions as to how to alleviate threats. You need to understand the system you are using before you can really rely on it, otherwise you will develop a false sense of security. So hang in there.

What you need to know about Tor

Tor uses a client-peer model. The client is what you install on your computer. It accepts connections from other programs on your computer (such as web page requests from your browser) and sends the data out to the Tor network. (Any responses also come back through the Tor client.) Note that the Tor client is data-blind, meaning that it does not check the data flowing through it for potential identity leaks or malware.

Any program that wants to use the Tor network has to be configured to do so.

Simply installing the Tor client is not enough.

Each of the peers is a computer like your own, but running an extra part of Tor: the server. These computers are referred to as "nodes" or "onion routers", and your data flows through them. When data leaves the Tor client, it passes through a randomly predetermined chain of these nodes. Due to the Tor algorithms, each node only knows who is immediately before and after it in the chain. Only the first one knows who you are, and only the last one knows where your data is going. Only the last one (the "exit node") can read the data you are sending out. Note that it can also alter the data you are sending and receiving. Therefore, the trustworthiness of the websites you contact is not relevant, since the data you and they send has to pass through an untrusted third party.

Threat model

Attacks can be launched against the Tor network itself, such as timing attacks, but we're not concerned about that here. The goal is to secure the data that is flowing through the pipes, and let the Tor programmers secure the pipes themselves. Here are the threats you need to be concerned about:

• Personally identifiable information (PII) that you send out
• Code sent to you that will reveal your identity from inside Tor, and
• Code sent to you that will reveal your identity from outside Tor.

Locking down Firefox

Make sure you have the latest stable version of Mozilla Firefox installed. Older versions have known security holes.

For several reasons, you should create another Firefox account. (Another reason is to keep you mindful of when you are using Tor and when you are not.) The best way of doing this is to create another user on your computer specifically for Tor browsing. If you can't do that, learn how to use the Firefox profile manager. The rest of these instructions will assume you are using that new Firefox account.

Locking yourself down

Ultimately, you are the weakest link in the chain of security. Here's the proper mindset for browsing through Tor: Assume that the URLs of the pages you ask for and any data you send or receive is being broadcast to the entire world. Assume that the exit node has secretly altered the page you are looking at, or even altered your request to secretly go to a different website. Since the data you send and receive can be altered and read by an untrusted third party, how can you do anything at all? There's one trick that will defeat a malicious exit node: SSL. When a page's URL begins with https://, that means that SSL is in effect. SSL prevents the exit node from reading the data going back and forth or altering it. (It can only see three things: the site you are talking to, the timing of the data, and the size of the data.) If you visit a site and the browser tells you that the SSL certificate may be invalid, don't trust it! If there is any doubt about the authenticity of the SSL certificate, pretend the site isn't using SSL at all, and act accordingly.

This means never log in to a site if the login does not use SSL. Otherwise, your password will be stolen.

Just to be on the safe side, turn on warnings for secure and insecure sites. At the Firefox configuration URL (type about:config into the address bar and press Enter), find the keys beginning with security.warn_. Set all of them to true, except for the ones ending in .show_once, which should be set to false. Then set security.warn_entering_secure to false -- you really don't need to be alerted to that.

I recommend installing a theme from mozilla.org that is somewhat different from your usual theme. This will help you remember that you are using Tor (and should therefore browse defensively.)

Additionally, if you are using Tor for anonymity... don't send any information that can identify you. Don't use your real name or email address, for instance.

Keeping PII out of the data

Now that you have a clean slate to work from, let's make sure it doesn't get dirtied up. In Firefox, open the Preferences window (Mac: Firefox -> Preferences, Linux: Edit -> Preferences, Windows: Tools -> Options.)

Websites are allowed to store bits of information (called "cookies") on your computer, so they know who you are when you come back. This is great for regular browsing, but not when you want to dissociate from your real identity. (A website might notice that your real identity and Tor identity are using the same cookie, meaning you're the same person.) Since you've already created a new Firefox account, you won't need to worry about crossover. However, you do have to worry about cross-site cookies. Under Preferences -> Privacy -> Cookies, allow cookies for the originating website only, and have them kept only until Firefox is closed. You may wish to disable cookies altogether, and use the Exceptions button to allow specific sites.

Remove internal leaks

Leaks within the Tor channel are generally caused by plugin technologies such as Java and Flash. These can share information about you across sites, and more importantly they know your real IP address and can communicate this back to their home server. Install the following extensions from mozilla.org:

• FlashBlock: Blocks Flash objects by default.
• NoScript: Block javascript and plugins, allow selectively. In the NoScript options, disallow everything (for now). Disabling Java here is equivalent to disabling Java in the Firefox Preferences window.

Remove external leaks

Webpage requests are not the only data that are sent out when you visit a URL. Your browser also has to determine what the IP address of the server is, a process called DNS resolution. To force DNS requests into the Tor channel, visit the special URL about:config and find the key network.proxy.socks_remote_dns. Set it to true.

Summary

(I sure hope you read all the stuff above this and didn't just skip down here right away.)

1. Create a new Firefox account (use the profile manager or a new user account in your OS)
2. Assume someone is maliciously reading and altering everything not sent through an https:// connection with a good certificate.
3. In about:config, turn the security.warn_* alerts on, and the one-time options off.
4. Set the about:config property network.proxy.socks_remote_dns to true.
5. Use a different Firefox theme.
6. Allow cookies for the originating site, and only until Firefox is closed. You might turn cookies off.
7. Install the FlashBlock and NoScript extensions, and configure them to disallow everything.

Oh, and now would be a good time to install the TorButton extension, configure it to display the way you like, and turn it on. Once you've done that, go to Preferences -> Privacy and use the Clear Private Data tool.

This set of guidelines is not complete, but following it will probably put you ahead of the majority of Tor users. Armed with some knowledge of how the Tor network functions, you will be able to make better choices. Safe browsing!

Top