Tor Security Guide
This Tor security guide will increase the reader's awareness of available security and privacy measures.
- 1 Homepage
- 2 Blocking Scripts Globally
- 3 Downloading
- 4 TorChat
- 5 Tails
- 6 Removing logs, cookies, and cache
- 7 Accessing Tor on other devices
- 8 Using Public/Hacked WiFi
- 9 Windows 8 is not recommended at all!
- 10 Media Players
- 11 TOR Exit Nodes
- 12 Cookies - How is the NSA using Cookies to Track Tor users?
- 13 Tor2Web
- 14 VPNs/Proxies services (non-Tor)
- 15 Spyware/Malware protection (Windows Only)
- 16 Encryption
- 17 Bitcoins
- 18 Image Metadata/EXIF Removal
- 19 See Also
Homepage
Although the default homepage about:tor for the Tor Browser (or about:blank for any other browser) is boring, don't change your homepage. about:tor shows important information upfront, such as available updates and threat awareness. Regardless, having a homepage could put you at some risk of correlation by a watchful eye, and unless you're sure you use that homepage every time you start up your browser, consider for your personal situation whether it's really worth the ease of use.
Blocking Scripts Globally
When you first install the Tor Browser Bundle, scripts are globally allowed in NoScript. This is very dangerous to your privacy and should be turned OFF. Right-click the NoScript icon (the blue "S" snake icon in a white circle next to the address bar), select Options, navigate to the General tab, and uncheck the "Scripts Globally Allowed" box.
Blocking Plugins and Embeds
Block embedded content (which again is allowed by default) by going to the NoScript options again, this time navigating to Embeddings and ticking all the boxes to forbid Java, Flash, Silverlight, Plugins, Audio/Video, IFrames (note that many sites still make use of these), Frames, and font-face, then click OK.
Blocking HTTP Referer headers (about:config) (Optional)
Referers tell the websites you visit via hyperlinks which website you came from. Although the Tor Browser mitigates the risk of leaked information by confining referers to their respective tabs, and some websites depend on referers to block automated scripts, you may turn referers OFF entirely to fully protect your privacy. Go to about:config?filter=network.http.sendRefererHeader, double-click the result, and change the value from 2 to 0. The next time you open a link, the browser will omit the Referer header and the new website won't know where you came from.
Please note again: this is optional, and turning referers off may prevent you from downloading from some file hosts such as anonfiles.
Downloading
A lot of people keep asking about the download warning in Tor Browser. When you click to download something you are given a warning followed by two options: one is to OPEN the file, the other is to SAVE it. You should NEVER pick the option to 'open'; it has a chance of exposing your real IP address (not your Tor IP) to the website. So ALWAYS select Save and you remain hidden. If you go to the Tor Browser Options (by clicking the menu in the top left corner of your browser), then Options > Options > Applications tab, you can change the settings so files are saved automatically. This will prevent you from accidentally opening a file in the browser instead of saving it. Since opening files can expose your IP address, you don't want to make that mistake. Change 'Portable Document Format (PDF)' from 'Preview in Tor Browser' to 'Save File' and click OK. You could also, as the warning message says, use a VM such as Tails to protect your downloads even more.
TorChat
TorChat is a free, decentralized, anonymous instant messenger that depends on the Tor network. There is no need to sign up, give out personal information, or go through a registration process. TorChat has not been updated in some time, so it is advised to follow the update advice below after first installing TorChat and every time the Tor Browser Bundle is updated as well.
The only issues with TorChat are that you can't block users, and that it allows people who know your TorChat ID to see when you're online; that is, when TorChat is active at your end. For these reasons, only give out your TorChat handle to those you wish to keep in contact with. Keep in mind that if you log off regularly, your logon/logoff times can be correlated with your daily activity.
TorChat Download [ Clearnet link! ]
TorChat suggests that all Windows users upgrade Tor each time a new Tor Browser is released by following these simple instructions:
- Close TorChat
- Download the official Tor Browser Bundle from Tor Project
- Extract Tor Browser Bundle to: C:\
- Copy: C:\Tor Browser\Tor\ files to C:\TorChat\bin\Tor\
- Start TorChat: C:\TorChat\bin\torchat.exe
Tails
Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you use the Internet anonymously and circumvent censorship. All connections to the Internet are forced to go through the Tor network; it leaves no trace on the computer you are using unless you ask it explicitly; and it uses cryptographic tools to encrypt your files, emails, and instant messaging.
It is an extra layer of protection that a lot of people trust and use. To learn more, go to their official website [ Clearnet link! ].
For those with little IT knowledge who are currently using Windows and want to install Tails, you will find a really easy, step-by-step guide at The Giftbox Exchange.
Removing logs, cookies, and cache
No "secure overwrite" method will completely overwrite your deleted files. You are better off fully encrypting your system if you are concerned about privacy leaks, but if you are casually removing cookies, cache, Internet history, and system logs to save disk space or to clean up, check out the following utilities for Windows:
- CCleaner (for regular users)
- CCEnhancer (for advanced users) - Put it in the same folder as CCleaner, click the 'download latest' button in CCEnhancer, then check the new application boxes in CCleaner. Credit to TP @ BV4 for the CCEnhancer info.
- PrivaZer - Compatible with XP, Vista, Win7, and Win8/8.1 (both x86 and x64 architectures) only.
For Linux, check /var/log -- removing anything with a number (.1) or .gz at the end is safe and won't break anything. Type sudo find /var/log -iname '*.gz' -delete and give your user password if necessary. For future logs, read man logrotate and edit its configuration file (usually /etc/logrotate.conf) if necessary. logrotate is the most commonly used mechanism on Linux to control how logs are created and managed, and it can be configured to archive or remove old log files with ease. A few logs are essential for debugging should something go awry, but logs of course contain sensitive information and should be removed when they are no longer needed.
(I am not aware of any Linux utilities that act like CCleaner and clean a wide array of caches and history, but scripts can easily be made for this purpose.) Check behind your installed programs and remove unnecessary data such as Firefox history and anything else you deem a nuisance.
Accessing Tor on other devices
People keep asking if it's safe to access Tor from mobile devices such as phones and tablets. The answer is no.
Yes, there is software that allows you to connect to Tor from such devices; however, it is not full software and has inherent shortcomings. Not to mention, these types of devices have unwanted software, backdoors, and telemetry, none of which can be removed without heavy alteration to your device -- it is doubtful that more than a handful of experts know their way around the system well enough to "clean" it of all this. This means that your IP address (and of course your phone number, if it's a phone) will likely be leaked by some app, and even if the device isn't registered under your name, it is fairly easy to trace a device's location even without GPS enabled. This info is (in most countries, US/EU) legally kept for two years, so they know where you go, where you live, work, or go to school. (Some universities even keep connection logs of their networks so that they may use them later to track where a person has been, if necessary.) Just because Tor is on your phone or tablet does not make it safe.
Using Public/Hacked WiFi
Using someone else's WiFi connection is technically no less safe than using your own (if accessing both over Tor and following the normal security advice). Keep in mind I only mean the encrypted data is no less safe on a public connection, not the act of doing it. However, I wouldn't advise using public or hacked WiFi for the following reasons.
1. The connection would still be encrypted from the WiFi owner, but they could still work out where you were from the WiFi signal strength. They could also tell that you're using Tor (from the packets) as well as how much data you're using, which could lead to them investigating you more closely. They will also get the MAC address (Physical Address) of your Ethernet adapter (an automatic logging process when you access someone else's router), which could be used against you in court if they ever get physical access to your computer.
2. As said public places have the Public, I read 20+ news reports of people using public or hacked wifi in public places as well as outside someones house (who's had their wifi hacked) and been caught red handed by chance mostly. One guy traveled 40 miles to hack someones wifi late at night in his car to download cp, however his screen was spotted by a dog walker who called police and the guy was arrested. You can never be sure who can see your screen, or who may come up to your computer/ look over your shoulder to get a peek or ask a question.
3. Eyes in the sky are also a risk, since most public places these days have a lot of security cameras, some hidden and others in plain view, as well as members of the public with cameras on their cellphones, so you can never be 100% sure your screen can't be viewed, or that someone can't take a quick photo proving what you've been up to and use it as evidence against you later, or even blackmail you.
4. It came out last year that an encryption company ran a test on computer encryption and basically broke what was said to be the world's strongest encryption. How? By simply using audio devices to LISTEN to the sounds the computer made while someone was inputting their encryption passphrase. This would be unlikely to be used often, even with the 100% success rate it's claimed to have, and would probably only be used on terrorists under surveillance. However, if you use the same public WiFi connections often and have raised suspicion in the past, it's possible this new technique could be used against you, which would basically render even full disk encryption useless. This only breaks computer encryption when passwords for it are being input; it does not break any Tor-encrypted data travelling over the WiFi.
5. Another thing people forget about when accessing someones WiFi connection for illegal purposes is Cell Phones. And you can bet LEA will contact all phone companies to order a list of all phones that where on and in that area at the time (If a criminal investigation is started). Even if a person hasn't registered the phone itself the person can still be traced in many ways. The main being they know and log all a phones movements via their phone signals, they can determine where the person is living from those records alone. On top of that the phone company still retains ownership over the SIM card in peoples phones, so if a person has contacts saved on SIM card, the phone company can send that information back to themselves, thus getting peoples home phone numbers, work numbers etc. As well and more than likely being about to trace how the cellphone was topped up, eg where the person brought the credit from and with what method.. So the key point is don't have a cellphone with you if you use other peoples WiFi for illegal purposes, or if you do turn it off before going near the WiFi area. Keep in mind some older phones don't totally turn off when you switch them off, it's been said some older phone basically go into power saving mode and are still on and check for updates etc. So best not to bring them at all or remove the battery instead.
Windows 8 is not recommended at all!
All Windows 8 machines contain a chip called Trusted Platform Module (TPM), this chip is meant to block access to software and hardware which could be harmful to your system or avoid software conflicts (that's the good news). The bad news is it also allows Microsoft FULL access to every Win 8 machine remotely, the chip cannot be turned off in win 8 nor will a firewall, anti-virus protect your system from Microsoft having full control over your system. Which of course means NSA and alike can also get access to machines/monitor cams, take screen shots and record users, undermine other security programs like encryption. The NSA tried making a backdoor chip, law years ago, meaning it would be illegal to own a machine without such a backdoor chip, however due to privacy the courts didn't allow this law to pass. And now with Windows 8 comes with the chip that does just what the NSA wanted. Its not law that you have to use it, so don't. If you doubt this or think I'm being paranoid have a read of this.
Please note: if you want to check whether your PC has a TPM chip, hold the Windows key and press R. That should bring up the "Run" console; then type "tpm.msc". You should now have a window that tells you whether or not you have a TPM installed in your PC. Credit to Raykom @ H2TC for the info.
When playing on topic stuff in your media player its recommended to be offline OR have that program blocked in your firewall from outgoing connections. Media players have a nasty habit of connecting directly to the internet (by passing tor network). They're normally checking for updates, but can also in some cases send back information including Real IP Address, file names, descriptions, and Hash codes of the files themselves. Some offer free built-in subtitle searches, which basically copy to hash code of the file your playing, send it to their server and they scan it for a match to provide subtitles. However Interpol and other agency's offer some large and small companies lists of all hash codes of known cp files to Microsoft and alike, and when they do a subtitle search they could also check the hash code of the file your playing against the known cp hash database as well. Microsoft are already using this Technology to search cloud servers like Skydrive for CP hash matches, This could apply to all media players not just Microsoft's, so its recommended to be offline or block outgoing connections from media player/s you use for topic stuff in firewalls. If you pick to block the media player instead of being offline while viewing topic stuff on it, don't forget to check for updates for the player (since blocking outbound connections will prevent auto updates).
TOR Exit Nodes
All traffic over Tor is encrypted and ISPs can't see what you're doing; however, after your requests have been bounced around the different Tor nodes, the last node/computer on the Tor network you're connected to (known as an Exit Node) can see the traffic in plain text. They do NOT see your real IP address; that is still hidden and was replaced with a Tor IP (from the first node you were given on connecting to the Tor network). But the exit node can find out where you have been, what sites you have been looking at, and if you input usernames/passwords they can see them as well. Some exit nodes keep no logs; some, however, are run by companies and people who actively record/log the exit node data. And of course it's known that some exit nodes are run by governments around the world. So keep in mind they can see the information you request, but cannot see your real IP address. So it's advised not to link your Tor identity to your real identity: NO shopping online or logging into your real email accounts etc., as from there they can see the information and link you to your real identity, or LEA can, for example, request the account information/IP address of the user who owns that Amazon/eBay/YouTube/Gmail or other account. They can only see this information if the connection was not over HTTPS (encrypted), so if there is a second layer of encryption they can't view that information. However, it's always my advice to avoid using Tor even over an HTTPS connection to access accounts that could possibly be linked back to your real identity.
Update: NSA & GCHQ have broken/cracked the SSL encryption used for 'https' connections and can decrypt that data. The information was leaked by Ed Snowden. So again, don't mix up your personal life with your Tor life even over https/SSL connections; it's not safe, and we know this for a fact now.
Cookies - How is the NSA using Cookies to Track Tor users?
Let's suppose there is a famous online shopping website, owned or controlled by the NSA. When a normal user opens that website from his own real IP address, the website creates a cookie in the user's browser and stores the real IP address and other personal information about the user. When the same user visits the same NSA-owned website again, this time with Tor enabled in the same browser, the website reads the last stored cookies from the browser, which include the user's real IP address and other personal information. Further, the website just needs to maintain a database of real IP addresses against the Tor-proxied fake IP addresses to track anonymous users. The more popular the site is, the more users can be tracked easily. Documents show that the NSA is using online advertisements, i.e. Google Ads, to make their tracking sites popular on the internet.
How can you avoid Cookie tracking?
One browser can't read the cookies created by another browser (as far as we know at the moment, but this may change in the future, or become public). So don't use Tor in the same browser that you use for regular use with your real IP address. Only use the standard Tor Browser Bundle for anonymous activities. You should always clear the cookies (with CCleaner or similar) after you're done, so any stored information, such as login information, will not be stored on that computer. If you're doing something very interesting, you should use Tor on a virtual machine with the live OS so that cookies, cache, and other OS data are dumped when the machine is closed.
VPNs/Proxies services (non-Tor)
A virtual private Network (VPN) service basically are meant to do the same job as tor but offer faster speeds (normally), they're job is to replace your IP address with one of their own and encrypt your connection. The very important difference with VPNs vs Tor is that VPN know your real IP address, Tor does not. VPN's are required by law to hand over your information if demanded to do so by the courts. VPN services are also required by law in most counties to log users data, just like other ISPs are for currently a min of two years. So you see using VPN's for illegal purposes doesn't work as you would think. Some VPNs try to hide they keep no logs by saying 'We hold no content logs', content logs are basically all the URLs you visited and data you uploaded and downloaded while using the service. LEA don't need 'content logs' all they need and want are you persons IP address, and IP addresses are logged by law and not part of the 'content logs' the VPNs refer to. So they will and do mislead paying users, even lulzsec members (hacking group) got busted because they too trusted a VPN called 'HideMyAss'. 'HideMyAss' also claimed to have no logs, after they handed over IP addresses to the UK police who then handed over the data to the FBI, this VPN admitted it legally still had to keep ip address data. Some will also mislead people by saying they use IP-sharing services, meaning 10-30 customers will be given the same VPN IP address at the same time. And the VPNs that use this claim this will protect the users, because LEA may come to them and say for example this IP address was downloading CP on this date and time. And the VPN then can say well 20 people where using that same IP address at the same time, so we don't know which one was downloading the CP. However LEA can then simply legally order all logs for those IP addresses on the list that shared that same IP connection. 
From there they can then match other CP downloads at different times and see which real IP address keeps coming up on the list of people using the VPN to download CP. So basically it may take LEA a bit longer to work out but even if the VPN uses shared ip-address services the people behind them can still be found out. So Tor is still your best bet for the reasons given, some people may use free VPNs AFTER connecting to tor, which means the VPN only ever gets your Tor ip address and since its free it holds no subscriber info as well. Keep in mind if you use tor with other proxies/VPNs then your connection speeds will be slower tho. NEVER trust VPNs or subscribe to them or connect to them before connecting to Tor. Some VPN services now ask for min details or even fake name, address etc and offer payments via Bitcoins etc. Again this is misleading since yet again they will and do by law keep your real IP address on record, which is all the LEA normally need or want to locate the person under investigation.
Spyware/Malware protection (Windows Only)
Of course you should have an anti-virus and firewall product installed and updated on your system, but as an extra layer of protection you should always have and use at least one spyware scanner program. I can't recommend software for other operating systems because I don't use them, so I won't recommend something I haven't used. However, if you're not using Windows I'd recommend doing a search yourself and seeing what's out there for your operating system. As said, spyware scanners are an extra layer of protection and often find things that could be a threat to your privacy that an AV product won't. If you're only going to use one, I'd say Malwarebytes is currently the best free anti-malware product available for Windows at the moment. Spybot used to be the best years ago and I used to love it; however, since they started doing a paid-for version as well as a free one, the free one is more bloated and doesn't offer the same detection rates it used to.
Malwarebytes Anti-Malware - https://www.malwarebytes.org/downloads/ System requirements: Windows 8.1®, Windows 8®, Windows 7®, Windows Vista®, Windows XP® (32-bit, 64-bit)
Spybot - Search & Destroy - http://www.safer-networking.org/mirrors/ Available on Windows 7/8/Vista/XP
Please note: You should use any spyware scanner while Offline, just in case they ever start searching for MD5 child porn matches in the future. Always backup registry before removing suspect files with anti-malware products and send items to Quarantine instead of deleting suspect files. Spyware scanner's do often result in a lot of false positives, so you may need to recover files that may have been ID'ed as Malware by mistake. So always use caution when using products like this, just as you would with registry cleaners and alike. Also if you use keygens or hacking software (port scanners etc) just like AV software spyware/malware scanners will normally flag/give false positives for such software/programs.
In this game Encryption is a must! I would recommend Truecrypt to encrypt your Whole hard disk. Truecrypt doesn't offer full disk encryption for Linux only containers, in which case for Linux users use Linux Unified Key Setup (LUKS) instead for full encryption. Full hard drive encryption will encrypt all files on your HDD (doh) but that also includes all deleted files as well. If you have files deleted that were not shredded/overwritten before installing turecrypt then you need to run the 'free space' shredder option. This option will come up during the encryption process when using the program to encrypt your drive for the first time. There are step by step instructions how to use the full disk encryption on the net. Again full disk encryption can be used to encrypt everything including any footprints/history/cache etc (which is good), some people only bother to use encrypted 'containers', which will NOT encrypt logs and other footprints by itself. Personally I use Truecrypt full disk encryption and also have encrypted container with my topic stuff in it, two layers of encryption is best.
Update: Leaked by Ed Snowden: both NSA & GCHQ have broken the 'https' SSL-based encryption used for banking/shopping/cloud/mail sites. It's also possible they have broken TLS-based encryption (used for Tor connections). But if they have broken internet connection encryption, it's also possible they're trying to use the same methods to break AES encryption. AES is used by all major encryption packages including TrueCrypt; given this information, I'd advise anyone who has encrypted their drives with AES-only encryption to change the type of encryption used as a precaution. TrueCrypt and the like allow you to use different types of encryption when encrypting drives; at the moment the combo of the AES-Twofish-Serpent algorithms is probably the strongest to use. Keep in mind that if you do opt for a combo algorithm it's safer, but reading/writing that disk will be slower since it has more work to do encrypting/decrypting data (which is why most just use AES, because it was strong years ago and fast). Also, even if they could break AES as well as SSL (which has not been confirmed nor mentioned by Snowden), I doubt they would use this crack very often against AES. I'm guessing, like with other things, this would only be used against top-level targets like drug lords, other countries' communications, or terrorists rather than us, to prevent public knowledge that they could break AES. (This information pre-dated the Heartbleed bug going public by at least 3 months.)
Windows Users Only - TrueCrypt's homepage is http://www.truecrypt.org. Download version 7.1a from the TC fork project, since the TC site stopped the project (do NOT download version 7.2 from the TC site; it is a suspect decryption-only version). 7.1a is at the bottom of this page - http://truecrypt.ch/downloads
Linux Users Only - Linux Unified Key Setup (LUKS) - https://code.google.com/p/cryptsetup Credit to Prince@H2TC
Mac Users Only - Currently unavailable. TC doesn't offer full disk encryption to Mac users, only unsafe containers, and LUKS doesn't work on Macs. So without open source full disk encryption software available to Mac users, it's unsafe.
Also, a side note: there is only one loophole in TrueCrypt, and that's one option that is not on by default. This can be manually changed/corrected in seconds. After installing the program and setting up full disk encryption, click on the TrueCrypt icon in the task manager, click Settings > Preferences, then tick the boxes 'user logs off', 'Screen Saver is launched', and 'Entering Power saving mode' and click OK. This now means that TrueCrypt will also encrypt/protect the hibernate file (which could store/leak passwords).
EDIT: The Windows hibernate file can save things from memory like passwords and usernames (even the TrueCrypt password) to the hibernate file in plain text (unencrypted). You can turn the hibernate file off in Windows altogether for extra safety. Press the Windows key, then type 'cmd'; cmd should pop up in the programs list. Right-click it and select 'Run as Administrator', then type 'powercfg /hibernate off'. This should turn the hibernate file off. Credit to TP @ BV4.
Bitcoins
Bitcoins etc. are meant to be an anonymous way to pay for services and are used regularly by people all over Tor for sites/services like Silk Road. Please keep in mind Bitcoins are NOT a truly anonymous currency and there are indeed ways to track transactions. Bitcoins, like all e-currencies, have public records that show people what address/account number holds how many bitcoins, and this public record can be followed by LEA etc. to the time you pay out the coins into a bank account.
Bitcoins are also regularly targeted by hackers, and indeed bitcoin banks themselves have been suspected of simply stealing the coins they were meant to be looking after. Bitcoins are not backed by any government, so they're not insured like normal money in banks. So once stolen, that's it; you've lost your money.
There are "services" on Tor that offer to launder your coins for a fee; these services can also just steal your coins, or take a cut for their 'service' and give you back the same coins without laundering them at all. So use them at your own risk.
Image Metadata/EXIF Removal
For anyone producing original images or videos one of the post-process jobs you should carry out before uploading/sharing them is to remove metadata. Metadata can include clues that could help LEA in trying to track down people, even to the point it leads them straight to your door. Metadata in images contains the make and camera model, date the image was taken, the software used to edit the images, with videos it can also include the language version or editing software used. And by far the worst is GPS location data, being included in images metadata taken with internet accessing devices such as cellphones. We've seen so many producers spending years being careful what they say and do only for them to share a few images they took on their IPhones that included GPS data. And remember this is not only important to producers, i recently saw a tactic used asking for pedos to post dick pix of their own dicks. Again NEVER forget to remove metadata from images shared even if they're only of body parts of yours or kids. Its a common LEA tactic to ask for dick photos of pedos on Tor, and thats the reason why. They hope you will take an image on a cellphone and will have GPS data embedded within the photo that you share with them, and thus being traced.
There are many programs that will remove metadata just listing one as an example - xnview - xnview.com
As for video recording its harder to remove their more hidden metadata because there is currently no set standard with dealing with video formats metadata. But that data can be very revealing as well and can include language information about the editing software used, as well as the date of creation listed within the data. And if downloaded of places like Youtube etc youtube embed their own unique ID within videos that are uploaded, so that they can be tracked. The only current way i know of to remove video metadata is to convert the videos file format, which wipes the metadata clean.
Mediainfo is a little program that will give you access to most of the embedded metadata within video (but wont let you change it) - www.mediaarea.net