How to Use Tor Safely

How to Use Tor Safely

How to use Tor safely? Though Tor provides security and anonymity for its users, it does not guarantee this protection unless its users use it correctly.

In this article, we explain how to use Tor safely to strictly protect their online privacy, Tor users should follow carefully the tips and guidelines outlined in this article.

What is Tor?

Tor (short for The Onion Router) is an open source project and a free software that aims to provide online privacy and anonymity for browsing the Internet. Tor achieves this privacy and security by routing Internet traffic through specially crafted relays that encrypts and decrypts transient data in a layered fashion. Fundamentally, it hides the IP addresses of its users (anonymity) in addition to encrypting (secrecy) the traffic while browsing online.

The relays, a.k.a. onion routers, are non-proprietary and operated by thousands of volunteers around the world. This mechanism of exchanging traffic over a number of onion routers makes it extremely hard for anyone to identify the source of the information. Additionally, encrypting data multiple times in layers further prevents prying eyes from eavesdropping and analyzing your data.

In addition to surfing anonymously and in secrecy, Tor also allows for hosting specially designed hidden websites, a.k.a., onion sites, that are accessible only through Tor network.

Who Created Tor?

Tor (The Onion Router) was developed during the early 2000s by Naval Research Lab and the Defense Advanced Research Projects Agency (DARPA). The project was mostly funded by the US State Department and Department of Defense (DoD), though there were other supporters too, such as Electronic Frontier Foundation, Knight Foundation, and Swedish International Development Cooperation Agency. After its public release in 2002, it has transformed into what is now known as Tor Project, an open source anonymity service project.

Quote by Martina Navratilova
Quote by Martina Navratilova

Security used to be an inconvenience sometimes, but now it’s a necessity all the time.

Martina Navratilova

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

How Tor Works?

To provide anonymity for its users, Tor browser does not connect to the web server directly. Instead, it constructs a virtual circuit that consists of a random set of 3 onion routers. Connection is established through this path and web surfing traffic exchanged over it.

Tor browser encrypts any data in 3 layers before sending the packets to the first onion router, a.k.a. the guard node. Guard node decrypts the first encryption layer only to find out to which middle node it needs to transfer the packet. Then the middle node decrypts the second layer of encryption before passing it to the last onion router, a.k.a. the exit node. Lastly, the exit node decrypts the last encryption layer on the packet to determine the IP of the website and then forwards it to the destination.

This model provides perfect security against third party actors interfering with the communication. If any traffic is captured between the source (web browser) and the first node, no information can be deduced about the final destination, that is the website. Regarding the traffic exchanged between the middle node and the other nodes, it is not possible to gather any information about both the web browser and the website. Lastly, the traffic between exit node and the web server hides the source (the web browser) successfully.

In this model, the website can not detect the IP of the web browser either, since it is masked by the IP of the exit node. The Tor browser also takes additional measures to prevent any unintentional data leaks. For this purpose, it disables scripts (such as Java Script), plugins and cookies, and blocks transfer of any data (such as user’s operating system, screen resolution etc.) that could help identify a user uniquely.

To learn more about how Tor works, you could also watch the following YouTube content.

How Tor Works

How Secure Is Tor?

Tor has been designed securely and currently there is no publicly known attack to break its security and anonymity functionality. However, it should be kept in mind that a number of governments are developing and trying repeated attacks against it.

For instance, NSA has revealed that they could de-anonymize a small fraction of Tor users, though they couldn’t and will never be able to de-anonymize all of the users. However, through other practical attacks, such as infecting the computers or exploiting the vulnerabilities on users’ machines, it is possible to identify the Tor users and reveal their secret communications.

How to Use Tor Safely?

Though Tor provides security and anonymity for its users, it does not guarantee this protection unless its users use it correctly. To strictly protect their online privacy, Tor users should follow the tips and guidelines explained below carefully.

Tip 1: Use HTTPS Only

The first thing you should know about Tor is, only the traffic between the router and the exit node (last onion router) is secured with the onion encryption mechanism. Thus, the traffic between the exit node and the web server shall be transmitted in clear if HTTP is used instead of HTTPS. In this case, though it is not possible to determine the IP of the user, the data transferred can be sniffed, analyzed or even modified by the malicious third parties.

State it differently, Tor provides an additional encryption mechanism inside the Tor network, but it doesn’t encrypt the traffic once it is outside the Tor network (between the exit node and the web server). Thus, you should strictly avoid connecting to HTTP web sites and only use HTTPS when browsing the Internet.

Tip 2: Use a Secure Host System

As any other software, Tor browser simply runs on top of an operating system. Thus, it is not only your browser, but also the operating system and the firmware running on your computer that matter to achieve a strict anonymity protection. Obviously, if your computer’s operating system is compromised, Tor by itself can’t protect your privacy.

For this purpose, you should use an up-to-date operating system and make sure that your computer is free of any malware that could secretly compromise your anonymity to the malicious actors trying to detect your identity.

Tip 3: Use a Privacy Based Operating System

Though using Tor above ordinary operating systems, such as Windows, MacOS, Linux, increases online privacy, it is still possible that your anonymity could be compromised through information leaked by these operating systems or other applications running on top of them.

For this reason, you should consider running Tor on privacy enhanced Linux distributions, such as Tails or Whonix. These operating systems provide a security gateway where all network connections are forced to go through it and tariffed before routed to the Internet.

Tip 4: Disable Active Content

Active content such as JavaScript, ActiveX. VBScripts, Java, Flash, QuickTime etc. run with the user’s privileges in your browser and they can collect and share data that could compromise your anonymity severely. They are used prevalently by websites to collect information on their users and track them. If active content is enabled, Tor by itself cannot protect your data. Thus they should be disabled in your Tor configuration.

For this purpose, you should change the security level on the Tor browser to Safest to make sure JavaScript and other plugins are disabled, so that no unexpected information leakages can occur.

Tip 5: Do not Provide Any Personally Identifiable Information

To defend against threats posed by the websites, no personally identifiable information (PII) should be disclosed while browsing, even in the HTTPS mode. In other words, Tor can anonymize connections, but still users are responsible for keeping themselves anonymous. For instance, if you provide any credentials to the website or give out your real email, obviously no encryption mechanism can hide your identity from the website.

Tip 6: Use Anonymity Compliant Search Engines

You should avoid using Google to search the Internet, since it is known for collecting lots of information on users’ browsing and search habits, besides the data about the computer and browser being used for surfing the web. Instead, anonymity oriented search engines that do not collect and store users’ data, such as DuckDuckGo or Startpage should be considered as alternative services.

Tip 7: Do not Use P2P

Bear in mind that neither P2P services are Tor compliant, nor Tor has been designed for P2P. As a rule of thumb, you should avoid using torrenting with Tor since it is not anonymous by its nature. Moreover, it will only serve to slow down the speed for others using the Tor network.

Final Remarks

Tor is a great tool to provide security and anonymity while surfing the Internet. However, Tor by itself can’t protect its users if the users are not careful enough to protect their privacy. Technical measures provided by Tor can be negated by simple human errors. Thus, the tips and best practices outlined above should be taken into account to achieve strict anonymity while using Tor.

To get more insights about Tor, you could also read our article What is Tor?