The Tor browser - a novice's guide

I believe it was Eugene Kaspersky (the Chairman and CEO of Kaspersky Lab) who stated that privacy on the Internet doesn't actually exist: as soon as you're online, your business is no longer just your own. Of course, the lack of privacy can, at times, lead to improved security, but that's a very long discussion, and we're not getting into that right now. Privacy should be a right given to everyone, so I've decided to show you how to take your first steps towards online anonymity.

Tor, also known as The Onion Router, is one of the most popular and effective privacy solutions that you can find. Founded by a branch of the American government in an effort to create an 100% safe way to communicate, Tor is an open source project available to anyone who needs it. But what is this project, and how does it work? When people say Tor, they could be talking about one of two things: either the network itself or a web browser based on Mozilla Firefox that lets you use the network.

In order to understand how Tor works, you will first need to have at least a basic level of understanding of how the Internet works. On the Internet that we know, most websites have addresses that are easy to read such as "google.com" or "yahoo.com", but these are just facades built to make it easier for the human brain. Machines actually communicate through numbers, so each user and website has a numerical address that makes them easy to identify. Whenever you visit a website, a pack of information travels from your IP address (let's say, 214.234.0.5, if you needed a random visual representation) to the website's address (114.104.12.123) and then back to your IP address. If the website in question is using end-to-end encryption, then seeing yourt activity on the website (the information pack) is a bit more difficult for all those who want to spy on you. However, anyone interested - authorities, Internet provider, hackers, etc. - can easily see what websites you've visited, when you did it and for how long you stayed.

To mask your Internet activity, the Onion network uses a number of computers known as nodes to redirect your traffic. This means that whenever you visit a website, the information is encrypted, then sent to a computer within the network which in turn re-encrypts it and sends it to the next computer and so on until your information is sent into the actual Internet to the website you wanted to access. This way, at least in theory, no one can see the websites that you visit or what you do when you're there. Unfortunately, Tor has its fair share of limitations and inconveniences:

  • Exit nodes: the last node that your information passes through before getting out of the Tor network and going to the Internet is called an exit node. The most popular way of 'breaking' Tor's privacy is by monitoring the exit nodes, and although the attackers won't be able to see the information that you sent, they will be able to measure the exact size of the packet. If they can match that number with the size of packet that left from your PC, your activities are no longer private. However, in order to do that, they would first have to specifically target your device or infect it with some kind of malware. As unlikely as it sounds, it already has happened on several occasions, so you should be aware of the possibility.
  • Users dependency: you can't be anonymous by yourself. If you're the only one wearing a costume at a party, then everyone is going to know that it's you, but if a lot of the people present are also wearing costumes, your identity has a better chance of remaining a secret. The Tor network functions on the same principle, and your level of privacy depends on the number of people using the anonymity service.
  • Visibility: while your ISP or other people interested in your activities might not see what websites you access or your activity, the fact that you are using Tor is clearly visible, so if the network is illegal in your country, you should rethink things.
  • Speed: I think that you already know by now that everything comes at a price, and although it won't cost you any money, using Tor will come with the price of your Internet speed. Since the network encrypts and redirects your data several times both when it's leaving and  returning to the PC, you will notice a significant drop in browsing speed.
  • Scripts: scripts generally represent the easiest way for attackers to gain access to your data or even your device. So, using Flash or Java while on Tor helps maintain your privacy just as much as ordering a Coke Diet along with two large burgers helps maintain your figure.
  • Downloading: when you download stuff on your PC, you expose you real IP to the website. While about 1% of the websites actually log the IP addresses of the downloads, and even fewer of them will take the time to replace your fake Tor address with your real IP in their logs, it can still happen. Additionally, the files that you download with Tor should be opened while you're offline and, if possible, in a secure environment such as a sandbox.
  • NO TORRENT: unfortunately, torrent files are a complete 'no, no' as they will ignore your proxy setting and directly reveal your IP to anyone interested.
  • Window size: to avoid screen-canvasing techniques, it is highly recommended that you don't use the Tor browser in full-screen, and if you have a device with a small screen, this may be a bit problematic.

I'm pretty sure that when you first saw the title of this story, you didn't expect such a long expose on Tor, and some of you might have gone into TL;DR mode (Too Long; Didn't Read). That's perfectly fine if you're someone who's just having a look around in a free country. However, if you're using Tor from a country that practices censorship, and you put your freedom on the online by using the Onion Router, you should read as much as possible about the service before trusting it. Now, let's get down to it:

Tor BrowserTor Browser

The first thing that you should do is to visit the Tor website, download the browser, install it on your PC and run it. In case the country that you live in has a problem with the privacy browser, direct download may not work, so the project also provides a GetTor service to help users circumvent censorship attempts. Select how you want to connect to the Onion network -either directly or through a proxy - and wait for the browser to connect to the Internet. Once it does, click on the little onion icon left of the address bar, then choose "Privacy and Security Settings" and use the slider to select the level of anonymity that you want to have, but remember that the more restrictions you select, the less websites will run as they were designed to.

You can use a bunch of IP solving services to see if they can detect you, but from my experience the easiest way to see if websites see you real IP is to visit yahoo.com or google.com and see the country domain you're bounced to. As you can see in the image above, Google thinks that I'm from Turkey, though I'm not, so I know it works. In case the random IP address you were given is too close to home, you can easily change it by clicking on the same onion icon and selecting the "New Identity" option, but that will restart your current navigation and close all the tabs that are currently open. Additionally, you can see the Tor Circuit that you're currently using and choose a new one from the same menu.

Once you're happy with your privacy settings, you can use Tor to navigate to any of the websites that you visit with your regular browser. Just take care when logging into services like Facebook, Twitter, Google, etc. - the ones that already associate your username with your IP address. However, what most find even more interesting are the websites that Tor lets you visit and that can't be accessed using any of the conventional browsers.

Some of you may be unaware of this, but the Internet that you know with websites like Google, Yahoo, Facebook, YouTube, etc., is called the surface Web and is just a small part of the total existing Internet. There's a whole other Internet 'dimension' called the deep Web, and it's a few thousands times larger than the surface Internet. The deep Web sites cannot be accessed with regular tools and aren't indexed by search engines, so you won't find them in your searches. Furthermore, they don't have human-friendly addresses, their names contain a series of random numbers and letter following this format: "http://3fhg56kasdas45.onion".

Nowadays, most people associate the deep Web with criminals, black markets and almost everything that's illegal, but in case you're a journalist who needs to tell the truth, for example, the deep Web also provides anonymous email and website hosting services, which can prove to be invaluable tools. To find them, just google the term 'hidden wiki' and you can go on from there. As I said, there are many people who use the deep Web for illegal activities, so I'm not willing to go any forward with this guide, but if you really want privacy, that's the place to be.

As a final thought on the matter, you should know that the TOR browser isn't a complete privacy solution, and when used by itself, it has many flaws that can be exploited. If you want complete anonymity, you should look into an operating system called Tails and a very reliable VPN service that doesn't save the real IPs of its users.

Comments