How to use TOR as a normal user
21 Jul 2019 - tsp
Last update 21 Jul 2019
11 mins
What is TOR
TOR is a network that anonymizes connection metadata (who is talking to whom) and provides some additional security features on top of that. The name stands for The Onion Router, hence TOR. A TOR client can build arbitrary TCP connections and route them, encrypted, through several hops.
Development and funding
Onion routing was invented at the United States Naval Research Laboratory in the mid-1990s, and the TOR software that implements it has been developed since the early 2000s; the first public release dates from 2002. In its early years (2001 to 2006) it was supported by the Naval Research Laboratory, the Office of Naval Research and the Defense Advanced Research Projects Agency. This heavy support by the US military came from their need for covert communication with personnel in foreign territory, and it is widely assumed that intelligence agencies also use the facilities that TOR provides for their covert operations. Until 2011 about 60 percent of the money the TOR project received came from the US government.
Since about 2014 larger services like Facebook have also been reachable via TOR.
How does the system work
TOR's ability to build anonymized TCP connections into the clearnet is one of its major features. Applications hand their connections to the local TOR daemon, which acts as a SOCKS4a or SOCKS5 proxy server. For each circuit the client picks three relays (guard, middle and exit) and negotiates a separate session key with each of them. Every cell it sends is then encrypted three times: the innermost layer for the exit, the next one for the middle relay and the outermost for the guard. One can imagine that as taking the original traffic and encrypting it so that only the exit can read it, wrapping that blob so that only the middle relay can decrypt it, and wrapping the result once more for the guard. Each relay peels off exactly one layer; the only information it gains is which hop the cell came from (it knows that from the TCP connection anyway) and to which hop it should pass the cell on. The remaining data is still encrypted for the hops further down, so no relay other than the exit can read any clear data. The exit removes the last layer and talks to the clearnet target on the user's behalf, so it sees the traffic exactly as the target will see it, but the only originator it knows is the middle relay, not the original user. The name onion routing comes from these nested layers of encryption.
Since the clearnet target only sees the exit as its communication partner, the exit only sees the middle relay and the clearnet partner, the middle relay only sees guard and exit, and the guard only sees the user and the middle relay, nobody holds a complete link between the user and the clearnet node - hence metadata anonymization.
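As an added illustration (not Tor's own code), the following Python simulates the three-hop circuit described above. It deliberately uses a throwaway SHA-256 keystream XOR instead of the AES-CTR keys a real client negotiates per hop; the hop names, the target example.org:80 and the request bytes are constructed for the example. The point it makes visible is that the guard and the middle relay only ever see an opaque blob plus a next-hop address, while only the exit sees the request.

```python
"""Toy onion layering for a three-hop Tor-style circuit (added example, not Tor's code)."""
import hashlib
import os

HOP_NAMES = ("guard", "middle", "exit")


def _keystream(key: bytes, length: int) -> bytes:
    """Throwaway keystream: SHA-256(key || counter) blocks. Stands in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: encrypting and decrypting are the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def build_circuit() -> dict:
    """One fresh session key per hop. Only the client knows all three."""
    return {name: os.urandom(32) for name in HOP_NAMES}


def wrap(keys: dict, target: str, request: bytes) -> bytes:
    """Client side: wrap the request in three layers, innermost for the exit.

    Each layer's plaintext is '<next hop>\\x00<inner blob>', so a relay learns
    where to forward the cell and nothing about what is inside the blob.
    """
    cell = target.encode() + b"\x00" + request              # what the exit reads
    cell = xor_crypt(keys["exit"], cell)                     # layer 3 (innermost)
    cell = xor_crypt(keys["middle"], b"exit\x00" + cell)     # layer 2
    cell = xor_crypt(keys["guard"], b"middle\x00" + cell)    # layer 1 (outermost)
    return cell


def peel(key: bytes, cell: bytes):
    """Relay side: strip exactly one layer and read the next-hop field."""
    plain = xor_crypt(key, cell)
    next_hop, _, inner = plain.partition(b"\x00")
    return next_hop.decode(), inner


def simulate(keys: dict, target: str, request: bytes) -> list:
    """Walk one cell guard -> middle -> exit and record what each hop observes.

    'from' is not carried in the cell; a relay knows it from the TCP connection.
    """
    views = []
    cell = wrap(keys, target, request)
    prev = "client"
    for name in HOP_NAMES:
        next_hop, inner = peel(keys[name], cell)
        views.append({"relay": name, "from": prev, "to": next_hop, "sees": inner})
        prev, cell = name, inner
    return views


if __name__ == "__main__":
    demo_request = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"  # constructed sample
    for view in simulate(build_circuit(), "example.org:80", demo_request):
        print(view["relay"], "from", view["from"], "to", view["to"], "sees", view["sees"][:24])
```

In the output only the last line (the exit) shows the request in clear; the two lines before it show ciphertext that changes with every fresh circuit, which is exactly why neither the guard nor the middle relay can correlate user and destination on its own.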
Since anyone can run a relay or an exit node, one should never trust them. Never send unencrypted or unauthenticated traffic (plain HTTP instead of HTTPS, unauthenticated and unencrypted SMTP, etc.) via TOR into the clearnet unless you really have a strong reason to do so and are sure you don't leak any information that way: the exit node sees such traffic in the clear and can modify it.
Note: You are highly encouraged to run your node as a relay - this is also perfectly legal and never does you harm. If you have the ability it's also encouraged to run an exit node, but be aware that this might be legally challenging. Normally the operator is not liable for the traffic that leaves through the exit node, but law enforcement might investigate and even confiscate IT equipment or perform house searches when some illegal activity is tunneled via an exit. So you should only run an exit node if you know what you are doing legally, and most certainly not from home but from a rented or housed dedicated server that does nothing else than run a TOR exit node.
Running a relay on the other hand is highly encouraged because your own traffic then mixes with the relayed traffic, which makes timing analysis or bandwidth analysis of your traffic harder - except when you are running hidden services on the same machine; then running a relay is discouraged because there are situations that might deanonymize you as the operator of the service.
One can use nearly arbitrary services via TOR - only a few ports like raw port 25 (SMTP) are rejected by the default exit policy of relays to prevent abuse as a spamming anonymization tool; whether a given port is reachable depends on how many exits allow it in their exit policy.
One should always adhere to some basic rules (mentioned later) when using TOR!
Hidden Services
Hidden services (nowadays called onion services) are the second major service TOR provides. The clearnet access via exit nodes hides the consumer of a service but not its provider. Hidden services add anonymization of the service operator, are only reachable through TOR clients (the connection never leaves the TOR network, so no exit node is involved) and provide some additional security features.
TOR hidden services come in two flavours:
- Basic hidden services that are reachable by everyone who knows the onion address. The service publishes a descriptor naming its introduction points (relays through which it can be contacted) to a distributed directory of relays, the HSDir relays; there is no central registry. With the older version 2 protocol a relay that serves as HSDir learns the addresses it stores, so v2 addresses can be harvested; version 3 services publish under a blinded key, which closes that hole. Since the onion address is derived from the service's public key (a hash of it for v2, the ed25519 key itself for v3) one can be sure that the service reached via an onion address really controls the corresponding private key, i.e. there is no need for a certificate authority. Traffic reaching the hidden service is already end-to-end encrypted, so there is no need (and under some circumstances it may even do harm, for example through a certificate that can be linked to the operator) to put TLS on top of the hidden service protocol (i.e. use HTTP, not HTTPS, for that).
- Stealth hidden services (client-authorized services). These are only used by a controlled set of users who must know an authentication secret. The hidden service descriptors needed to locate the introduction points are encrypted per authorized client; a client without the secret cannot even find out that the service exists, so it's not possible to enumerate stealth hidden services. They are mostly used as entry points into private services or remote management systems. They give confidence that the contacted service controls its private key (i.e. they prove the authenticity of the remote service) and also that the contacting user knows the authentication secret (i.e. they authenticate the user).
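The "address is the key, no CA needed" property above can be checked directly for version 3 addresses. The following Python is an added example (not Tor's code) that derives a v3 onion address from a 32-byte ed25519 public key and parses one back, following the v3 rendezvous specification: address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion" with VERSION = 0x03 and CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]. The keys used are random placeholders; a real service uses its identity key, and proving possession of it (by signing the descriptor) is what Tor does on top of this encoding.

```python
"""Derive and validate version 3 onion addresses (added example, not Tor's code)."""
import base64
import hashlib
import os

VERSION = b"\x03"
ADDRESS_LEN = 56  # 35 bytes = 280 bits -> 56 base32 characters, no padding needed


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that catches mistyped addresses before any descriptor fetch."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """The address *is* the public key: no registry, no CA, nothing to look up."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Recover the public key; raise ValueError for anything that is not a valid v3 address."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != ADDRESS_LEN:
        raise ValueError("not a v3 onion address (v2 addresses are 16 characters)")
    raw = base64.b32decode(host.upper())  # binascii.Error (a ValueError) on bad characters
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unexpected version byte")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: mistyped or tampered address")
    return pubkey


def key_matches_address(address: str, presented_pubkey: bytes) -> bool:
    """The check a client effectively performs: the key the service proves possession
    of must be exactly the key encoded in the address the user typed."""
    try:
        return parse_onion_address(address) == presented_pubkey
    except ValueError:
        return False


if __name__ == "__main__":
    demo_key = os.urandom(32)  # placeholder for a service's ed25519 identity key
    addr = onion_address(demo_key)
    print(addr, parse_onion_address(addr) == demo_key)
```

A single mistyped character is rejected by the checksum, and a v2 address such as the 16-character one used as an example later in this article fails the length check rather than being mistaken for a key.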
If you want to run your own hidden service
I've got another article about that.
How to use (MS Windows, MacOS X, Linux)
When you're using Microsoft Windows, MacOS or Linux and just want to access websites or hidden services via their website, you should really use the Tor Browser (formerly the TOR browser bundle). This is a highly modified and preconfigured variant of the Firefox browser bundled with the TOR daemon. The browser is configured in a way that facilitates safe browsing (see guidelines below). The only things you should really care about are:
- Do not release personal information about yourself via this browser
- Do not enable scripts or plugins via the preconfigured browser addons
- Do not resize the browser window (the window size is part of the fingerprint the browser tries to keep uniform across users)
- Do not install additional fonts or plugins
You can simply run the installer and are good to go. To test your installation you can either use the official check page of the TOR project (https://check.torproject.org/) or access a hidden service like this page via http://jugujbrirx3irwyx.onion/.
On Android?
You can also use TOR on Android. Tor Browser for Android is available via Google Play - or better via direct download from the Tor Project. The Play Store version gets automatic updates; with the direct download you have to verify the signature of the APK yourself every time it changes.
Be aware that you can route other applications through TOR too (Orbot's VPN mode does that), which may also help to prevent an evil wireless or cell communications provider from eavesdropping on your communication - but anonymity with Android devices is really hard to achieve. If you are running TOR in VPN mode some services will leak your personal information anyway, for example Google's Location Services, any Play Services, anything that does automatic synchronization, assisted GPS, etc. On a mobile device, if you want to achieve anonymity, carefully select the applications that you use via TOR. If you only want TOR to protect yourself from your WiFi / GSM provider, go ahead and use VPN mode.
How to use (FreeBSD)
There is no preconfigured browser package for this operating system. You can install the TOR client via the security/tor package
pkg install security/tor
or via ports
cd /usr/ports/security/tor
make install clean
You configure TOR via /usr/local/etc/tor/torrc (the port installs a commented torrc.sample next to it). Normally you want it to listen only on a loopback address (the default is SocksPort 127.0.0.1:9050). Be aware of that if you are running TOR inside a jail - in a jail without its own network stack, 127.0.0.1 is silently mapped to the jail's (often public) IP address, so a SocksPort that looks local may actually be reachable from outside; bind it to the address you mean and restrict it with SocksPolicy.
The default configuration is client-only, which is what you want here; turning the node into a relay needs at least an ORPort and an explicit ExitPolicy (reject *:* for a non-exit relay) and is not covered in this article.
To start the client add tor_enable="YES" to your /etc/rc.conf and then run
service tor start
(or /usr/local/etc/rc.d/tor start) to start it immediately. If you just want to try TOR without starting it on every boot use
service tor onestart
without modifying your rc.conf.
Then you have to configure your browser. Since this is browser specific the steps you should take are:
- Configure the SOCKS4a or SOCKS5 proxy for all connections.
- Configure the browser so that DNS resolution is done via the proxy, not via the operating system or an embedded resolver.
On Firefox (you can install Firefox via the www/firefox package or port) you do this via Tools/Options (or the about:preferences URI), scrolling down to Network Proxy and choosing Settings. Select manual proxy configuration and enter the SOCKS host 127.0.0.1 with port 9050 (the daemon's default SocksPort configured above; 9150 is the port the Tor Browser's bundled daemon uses). Select SOCKS v5 and make sure to tick the "Proxy DNS when using SOCKS v5" option (network.proxy.socks_remote_dns in about:config). If you don't do this you leak metadata to your ISP and your network via DNS queries, and .onion addresses will not resolve at all.
After that disable JavaScript. This is done via the about:config page: the option is called javascript.enabled and should be set to false. If you keep JS enabled you are clearing the way for far too many browser fingerprinting techniques, side channels, etc. While you are there, also set media.peerconnection.enabled to false, since WebRTC can otherwise bypass the proxy and reveal your real IP address. Even with these settings a stock Firefox is still far easier to fingerprint than the Tor Browser, so this setup protects the network path rather than making you blend in with other TOR users.
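What the "Proxy DNS" option changes is visible at the protocol level. The following Python is an added example (not Tor's or Firefox's code) that builds the SOCKS5 handshake a client performs against the local daemon, once with the hostname inside the request (what the remote-DNS setting does, so the TOR exit resolves it) and once the leaky way (the OS resolver is asked first and only an IP address is sent). It assumes a daemon on the default 127.0.0.1:9050; only open_stream() needs a running daemon, the other functions work offline.

```python
"""SOCKS5 CONNECT via the local Tor daemon, with the DNS question made explicit.

Added example, not Tor's or Firefox's code. Assumes a stock torrc, i.e.
SocksPort 127.0.0.1:9050 (the system daemon, not the Tor Browser's 9150).
"""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
TOR_SOCKS = ("127.0.0.1", 9050)  # assumption: default SocksPort on this host


def greeting() -> bytes:
    """Version 5, one authentication method offered: 0x00 (no authentication)."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_request(host: str, port: int, remote_dns: bool = True) -> bytes:
    """Build the CONNECT request sent after the greeting.

    remote_dns=True is what "Proxy DNS when using SOCKS v5" does: the hostname
    travels inside the SOCKS request (ATYP 3) and the Tor exit resolves it.
    remote_dns=False is the leaky alternative: the name is resolved by the OS
    resolver before anything touches Tor, so the local network and ISP learn
    which site is about to be visited, and .onion names cannot work at all.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = socket.gethostbyname(host)  # the DNS leak happens on this line
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(ip)
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def request_leaks_dns(request: bytes) -> bool:
    """True if the request carries an IP, i.e. the lookup already happened locally."""
    return request[3] != ATYP_DOMAIN


def parse_reply(reply: bytes):
    """Return (status, bound_address, bound_port); status 0x00 means the stream is up."""
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = reply[1], reply[3]
    if atyp == ATYP_IPV4:
        n = 4
    elif atyp == ATYP_IPV6:
        n = 16
    elif atyp == ATYP_DOMAIN:
        n = 1 + reply[4]
    else:
        raise ValueError("unknown address type in reply")
    bound = reply[4:4 + n]
    (bound_port,) = struct.unpack("!H", reply[4 + n:6 + n])
    return status, bound, bound_port


def open_stream(host: str, port: int, proxy=TOR_SOCKS) -> socket.socket:
    """Full handshake against the daemon; works for clearnet names and .onion alike."""
    sock = socket.create_connection(proxy)
    sock.sendall(greeting())
    if sock.recv(2) != bytes([SOCKS_VERSION, 0x00]):
        sock.close()
        raise ConnectionError("proxy refused the no-auth method")
    sock.sendall(connect_request(host, port, remote_dns=True))
    status, _, _ = parse_reply(sock.recv(262))  # 262 = longest possible reply
    if status != 0x00:
        sock.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed with status {status:#x}")
    return sock


if __name__ == "__main__":
    print(connect_request("example.org", 80).hex())                      # ATYP 3, name inside
    print(connect_request("127.0.0.1", 9050, remote_dns=False).hex())    # ATYP 1, IP only
```

The same distinction applies to any other program you point at the daemon: with SOCKS4 (not 4a) or a client that resolves names itself, the request never contains a hostname and the lookup has already left your machine in the clear.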
Good practice when using TOR