How do I use Tor in Firefox

Privacy manual

The TorBrowserBundle contains a modified Firefox browser as well as the Tor Daemon and a control panel. The website provides the TorBrowserBundle for different operating systems and in different languages.

RECOMMENDATION: you should English version of the TorBrowser (en-US) use. In the last few years, bugs in the TBB have repeatedly made it possible to find information on the localization of the browser, e.g. via Javascript date.tolocale () Function (# 5926) or via information from the HTTP Accept-Language header (# 628) or via resource:// URI (# 8725), as the Browserleaks test demonstrated:
If you use the German localized version of the TorBrowser, you may give an indication of German origin, and you want to avoid that when surfing.

Install TorBrowser

Installation is easy. You download the appropriate archive from the download page, unzip it and call the TorBrowser start script. Installation is not necessary.

The TorBrowserBundle can be copied to a USB stick and used on the go, the software is portable. More detailed instructions are available under Installation.

Use TorBrowser

When starting for the first time, the control panel opens first. Here you can configure settings to bypass firewalls in the event of problems (e.g. if a firewall only allows connections to certain ports through) or you can use the Tor Daemon by clicking the button "Connect" start without further configuration.
When a connection to the Tor network has been established, the TorBrowser opens.

Size of the browser window

The TorBrowser starts with a specified size of the browser window. The window width should be a multiple of 200px (max. 1000px) and the height a multiple of 100px. The window size is also provided as the screen size via Javascript.

Since the size of the browser window and the size of the screen are used as tracking features, you should not (!) Change the preset size of the browser window.

Security settings

The following examples of successful attacks refer to the FBI because there are reports of them. But these are only examples (not only the NSA and FBI have capable hackers).

Since December 2016, Rule 41 has allowed the FBI to hack Tor and VPN users en masse, regardless of the country in which the Tor users are located.

  1. In 2016, a Javascript bug was posted on the Tor mailing list that the FBI exploited to install Trojans that deanonymize Tor users. The use was proven on the onion site "Giftbox", which was seized by the FBI.
  2. 2015 used the FBI as part of the operation Playpen a zero-day exploit in the TorBrowser to slip a Trojan on visitors to certain websites and thereby deanonymize Tor users. It is not known which vulnerability in Firefox was exploited. and Mozilla did their best, but the information was given with reference to the "National security"classified as secret.
  3. In the summer of 2013, thousands of Tor users were infected with the FBI Trojan "Magneto" infected. The exploit to install the Trojan used a Javascript bug in the TorBrowser. The installed Trojan sent the IP address, the MAC address and the name of the computer to an FBI server in order to deanonymize Tor users.
  4. The Snwoden documents show that the NSA was able to automatically attack the TorBrowserBundle based on Firefox 10 esr via a bug in E4X (an XML extension for Javascript) and deanonymize users.
The Tor developers decided the tradeoff between ease of use and security in the default settings in favor of ease of use. However, it is also recognized that these settings are a security risk. The FAQ says:
There's a tradeoff here. On the one hand, we should leave JavaScript enabled by default so websites work the way users expect. On the other hand, we should disable JavaScript by default to better protect against browser vulnerabilities (not just a theoretical concern!).

At the start you will be informed that you can adjust the security settings. TorBrowser starts with the lowest security level "Default"in order to limit the surfing experience as little as possible. If necessary, the security level should be increased.

For security-conscious users, the reverse is recommended. By default, you can have the highest security level "Safest" surfing and if it requires a login to a website, to the middle level "Safer" switch. Almost all websites that require a login (e-mail provider, etc.) can be accessed with the level "Safer" use it without any problems.

To adjust the security level, click on the symbol with the shield (2nd symbol to the right of the URL bar) and in the menu that opens "Advanced Security Settings". The settings page will then be opened in the browser.

When you have the security on "Default" malicious exit nodes could insert unsightly things into the HTML code of websites that are loaded via unencrypted HTTP connection. That is not recommended. In addition to the NSA and the FBI, other intelligence agencies also operate malicious Tor Exit Nodes. A leak in data from the Russian secret service provider Systec showed that the FSB also uses this method.

The "surveillance density" and the aggressiveness of the attackers is much higher in the Tor network than in the normal Internet. Therefore, the necessary protective measures should be set significantly higher than with a normal browser.

HTTPS security

sslstripe attacks Bad Tor Exit Nodes, which were demonstrated at the Black Hack Conference in 2009, are still a current problem in 2020.

The TorBrowser contains the add-on as protection against these attacks HTTPSEverywherewhich uses rules to convert HTTP addresses to HTTPS for lots enforces popular websites (but not for all Websites that support HTTPS).

Conceptually, the use of rules downloaded from servers presents some avenues of attack that the developers of HTTPSEverywhere are aware.

An attacker could insert malicious rules and e.g. & hairsp; "" on the malicious side "https: // " redirect or similar ...

That is why the developers of HTTPSEverywhere before standard rates from third parties:

But are the rule sets of the default download servers trustworthy? Even if you trust the quality of the rule sets maintainers, you can never 100% rule out the possibility that a hacker will start at this point and manipulate something ...

Alternative: Since Firefox 78.5 ESR, the HTTPS-only mode works satisfactorily. This means that when the URL is entered, it is rewritten to HTTPS for all Forced websites that support TLS encryption. Also will "mixed content" completely blocked on websites loaded via HTTPS. If an upgrade to an HTTPS connection is not possible, a warning is displayed and you could still access the unencrypted HTTP page if you really want to and accept the risk.

You could therefore use the add-on HTTPSEverywhere Deactivate in the add-on management (i.e.: deactivate (!) and not remove, otherwise it will be active again after the next update from TorBrowser) and under "about: config" Activate the following options: A tracking service cannot detect whether the user "https://www.privacy-" entered or whether the abbreviated entry of "privacy-" was rewritten by the HTTPS-only mode. But there is a slight difference to the behavior of the original TorBrowser, since the developers at decided to use "passive mixed content" (Images, CSS, fonts ...) on HTTPS websites do not try to upgrade to HTTPS and do not block it. However, this does not result in an individual tracking feature, since other users also use these settings.

I do not see any threat to anonymity and the advantages in terms of security outweigh this. (cane)

AdBlocker and tracking protection

The TorBrowser does not contain an AdBlocker and all tracking protection features of Firefox are completely deactivated. The concept of the TorBrowser is not to block advertising and tracking scripts but to guarantee privacy through anonymity.
  1. The anonymity concept of the TorBrowser prevents users from being individually recognized and being tracked while surfing.
  2. Many websites are financed by online advertising. does not want a confrontation on this point in order not to burden the acceptance of the browser.
  3. Tor needs a lot of cover traffic to keep secret operations less noticeable, as Roger Dingledine said at the Wizards of OS conference in 2004:
    The US government cannot use an anonymization system just for itself. Then every time there was a connection, people would say, "Oh, there's another CIA agent looking at my website." when they are the only ones using the network.

It is recommended to follow the concept of An AdBlocker is easy to recognize and different filter lists can be used as a feature for fingerprinting. It is almost impossible to build an anonymity group with identical filter lists.

Cookies and EverCookies

You don't have to worry about tacking cookies and EverCookies with the TorBrowser. The security concept implemented by the developers "Cross-Origin Identifier Unlinkability" reliably protects against tracking and de-anonymization with cookies or EverCookies without significantly impairing the surfing experience.
  • A surf container is automatically created for each domain called. In an isolated environment, this container contains all data that is stored locally in the browser by a website (cookies, HTML5 storage, IndexedDB, cache, TLS sessions ...). These data then form the so-called "context".
  • Access to data in another "context" or another surf container is not possible. This means that different tracking markings are set in the various "contexts" when different domains are called up.
  • When restarting or when you select the menu item "New Identity" If you select the onion in the toolbar, all containers will be deleted. For one "New Identity" a new route through the Tor network with another Tor exit node is also used.
You should follow the TorBrowser anonymity concept and occasionally delete all cookies and other local data by clicking on the onion next to the URL bar and "New Identity" chooses. It is particularly advisable to remove the traces after logging in to a website.

PDFs and other documents

On the download page of the TorBrowserBundle you will find some safety information below, including on PDFs and other documents:

Don't open documents downloaded through Tor while online

You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address.

If you must work with DOC and / or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails.

PDFs and other Office documents can contain tracking bugs that are loaded from a server when the document is opened. If you open them in a PDF reader while you are online, then you can be deanonymized.

By default, TorBrowser opens PDFs in its own viewer PDF.js. You shouldn't be able to be deanonymized with this, but the server can at least register the opening of the document, not nice either. In addition, there are always bugs in Mozilla's PDF.js that can be used for an exploit (e.g. mfsa2015-69 from July 2015).

So that you don't always have to remember to right-click on a PDF link and "Save as..." you can change the setting in TorBrowser for PDF documents and click on "To save" put.
The documents downloaded via Tor can be saved in a special folder. Then you keep an overview and know that you can only open these documents if you have pulled the network plug or the WLAN connection has been switched off.

Own behavior

According to a rule of thumb, anonymity depends only 10% on the technology, 30% on the user's knowledge of how to use the technology, and 60% on the discipline to adhere to the necessary rules.

In addition to the TorBrowserBundle, most readers will also use a normal browser that has been configured for low-trace surfing. Mam has to be clear about when you really want to remain anonymous, which identities, which accounts are anonymous and which topics you want to surf anonymously. These rules must then be strictly adhered to. A single mistake can be enough to deanonymize a pseudonym.

References between anonymous surfing with TorBrowser and low-trace surfing with the normal browser must be avoided at all costs, this can lead to de-anonymization. In particular, copying links between the two browsers is an epic fail. Links can contain individual IDs (such as in a Google search) or other features.

Compatibility of different websites with Tor

There are many references to websites that do not like Tor, cannot be used with Tor, or explicitly block Tor Nodes. Wikipedia does not allow anonymous edits with Tor, some e-mail providers block Tor or reject e-mails sent via Tor as spam, search engines temporarily block the top exit nodes from time to time, Wordpress does not like it when you use Tor Comments writes ....

Some notes from readers can be verified, others are apparently only temporary or only affect a few high-performance exits. You can't check websites all the time. The problem will always be there and a list will become out of date faster than you can type.

If a web service doesn't like Tor, it's best to look for an alternative. The web is big and there is a substitute for everything that can be used via Tor.

On the USB stick

The TorBrowserBundle can also be taken along on the USB stick. If the TorBrowser is started from the USB stick, it leaves no traces on the computer.

Under Linux, some distributions mount USB sticks that have been formatted with the Windows file system vFAT with the attribute "noexec". Of course, the start script no longer works. Either you format the USB stick with a Linux file system (ext2 | 3 | 4) or you change the mount options for vFAT formatted data carriers.

You can also encrypt USB sticks. Veracrypt is recommended for Windows, under Linux you can also use Veracrypt or dm-crypt / LUKS.