How do I use Tor in Firefox
Installation is easy. You download the appropriate archive from the download page, unzip it and call the TorBrowser start script. Installation is not necessary.
The TorBrowserBundle can be copied to a USB stick and used on the go, the software is portable. More detailed instructions are available under Installation.
Use TorBrowserWhen starting for the first time, the control panel opens first. Here you can configure settings to bypass firewalls in the event of problems (e.g. if a firewall only allows connections to certain ports through) or you can use the Tor Daemon by clicking the button "Connect" start without further configuration.
Size of the browser window
Since the size of the browser window and the size of the screen are used as tracking features, you should not (!) Change the preset size of the browser window.
The following examples of successful attacks refer to the FBI because there are reports of them. But these are only examples (not only the NSA and FBI have capable hackers).
Since December 2016, Rule 41 has allowed the FBI to hack Tor and VPN users en masse, regardless of the country in which the Tor users are located.
- 2015 used the FBI as part of the operation Playpen a zero-day exploit in the TorBrowser to slip a Trojan on visitors to certain websites and thereby deanonymize Tor users. It is not known which vulnerability in Firefox was exploited. TorProject.org and Mozilla did their best, but the information was given with reference to the "National security"classified as secret.
At the start you will be informed that you can adjust the security settings. TorBrowser starts with the lowest security level "Default"in order to limit the surfing experience as little as possible. If necessary, the security level should be increased.
For security-conscious users, the reverse is recommended. By default, you can have the highest security level "Safest" surfing and if it requires a login to a website, to the middle level "Safer" switch. Almost all websites that require a login (e-mail provider, etc.) can be accessed with the level "Safer" use it without any problems.To adjust the security level, click on the symbol with the shield (2nd symbol to the right of the URL bar) and in the menu that opens "Advanced Security Settings". The settings page will then be opened in the browser.
When you have the security on "Default" malicious exit nodes could insert unsightly things into the HTML code of websites that are loaded via unencrypted HTTP connection. That is not recommended. In addition to the NSA and the FBI, other intelligence agencies also operate malicious Tor Exit Nodes. A leak in data from the Russian secret service provider Systec showed that the FSB also uses this method.
The "surveillance density" and the aggressiveness of the attackers is much higher in the Tor network than in the normal Internet. Therefore, the necessary protective measures should be set significantly higher than with a normal browser.
sslstripe attacks Bad Tor Exit Nodes, which were demonstrated at the Black Hack Conference in 2009, are still a current problem in 2020.
The TorBrowser contains the add-on as protection against these attacks HTTPSEverywherewhich uses rules to convert HTTP addresses to HTTPS for lots enforces popular websites (but not for all Websites that support HTTPS).
Conceptually, the use of rules downloaded from servers presents some avenues of attack that the developers of HTTPSEverywhere are aware.
An attacker could insert malicious rules and e.g. & hairsp; "www.privacy-handbuch.de" on the malicious side "https: //www.privacy-hanbduch.de " redirect or similar ...
That is why the developers of HTTPSEverywhere before standard rates from third parties:
Alternative: Since Firefox 78.5 ESR, the HTTPS-only mode works satisfactorily. This means that when the URL is entered, it is rewritten to HTTPS for all Forced websites that support TLS encryption. Also will "mixed content" completely blocked on websites loaded via HTTPS. If an upgrade to an HTTPS connection is not possible, a warning is displayed and you could still access the unencrypted HTTP page if you really want to and accept the risk.
You could therefore use the add-on HTTPSEverywhere Deactivate in the add-on management (i.e.: deactivate (!) and not remove, otherwise it will be active again after the next update from TorBrowser) and under "about: config" Activate the following options: A tracking service cannot detect whether the user "https://www.privacy- Handbuch.de" entered or whether the abbreviated entry of "privacy- Handbuch.de" was rewritten by the HTTPS-only mode. But there is a slight difference to the behavior of the original TorBrowser, since the developers at TorProject.org decided to use "passive mixed content" (Images, CSS, fonts ...) on HTTPS websites do not try to upgrade to HTTPS and do not block it. However, this does not result in an individual tracking feature, since other users also use these settings.
I do not see any threat to anonymity and the advantages in terms of security outweigh this. (cane)
AdBlocker and tracking protectionThe TorBrowser does not contain an AdBlocker and all tracking protection features of Firefox are completely deactivated. The concept of the TorBrowser is not to block advertising and tracking scripts but to guarantee privacy through anonymity.
- The anonymity concept of the TorBrowser prevents users from being individually recognized and being tracked while surfing.
- Many websites are financed by online advertising. TorProject.org does not want a confrontation on this point in order not to burden the acceptance of the browser.
- Tor needs a lot of cover traffic to keep secret operations less noticeable, as Roger Dingledine said at the Wizards of OS conference in 2004:
The US government cannot use an anonymization system just for itself. Then every time there was a connection, people would say, "Oh, there's another CIA agent looking at my website." when they are the only ones using the network.
It is recommended to follow the concept of TorProject.org. An AdBlocker is easy to recognize and different filter lists can be used as a feature for fingerprinting. It is almost impossible to build an anonymity group with identical filter lists.
Cookies and EverCookiesYou don't have to worry about tacking cookies and EverCookies with the TorBrowser. The security concept implemented by the developers "Cross-Origin Identifier Unlinkability" reliably protects against tracking and de-anonymization with cookies or EverCookies without significantly impairing the surfing experience.
- A surf container is automatically created for each domain called. In an isolated environment, this container contains all data that is stored locally in the browser by a website (cookies, HTML5 storage, IndexedDB, cache, TLS sessions ...). These data then form the so-called "context".
- Access to data in another "context" or another surf container is not possible. This means that different tracking markings are set in the various "contexts" when different domains are called up.
- When restarting or when you select the menu item "New Identity" If you select the onion in the toolbar, all containers will be deleted. For one "New Identity" a new route through the Tor network with another Tor exit node is also used.
PDFs and other documentsOn the download page of the TorBrowserBundle you will find some safety information below, including on PDFs and other documents:
PDFs and other Office documents can contain tracking bugs that are loaded from a server when the document is opened. If you open them in a PDF reader while you are online, then you can be deanonymized.
Don't open documents downloaded through Tor while online
You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address.
If you must work with DOC and / or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails.
By default, TorBrowser opens PDFs in its own viewer PDF.js. You shouldn't be able to be deanonymized with this, but the server can at least register the opening of the document, not nice either. In addition, there are always bugs in Mozilla's PDF.js that can be used for an exploit (e.g. mfsa2015-69 from July 2015).So that you don't always have to remember to right-click on a PDF link and "Save as..." you can change the setting in TorBrowser for PDF documents and click on "To save" put.
According to a rule of thumb, anonymity depends only 10% on the technology, 30% on the user's knowledge of how to use the technology, and 60% on the discipline to adhere to the necessary rules.
In addition to the TorBrowserBundle, most readers will also use a normal browser that has been configured for low-trace surfing. Mam has to be clear about when you really want to remain anonymous, which identities, which accounts are anonymous and which topics you want to surf anonymously. These rules must then be strictly adhered to. A single mistake can be enough to deanonymize a pseudonym.
References between anonymous surfing with TorBrowser and low-trace surfing with the normal browser must be avoided at all costs, this can lead to de-anonymization. In particular, copying links between the two browsers is an epic fail. Links can contain individual IDs (such as in a Google search) or other features.
Compatibility of different websites with Tor
There are many references to websites that do not like Tor, cannot be used with Tor, or explicitly block Tor Nodes. Wikipedia does not allow anonymous edits with Tor, some e-mail providers block Tor or reject e-mails sent via Tor as spam, search engines temporarily block the top exit nodes from time to time, Wordpress does not like it when you use Tor Comments writes ....
Some notes from readers can be verified, others are apparently only temporary or only affect a few high-performance exits. You can't check websites all the time. The problem will always be there and a list will become out of date faster than you can type.
If a web service doesn't like Tor, it's best to look for an alternative. The web is big and there is a substitute for everything that can be used via Tor.
On the USB stick
The TorBrowserBundle can also be taken along on the USB stick. If the TorBrowser is started from the USB stick, it leaves no traces on the computer.
Under Linux, some distributions mount USB sticks that have been formatted with the Windows file system vFAT with the attribute "noexec". Of course, the start script no longer works. Either you format the USB stick with a Linux file system (ext2 | 3 | 4) or you change the mount options for vFAT formatted data carriers.
You can also encrypt USB sticks. Veracrypt is recommended for Windows, under Linux you can also use Veracrypt or dm-crypt / LUKS.
- Nature shows her law to everyone
- Why did someone ignore my question
- How do we value ecosystem services
- Has the Indominus Rex Mosasaurus DNA
- Why do I always jump to conclusions
- Why is the president's office oval
- What does Pothys
- When do I use a punctuation mark?
- Who invented the first sailboat
- Why can kidney failure cause hallucinations
- Is your pug picky
- What's after 12th in biology
- What is the Verizon Tower update number
- What are the best baby bath products
- How can I invest in Shanghai Sto
- What's the best Wally West Feats
- What is a limpet
- What is the best recipe for seaweed soup
- What are carbon nanotubes used for?
- How healthy is organic milk and why
- How do I monetize a celebrity blog
- What is existential sociology
- Who discovered rare earth metals in China
- What does Mod Podge do