How to use Tor the right way. Best practices.


Post by Admin » Tue Dec 17, 2013 7:05 pm


First read Tor Project's own warnings, but I will note that they are only a beginning, and are not adequate to protect you from different threats.



Your Computer

To date the NSA's and FBI's primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user's computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.

  1. Don't use Windows. Just don't. This also means don't use the Tor Browser Bundle on Windows. Vulnerabilities in the software in TBB figure prominently in both the NSA slides and FBI's recent takedown of Freedom Hosting.
  2. If you can't construct your own workstation capable of running Linux and carefully configured to run the latest available versions of Tor, a proxy such as Privoxy, and a web browser, with all outgoing clearnet access firewalled, consider using Tails or Whonix instead, where most of this work is done for you. It's absolutely critical that outgoing access be firewalled so that third party applications cannot accidentally leak data about your location.
  3. If you are using persistent storage of any kind, ensure that it is encrypted. Current versions of LUKS are reasonably safe, and major Linux distributions will offer to set it up for you during their installation. TrueCrypt might be safe, though it's not nearly as well integrated into the OS. BitLocker might be safe as well, though you still shouldn't be running Windows. Even if you are in a country where rubber hosing is legal, such as the UK, encrypting your data protects you from a variety of other threats.
  4. Remember that your computer must be kept up to date. Whether you use Tails or build your own workstation from scratch or with Whonix, update frequently to ensure you are protected from the latest security vulnerabilities. Ideally you should update each time you begin a session, or at least daily. Tails will notify you at startup if an update is available.
  5. Be very reluctant to compromise on JavaScript, Flash and Java. Disable them all by default. If a site requires any of these, visit somewhere else. Enable scripting only as a last resort, only temporarily, and only to the minimum extent necessary to gain functionality of a web site that you have no alternative for.
  6. Viciously drop cookies and local data that sites send you. Neither TBB nor Tails do this well enough for my tastes; consider using an addon such as Self-Destructing Cookies to keep your cookies to a minimum. Of zero.
  7. Your workstation must be a laptop; it must be portable enough to be carried with you and quickly disposed of or destroyed.
  8. Don't use Google to search the Internet. A good alternative is Startpage; this is the default search engine for TBB, Tails and Whonix. Plus it won't call you malicious or ask you to fill out CAPTCHAs.



Your Environment

Tor contains weaknesses which can only be mitigated through actions in the physical world. An attacker who can view both your local Internet connection, and the connection of the site you are visiting, can use statistical analysis to correlate them.

  1. Never use Tor from home, or near home. Never work on anything sensitive enough to require Tor from home, even if you remain offline. Computers have a funny habit of liking to be connected... This also applies to anywhere you are staying temporarily, such as a hotel. Never performing these activities at home helps to ensure that they cannot be tied to those locations. (Note that this applies to people facing advanced persistent threats. Running Tor from home is reasonable and useful for others, especially people who aren't doing anything themselves but wish to help by running an exit node, relay or bridge.)
  2. Limit the amount of time you spend using Tor at any single location. While these correlation attacks do take some time, they can in theory be completed in as little as a day. And while the jackboots are very unlikely to show up the same day you fire up Tor at Starbucks, they might show up the next day. I recommend for the truly concerned to never use Tor more than 24 hours at any single physical location; after that, consider it burned and go elsewhere. This will help you even if the jackboots show up six months later; it's much easier to remember a regular customer than someone who showed up one day and never came back. This does mean you will have to travel farther afield, especially if you don't live in a large city, but it will help to preserve your ability to travel freely.
  3. When you go out to perform these activities, leave your cell phone turned on and at home.



Your Mindset

Many Tor users get caught because they made a mistake, such as posting their real email address in association with their activities. You must avoid this as much as possible, and the only way to do so is with careful mental discipline.

  1. Think of your Tor activity as pseudonymous, and create in your mind a virtual identity to correspond with the activity. This virtual person does not know you and will never meet you, and wouldn't even like you if he knew you. He must be kept strictly mentally separated.
  2. If you must use public Internet services, create completely new accounts for this pseudonym. Never mix them; for instance do not browse Facebook with your real email address after having used Twitter with your pseudonym's email on the same computer. Wait until you get home.
  3. By the same token, never perform actions related to your pseudonymous activity via the clearnet, unless you have no other choice (e.g. to sign up for a provider who blocks Tor), and take extra precautions regarding your location when doing so.
  4. If you need to make and receive phone calls, purchase an anonymous prepaid phone for the purpose. This is difficult in some countries, but it can be done if you are creative enough. Pay cash; never use a debit or credit card to buy the phone or top-ups. Never insert its battery or turn it on if you are within 10 miles (16 km) of your home, nor use a phone from which the battery cannot be removed. Never place a SIM card previously used in one phone into another phone. Never give its number or even admit its existence to anyone who knows you by your real identity. This may need to include your family members.



Hidden Services

These are big in the news lately, with the recent takedown of at least two high-profile hidden services, Silk Road and Freedom Hosting. The bad news is, hidden services are much weaker than they could or should be. The good news is, the NSA doesn't seem to have done much with them (though the NSA slides mention a GCHQ program named ONIONBREATH which focuses on hidden services, nothing else is yet known about it).

In addition, since hidden services must often run under someone else's physical control, they are vulnerable to being compromised via that other party. Thus it's even more important to protect the anonymity of the service, as once it is compromised in this manner, it's pretty much game over.

The advice given above is sufficient if you are merely visiting a hidden service. If you need to run a hidden service, do all of the above, and in addition do the following. Note that these tasks require an experienced system administrator; performing them without the relevant experience will be difficult or impossible.

  1. Do not run a hidden service in a virtual machine unless you also control the physical host. Designs in which Tor and a service run in firewalled virtual machines on a firewalled physical host are OK, provided it is the physical host which you are in control of, and you are not merely leasing cloud space.
  2. A better design for a Tor hidden service consists of two physical hosts, leased from two different providers though they may be in the same datacenter. On the first physical host, a single virtual machine runs with Tor. Both the host and VM are firewalled to prevent outgoing traffic other than Tor traffic and traffic to the second physical host. The second physical host will then contain a VM with the actual hidden service. Again, these will be firewalled in both directions. The connection between them should be secured with IPSec, OpenVPN, etc. If it is suspected that the host running Tor may be compromised, the service on the second server may be immediately moved (by copying the virtual machine image) and both servers decommissioned.
    Both of these designs can be implemented fairly easily with Whonix.
  3. Hosts leased from third parties are convenient but especially vulnerable to attacks where the service provider takes a copy of the hard drives. If the server is virtual, or it is physical but uses RAID storage, this can be done without taking the server offline. Again, do not lease cloud space, and carefully monitor the hardware of the physical host. If the RAID array shows as degraded, or if the server is inexplicably down for more than a few moments, the server should be considered compromised, since there is no way to distinguish between a simple hardware failure and a compromise of this nature.
  4. Ensure that your hosting provider offers 24x7 access to a remote console (in the hosting industry this is often called a KVM though it's usually implemented via IPMI) which can also install the operating system. Use temporary passwords/passphrases during the installation, and change them all after you have Tor up and running (see below). The remote console also allows you to run a fully encrypted physical host, reducing the risk of data loss through physical compromise; however, in this case the passphrase must be changed every time the system is booted (even this does not mitigate all possible attacks, but it does buy you time).
  5. Your initial setup of the hosts which will run the service must be over clearnet, albeit via ssh; however, to reiterate, they must not be done from home or from a location you have ever visited before. As we have seen, it is not sufficient to simply use a VPN. This may cause you issues with actually signing up for the service due to fraud protection that such providers may use. How to deal with this is outside the scope of this answer, though.
  6. Once you have Tor up and running, never connect to any of the servers or virtual machines via clearnet again. Configure hidden services which connect via ssh to each host and each of the virtual machines, and always use them. If you must connect via clearnet to resolve a problem, again, do so from a location you will never visit again.
  7. Hidden services must be moved regularly, even if compromise is not suspected. A 2013 paper described an attack which can locate a hidden service in just a few months for around $10,000 in cloud compute charges, which is well within the budget of even some individuals. It is safer, though not at all convenient, to move the hidden service at least monthly. Ideally it should be moved as frequently as possible, though this quickly veers into the impractical. Note that it will take approximately an hour for the Tor network to recognize the new location of a moved hidden service.



Conclusion

Anonymity is hard. Technology alone, no matter how good it is, will never be enough. It requires a clear mind and careful attention to detail, as well as real-world actions to mitigate weaknesses that cannot be addressed through technology alone. As has been so frequently mentioned, the attackers can be bumbling fools who only have sheer luck to rely on, but you only have to make one mistake to be ruined.

We call them "advanced persistent threats" because, in part, they are persistent. They won't give up, and you must not.



Source
Admin
Site Admin
 
Posts: 10
Joined: Sat Mar 23, 2013 4:19 pm
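
The first post's requirement that all outgoing clearnet access be firewalled can be checked mechanically. The following is an added example, not part of the original post and not code from Tor, Tails or Whonix: a Python audit of an `iptables-save` dump that reports every way the OUTPUT chain lets non-Tor traffic leave. The account name `debian-tor`, both sample rulesets and the function names are assumptions made for illustration.

```python
import shlex

# Constructed sample in iptables-save format: fail-closed, only loopback and the
# Tor daemon's account ("debian-tor" is an assumed name) may send packets.
HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
COMMIT
"""

# Constructed sample: same intent, but three ways for clearnet traffic to leave.
LEAKY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def _opt(tokens, flag):
    """Return the argument following flag, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None


def audit_output(ruleset, tor_uid="debian-tor"):
    """List every way the filter/OUTPUT chain lets non-Tor traffic leave the host.

    tor_uid must match the dump as written (account name or numeric uid)."""
    findings, table, policy_seen = [], None, False
    for line in (raw.strip() for raw in ruleset.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":OUTPUT "):
            policy_seen = True
            policy = line.split()[1]
            if policy != "DROP":
                findings.append(f"default OUTPUT policy is {policy}, not DROP")
        elif line.startswith("-A OUTPUT "):
            tok = shlex.split(line)
            target = _opt(tok, "-j")
            if target in ("DROP", "REJECT", "LOG"):
                continue  # these targets cannot let a packet out
            if target != "ACCEPT" or "!" in tok:
                findings.append(f"custom target or negation, review by hand: {line}")
            elif _opt(tok, "-o") != "lo" and _opt(tok, "--uid-owner") != tor_uid:
                findings.append(f"ACCEPT not tied to Tor or loopback: {line}")
    if not policy_seen:
        findings.append("no filter/OUTPUT policy line found")
    return findings
```

IPv6 has its own tables, so run the same check over `ip6tables-save` output as well; a host that filters only IPv4 still leaks.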

Re: How to use Tor the right way. Best practices.

Post by Danja » Wed Dec 18, 2013 9:01 am

I think this text is far too paranoid.

The Windows version of Firefox was broken only ONCE, when the FBI took down Freedom Hosting. Other versions (Linux, MacOS) were broken zero times. This is 100% less, but this is also less by 1. So it's up to you to treat Windows as "totally insecure" or "almost secure". Bugs appear in any software. (but as for me, I prefer Linux :D)

Encrypting storage doesn't make sense, unless good guys break into your house. Contents of mounted truecrypt/luks volume are perfectly observable via internet, just like unencrypted ones. And you HAVE TO have it mounted almost all the time.

Disabling JavaScript, Flash & Java makes no sense if you use a virtual OS like Whonix. Even with root privileges there is no way to determine your real IP from inside Whonix. Of course, there is a small chance that malicious software could break VirtualBox and pop out from there, but, again, this is too paranoid.

And if you "set your mind" to 'pseudonymous', there is also no sense of disabling cookies and all that tracking software. Come on, you are casual user, with fresh 1-minute-ago-installed Debian, with no previously registered emails, nothing. This is your first time in the Internet. And the last one. So why should you hide any info?


"Never use Tor from home". Gods, Tor was designed for that! If you think Tor is not capable to hide your IP, then what's the point of using it? No, really?


I think all these measures are useful only if you run a service like SilkRoad, and the whole world hunts for you. For casual people Whonix on home computer is far enough. Just consider it as your 'Pseudonym', don't forget to switch these 'Pseudonyms' sometimes, and never put inside VirtualBox any information about your real identity.
Danja
 
Posts: 80
Joined: Sat Mar 23, 2013 7:19 pm

Re: How to use Tor the right way. Best practices.

Post by antaeus » Thu Dec 19, 2013 7:09 am

This is good advice for the paranoid but impractical for the vast majority of Tor users. Telling people to not use Windows is unhelpful. The JavaScript exploit that came to light in the wake of the Freedom Hosting takedown could easily have been written to target other OS's besides Windows. My guess is that Linux and Mac were not targeted simply because of their smaller user base. I would also point out that the exploit depended on the target using an outdated TBB AND having JavaScript enabled AND not using a VPN. As confirmed by Roger Dingledine simply using a VPN would have defeated this attack.
antaeus
 
Posts: 1
Joined: Thu Dec 19, 2013 7:05 am

Re: How to use Tor the right way. Best practices.

Post by Unnamed Entity » Wed Dec 25, 2013 10:29 am

This should be broken up into silver gold and ultraviolet security levels or something. It's all theoretically good advice, but "Turn off Javascript" and "never use Tor at home" aren't on the same scale.
Unnamed Entity
 
Posts: 71
Joined: Sun Nov 17, 2013 9:28 pm

Re: How to use Tor the right way. Best practices.

Post by blacknoir » Mon Mar 03, 2014 11:01 am

I mean someone like me, who just wants to use Tor, who downloads torrents and goes to some websites which have Flash... what would 'that' type of person need to do?
blacknoir
 
Posts: 4
Joined: Mon Mar 03, 2014 10:46 am

Re: How to use Tor the right way. Best practices.

Post by usbok » Thu May 22, 2014 6:46 am

I give myself more paranoid pressure: OpenSSL has leaked all your passwords and web addresses and your computer's IP address to the Tor entry nodes in the last two years, and the P2P download method lets anyone review your IP address when you are downloading with it. Can someone tell me that the TBB doesn't leak while your traffic is in the Tor network until rolling to exit nodes...?
usbok
 
Posts: 4
Joined: Tue Mar 25, 2014 4:34 am

Re: How to use Tor the right way. Best practices.

Post by EatOnionRings » Thu Apr 30, 2015 2:16 am

Why hasn't this been updated by the author OR a newer edition been written? New releases of Tor are always addressing security issues. We all realize that for whatever reasons users choose Tor, privacy and appropriate, intelligent use is paramount.
EatOnionRings
 
Posts: 7
Joined: Thu Apr 30, 2015 12:35 am

