A Tor starter guide

In my previous post On VPNs, I named Tor as a better alternative to VPNs as far as privacy is concerned. However, getting any reliable information on Tor can be tough with all the clickbaity titles and outright misinformation going around, particularly on the likes of YouTube and TikTok where it’s popular to make claims such as “You should never visit Tor”.

The myths spread trough those videos are honestly worthy of their own post so I won’t get into them here, instead I want to talk about what Tor is, how it works, how it helps you stay anonymous, and how to use it correctly.

What is this “Onion Router”?

Tor’s name comes from the way it functions. “Onion Routing” uses multiple layers of encryption to help route your traffic in a manner that prevents tracking the connection from the outside.

As an example, let’s say you want to connect to Wikipedia using the Tor Browser. In this case, the Tor Browser will encrypt the traffic and send it to a node in the Tor Network. This node will decrypt a single layer, then send the rest to another node in the network. This second node then does the same, and the third node will usually decrypt the last layer, after which the traffic is sent to Wikipedia’s servers. The last node in a route going to the clearnet (the internet accessible without Tor or similar software) is usually referred to as an “exit node” since the connection exits the Tor network trough it.

The first node, named your “guard”, usually stays the same for a bit longer. All other nodes in the route, however, are different for every connection. So for the Wikipedia example, if you open 2 different articles the first one might take a route trough Germany, France, and the United States, while the other might take a route trough the Netherlands, Italy, and Switzerland.

Of note is that the countries are not necessarily different and might not be the ones listed here, though they are guaranteed to be different nodes and most often do end up being from different countries.

All of this routing might seem excessive, but it’s the bare minimum if you want anonymity.

By necessity, the guard knows your real IP, and that you’re connected to Tor, however it doesn’t know what you’re sending or where. In the case of a clearnet connection, the exit node knows what clearnet server you’re connecting to, and potentially what is being sent if the connection being routed wasn’t encrypted already (think HTTP vs HTTPS for the web), but it doesn’t know where that traffic is coming from.

And the nodes in between don’t know anything, they don’t know where the connection is coming from, they don’t know where it’s going, just that they’re routing Tor traffic.

All of this, along with routes changing constantly, means that even if someone were to set up a Tor node with the intention to log connections, there wouldn’t be much to collect. Most traffic would be encrypted and within the network, and even if occasionally your node acts as the exit node, it will be very hard to relate it to any other connections on the network.

Hidden Services

You might have noticed a certain flaw in the above model: that one end of the connection is always required to stay public. This is fine for things like Wikipedia, but what if your goal is to never leave Tor? Maybe you want to keep the server’s location a secret as well.

Well, in that case what you want to use is a “hidden service”. Hidden services are accessed using “.onion” links. These links are only accessible trough the Tor network, and are also what many refer to as “the Dark Web”.

Setting up a Tor hidden service goes out of the scope of this post, but I felt I had to mention them.

Also something I’d like to point out is that when you access a hidden service, the number of nodes in the route goes from a minimum of 3 to a minimum of 6. So if you need maximum privacy, go with hidden services.

The Tor Browser’s special sauce

In addition to all of the above routing, the Tor Browser does a few more things to help you stay anonymous.

The first thing the browser does to protect your anonymity is it lies (to websites).

Web standards define a number of ways for websites to request information about your system. They can learn what operating system you’re using, what version of it, what extensions you’re using, and in some cases even your laptop’s battery status (though this specific API is unimplemented in Firefox and, by extension, the Tor Browser).

Needless to say, all of this information can be used to create a unique fingerprint for you, as such the Tor Browser lies about a lot of it. It always says you’re using Windows 10, always reports the same screen size, etc.

Another thing it does to keep you anonymous (and this time something you’ll notice right away) is that when you launch the browser it always launches with a specific window size, and if you resize it then the website will get letter boxed.

Wikipedia being letterboxed in the Tor Browser

Why is that? Well, as it turns out, in addition to the information listed above, a lot of websites use your browser window’s size to fingerprint you.

And why not? The browser window size tends to be quite dynamic. Between browser UI being slightly different from browser to browser, user preferences hiding or showing different toolbars, operating system UI having slightly different sizes, and the user possibly running their browser in a window of arbitrary size as opposed to maximised or fullscreen, the website gets a wildly different amount of space to work with from user to user, making the size a great number to add to the pile of information to create a fingerprint.

As such, in order to prevent or at least limit this, the Tor Browser defaults to a specific size and letterboxes the website in one of a small handful of predefined sizes should you choose to resize the window (though it’s recommended you keep using Tor at the size it launched at).

There’s more that Tor does to prevent fingerprinting, but it’s far more than I can fit in this post, so instead if you want to learn more about fingerprinting and how the Tor Browser works I recommend you read this post on Tor’s blog.

How to use Tor correctly

Now you know how Tor works, but how do you use it correctly?

This might sound like I’m about to teach you some arcane arts, but it’s really not. All of what I’m about to say boils down to making sure you don’t stand out as much as possible.

As mentioned above, you should avoid resizing the Tor Browser window, instead just using it as it launches.

You should also avoid installing any browser extensions. Each extension increases the likelihood of your browser standing out enough for fingerprinting, as well as the chance of a website exploiting the extensions to deanonymise you.

As for the less technical side of things, you should also avoid giving out any information that could link your activity on Tor with you. The less information you give, the better.

Of course, this doesn’t apply if you already know and trust the people you’re communicating with over Tor, but you should always be mindful of what you share in any public places such as forums, chat rooms, or image boards

That’s it? No more tips?

While I’m advocating for the use of Tor for privacy, I’m already well aware many of you want to use Tor just to see what wacky stuff you can find on hidden services. And I really don’t blame you, from time to time I also browse Tor just to see what wacky stuff I can find.

But what pointers can I give you in this regard? Well, not many. Tor hidden services are very volatile. What’s around today might be gone for good tomorrow. As such, if I did give you any fun hidden services, they’d most likely be gone by the time you read this.

Instead I’ll point you to how I usually find my way onto hidden services: Ahmia (Clearnet | Tor Hidden Service)

Ahmia is a search engine for Tor. As you might expect, it’s rough. Lots of dead links, lots of links that are no longer what they claimed to be. But such is the nature of Tor. For a variety of reasons, hidden services come and go. In some ways, it’s like the internet of old, a wild wild west, waiting for brave explorers.

Enjoyed the article? Spotted a mistake? Send me your feedback on Fedi: @Reiddragon@fedi.reimu.info