
Tor Anonymity: Things Not to Do - transpute
https://www.whonix.org/wiki/DoNot
======
Jerry2
Here's one they missed: do not resize your window! If you do, your browser
instance has a potential to have a unique viewport size and hence, there's a
probability you can be tracked. Whatever size window Tor opens, do not re-size
it.

I do not use Tor myself but a few years ago I analyzed an anonymized data
site and was amazed how easy it was, with a high degree of probability, to
track someone just based on screen resolution + viewport size (i.e. size of
your browser window). Almost every viewport size was unique (when correlated
with screen resolution).

~~~
frankzinger

> Here's one they missed: do not resize your window!

Under the "Don't change settings if you don't know their consequences."
section:

> For example removing a menu bar or using Full Screen in Tor Browser is
> recommended against. The latter is known to modify the screen size, which is
> bad for the web fingerprint.

Also, the current version of the Tor Browser warns you when you resize the
window.

~~~
temp
> Also, the current version of the Tor Browser warns you when you resize the
window.

I believe it only warns you if you maximize the window, not if you resize it.

~~~
corin_
Resizing it isn't a problem. It doesn't open at a magically untrackable size;
the point of this advice is that if you are fullscreen you will always be the
same size and therefore potentially trackable between sessions, whereas if you
are resizing it yourself, even if you try to resize to roughly the same size as
last time, you won't be exactly the same. (Window management features like
snapping to half screen instead of full screen would of course be the same as
going full screen.)

~~~
IanCal
Interesting. I'd have thought custom sizing would be bad for between-site
tracking as it's much more likely to be unique, whereas fullscreen wouldn't
have been much of a problem since resolutions are pretty standardised.

~~~
corin_
Hmm, my thinking was that Tor browser would randomly pick a size, but maybe it
only has a certain number of options to make sure every user crosses with
plenty of other users too? In which case resizing of any sort would make you
more unique, just within the session. (I'm no expert on Tor/browser.)

~~~
ethbro
For those with knowledge of how window size affects page layout, is there any
technical reason for Tor browser not to fuzz with a random +/- 5 pixels while
in a single session (say, on every page load)?

Similar to what the nosleep utility does with jiggling the mouse by an
unnoticeable +/- a few pixels.

~~~
JoshTriplett
Too easy to average that away.

Could make sense to do so on a session-by-session basis, though.

------
nikcub
Many of these points can be summarised in one word: compartmentalisation

Your personas are isolated and segregated. They share no information, hobbies,
interests and at a tech level they don't share connections, machines,
browsers, apps.

Your anonymous personas use Tor in an isolating proxy configuration, where
traffic is explicitly allowed and proxied rather than routing all by default
(NAT) with explicit blocks (like a firewall's block-all-then-allow vs.
allow-all-then-block).

If you look at Opsec failures (read thegrugq[1]) you'll find that a very large
number are the result of a lack of compartmentalisation and were found by
establishing link(s) between known and unknown personas.

[1] [http://grugq.tumblr.com](http://grugq.tumblr.com)

~~~
lamby
A case for Qubes OS?

~~~
Zikes
Compartmentalization really needs to be a mindset as well. As noted in the
article, certain user behaviors can also create linkages between otherwise
disparate online personas, e.g. visiting a common subset of sites or visiting
sites with low traffic and highly identifiable demographics. It would be
difficult for Qubes OS to know that I shouldn't visit zikes.me while browsing
in my "anonymous" persona, for example.

------
parent5446
This is why, if you can, the best thing you can do is have a Tor computer.
Have it run a live CD of some sort with Tor built-in, and only use it for Tor.

Of course, this is not perfect, and still allows for breaking some of the
recommendations in the article, but it's a good start. Not to mention it's
easy to switch compartments: restart the computer (still not perfect, but
there's really no such thing as perfection here).

~~~
kpcyrd
If you use a live CD you're most likely running outdated software unless you
burn a new CD for each update.

~~~
puppetmaster3
Old software = good.

Newly patched software = who was it patched by exactly?

~~~
ggeorgovassilis
I suspect kpcyrd's point is that by not auto-updating, you stick out like a
fly in the milk. Software versions (like browser versions, plugin versions)
can be queried [1] and used to almost uniquely identify you.

[1] [http://detectmybrowser.com/](http://detectmybrowser.com/)

~~~
michaelt
Right - but if your browser and OS signature is "the latest version of tails"
[1] then presumably you look identical to other users of the same live CD?

[1] [https://tails.boum.org/](https://tails.boum.org/)

~~~
bartread
Yep, all four of them.

I (probably) exaggerate, but the problem is that your anonymity pool is now
very small.

------
aclissold
The perceived "if you're keeping quiet, you must have something to hide"
aspect of anonymity fascinates me.

Does anybody know if you might actually be safer from, say, a theoretical
surveillance program by "blending in" as a typical Internet user vs. using
Tor, where just one mistake might trigger a red flag?

I guess this technique wouldn't be applicable if you _do_ have something to hide,
though... Hmm!

~~~
JupiterMoon
> by "blending in" as a typical Internet user

How do you blend in? By not visiting any "subversive" websites and by not
mentioning any "subversive" keywords. At that point you are a typical internet
user. But how do you know what is considered subversive? Animal
rights/environmental activists with no actual proof that they've done anything
or planned anything are under house arrest right now in France just because
the government wanted to free up resources to track Islamic extremist
terrorists.

> using Tor, where just one mistake might trigger a red flag?

Btw as a point of interest your username just triggered a red flag and got put
on a slightly elevated watch level by the US surveillance program. Why? You
mentioned the word "Tor" (Snowden files for details).

> wouldn't applicable if you do have something to hide, though... Hmm!

Do you have genitals? Do you like keeping tabs on who gets to see them?
Congratulations, you have something to hide.

Would you like your boss to see what porn you watch? Congratulations, you have
something to hide.

~~~
JumpCrisscross
> _Animal rights /environmental activists with no actual proof that they've
> done anything or planned anything are under house arrest right now in France
> just because the government wanted to free up resources to track Islamic
> extremist terrorists._

Source? All I could find were warrants issued for actual protests during a
state of emergency.

~~~
JupiterMoon
The Guardian and the Independent reported it.

As far as the reports stated the State of Emergency is ongoing.

------
TazeTSchnitzel
On the contrary, please do browse the web normally with Tor. The more normal
users Tor has, the more credibility it has.

------
Nzen
tl;dr Advice for lay users: Tor isn't an invisibility cloak. E.g., visiting a
social media site through a 'tweet this' type link will leave an identifying
trace that others can use to narrow down my probable identity. Fifteen or so
concise admonitions with reasoning.

------
sandworm101
The OP makes many assumptions about why people are using Tor. Some people are
not looking for total protection from all the enemies Tor is meant to protect
against.

For instance someone looking to hide from a local tap, say while at work, can
safely use Tor to log in to an account they would normally access directly. The
enemy isn't the website you are accessing, or some nation state with limitless
tapping resources. You just want Tor to hide what you are doing from the boss.
(But make sure you aren't sending your login details in the clear.)

~~~
jcrawfordor
Tor is a less than ideal solution to the problems of censorship or local
traffic monitoring. It would be more performant, and in some ways more
reliable, to use a VPN, SSH tunnel, SOCKS proxy with SSL, etc.

In many environments these are also less likely to be blocked or detected by
network operators, as they're a common component of business network traffic,
while Tor (identified by communications with publicly listed Tor nodes) is
not.

Tor was designed for anonymity, not circumvention. Circumvention is a
side-effect of Tor and some circumvention features have been added (namely
bridges), but there are significantly more elegant solutions for when only
circumvention is necessary.

~~~
sandworm101
Tor was not designed for circumvention? Bypassing censorship is a primary
design feature.

~~~
jcrawfordor
That's just what I'm saying - bypassing censorship is _not_ a primary design
feature. Tor's original design was only for low-latency anonymity.
Circumvention was initially a side-effect of Tor functioning as a (very slow)
proxy for its users, and later dedicated circumvention features were added
(unlisted bridges, obfsproxy, etc) to make Tor more durable in hostile
environments, for the purpose of making the anonymity features more available,
which of course reinforces the side-effect of Tor being useful for
circumvention.

Most recently, the rendezvous system and hidden services have been
particularly powerful in reducing censorship on the end of content publishers,
but this feature was added two years in, it is an area in which Tor performs
significantly more poorly than, e.g., i2p, and very few people are actually
talking about this when they discuss using Tor for censorship evasion.

I love the Tor project, but people should understand that it is an anonymity
system, not an anti-censorship system. When you are facing censorship on your
end (the reader's end) and do not require anonymity, just use a SOCKS proxy or
a VPN. They're radically faster, often easier to use, and there are a million
different options for evading blocking and detection - using DNS queries as a
covert channel is a popular one, but the sky's the limit.

If you need to evade censorship on the publisher's end, then this generally
comes down to an anonymity problem (the publisher must remain anonymous for
their protection) and so onion-routing becomes a reasonable approach. This is
relatively uncommon, though, and I believe people should more strongly invest
in other projects that were originally built around this goal, rather than having
it added later. Some of these are more robust against attempts at direct
censorship (rather than just punishing the creator) as well, as Tor is
relatively centralized.

------
ianamartin
So basically, don't use the Internet while using Tor. Because people might
find out who you are. Got it.

~~~
blunte
This was also my takeaway after reading the list. In fact, it might be simpler
to write a guide of "here's what you can do and exactly how to do it - with
Tor".

~~~
tripzilch
Whitelist instead of blacklist, not a bad idea.

------
ekianjo
I like this line:

> Heroes only exist in comic books keep that in mind! There are only young
> heroes and dead heroes.

~~~
joosters
Very similar to: “There are old pilots, and there are bold pilots, but there
are no old, bold pilots.”

~~~
alxndr
Too bad we don't have a saying like that for driving cars.

------
garethrees
The conclusion I draw from this list is that it's almost impossible for an
ordinary person to maintain anonymity using the current tools. Who has the
discipline to maintain the level of operational security implied by this
article? I mean, these are just the top _twenty_ things you're not supposed to
do, and it's easy to think of more, for example:

* Don't type anything into an untrusted web page—you can be deanonymized by your typing patterns. Whenever you need to type anything, type it into a text editor and then copy and paste. [http://arstechnica.co.uk/security/2015/07/how-the-way-you-ty...](http://arstechnica.co.uk/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/)

* Don't move your mouse over the web page—you can be deanonymized by your mouse movements. So disconnect your mouse and interact via the keyboard only (always bearing in mind the problem of deanonymization via typing, of course). [http://dl.acm.org/citation.cfm?id=2046725](http://dl.acm.org/citation.cfm?id=2046725)

------
tobbyb
Tor is a project originally by the US Navy developed to protect US
intelligence. Given that background it would be a bit of a leap to trust
security or privacy to technology produced by the government unless it is
reasonable or rational to assume they will work against their own interests by
releasing it.

For a long time before the NSA was exposed, it had been working closely with
a lot of security related technologies, researchers, developers, companies,
and was a key part of the software security industry including standards. For
instance SELinux is an NSA project pushed hard by a number of open source
companies including trying to integrate it into the Linux kernel but stymied
by Linus Torvalds. A lot of these technologies and companies often get a free
pass.

For anyone with serious anonymity or privacy needs it would be pragmatic to
think carefully before relying on technology that is linked to the US
government or US companies, which basically rules out a lot of computing. Using
technology to fight an adversary that has unlimited resources and access to
talent, and has been an integral part of the security industry, is foolhardy
and seems difficult to win. We need to find alternatives.

~~~
mulander
Should we also avoid the Internet itself then?

- [https://en.wikipedia.org/wiki/Arpanet](https://en.wikipedia.org/wiki/Arpanet)

~~~
tobbyb
If your Internet needs are privacy or anonymity related perhaps. That's why I
said it rules out a lot of computing.

For those with a 'serious' as in life dependent need for privacy, for instance
whistleblowers or persons of interest, it can be argued the Internet today
cannot deliver the level of anonymity they require.

------
natch
Things NOT to do:

- Prevent Tor over Tor scenarios.

Sincere question:

Is that really what they meant to say? Do NOT prevent Tor over Tor scenarios?

~~~
mirimir
No. He means to avoid Tor over Tor. English is a difficult language ;)

~~~
tripzilch
I immediately had to think when he/she wrote "informations": likely French (or
sometimes Germans make the same error).

Since back in my demoscene days (which is a mostly European, non-native
English speaking crowd) that one always stood out to me, almost exclusively
French that made this mistake (pretty consistently, as well).

------
necessity
Is there a way to block non-Tor traffic via iptables or similar? That would be
really helpful since it's only human to make some mistake and leave another
connection open. To connect to my VPN I use a script that changes all iptables
policies to DROP and allows traffic only on lo and tun0. I still have to allow
traffic on eth0 to the VPN IP, but that's unavoidable I guess.

~~~
erhardm
Yes, it's possible. You run tor under its own user and block all
ingress/egress traffic except from tor's user. You talk to the outside world
proxying through tor.
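The default-deny policy erhardm describes (and the per-interface DROP script necessity already uses for the VPN), as an added example that is not from the thread or the Whonix wiki: rules are built as iptables argument lists, rendered for review, sanity-checked, and applied to both address families only on request. The Tor daemon's account name (`debian-tor`) is an assumption; substitute whatever user your distribution runs tor as.

```python
import shlex
import subprocess

# Rules are kept as iptables argument lists (without the binary name) so the
# same policy can be rendered for review, saved to a script, or applied to
# both iptables and ip6tables.
def tor_only_rules(tor_user="debian-tor", loopback="lo"):
    """Default-deny policy that lets only the Tor daemon's Unix user reach
    the network. tor_user is assumed to be 'debian-tor'; check with
    `ps -o user -C tor` on your own system."""
    return [
        ["-F"], ["-X"],                         # start from an empty table
        ["-P", "INPUT", "DROP"],
        ["-P", "FORWARD", "DROP"],
        ["-P", "OUTPUT", "DROP"],
        ["-A", "INPUT", "-i", loopback, "-j", "ACCEPT"],
        ["-A", "OUTPUT", "-o", loopback, "-j", "ACCEPT"],
        # replies to circuits the daemon itself opened
        ["-A", "INPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED",
         "-j", "ACCEPT"],
        # the only process allowed to originate traffic; because every other
        # packet is dropped, stray DNS lookups, NTP, update checks or a VPN
        # client's direct connections never reach the wire, so no per-IP
        # exception like the one necessity needs for the VPN is required
        ["-A", "OUTPUT", "-m", "owner", "--uid-owner", tor_user, "-j", "ACCEPT"],
    ]

def render(rules, binary="iptables"):
    """Shell lines for review or for a boot-time script."""
    return [shlex.join([binary, *rule]) for rule in rules]

def allows_only_tor(rules):
    """Sanity check before applying: OUTPUT's policy is DROP and every ACCEPT
    in OUTPUT is either the loopback rule or the owner rule."""
    policy_drop = ["-P", "OUTPUT", "DROP"] in rules
    accepts = [r for r in rules if r[:2] == ["-A", "OUTPUT"] and "ACCEPT" in r]
    return policy_drop and all("-o" in r or "--uid-owner" in r for r in accepts)

def apply_rules(rules, binaries=("iptables", "ip6tables")):
    """Apply to IPv4 and IPv6 so a dual-stack host cannot leak around the v4
    policy. Needs root; the rules do not persist across reboots by themselves."""
    if not allows_only_tor(rules):
        raise ValueError("policy would allow non-Tor egress")
    for binary in binaries:
        for rule in rules:
            subprocess.run([binary, *rule], check=True)

if __name__ == "__main__":
    for line in render(tor_only_rules()):
        print(line)
```

This only stops packets leaving the box; it does nothing about the application-level leaks the wiki page is about, and Tor itself must still be configured to listen only on the loopback interface.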

------
murbard2
I've given some thought on what a safe browser for tor would be like. Since
it's hard to come up with the list of all possible information leaks, I
suggest not attempting to do so. The system goes like this:

1) You open a new tab in your favorite browser. At this point, a new instance
of a read-only, lightweight, virtual machine is resumed. The virtual machine
doesn't know about tor, but its entire network traffic is torified by the
hypervisor.

2) The tab now displays a VNC connection to the virtual machine you just spun
up.

Now, it's possible that some things will leak through the VM, but it should
also be easier to control than an entire browser running in your OS. For
example, enforcing that the VM image be read-only ensures that once a tab is
closed, all sources of history are gone... no cookies, no history, no browser
settings. You only need to whack one mole.

Yes, there might be exploits that jump out of the hypervisor, but these aren't
as common as browser exploits and you would need both to jump out.

------
JupiterMoon
Someone made a point about grammar and spelling mistakes... They were rightly
flagged as their comment was non-constructively rude. However, it is a real
point. Grammar and spelling error patterns are something I would attempt to
fingerprint in order to correlate users across different forums if I were
running a surveillance programme with sufficient resources.

~~~
schoen
In anonymity research this general problem is known as stylometry, and
includes errors as well as other individual differences in how people use
language.

------
justcommenting
Kudos to the team for producing this! Perhaps the Tor Browser Bundle team
could even incorporate some of these details into a more usable/translated
draft of this information at the link provided when you start up the Tor
Browser Bundle, which for reference/comparison is available at
[https://www.torproject.org/download/download.html.en#warning](https://www.torproject.org/download/download.html.en#warning).

------
crapolasplatter
Don't cross contaminate passwords or utilize like passwords.

So don't use the same passwords while utilizing tor that you have used with
other accounts.

Or use similar password naming schemes. So if you are in the habit of using
'@' for 'a' then try to avoid that and use random schemes.

------
jokoon
Use the tor browser.

Someone should make a short gif to explain this: imagine someone with a Guy
Fawkes mask browsing facebook on his computer. Then some guy behind him looks
at his screen and tells him "hey Mark Dupont, what's up?"

~~~
anon4
You mean this? [http://forgifs.com/gallery/d/222661-2/Anonymous-mom.gif](http://forgifs.com/gallery/d/222661-2/Anonymous-mom.gif)

~~~
jokoon
I meant that facebook is a website which is designed to identify people, so
tor and facebook are basically opposite things.

------
anon4
Interesting... shouldn't you use Tor for as much as possible, including
completely legal activities, so that when you do use Tor to legitimately hide
something, you wouldn't generate traffic out of the ordinary?

~~~
pc86
I think only as much as you can do so anonymously in the first place.
Regarding the resizing issue specifically, the use of "resolution + window
size" is sufficiently unique in fullscreen (especially if you have a vertical
toolbar like many devs do) that it can be deanonymized.

~~~
sathackr
I don't understand the risk of the window-size issue.

If I am running a normal Windows installation (say, Windows 7 Home) on a
commonly-sized screen (say, 1366x768) and have a normal sized taskbar, no odd
widgets, toolbars, or other screen-space taking things, it seems I am only
reducing the anonymity pool to those other users with the same features, which
I suspect is more than 4.

For a non-persistent live-boot situation such as Tails, I would expect the
risk to be even lower.

What am I missing, if anything? Was there some legal situation in which
browser window size was used to de-anonymize someone that warrants the
attention to browser window size? I understand it's another layer of
protection, defense-in-depth and all, but it seems to be getting a
disproportionate amount of attention.

~~~
pc86
You're exactly right. However, the concern comes from those who aren't using a
commonly-sized screen with a normal taskbar, etc. That's precisely why certain
versions of the Tor browser only resize to certain sizes/dimensions.

If (for example) you've got a vertical taskbar on a 4k monitor the pool will
be much lower. Add in one other slip up, such as visiting a low-traffic
website you've visited outside of Tor, and you've got a huge vulnerability for
deanonymization.

As far as legal, I don't think there has ever been such a case, no. However,
it definitely opens someone up to parallel construction, and there are always
certain agencies for which a legal case is not necessarily their end goal (CIA,
NSA, etc).
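To make the anonymity-pool argument of this subthread concrete (and the earlier exchange between Jerry2, corin_ and IanCal about whether resizing or going fullscreen is worse), here is an added example that is not from the thread: it computes the anonymity set each user lands in from a constructed table of screen and viewport observations, once with the raw values any page can read and once after snapping the viewport to a coarse grid the way Tor Browser restricts window dimensions. The sample values, the 200x100 grid and the 1000x1000 cap are assumptions for illustration, not measurements or the browser's exact current parameters.

```python
import math
from collections import Counter

# Constructed sample of (screen_w, screen_h, inner_w, inner_h) per user. The
# values are invented to mirror the thread: common 1366x768 and 1920x1080
# laptops, some at fullscreen and some hand-resized, plus two 4k users, one
# with a vertical taskbar eating 400 px of width.
OBSERVATIONS = [
    (1366, 768, 1366, 657), (1366, 768, 1366, 657), (1366, 768, 1366, 657),
    (1366, 768, 1180, 612), (1366, 768, 1203, 598), (1366, 768, 1197, 640),
    (1920, 1080, 1920, 969), (1920, 1080, 1920, 969), (1920, 1080, 1721, 912),
    (1920, 1080, 1598, 877), (3840, 2160, 3440, 2049), (3840, 2160, 3840, 2049),
]

GRID_W, GRID_H, MAX_W, MAX_H = 200, 100, 1000, 1000  # assumed Tor Browser grid

def raw_key(obs):
    """What a page sees with no countermeasure: resolution plus exact viewport."""
    return obs

def grid_key(obs):
    """Viewport snapped down to the grid and capped. The screen size is assumed
    to be reported as equal to the snapped viewport, so only that is kept."""
    _, _, w, h = obs
    return (min(w, MAX_W) // GRID_W * GRID_W, min(h, MAX_H) // GRID_H * GRID_H)

def anonymity_sets(observations, key):
    """For each user, how many users in the sample share their fingerprint."""
    counts = Counter(key(o) for o in observations)
    return [counts[key(o)] for o in observations]

def unique_fraction(observations, key):
    """Share of users whose fingerprint is unique in the sample."""
    sets = anonymity_sets(observations, key)
    return sum(1 for s in sets if s == 1) / len(sets)

def identifying_bits(observations, key):
    """Average bits the fingerprint reveals: log2(N / anonymity-set size)."""
    n = len(observations)
    return sum(math.log2(n / s) for s in anonymity_sets(observations, key)) / n

if __name__ == "__main__":
    for name, key in (("raw viewport", raw_key), ("grid-snapped", grid_key)):
        print(f"{name:13s} unique={unique_fraction(OBSERVATIONS, key):.2f} "
              f"bits={identifying_bits(OBSERVATIONS, key):.2f} "
              f"sets={anonymity_sets(OBSERVATIONS, key)}")
```

Note that the 1203x598 user stays unique even after snapping, because rounding only helps when other users land in the same bucket; that is the restricted-size argument pc86 makes, and the reason an oddly resized or letterboxed window on an unusual setup still stands out.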

