Hacker News new | comments | show | ask | jobs | submit login
Tor Anonymity: Things Not to Do (whonix.org)
345 points by transpute 541 days ago | hide | past | web | 99 comments | favorite



Here's one they missed: do not resize your window! If you do, your browser instance has a potential to have a unique viewport size and hence, there's a probability you can be tracked. Whatever size window Tor opens, do not re-size it.

I do not use Tor myself but few years ago I've analyzed an anonymized data site and was amazed how easy it was, with a high degree of probability, to track someone just based on screen resolution + viewport size (i.e. size of your browser window). Almost every viewport size was unique (when correlated with screen resolution).


  > Here's one they missed: do not resize your window!
Under the "Don't change settings if you don't know their consequences." section:

  For example removing a menu bar or using Full Screen
  in Tor Browser is recommended against. The latter
  is known to modify the screen size, which is bad
  for the web fingerprint.
Also, the current version of the Tor Browser warns you when you resize the window.


At least some mitigation to this is in the pipeline. If you try "hardened" version (although, currently only available for Linux 64-bit) you'll see it will only resize and lettersized to a certain set of "common" screen size.

I don't know what their roadmap is, but I'm assuming, this will be eventually coming to the stable release for all platforms supported.


>Also, the current version of the Tor Browser warns you when you resize the window.

I believe it only warns you if you maximize the window, not if you resize it.


Resizing it isn't a problem. It doesn't open at a magically untrackable size, the point of this advice is that if you are fullscreen you will be the same size always and therefore potentially trackable between sessions, if you are resizing it yourself even if you try to resize to roughly the same size as last time you won't be exactly the same. (Window management features like snapping to half screen instead of full screen of course would be the same as going full screen.)


Interesting. I'd have thought custom sizing would be bad for between-site tracking as it's much more likely to be unique, whereas fullscreen wouldn't have been much of a problem since resolutions are pretty standardised.


Sure but you shouldn't be connecting as distinct psuedo-identities during the same Tor session (mentioned in the article); if a custom browser size is associated with a one-time-use anonymous session then it shouldn't be a problem except that it leaks information about what window sizes are possible on your system, and your custom resize is very unlikely to be random; probably predictably proportional to your actual screen size.


Hmm, my thinking was that Tor browser would randomly pick a size, but maybe it only has a certain number of options to make sure every user crosses with plenty of other users too? In which case resizing of any sort would make you more unique, just within the session. (I'm no expert on Tor/browser.)


For those with knowledge of how window size affects page layout, is there any technical reason for Tor browser not to fuzz with a random +/- 5 pixels while in a single session (say, on every page load)?

Similar to what the nosleep utility does with jiggling the mouse by an unnoticable +/- a few pixels.


Too easy to average that away.

Could make sense to do so on a session-by-session basis, though.


Randomly picking a size still gives a good chance of being able to track user connections across a single session.


Actually it does. Check window.innerHeight and window.innerWidth.

The specific values depend on the individual configuration of your browser - icon size, toolbars, themes ...

mine is: 1920 x 992

if I add the bookmark bar the sizeing turns: 1920 x 968

It's not identifying but individual.


Why doesn't Tor Browser just spoof a default screensize? Why is it necessary to tell websites what size the screen is? Would it be possible to still see responsive websites if a default screensize was chosen? Perhaps a few 'presets' could be created for different aspect ratios and then it would alright?

Just curious I guess, it's a shame that there are people out there who've likely done everything right except changing the size of their window, and maybe they got v& or even hurt because of this.


I think if you browse without JavaScript on, this information is not available to the sites you visit.


Viewport width can be obtained via CSS, e.g. by using a media query for every screen width:

    @media (min-width: 400px) {
      .thing {
        background-image: url(size-400.png);
      }
    }
    @media (min-width: 401px) {
      .thing {
        background-image: url(size-401.png);
      }
    }
You could combine this with pixel density for even more specificity.


The tor browser bundle does have settings to disable media queries for this reason, but it is still conceivable to be identified by browser size unless you completely disable all embeded media (including images). Perhaps the browser delays loading images that aren't visible on the screen.


This seems almost trivial for the browser to fix. Just load all CSS resources, regardless of media query matching.


IIRC TOR is already slow. I am now sure you want to do this.


Yeah, it's speed for anonymity, just like everything else about TOR.


What idiots thought this was a good idea? I swear, sometimes it seems like browser writers, standard writers, and website writers are actively colluding with advertisers and spies to make it easier to uniquely track everyone.


Well, the idea was to do stuff like

    @media(max-size: 200px) { #container { background: url(tiny_mobile.png); } }

    @media(max-size: 400px) { #container { background: url(small_mobile.png); } }

    @media(max-size: 800px) { #container { background: url(medium_tablet.png); } }

    @media(max-size: 2000px) { #container { background: url(large_desktop.png); } }

    @media(min-size: 2000px) { #container { background: url(retina.png); } }
Not always loading the same image is a good idea on mobile.


See my reply elsewhere. Background images are bad meaning this isn't a very compelling argument.


Often these aren't really background images, they're just using that to set image sources via CSS. These days you can do the same thing with srcset, which also allows someone to learn your screen resolution.


It's almost as if when your goal is to track someone you can use widely available, generally innocuous means to do so.

People being smart is the horse, and programmers colluding with "advertisers and spies" in a massive fashion is the zebra.


There's kind of a long-term issue about the web platform changing in ways that increase trackability, often without people thinking about it (or maybe in a few cases without people admitting that they thought about it).

There is a W3C TAG document that touches on this at

http://www.w3.org/2001/tag/doc/unsanctioned-tracking/

One problem is that there are so many ways of tracking user-agents in the web platform today that it can be hard to convince anyone that addressing one of them will improve the situation. :-(


You're the one who sent an HTTP request to a web server. They're only "tracking" requests your browser makes to them. If you don't want a site tracking you, stop sending them data.


I can and do control many of the requests a website tells my browser to make. I deny javascript. I deny cookies (strictly speaking I have cookies deleted when I close the page). I deny flash. I deny third-party objects. I do this because I have knowledge about them (and just the right amount of paranoia about other parties). I lament the fact that other people don't and bitch about it when appropriate.


Well, if I put a HD background picture on a website, I sure don't want it to load on a mobile and use all of this user's data. It only makes sense.


Don't put HD background images on your website! Desktops have bandwidth caps too and most people are only interested in the page text not frilly multimedia.


Indeed. Background images were bad in the geocities age, background images were bad in the myspace age, background images are bad in the current tumblr age.


Also, toolbar/dock/taskbar location matters. I'm aware that due to my vertical taskbar I have a rather unique viewport size. The usability improvements of not wasting limited vertical viewing area trump that though (and I don't use TOR).


Or just disable JavaScript? Seriously: why would you brows for with JavaScript enabled?


If you're setting up your browser to blend in, turning off JS, which nobody in the real world actually does, only serves to draw attention to yourself.


You're already on tor. JavaScript should be disabled by default in the tor browser bundle anyway.


That you are on Tor and that you are not using javascript are two unusual things that compound each other in making you uniquely identifiable.

One reason that it is still relevant even though you are already using Tor is that there are many ways to slip up and expose yourself. And when you do, you've paired this additional one in a hundred identifier to yourself. Might as well just use lynx.


It's trivial to distinguish a tor user from a regular user on both ends of the connection. Hiding the fact that you are using tor is not the goal, making yourself indistinguishable from other tor users is the goal.


Many of these points can be summarised in one word: compartmentalisation

Your personas are isolated and segregated. They share no information, hobbies, interests and at a tech level they don't share connections, machines, browsers, apps.

Your anonymous personas use Tor in an isolating proxy configuration, where traffic is explicitly allowed and proxied rather than routing all by default (NAT) with explicit blocks (like a firewalls block all then allow vs allow all then block)

If you look at Opsec failures (read thegrugq[1]) you'll find that a very large number are the result of a lack of compartmentalisation and were found by establishing link(s) between known and unknown personas

[1] http://grugq.tumblr.com


Yes, indeed, compartmentalisation!

There's another interesting feature. Carefully restricted privacy-focused personas for different people tend to be very similar.


A case for Qubes OS?


Compartmentalization really needs to be a mindset as well. As noted in the article, certain user behaviors can also create linkages between otherwise disparate online personas, e.g. visiting a common subset of sites or visiting sites with low traffic and highly identifiable demographics. It would be difficult for Qubes OS to know that I shouldn't visit zikes.me while browsing in my "anonymous" persona, for example.


This is why, if you can, the best thing you can do is have a Tor computer. Have it run a live CD of some sort with Tor built-in, and only use it for Tor.

Of course, this is not perfect, and still allows for breaking some of the recommendations in the article, but it's a good start. Not to mention it's easy to switch compartments: restart the computer (still not perfect, but there's really no such thing as perfection here).


If you use a live CD you're most likely running outdated software unless you burn a new CD for each update.


Live USB :)

Still have to update it, but shouldn't be as bad as burning a CD every time.


The problem with live USB is that you'd be better off using Whonix instead TAILS at that point. The point of TAILS is to be "read-only". USBs can't really be read-only.

I think TAILS should only be used in "one time/week only" situations, such as when you want to expose some information. It's not meant to be used on a regular basis. Qubes/Whonix, especially if you use it in a "disposable" (delete the VM) fashion should be generally more secure.


The point of Tails is not to be read-only, hence all the work they have put in to enable persistent storage. USBs can be read only, especially when using a device such as a forensic write blocker. It all depends on how much you trust the manufacturer of the hardware you are using. Even then, if you are truly paranoid you can build your own write blocker using something like USBProxy.


I believe Tails is able to update itself when it's a LiveCD[1]. I guess it's still not perfect (you need to run the older, less secure version of itself to update itself), but it's better than nothing.

[1] https://tails.boum.org/doc/first_steps/upgrade/index.en.html...


Old software = good.

Newly patched software = who was it patched by exactly?


I suspect kpcyrd's point is that by not auto-updating, you stick out like a fly in the milk. Software versions (like browser versions, plugin versions) can be queried [1] and used to almost uniquely identify you.

[1] http://detectmybrowser.com/


Right - but if your browser and OS signature is "the latest version of tails" [1] then presumably you look identical to other users of the same live CD?

[1] https://tails.boum.org/


Yep, all four of them.

I (probably) exaggerate, but the problem is that your anonymity pool is now very small.


One commonality among top security professionals is that they all update regularly (and they don't speak in platitudes like old = good)


Old software: which website that you just visited "patched" it to do things you don't want?


The perceived "if you're keeping quiet, you must have something to hide" aspect of anonymity fascinates me.

Does anybody know if you might actually be safer from, say, a theoretical surveillance program by "blending in" as a typical Internet user vs. using Tor, where just one mistake might trigger a red flag?

I guess this technique wouldn't applicable if you do have something to hide, though... Hmm!


Trying to stay safe by "blending in" has a name, and its called security by obscurity. It works until it doesn't, and then it all tend to fall apart like a house made from cards.

Everyone has something to hide, and everyone need the security that the right to privacy provides. If I am the victim of a crime, I do not wish that the lawyer of the criminal has every single detail of my life to dig through and find something to paint doubt in a judge/jury mind. I also do not wish that the criminal has total information about the judge and jury, which they could then use to figure out how to manipulate them to a different decision then the truth. As such, I do not only wish privacy for me, but privacy for every person who could end up as jury, judge, lawyer, victim or accused. Our justice system depend on privacy to protect the human beings involved from being manipulated.


I have very little knowledge of surveillance but I used to work in the ad industry. There are a lot of signals, all of them noisy in isolation, but taken together they paint a very clear picture of who you are. Even a "normal" browsing history is probably enough to identify most of your demographic characteristics - age, sex, sexuality, .... I'm not sure what exactly you might want to hide, but it's hard to imagine it wouldn't show up.


> by "blending in" as a typical Internet user

How do you blend in? By not visiting any "subversive" websites and by not mentioning any "subversive" keywords. At that point you are a typical internet user. But how do you know what is considered subversive? Animal rights/environmental activists with no actual proof that they've done anything or planned anything are under house arrest right now in France just because the government wanted to free up resources to track Islamic extremist terrorists.

> using Tor. where just one mistake might trigger a red flag?

Btw as a point of interest your username just triggered a red flag and got put on a slightly elevated watch level by the US surveillance program. Why? You mentioned the word "Tor" (Snowden files for details).

> wouldn't applicable if you do have something to hide, though... Hmm!

Do you have genitals? Do you like keeping tabs on who gets to see them? Congratulations you have something to hide.

Would you like your boss to see what porn you watch? Congratulations you have something to hide.


> Animal rights/environmental activists with no actual proof that they've done anything or planned anything are under house arrest right now in France just because the government wanted to free up resources to track Islamic extremist terrorists.

Source? All I could find were warrants issued for actual protests during a state of emergency.



The Guardian and the Independent reported it.

As far as the reports stated the State of Emergency is ongoing.


[flagged]


You're being downvoted because you're saying things you can't cite (people without warrants under house arrest). Unless you can provide a source, something like that is perceived not to be true.


We live in the internet age. People can click on the top link on google (search term: "State of Emergency France Independent") themselves. But here let me google that for you instead.

http://www.independent.co.uk/news/world/europe/france-state-...

http://www.independent.co.uk/news/world/europe/frances-state...


We live in the internet age, and as you say, it's trivial to locate sources. It's therefore considered at best discourteous and at worst peddling misinformation when you don't provide them yourself.

Burden of proof and all that. But thanks for coming through.


On the contrary, please do browse the web normally with Tor. The more normal users Tor has, the more credibility it has.


tl;dr Advice for lay users: Tor isn't an invisibility cloak. ex, visiting a social media site through a 'tweet this' type link will leave an identifying trace that others can use to narrow down my probable identity. Fifteen or so concise admonitions with reasoning.


The OP makes many assumptions about why people are using Tor. Some people are not looking for total protection from all the enemies Tor is meant to protect against.

For instance someone looking to hide from a local tap, say while at work, can safely use tor to login to account they would normally access directly. The enemy isn't the website you are accessing, or some nation state with limitless tapping resources. You just want Tor to hide what you are doing from the boss. (But make sure you aren't sending your login details in the clear.)


Tor is a less than ideal solution to the problems of censorship or local traffic monitoring. It would be more performant, and in some ways more reliable, to use a VPN, SSH tunnel, SOCKS proxy with SSL, etc.

In many environments these are also less likely to be blocked or detected by network operators, as they're a common component of business network traffic, while Tor (identified by communications with publicly listed Tor nodes) is not.

Tor was designed for anonymity, not circumvention. Circumvention is a side-effect of Tor and some circumvention features have been added (namely bridges), but there are significantly more elegant solutions for when only circumvention is necessary.


Tor was not designed for circumvention? Bypassing censorship is a primary design feature.


That's just what I'm saying - bypassing censorship is not a primary design feature. Tor's original design was only for low-latency anonymity. Circumvention was initially a side-effect of Tor functioning as a (very slow) proxy for its users, and later dedicated circumvention features were added (unlisted bridges, obfsproxy, etc) to make Tor more durable in hostile environments, for the purpose of making the anonymity features more available, which of course reinforces the side-effect of Tor being useful for circumvention.

Most recently, the rendezvous system and hidden services have been particularly powerful in reducing censorship on the end of content publishers, but this feature was added two years in, it is an area in which Tor performs significantly more poorly than, e.g., i2p, and very few people are actually talking about this when they discuss using Tor for censorship evasion.

I love the Tor project, but people should understand that it is an anonymity system, not an anti-censorship system. When you are facing censorship on your end (the reader's end) and do not require anonymity, just use a SOCKS proxy or a VPN. They're radically faster, often easier to use, and there are a million different options for evading blocking and detection - using DNS queries as a covert channel is a popular one, but the sky's the limit.

If you need to evade censorship on the publisher's end, then this generally comes down to an anonymity problem (the publisher must remain anonymous for their protection) and so onion-routing becomes a reasonable approach. This is relatively uncommon, though, and I believe people should more strongly invest in other projects that originally built around this goal, rather than having it added later. Some of these are more robust against attempts at direct censorship (rather than just punishing the creator) as well, as Tor is relatively centralized.


They have the "Do not mix Modes of Anonymity" section from the Tor docs. It clearly says that there's mode(3): only location privacy, no anonimity. The State of the Onion talk at 32C3 mentioned using Tor for non-anonymous usage, e.g. for securely getting to Facebook via their onion service.


Your boss would just have to put a keylogger or use something like Ammyy in silent mode to see what you're doing (I assume Tor usage is visible in the firewall logs hence making you suspect, but I really have no idea).

If "they" have physical access to a machine, you shouldn't trust it.


So basically, don't use the Internet while using Tor. Because people might find out who you are. Got it.


This was also my takeaway after reading the list. In fact, it might be simpler to write a guide of "here's what you can do and exactly how to do it - with Tor".


Whitelist instead of blacklist, not a bad idea.


I like this line:

> Heroes only exist in comic books keep that in mind! There are only young heroes and dead heroes.


Very similar to: “There are old pilots, and there are bold pilots, but there are no old, bold pilots.”


Too bad we don't have a saying like that for driving cars.


The conclusion I draw from this list is that it's almost impossible for an ordinary person to maintain anonymity using the current tools. Who has the discipline to maintain the level of operational security implied by this article? I mean, these are just the top twenty things you're not supposed to do, and it's easy to think of more, for example:

* Don't type anything into an untrusted web page—you can be deanonymized by your typing patterns. Whenever you need to type anything, type it into a text editor and then copy and paste. http://arstechnica.co.uk/security/2015/07/how-the-way-you-ty...

* Don't move your mouse over the web page—you can be deanonymized by your mouse movements. So disconnect your mouse and interact via the keyboard only (always bearing in mind the problem of deanonymization via typing, of course). http://dl.acm.org/citation.cfm?id=2046725


Tor is a project originally by the US Navy developed to protect US intelligence. Given that background it would be a bit of a leap to trust security or privacy to technology produced by the government unless it is reasonable or rational to assume they will work against their own interests by releasing it.

For a long time time before NSA was exposed, it had been working closely with a lot of security related technologies, researchers, developers, companies, and was a key part of the software security industry including standards. For instance SeLinux is a NSA project pushed hard by a number of open source companies including trying to integrate it into the Linux kernel but stymied by Linux Torvalds. A lot of these technologies and companies often get a free pass.

For anyone with serious anonymity or privacy needs it would be pragmatic to think carefully before relying on technology that is linked to the US government or US companies which basically rules out a lot of computing. Using technology to fight an adversary with unlimited resources and access to talent, and has been an integral part of the security industry is foolhardy and seems difficult to win. We need to find alternatives.


Should we also avoid the Internet itself then?

- https://en.wikipedia.org/wiki/Arpanet


If your Internet needs are privacy or anonymity related perhaps. That's why I said it rules out a lot of computing.

For those with a 'serious' as in life dependent need for privacy, for instance whistle blowers or persons of interest it can be argued the Internet today cannot deliver the level of anonymity they require.


Tor was open-source since 2004 and developed by the Tor Project group (which was funded in part by EFF).


Things NOT to do:

- Prevent Tor over Tor scenarios.

Sincere question:

Is that really what they meant to say? Do NOT prevent Tor over Tor scenarios?


No. He means to avoid Tor over Tor. English is a difficult language ;)


I immediately had to think when he/she wrote "informations": likely French (or sometimes Germans make the same error).

Since back in my demoscene days (which is a mostly European, non-native English speaking crowd) that one always stood out to me, almost exclusively French that made this mistake (pretty consistently, as well).


Is there a way to block non-Tor traffic via iptables or similar? That would be really helpful since it's only human to make some mistake and leave another connection open. To connect to my VPN I use a script that changes all iptables policies to DROP and allows traffic only on lo and tun0. I still have to allow traffic on eth0 to the VPN IP, but that's unavoidable I guess.


Yes, it's possible. You run tor under its own user and block all ingress/egress traffic except from tor's user. You talk to the outside world proxying through tor.


I've given some thought on what a safe browser for tor would be like. Since it's hard to come up with the list of all possible information leaks, I suggest not attempting to do so. The system goes like this:

1) You open a new tab in your favorite browser. At this point, a new instance of a read-only, lightweight, virtual machine is resumed. The virtual machine doesn't know about tor, but its entire network traffic is torrified by the hypervisor.

2) The tab now displays a VNC connection to the virtual machine you just spun up.

Now, it's possible that some things will leak through the VM, but it should also be easier to control than an entire browser running in your OS. For example, enforcing that the VM image be read-only ensures that once a tab is closed, all sources of history are gone... no cookies, no history, no browser settings. You only need to whack one mole.

Yes, there might be exploits that jump out of the hypervisor, but these aren't as common as browser exploits and you would need both to jump out.


Someone made a point about grammar and spelling mistakes... They were rightly flagged as their comment was non-constructively rude. However, it is a real point. Grammar and spelling error patterns are something I would attempt to fingerprint in order to correlate users across different forums if I were running a surveillance programme with sufficient resources.


In anonymity research this general problem is known as stylometry, and includes errors as well as other individual differences in how people use language.


Kudos to the team for producing this! Perhaps the Tor Browser Bundle team could even incorporate some of these details into a more usable/translated draft of this information at the link provided when you start up the Tor Browser Bundle, which for reference/comparison is available at https://www.torproject.org/download/download.html.en#warning


Don't cross contaminate passwords or utilize like passwords.

So don't use the same passwords while utilizing tor that you have used with other accounts.

Or use similar passwords naming schemes. So if you are in the habit of using '@' for 'a' then try to avoid that and use random schemes.


Use the tor browser.

Someone should make a short gif to explain this: imagine someone with a Guy Fawkes mask browsing facebook on his computer. Then some guy behind him look at his screen him and tells him "hey Mark Dupont, what's up?"



I meant that facebook is a website which is designed to identify people, so tor and facebook are basically opposite things.


Interesting.. shouldn't you do use Tor for as much as possible, including completely legal activities, so that when you do use Tor to legitimately hide something, you wouldn't generate traffic out of the ordinary?


I think only as much as you can do so anonymously in the first place. Regarding the resizing issue specifically, the use of "resolution + window size" is sufficiently unique in fullscreen (especially if you have a vertical toolbar like many devs do) that it can be deanonymized.


I don't understand the risk of the window-size issue.

If I am running a normal Windows installation(say, Windows 7 Home) on a commonly-sized screen (say, 1366x768) and have a normal sized taskbar, no odd widgets, toolbars, or other screen-space taking things, it seems I am only reducing the anonymity pool to those other users with the same features, which I suspect is more than 4.

For a non-persistent live-boot situation such as Tails, I would expect the risk to be even lower.

What am I missing, if anything? Was there some legal situation in which browser window size was used to de-anonymize someone that warrants the attention to browser window size? I understand it's another layer of protection, defense-in-depth and all, but it seems to be getting a disproportionate amount of attention.


You're exactly right. However, the concern comes from those who aren't using a commonly-sized screen with a normal taskbar, etc. That's precisely why certain versions of the Tor browser only resize to certain sizes/dimensions.

If (for example) you've got a vertical taskbar on a 4k monitor the pool will be much lower. Add in one other slip up, such as visiting a low-traffic website you've visited outside of Tor, and you've got a huge vulnerability for deanonymization.

As far as legal, I don't think there has ever been such a case, no. However, it definitely opens someone up to parallel construction, and there are always certain agencies for which a legal case is not necessary their end goal (CIA, NSA, etc).


I mean, use Tor non-anonymously alongside your anonymous usage. So do resize your regular browser with which you visit regular sites, just do it over Tor so it won't look suspicious when you run the actual anonymous browser to visit other sites over Tor anonymously.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: