How to Configure and Use Tor Browser Securely: A Comprehensive Guide

The Tor Browser is a powerful tool designed to enhance online privacy and anonymity by routing your internet traffic through a series of encrypted relays (Tor nodes). However, to maximize the security and anonymity Tor can provide, it’s crucial to configure and use it properly. This article will guide you through the key steps in setting up and using Tor Browser securely.

What is Tor Browser?

Tor Browser is based on Mozilla Firefox, customized to use the Tor network for browsing the web. It conceals your location and activity from network surveillance and traffic analysis by bouncing your communications across a distributed network of relays.

However, simply using Tor Browser doesn’t make you completely anonymous. It’s vital to implement secure practices and configurations to minimize the risks associated with its use.

Downloading Tor Browser Safely

To ensure you’re downloading a legitimate copy of Tor Browser:

• Official Website: Always download Tor from the official website. Avoid third-party downloads to prevent installing modified versions with malware.
• Verify the Signature: Tor Project provides cryptographic signatures for verifying the integrity of the software. After downloading, follow the instructions on the website to verify the GPG signature, ensuring the file hasn’t been tampered with.

If your Internet Service Provider (ISP) or government blocks access to the official Tor Browser website, there are several methods you can use to bypass these restrictions and download the Tor Browser safely.

Use a VPN or Proxy to Access the Tor Website

A VPN (Virtual Private Network) or proxy service can help you bypass restrictions by masking your IP address and encrypting your traffic. When you connect to a VPN, your ISP will only see that you're connected to a VPN server, not the websites you're visiting, which can help you access blocked sites like Tor’s official website.

VPN: Choose a reputable, no-logs VPN provider. Connect to the VPN and then visit the Tor Project website.

Proxy: You can also try using an HTTP or SOCKS proxy service, though VPNs are generally more secure.

Download Tor via Mirrors

The Tor Project maintains a list of mirrors—alternative download sites that host the same files as the official website. If the main site is blocked, you can try downloading from one of these mirrors:

Visit the official list of mirrors at: https://support.torproject.org/ or directly search for Tor mirrors.

Make sure to verify the GPG signature after downloading the file from any mirror to ensure its authenticity.

Request Tor Browser via Email

If you’re unable to access the Tor Project website directly, you can request the Tor Browser via email:

Send an email to [email protected] and specify your operating system (Windows, macOS, Linux). The Tor Project will send you a direct download link in response. This method is useful if you have email access but can’t visit the Tor site.

Download from Trusted Repositories

In some cases, you might find the Tor Browser available through trusted software repositories. For instance, Linux users can download Tor via their distribution’s package manager (such as apt, dnf, or pacman):

Debian/Ubuntu: Install the Tor Browser from the official Tor Project repository by following their setup instructions. This method ensures you get an authenticated version of the software directly through your system's package manager.

Find the Official Tor Project Repository on GitHub

To ensure you're getting a legitimate copy of the Tor Browser, always look for an official repository or link provided by the Tor Project. Currently, the Tor Browser itself is not officially hosted on GitHub, but some components like Tor source code and tools related to the Tor network can be found in Tor’s GitHub repositories.

• The official Tor Project GitHub account can be found at: https://github.com/torproject.
• Look for repositories or links that are clearly from the Tor Project. If the Tor Browser is offered on GitHub in the future, it would likely be linked from here.

Bridges and pluggable transports

Bridges and pluggable transports are key features in Tor Browser that help users circumvent censorship and access the Tor network in countries or regions where it's blocked. These features are particularly useful if your Internet Service Provider (ISP) or network administrator is actively blocking access to Tor.

Tor Bridges

A bridge is a Tor relay that is not publicly listed, making it harder for censors to block access to the Tor network. Bridges are essentially “secret” entry points into the Tor network, often used to bypass government censorship or restrictions imposed by an ISP.

When to Use Bridges

If your connection to the Tor network is being blocked or throttled, you’ll need to use bridges. This is common in countries with strict internet censorship policies, such as China or Iran, where access to the Tor network is deliberately restricted.

How to Configure Bridges

1. Open Tor Browser Settings.

2. Request Bridges: Search for the “Bridges” section and click on the "Request bridges":

After that, you will be automatically connected to the bridge:

You can also get bridges by visiting https://bridges.torproject.org/ or by sending an email to [email protected] from a mail account with the subject line "get bridges." This method will provide you with non-public bridge IPs.

After the configuration, when to click on the "Tor Circuit" button, you will see the route your traffic goes (here you can see that the first node is a bridge):

Once you’ve enabled and selected a bridge, the Tor Browser will use it as an entry point to the Tor network. This can help you bypass censorship by avoiding known, blocked Tor entry relays.

Pluggable Transports

Pluggable transports are tools that disguise Tor traffic to make it look like regular, uncensored internet traffic. This makes it harder for censors to detect that you're using Tor, thus bypassing censorship mechanisms such as deep packet inspection (DPI).

What Do Pluggable Transports Do?

Pluggable transports obfuscate your traffic to make it less identifiable. Without a pluggable transport, Tor traffic has a specific signature that censors can detect and block. Pluggable transports change the appearance of this traffic, so it blends in with other internet activities, making it harder for filters to detect and block.

Popular Pluggable Transports

obfs4: The most widely used pluggable transport, obfs4 obfuscates your traffic to make it look random and difficult for censors to distinguish from regular internet traffic.

meek: Uses HTTP to disguise Tor traffic as regular web browsing. It often routes traffic through major websites like Google or Microsoft, making it harder to block.

snowflake: Uses WebRTC, a peer-to-peer protocol, to mask Tor traffic and circumvent censorship.

When you request a bridge in the Tor Browser, obfs4 is provided by default as the pluggable transport. This is because obfs4 is highly effective at bypassing censorship and is widely supported.

Check the connection

To check if you are connected to the Tor network, you can use the following methods:

Visit the Tor Check Website

The easiest way is to visit the official Tor check page: https://check.torproject.org/.

This page will automatically determine if you are using Tor. If connected, it will display a message saying, “Congratulations. This browser is configured to use Tor.” If you are not connected, it will indicate that you are not using Tor.

Check Your IP Address

When you connect to Tor, your IP address will change to one of Tor's exit nodes. To verify this:

Go to a site like https://whatismyipaddress.com/ before and after connecting to Tor.

If connected to Tor, your IP address should be different and show a location in a different country than your actual location (below we see that the service show another city, another ISP and detects that we use Tor).

Tor Browser’s Circuit

When you open Tor Browser, look at the "Tor circuit".

If you experience issues connecting, consider checking your firewall settings or trying to use a bridge if your connection is blocked.

Using the above methods, you can easily verify whether you are successfully connected to the Tor network.

Monitor for DNS Leaks

DNS (Domain Name System) leaks occur when your computer's real IP address is exposed via non-Tor DNS queries. Fortunately, Tor Browser is designed to prevent these leaks, but it’s good to double-check for added security:

• Use an Online DNS Leak Test: Visit dnsleaktest.com or a similar service through the Tor Browser and run a test. The results should show only Tor network IPs (not your real IP address or DNS servers).
• Verify DNS Settings: By default, Tor Browser handles DNS queries within the Tor network. If you see any requests going outside the Tor network, there might be a configuration issue.

Security Slider

The Tor Browser features a Security Settings slider that allows you to customize the level of security based on your needs. Here are the three levels available:

Standard

Features: All Tor Browser features are enabled, including JavaScript, images, and other media.

Use Case: This level is suitable for general browsing, but it may expose you to risks from scripts, ads, and other potentially harmful elements. Use this setting when browsing known and trusted websites.

Safer:

Features:

• Disables JavaScript on non-HTTPS sites.

• Blocks certain fonts and math symbols.

Use Case: This setting reduces the risk of exploitation by limiting the functionalities that can be executed in your browser. Choose this option when visiting sites you are less familiar with or when privacy is a greater concern.

Safest

Features:

• Blocks JavaScript entirely.
• Disables most media elements and complex visual features.

Use Case: This provides the highest level of protection against tracking and exploitation. However, many websites may not function properly with this setting. It is advisable to select this option when visiting potentially untrustworthy sites or conducting sensitive activities, such as online banking or communications.

Disable Add-ons

While it may be tempting to install additional browser add-ons to enhance functionality, it is highly advisable to avoid installing any extra add-ons or extensions in Tor Browser. Here’s why:

• Prevention of Leaks: The Tor Browser is specifically designed to prevent data leaks that could compromise your anonymity. Adding extra plugins can create vulnerabilities, allowing malicious actors to track your activities.
• Anonymity Risks: Many popular add-ons may not have been modified for Tor and could bypass Tor's protections, potentially exposing your real IP address or other identifying information.

NoScript Extension

Tor Browser comes with the NoScript extension pre-installed, which is a crucial tool for enhancing your security:

Functionality: NoScript blocks JavaScript, a common attack vector used by malicious websites. It allows users to enable scripts on a case-by-case basis.

Default Settings: By default, NoScript is configured based on the security level you have chosen:

At the Standard level, JavaScript is enabled for sites deemed safe.

At the Safer and Safest levels, JavaScript is disabled or highly restricted, especially on non-HTTPS sites.

Changing the Tor Circuit

Tor Browser allows users to change their connection route (circuit) through the Tor network. Each Tor circuit consists of multiple relays (usually three) that encrypt and relay your traffic, ensuring privacy and anonymity. Changing the circuit can help you:

• Avoid blocked or slow relays.
• Get a fresh connection for anonymity purposes.
• Access content that might be restricted by an exit node’s location.

New Identity

The New Identity feature in Tor Browser provides users with a completely fresh browsing session, ensuring that their online activity remains anonymous and separate from any previous activity. When you request a new identity, Tor Browser resets several critical elements to enhance your privacy.

Here’s a breakdown of what happens when you select New Identity:

Clears All Browsing Data.

Tor Browser deletes all temporary data, including:

• Cookies
• Browsing history
• Cache
• Session storage

This prevents websites from tracking your activity across multiple sessions and ensures that any data associated with your previous browsing is wiped out.

Closes All Open Tabs.

• All open tabs and windows will automatically close, and the browser will restart with a blank window.
• This ensures that any sites open in your current session are completely disconnected.

Establishes New Tor Circuits.

When you start a new identity, Tor Browser will build new circuits through the Tor network. This means:

• You’ll be assigned new entry, relay, and exit nodes.

• Websites will see you as a completely new user with a different IP address (the IP of the new exit node).

This helps dissociate any browsing activity from previous circuits, enhancing your anonymity.

Resets Browser Settings to Default.

• Any changes made to the browser during the session (e.g., permissions granted to websites, NoScript exceptions) are reverted to default settings.
• This prevents any site-specific permissions from being carried over to the new identity.

Why Use the New Identity Feature?

Anonymity Refresh: If you want to guarantee that your online activities are not linked across multiple sessions, requesting a new identity provides a fresh start.

Improved Security: If you suspect that your session or circuit may be compromised or tracked, resetting your identity helps you evade potential threats.

Overcoming Site Restrictions: Some websites may block specific IP addresses (Tor exit nodes). A new identity gives you a new IP, helping you bypass these restrictions.

Window Maximization in Tor Browser and Its Privacy Risks

Tor Browser includes several built-in security and privacy measures designed to protect users from tracking and fingerprinting. One such feature is window size management. By default, Tor Browser discourages users from maximizing their window size, as doing so can introduce privacy risks.

Websites can detect your screen resolution and browser window size. This information is used as part of a technique known as browser fingerprinting—an advanced tracking method that collects small details about your browser and system configuration to create a unique identifier.

For better anonymity, keep the Tor Browser window at its default size.

If you do need to resize the window, try to avoid dragging it to the edges of your screen, as this can still give away clues about your screen resolution.

HTTPS-Only Mode

HTTPS-Only Mode is a security feature in Tor Browser designed to ensure that your connection to websites is encrypted. When enabled, Tor Browser will attempt to connect to all websites using HTTPS (Hypertext Transfer Protocol Secure), which encrypts your communication with the site. If a site only supports HTTP (an unencrypted connection), the browser will block the connection or warn you before proceeding.

This feature is crucial for maintaining privacy and security, particularly when browsing anonymously through the Tor network.

Online Certificate Status Protocol (OCSP)

Online Certificate Status Protocol (OCSP) is a protocol used to check the revocation status of X.509 digital certificates, typically used in HTTPS connections. When a browser or application encounters a certificate, it can query an OCSP responder server to confirm whether the certificate is still valid, has expired, or has been revoked by the issuing Certificate Authority (CA).

OCSP is an essential protocol for confirming the validity of SSL/TLS certificates, ensuring that even certificates that appear valid haven't been revoked. Whether using tools like OpenSSL or relying on built-in browser mechanisms, OCSP querying helps protect users from compromised certificates.

Deceptive Content and Dangerous Software Protection

Deceptive Content and Dangerous Software Protection is a feature designed to safeguard users from harmful or misleading websites, such as phishing sites, sites distributing malware, or those attempting to scam users. While browsing, this protection helps identify potential threats before they can compromise your security or privacy.

In Tor Browser, this feature is tailored to provide privacy while maintaining a level of security against deceptive websites, but it is not enabled by default due to Tor’s focus on anonymity.

By doing this, you’re allowing Tor Browser to check the websites you visit against a list of known harmful sites, but you’ll need to balance this with your desire for privacy since the feature may require periodic communication with Google servers.

Managing Permissions in Tor Browser

In Tor Browser, permissions refer to the specific access that websites request from your browser, such as permission to use your location, access your camera, microphone, notifications, or cookies. Since Tor Browser is designed to enhance privacy, it minimizes the permissions granted to websites by default, but it allows users to manage and adjust these permissions manually.

Managing permissions in Tor Browser allows you to maintain control over what data websites can access while browsing. For enhanced security and anonymity, it's recommended to limit these permissions as much as possible, especially location, camera, microphone, and notifications. By doing so, you protect yourself against potential privacy leaks while still maintaining control over your online experience.

History

In most traditional browsers, your browsing history is stored locally on your device, including the websites you visit, cookies, cached files, and other browsing data. However, Tor Browser is designed to prioritize privacy and anonymity, and it handles history differently from mainstream browsers.

In Tor Browser, your browsing history is not saved, making it an excellent choice for privacy-focused users. While you can view your history during an active session, all data is wiped as soon as the browser is closed. This design ensures that no trace of your online activity remains on your device, helping to maintain both privacy and anonymity.

Conclusion

By implementing these strategies, users can effectively leverage Tor Browser’s capabilities to safeguard their online activities from prying eyes. This commitment to secure practices not only enhances personal privacy but also contributes to the broader goals of free expression and access to information in a digital landscape that can often be hostile to both.