Things NOT to do[edit]

I wonder what my site looks like when I'm anonymous.[edit]

"I wonder what my site looks like when I'm anonymous" ^[1]

It's best not to visit your own personal website where either real names or pseudonyms (which have ever been tied to a non-Tor connection/IP) are attached. Because how many people are visiting your personal website? 90% of all Tor users, or just you, or just very few other people? That's weak anonymity. Once you visit a website your Tor circuit gets dirty. The exit relay knows that someone visited your website and if the site is not that popular, it's a good guess that 'someone' was you. It wouldn't be hard to assume that further connections originating from that exit relay come from your machine.

Source: ^[2]

Login into your real life Facebook account and think you are anonymous.[edit]

Don't login into your personal Facebook account. No matter if your real name is attached or only a pseudonym. You most likely added your friends and they know who the account belongs to. Through your social network Facebook can guess who you are.

No anonymity solution is magic. Online anonymity software may reliably hide your IP/location. But Facebook does not need your IP/location. They already know who you are, who your friends are, which private messages you send and so on. All those data is at least stored on Facebook's server. No kind of software can delete that data. Only Facebook and crackers could.

So if you log into your personal Facebook account you only get location privacy. No anonymity.

Quoted from "To Toggle, or not to Toggle: The End of Torbutton"^[3]:

mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you.

Never login into accounts you ever used without Tor.[edit]

Always assume that each time you visit a website, that they will log the IP/location which visited the website, at which time and what you did.

Also assume, that each time you're online your ISP (Internet Service Provider) will log your online time, IP/location and perhaps traffic. Your ISP could also log to which IPs/locations you connected, how much traffic and what you send and retrieved. (Unless it's encrypted, then they'll see only garbage.) The following tables should give you an simplified overview what those logs could look like.

ISP Log:

Extended^[4] ISP Log:

Website Log:

You'll see, when websites and ISP keep logs, no one needs Sherlock Holmes to conclude.

If you mess up for one time, and login with a non-Tor connection/IP, which can be tied to you, then the whole account is compromised.

Don't login into your bank account, paypal, ebay or other important personal accounts unless...[edit]

Logging into your bank, paypal, ebay or other important personal accounts registered on your name where money is involved could risk, that your account gets suspended, due to "suspicious activity" by the fraud prevention system. This is because crackers sometimes use Tor for committing fraud. That's probably not what you want.

It's not anonymous for reasons already explained. It's pseudonymous and offers circumvention (in case access to the site is blocked by your ISP) and location privacy. The difference of anonymity and pseudonymity is covered in a later chapter on this page.

In many cases you will be able to contact the support and to get your account unblocked again or on request, even the fraud protection policy gets relaxed for your account.

Whonix developer adrelanos is not against using Tor for circumvention and/or location privacy, you just should know the risk of your account getting (temporarily) suspended and the other things mentioned on this page and the other warnings from the Whonix documentation. So if you know what you are doing, feel free.

Don't alternate Tor with open WiFi.[edit]

You may think open WiFi is faster and equally safe as Tor since the IP/location cannot be tied to your real name, right?

It's better to use an open WiFi AND Tor, but not an open WiFi OR Tor.

The approximate location of any IP address can be tied down to a city, region or even a street. Even if you are away, you still gave away your city or approximate location since most people don't switch continents.

You don't know who is running the open WiFi router or their policies. They could be keeping logs of your MAC address and tie it with the activity you are sending in the clear through them.

While this doesn't break your anonymity, the circle of suspect has decreased from the entire world, a continent, or the country to a region. This strongly hurts your anonymity. Keep as much information as possible to yourself.

Prevent Tor over Tor scenarios.[edit]

Whonix specific.

When using a transparent proxy (Whonix includes one), it is possible to start a Tor session from the client as well as from the transparent proxy, creating a "Tor over Tor" scenario.

This happens when installing Tor inside Whonix-Workstation or when using the Tor Browser Bundle without configuring it to use a SocksPort instead of the TransPort. (Covered in the Tor Browser article.)

Doing so produces undefined and potentially unsafe behavior. In theory, however, you can get six hops instead of three, but it is not guaranteed that you'll get three different hops - you could end up with the same hops, maybe in reverse or mixed order. It is not clear if this is safe. It has never been discussed.

You can choose an entry/exit point ^[5], but you get the best security that Tor can provide when you leave the route selection to Tor; overriding the entry / exit relays can mess up your anonymity in ways we don't understand. Therefore Tor over Tor usage is highly discouraged.

License of "Prevent Tor over Tor scenarios.": ^[6]

Don't send sensitive data without end-to-end encryption.[edit]

As already explained on the Warning page, Tor exit relays can eavesdrop on communications and other Man-in-the-middle attacks can happen. The only way to get sensitive data from the sender to the recipient while withholding it from third parties, is using end-to-end encryption.

Don't disclose identifying data about yourself.[edit]

Deanonymsation is not only possible with connections/IP addresses but by social threats too. Some recommendations to avoid deanonymisation collected by Anonymous:

• Do not include personal informations in your nickname
• Do not discuss personal informations, where you are from...
• Do not mention your gender, tattos, piercings or physical capacities.
• Do not mention your profession, hobbies or involvement in activist groups.
• Do not use special characters on keyboard, which are existent only in your language.
• Do not post informations to the regular internet while you are anonymous. Do not use Twitter and Facebook. This is easy to correlate.
• Do not post links to facebook images. The image name contains a personal ID.
• Do not connect to same destination at the same time. Try to alternate.
• IRC, other chats, forum, mailing list, etc. are public, keep that in mind.
• Heroes only exist in comic books keep that in mind! There are only young heroes and dead heroes.

If it's a must to disclose identifying data about yourself, treat it as "sensitive data" in the point above.

License: From the JonDonym documentation (Permission).

Do use bridges if you think Tor usage is dangerous/suspicious in your country.[edit]

Quoted from the Bridges page: "Bridges are important tools that work in many cases but they are not an absolute protection against the technical progress that an adversary could do to identify Tor users."

Don't use different online identities at the same time.[edit]

They easily correlate. Whonix doesn't magically separate your different contextual identities.

Also read the points below.

Don't log into Twitter, Facebook, Google, etc. longer than necessary.[edit]

Restrict the time your are logged in accounts for Twitter, Facebook, Google and any other account based services (web forum etc.) to the time you are using them. After you are done with reading, posting and so on, log out. At least log out, shut down Tor Browser, change your Tor circuit using a Tor Controller, wait a few seconds until the circuit changed, restart Tor Browser. For better security follow the Recommendation to use multiple VM Snapshots and/or to use multiple Whonix-Workstations.

This is because many websites include one or more of the many integration buttons, such as "I like" and "twitter this" and Google analytics, adsense etc. Those buttons tell the originating service that you visited that website because you were still logged into their service.

Also note the chapter "Don't use different online identities at the same time." above.

Do not mix Modes of Anonymity![edit]

Let us begin with an overview of the different Modes of Anonymity:

mode(1): user anonymous; any recipient[edit]

• Scenario: post anonymously a message in a message board/mailing list/comment field
• Scenario: whistleblower and such
• You are anonymous.
• Your real IP/location stays hidden.
• Location privacy: your location remains secret.

mode(2): user knows recipient; both use Tor[edit]

• Scenario: both sender and recipient know each other and both use Tor.
• They can communicate with each other without any third party being wise to their activity or even to the knowledge that they are communicating with each other.
• You are NOT anonymous.
• Your real IP/location stays hidden.
• Location privacy: your location remains secret.

mode(3): user with no anonymity using Tor; any recipient[edit]

• Scenario: login with your real name into any services, such as webmail, Twitter, Facebook, etc...
• You are obviously NOT anonymous. As soon as you log into an account where you entered your real name the website knows your identity. Tor can not make you anonymous in these situations.
• Your real IP/location stays hidden.
• Location privacy. Your location remains secret.

mode(4): user with no anonymity; any recipient[edit]

• Scenario: normal browsing without Tor.
• You are NOT anonymous.
• Your real IP/location gets revealed.
• Your location gets revealed.

Conclusion[edit]

It's not wise to combine mode(1) and mode(2). For example, if you have an IM or email account and use that via mode(1), you are advised not to use the same account for mode(2). We have explained previously why this is an issue.

It's also not wise to mix two or more modes inside the same Tor session, as they could share the same exit relay (identity correlation).

It's also possible that other combinations of modes are dangerous and could lead to the leakage of personal information or your physical location.

License[edit]

License of "Do not mix Modes of Anonymity!": ^[6]

Don't change settings if you don't know their consequences.[edit]

Changing user interface settings for applications, which do not connect to the internet, mostly safe. For example, checking a box "don't show this tip of the day anymore" or "hide this menu bar" will have no effect on anonymity.

Look into the Whonix documentation, if changing the settings you are interested in, is documented or recommended against; try to live with the defaults.

Changing settings for applications, which connect to the internet, even user interface settings, has to be thoroughly reviewed. For example removing a menu bar or using Full Screen in Tor Browser is recommended against. The latter is known to modify the screen size, which is bad for the web fingerprint.

You should only modify network settings with great care if you know their consequences. For example, you should stay away from the advice related to "Firefox Tuning". If you believe the settings are suboptimal, the changes should be proposed upstream, so they get changed for all Tor Browser users with the next release.

Do not use clearnet and Tor at the same time.[edit]

Using your non-Tor browser and Tor Browser at the same time, risks that you at some point confuse one for the other and deanonymize yourself.

Using clearnet and Tor at the same time also risks that you connect to a server anonymously and non-anonymously at the same time, which is recommended against. The reason for this is explained in the point below. You never know when you visit the same page anonymously and non-anonymously at the same time, because you only see the url you're visiting, not how many resources are fetched in background. Many different websites are hosted in the same cloud. Services such as google analytics are on the majority of all websites and therefore see a lot anonymous and non-anonymous connections.

If you really want not to follow this recommendation, use at least two different desktops to prevent confusing one browser for another.

Do not connect to any server anonymously and non-anonymously at the same time![edit]

It's highly recommended that you do not connect to any remote server in this manner. That is, do not create a Tor link and a non-Tor link to the same remote server at the same time. In the event your internet connection breaks down (and it will eventually), all your connections will break at the same time and it won't be hard for an adversary to put the pieces together and determine what public IP/location belongs to what Tor IP/connection, potentially identifying you directly. Another attack a webserver could do is increasing or decreasing the speed of the either non-Tor or Tor link and then see if there is a correlation of either connection getting faster or slower, thereby concluding which non-Tor link belongs to which Tor link.

License of "Do not connect to any server anonymously and non-anonymously at the same time!": ^[6]

Do not confuse Anonymity with Pseudonymity.[edit]

This chapter explains the difference between anonymity and pseudonymity. Word definitions are always a difficult topic because a majority of people has to agree with it.

An anonymous connection is defined as a connection to a destination server, where the destination server has no means to find out the origin (IP/location) of that connection nor to associate and an identifier ^[7] to it.

A pseudonymous connection is defined as a connection to a destination server, where the destination server has no means to find out the origin (IP/location) of a connection, but can associate it with an identifier ^[7].

In an ideal world, the Tor network, Tor Browser (and the underlying operating system, hardware, physical security, etc.) is perfect. For example the user could fetch a news website and neither the news website nor the website's ISP has any idea if that user has ever contacted the news website before. ^[8]

The opposite of this, when using software incorrectly, for example using Firefox instead of the Tor-safe browser Tor Browser, the original (IP/location) of a connection is still hidden, but an identifier (for example Cookies) can be used to make that connection pseudonymous. The destination website could log for example "user with id 111222333444 viewed video title a at time b on date c, video title d at time e at date f.". These information can be used for profiling. Over time these profiles become more and more comprehensive, which reduces anonymity, i.e. in worst case it could lead to de-anonymization.

As soon as someone logs into a website (for example into a forum or e-mail address) with a username the connection is by definition no longer anonymous, but pseudonymous. The origin of the connection (IP/location) is still hidden, but the connection can be associated with an identifier ^[7], i.e. in this case, an account name. Identifiers can be used to keep a log of various things. When a user wrote what, date and time of login and logout, what a user wrote, to whom the user wrote, IP address (useless, if it's a Tor exit relay), browser fingerprint etc.

Maxim Kammerer, developer of Liberté Linux ^[9], has a interesting different opinion. ^[10] I don't want to withhold from you:

I have not seen a compelling argument for anonymity, as opposed to pseudonymity. Enlarging anonymity sets is something that Tor developers do in order to publish incremental papers and justify funding. Most users only need to be pseudonymous, where their location is hidden. Having a unique browser does not magically uncover user's location, if that user does not use that browser for non-pseudonymous activities. Having good browser header results on anonymity checkers equally does not mean much, because there are many ways to uncover more client details (e.g., via Javascript oddities).

Don't be the first one to spread your own link.[edit]

You created an anonymous blog or hidden service? Great. You have a twitter account with lots of followers, run a big clearnet news page or similar? Great. Do not be tempted to be one of the first ones to advertise your new anonymous project! The more you separate identities, the better. Of course, at some point you may or even must be "naturally" aware of it, but be very careful at this point.

Don't open random files or links.[edit]

Someone sent you an pdf by mail or gave you a link to a pdf? That sender/mailbox/account/key could be compromised and the pdf could be prepared to infect your system. Don't open it with the default tool you were expected use with by the creator. For example, don't open a pdf with a pdf viewer. If the content is public anyway, try using a free online pdf viewer.

Don't do (mobile) phone verification.[edit]

Websites such as Google, Facebook and others will ask for a (mobile) phone number if you login over Tor. Unless you are really clever or have an alternative, you shouldn't do it.

Reason: The number you give away will be logged. The SIM card is most likely registered on your name. And even if not, receiving an SMS gives away your location. Even if you anonymously bought a SIM card and do it from a point far away from your home, there is still a risk: the phone itself. Each time the phone logs into the mobile network, the provider will log the SIM card serial number ^[11] AND the phone serial number ^[12]. If you bought the SIM card anonymously, but not the phone, it's not anonymous, because these two serials will get linked. If you really want to do mobile verification, you need a spot far away from your home, a fresh phone, and a fresh SIM card. Afterwards, you must turn off the phone, and burn both the phone and the SIM card right after doing it.

You could try to find an online service receiving SMS for you. That would work and would be anonymous. The problem is, that it most likely won't work for Google and Facebook, because they actively blacklist such numbers for verification. Or you could try to find someone else receiving the SMS for you, but that would only shift the risk from you to the other person.

Why this page?[edit]

You can skip "Why this page?".

This page highly risks to state obvious things. Obvious to whom? Developers, hackers, geeks, etc. may call that common sense.

Those groups tend to lose contact to actual non-techy users. It's good sometimes to read usability papers or feedback from people who do not post on mailing lists or in forums.

For example:

• Quoted from "To Toggle, or not to Toggle: The End of Torbutton"^[13]:

mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you.

• tor-dev First-time tails/tor user feedback
• Eliminating Stop-Points in the Installation and Use of. Anonymity Systems
• Quote, North Korea: On the net in world's most secretive nation (w): ""In order to make sure the mobile phone frequencies are not being tracked, I would fill up a washbasin with water and put the lid of a rice cooker over my head while I made a phone call," said one interviewee, a 28-year-old man who left the country in November 2010."

Footnotes[edit]

1. Jump up ↑ https://lists.torproject.org/pipermail/tor-dev/2012-April/003472.html
2. Jump up ↑ Tor Browser should set SOCKS username for a request based on referer
3. Jump up ↑ https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton The Tor Blog
4. Jump up ↑ https://en.wikipedia.org/wiki/Deep_packet_inspection
5. Jump up ↑ https://www.torproject.org/docs/faq.html.en#ChooseEntryExit
6. ↑ ^{Jump up to: 6.0 6.1 6.2} This was originally posted by adrelanos (proper) to the TorifyHOWTO (w) (license) (w). Adrelanos didn't surrender any copyrights and can therefore re-use it here. It is under the same license as this DoNot page.
7. ↑ ^{Jump up to: 7.0 7.1 7.2} An identifier could be for example a (Flash) Cookie with an unique number.
8. Jump up ↑ Fingerprinting defense isn't perfect yet in any browser. There are still open bugs. See tbb-linkability and tbb-fingerprinting.
9. Jump up ↑ http://dee.su/liberte
10. Jump up ↑ Quote (w)
11. Jump up ↑ IMSI
12. Jump up ↑ IMEI
13. Jump up ↑ https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton The Tor Blog

Attribution[edit]

Thanks to intrigeri and anonym, who provided feedback and suggestions for this page on the Tails-dev mailing list.