Tor Anonymity: What You Can't Do

Original author: Whonix (translated)

Visit your own site anonymously


“I wonder what my site looks like when I'm anonymous?” [1]

It is best to avoid visiting personal sites to which real names or nicknames are attached, especially if they have ever been accessed without Tor, from a real IP address. Very few people are likely to visit your personal site through Tor, which means the user may be the only unique Tor client doing so.

This behavior leads to an anonymity leak, because after visiting the website the whole Tor circuit becomes “dirty”. If the site is not very popular and does not receive much traffic, the Tor exit node can be almost certain that the visitor to the site is its owner. From then on, it is reasonable to assume that subsequent connections from that exit node also come from this user's computer.

Source: [2]

Logging into social network accounts and thinking you are anonymous


Do not log into your personal Facebook account or other social network through Tor. Even if an alias is used instead of a real name, the account is likely connected with friends who know you. As a result, a social network can make a reasonable guess as to who the user really is.

No anonymity system is perfect. Online anonymity software can hide IP addresses and location, but Facebook and similar corporations do not need this information. Social networks already know the user, the user's friends, the contents of “private” messages between them, and so on. This data is stored at least on the social network's servers, and no software can delete it. It can only be removed by the social networking platforms themselves or by hacker groups. [3]

Users who log into their Facebook accounts and other accounts receive only location protection, but not anonymity.

This is not well understood by some users of social networks: [4]

Mike, will I be completely anonymous if I log into my Facebook account? I am using Firefox 3.6 with Tor and NoScript on a Windows 7 machine. Thanks.

Never log into accounts you used without Tor


Always assume that at each visit, the server log saves the following: [5]

  • Client IP address / location.
  • Date and time of request.
  • The specific addresses of the requested pages.
  • HTTP status code.
  • The number of bytes transferred to the user.
  • Browser user agent.
  • Referring site (referrer).

Also assume that the Internet service provider (ISP) will record at least the time online and the client's IP address / location. The provider may also record the IP addresses / locations of the sites visited, how much traffic (data) was transmitted, and what exactly was sent and received. Unless the traffic is encrypted, the ISP is able to see exactly what actions were carried out and what information was received and sent.

The following tables give a simplified view of how these logs might look for administrators.

Table: ISP log
Name       Time           IP / location   Traffic
John Doe   16:00 - 17:00  1.1.1.1         500 MB

Table: Extended ISP log [6]
Name       Time           IP / location   Traffic   Address        Content
John Doe   16:00 - 17:00  1.1.1.1         1 MB      google.com     Search request 1, request 2 ...
John Doe   16:00 - 17:00  1.1.1.1         490 MB    youtube.com    Watched video 1, video 2
John Doe   16:00 - 17:00  1.1.1.1         9 MB      facebook.com   Encrypted traffic

Table: Website log
Name   Time           IP / location   Traffic   Content
-      16:00 - 16:10  1.1.1.1         1 MB      Search request 1, request 2 ...

It is clear that this kind of logging by websites and Internet service providers makes it easy to determine a user's actions.
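As an added example (not part of the Whonix page or its sources), the following Python script performs the join that the tables above describe: it parses a constructed website access log in the Apache common log format and a constructed ISP connection log, and attributes each website hit to a subscriber by matching the client IP against the time window during which the ISP had assigned that IP. All names, addresses and log lines are made up; the website stores no names at all, only the fields listed earlier in this section.

```python
import re
from datetime import datetime

# Constructed ISP connection log: (subscriber, window start, window end, assigned IP).
ISP_LOG = [
    ("John Doe", "2017-05-27 16:00:00", "2017-05-27 17:00:00", "1.1.1.1"),
    ("Jane Roe", "2017-05-27 15:00:00", "2017-05-27 18:00:00", "2.2.2.2"),
]

# Constructed website access log (Apache common log format): the site stores
# no names, only client IP, time, request line, status code and bytes sent.
SITE_LOG = """\
1.1.1.1 - - [27/May/2017:16:05:12 +0000] "GET /search?q=request+1 HTTP/1.1" 200 512
1.1.1.1 - - [27/May/2017:16:07:30 +0000] "GET /search?q=request+2 HTTP/1.1" 200 498
2.2.2.2 - - [27/May/2017:16:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
3.3.3.3 - - [27/May/2017:16:09:00 +0000] "GET /search?q=request+3 HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_site_log(text):
    """Parse common-log-format lines into (timestamp, client ip, path) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the analysis
        # Drop the numeric timezone offset; the constructed logs share one zone.
        ts = datetime.strptime(m.group("ts").split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        records.append((ts, m.group("ip"), m.group("path")))
    return records


def _parse_isp_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def attribute(isp_log, site_records):
    """Join website hits to ISP subscribers on (client IP, time window).

    Returns {subscriber: [requested paths...]} for every hit whose IP the ISP
    had assigned to that subscriber at the time of the request.
    """
    linked = {}
    for ts, ip, path in site_records:
        for subscriber, start, end, isp_ip in isp_log:
            if ip == isp_ip and _parse_isp_time(start) <= ts <= _parse_isp_time(end):
                linked.setdefault(subscriber, []).append(path)
    return linked


def unattributed(isp_log, site_records):
    """IPs the website saw that this ISP never assigned (for example a Tor exit)."""
    isp_ips = {entry[3] for entry in isp_log}
    return {ip for _, ip, _ in site_records if ip not in isp_ips}


if __name__ == "__main__":
    records = parse_site_log(SITE_LOG)
    for subscriber, paths in attribute(ISP_LOG, records).items():
        print(subscriber, "->", paths)
    print("not attributable from this ISP's log:", unattributed(ISP_LOG, records))
```

The join needs nothing beyond the two fields both parties record anyway, IP and time; the Tor visitor (3.3.3.3 in the constructed data) is the only one that cannot be attributed, and only because the ISP log contains no entry for that address.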

The account is compromised and tied to the user even after a single login over a connection not protected by Tor, from the real IP address. Single mistakes of this kind are often fatal and have led to the exposure of many “anonymous” users.

Do not log in to online banking or payment systems unless you are aware of the risks.


Logging in to online banking, PayPal, eBay and other important financial accounts registered in the user's real name is not recommended. In financial systems, any use of Tor risks having the account frozen for “suspicious activity” flagged by the fraud prevention system, because hackers sometimes use Tor for fraudulent activities.

Using Tor with online banking and financial accounts is not anonymous for the reasons given above. This is a pseudonymity that provides only hiding the IP address, or a trick to access a site blocked by the provider. The difference between anonymity and pseudonymity is described in the corresponding chapter .

If a user is blocked, in many cases you can contact support to unblock your account. Some services even allow for loosening of fraud rules for user accounts.

Whonix developer Patrick Schleizer is not opposed to using Tor to bypass site blocking or to hide an IP address. But the user must understand that a bank or other payment account may be (temporarily) frozen. In addition, other outcomes are possible (permanent blocking of the service, account deletion, etc.), as stated in the warnings on this page and in the Whonix documentation. If users are aware of the risks and feel it appropriate to use Tor in their particular personal circumstances, of course, they can ignore this advice.

Do not alternate between Tor and Open Wi-Fi


Some users mistakenly think that open Wi-Fi is a faster and safer “alternative to Tor,” since the IP address cannot be mapped to a real name.

Below we explain why it is better to use open Wi-Fi together with Tor rather than open Wi-Fi instead of Tor.

The approximate location of any IP address can be calculated to a city, district or even street. Even if the user is far from home, open Wi-Fi still gives the city and an approximate location, since most people do not travel across the continents.

The identity of the open Wi-Fi owner and the router's configuration are also unknowns. The router may keep a log of users' MAC addresses together with those users' Internet activity, and that log is available to the router's owner.

Although such logging does not necessarily break the user's anonymity, it narrows the circle of suspects from the entire population of the planet, continent or country to a specific area. This effect greatly impairs anonymity. Users should always withhold as much information as possible.

Avoid “Tor over Tor” scenarios


Note: this is a Whonix-specific issue.

When using a transparent proxy (such as Whonix), it is possible to run Tor sessions on the client side and on the transparent proxy at the same time, which creates a “Tor over Tor” scenario.

This happens when Tor is installed inside the Whonix-Workstation, or when Tor Browser is used without being configured to use a SocksPort instead of the TransPort. Read more about this in the Tor Browser article.

These actions give rise to uncertainty and are potentially unsafe. In theory, traffic goes through six onion routing nodes instead of three. But there is no guarantee that the three additional nodes are different from the first three; these may be the same nodes, possibly in reverse or mixed order. According to Tor Project, this is unsafe: [7]

We do not encourage the use of longer paths than the standard ones - this increases the load on the network without (as far as we can judge) security improvements. Remember that the most effective way to attack Tor is to attack the exit points and ignore the middle of the path. In addition, using a route longer than three nodes can harm anonymity. First, it simplifies denial of service attacks. Secondly, such actions can be perceived as a user identifier, if only a few will do so ("Oh, look, again the guy who changed the length of the route").

Users can manually specify an entry or exit node on the Tor network, [8] but from a security point of view it is best to leave route selection to Tor. Overriding Tor's entry or exit node selection can degrade anonymity in ways that are not well understood. Therefore, Tor over Tor configurations are strongly discouraged.

License for the section “Avoid Tor over Tor scenarios”: [9]

Do not send sensitive data without end-to-end encryption


As explained on the Warning page, Tor exit nodes can eavesdrop on communications and carry out man-in-the-middle (MITM) attacks, even when HTTPS is used. Using end-to-end encryption is the only way to send sensitive data to the recipient while avoiding the risk of interception and disclosure to hostile third parties.

Do not disclose identifying information online


Deanonymization is possible not only with connections and IP addresses, but also in social ways. Here are some guidelines for protecting against deanonymization from Anonymous:

  • Do not include personal information or personal interests in nicknames.
  • Do not discuss personal information such as place of residence, age, marital status, etc. Over time, silly conversations like discussing the weather can lead to an accurate calculation of the user's location.
  • Do not mention gender, tattoos, piercings, physical abilities or disabilities.
  • Do not mention a profession, hobby, or participation in activist groups.
  • Do not use special characters on the keyboard that exist only in your language.
  • Do not publish information on the regular Internet (Clearnet), being anonymous.
  • Do not use Twitter, Facebook and other social networks. You will easily be associated with a profile.
  • Do not post links to Facebook images. The file name contains your personal ID.
  • Do not visit the same site at the same time of the day or night. Try varying session times.
  • Remember that IRC, other chats, forums, mailing lists are public places.
  • Do not discuss anything personal at all, even with a secure and anonymous connection to a group of strangers. The recipients in the group represent a potential risk (“known unknowns”) and may be forced to work against the user. Only one informant is needed to break up the group.
  • Heroes exist only in comics - and they are actively hunted. There are only young or dead heroes.

If any identifying data must be disclosed, treat it as sensitive data as described in the previous section.

License: From JonDonym documentation ( permission ).

Use bridges if the Tor network seems dangerous or suspicious in your area


This recommendation comes with an important warning, as bridges are not an ideal solution: [10]

Bridges are important tools and in many cases work well, but they are not an absolute defense against technological advances that the adversary can use to identify Tor users.

Do not work for a long time under the same digital identity


The longer the same pseudonym is used, the higher the likelihood of a mistake that gives away the user's identity. Once this has happened, the adversary can study the history and all activity under that pseudonym. It is prudent to create new digital identities regularly and stop using the old ones.

Do not use multiple digital identities at the same time.


Using pseudonyms for different contexts becomes more complicated and error-prone over time. Different digital identities are easy to link if they are used at the same time, because Tor may reuse circuits within the same browsing session, or there may be information leaks from the Whonix-Workstation. Whonix cannot magically separate different digital identities depending on context.

Also see paragraph below.

Do not stay logged in to Twitter, Facebook, Google, etc. for longer than necessary


Keep the time logged in to Twitter, Facebook, Google and other services with accounts (such as web forums) to the absolute minimum necessary. Log out immediately after reading, posting or completing whatever other task was needed. After logging out, it is safe to close Tor Browser, change the Tor circuit using a Tor controller, wait 10 seconds for the circuit to change, and then restart Tor Browser. For best security, follow the guidelines for using multiple virtual machines and / or multiple Whonix-Workstations.

This behavior is necessary because many websites host one or more integration buttons, such as the Facebook Like button or the Tweet This button from Twitter. [11] In fact, of the 200,000 most popular sites ranked by Alexa, Facebook and Twitter social widgets are present on 47% and 24% respectively, and Google's third-party web services are present on approximately 97% of sites, mainly Google Analytics, advertising and CDN services (googleapis.com). [12][13] If the user stays logged in to a service, these buttons tell the service's owner about the visit to the site. [14]

Do not underestimate the privacy threat from third-party services: [15][16]

Each time the user's browser contacts a third-party service, that third-party server gets the opportunity to deliver tracking scripts and to link the originating site to the bearer of its third-party cookie and to the browser fingerprint. This tracking of online behavior allows user profiles to be built up, including sensitive information such as the user's political views and medical history.
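To make the third-party exposure concrete, here is an added Python example (not from the Whonix page or the studies it cites) that parses a constructed HTML page and lists every host, outside the page's own registrable domain, that a browser would contact while rendering it. Each such host receives a request carrying the page URL in the Referer header and, where the user is logged in to that service, the service's cookies. The page markup and hostnames are constructed, and the registrable-domain check is a deliberate simplification that ignores public suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page on example.org with the kind of widgets discussed above.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script async src="https://platform.twitter.com/widgets.js"></script>
</head><body>
<img src="/logo.png">
<img src="https://cdn.example.org/hero.jpg">
<iframe src="https://www.facebook.com/plugins/like.php?href=https://example.org/post/1"></iframe>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collects the URLs a browser would fetch while rendering the page."""

    # Tags whose named attribute triggers a network request when the page loads.
    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def registrable_domain(host):
    """Last two labels of a hostname (simplification: no public suffix list,
    so e.g. co.uk domains are not handled correctly)."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_hosts(page_html, page_url):
    """Hosts contacted during rendering whose registrable domain differs from
    the page's own. Relative URLs resolve to the page host and are first-party."""
    collector = ResourceCollector()
    collector.feed(page_html)
    first_party = registrable_domain(urlsplit(page_url).hostname)
    hosts = set()
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host and registrable_domain(host) != first_party:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_PAGE, "https://example.org/post/1"):
        print("visit leaked to:", host)
```

Loading a single first-party page in the constructed example notifies five third-party hosts belonging to three companies; the first-party CDN (cdn.example.org) is correctly excluded because it shares the page's registrable domain.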

Users should also read the chapter above .

Do not mix anonymity modes


Do not mix anonymity modes! They are outlined below.

Mode 1: anonymous user; any recipient


  • Scenario: anonymous posting of messages to bulletin boards, mailing lists, comment sections, forums, etc.
  • Scenario: whistleblowers, activists, bloggers and the like.
  • The user is anonymous.
  • The user's real IP address / location is hidden.
  • Location hiding: the user's location remains secret.

Mode 2: the user knows the recipient; both use Tor


  • Scenario: The sender and receiver know each other and both use Tor.
  • No third party knows about the fact of communication and does not receive its content.
  • The user is not anonymous. [17]
  • The real IP address / location of the user is hidden.
  • Hiding the location: the user's location remains secret.

Mode 3: the user is not anonymous and uses Tor; any recipient


  • Scenario: Logging in with a real name in any service like webmail, Twitter, Facebook and others.
  • The user is obviously not anonymous. As soon as the real name is used to enter the account, the website knows the identity of the user. Tor cannot provide anonymity in such circumstances.
  • The real IP address / location of the user is hidden.
  • Hiding the location: the user's location remains secret. [18]

Mode 4: the user is not anonymous; any recipient


  • Scenario: Normal surfing without Tor.
  • The user is not anonymous.
  • The real IP address / location of the user is disclosed.
  • The user's location is disclosed.

Conclusion


Mixing modes 1 and 2 is not a good idea. For example, if a person uses an instant messenger or an email account in mode 1, it is unwise to use the same account in mode 2. The reason is that the user would be mixing absolute anonymity (mode 1) with selective anonymity (mode 2, since the recipient knows the user).

It is also not a good idea to mix two or more modes in one Tor session, because they may use the same exit node, which leads to correlation of identities.

It is also likely that combinations of different modes will be dangerous and may lead to leakage of personal information or the user's physical location.

License


License for the Do Not Mix Anonymity Modes section: [9]

Do not change settings if consequences are unknown.


It is usually safe to change the interface settings for applications that do not connect to the Internet. For example, the checkboxes “Do not show daily tips again” or “Hide this menu bar” will not affect anonymity.

Before changing any settings that are of interest, first check your Whonix documentation. If a change is made to the documentation and is not recommended, then try to adhere to the default settings. If no change has been made to the documentation, then carefully review the proposed action before implementing it.

Changes to settings of applications that connect to the Internet (even interface settings) should be studied carefully. For example, removing the menu bar in Tor Browser to enlarge the page viewing area is not recommended: it changes the detectable screen size, which makes the user's browser fingerprint more unique.

Changing network settings can be allowed with great care, and only if the consequences are accurately known. For example, users should avoid any advice that pertains to “setting up Firefox.” If the settings are considered suboptimal, then the changes should be proposed in the release and applied to all Tor Browser users in the next version.

Do not use the clearnet and Tor at the same time.


By using both a non-Tor browser and Tor Browser, you run the risk of one day mixing them up and deanonymizing yourself.

Using the clearnet and Tor at the same time also risks simultaneous connections to a server over anonymous and non-anonymous channels. This is not recommended for the reasons given in the next section. The user can never be sure of safely visiting the same page at the same time over anonymous and non-anonymous channels, because only the URL is visible, not how many resources are requested in the background. Many different sites are hosted in the same cloud, and services like Google Analytics are present on most sites and therefore see many anonymous and non-anonymous connections.

If this advice is ignored, then the user should have at least two different desktops to prevent confusion between browsers.

Do not connect to the server anonymously and non-anonymously at the same time


It is strongly discouraged to create Tor and non-Tor connections to the same remote server at the same time. In the event of a disconnection from the Internet (and this will happen over time), all connections will be interrupted simultaneously. After such an event, the adversary can easily determine which public IP address / location belongs to which Tor IP address / connection, which potentially directly identifies the user.

This scenario also enables a different kind of attack by the web server. The speed of the Tor and non-Tor connections can be increased or decreased to test for correlation: if both connections speed up or slow down in unison, a link between the Tor and non-Tor sessions can be established.
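Both correlation techniques described in this section can be expressed as simple server-side checks. The following Python example is added here and is not code from the Whonix page: over a constructed connection log and a constructed set of known Tor exit addresses, it pairs each Tor connection with any clearnet connection that was open at the same time and closed within two seconds of it (the disconnect correlation), and it computes the correlation between the per-second throughput of two connections, which is what a server would compute after deliberately throttling one of them. Addresses, timestamps and rate samples are all made up.

```python
from datetime import datetime, timedelta

# Constructed: addresses the server treats as Tor exits (a real server would
# use a published list of exit addresses).
KNOWN_TOR_EXITS = {"198.51.100.7", "198.51.100.8"}

# Constructed connection log: (connection id, client ip, opened, closed).
CONNECTIONS = [
    ("c1", "203.0.113.5",  "16:00:00", "16:20:03"),  # clearnet session
    ("c2", "198.51.100.7", "16:01:10", "16:20:04"),  # Tor session, drops 1 s after c1
    ("c3", "198.51.100.8", "16:05:00", "16:45:00"),  # Tor session, unrelated
    ("c4", "203.0.113.9",  "15:50:00", "16:20:30"),  # clearnet, closes 26 s later
]

# Constructed per-second byte rates for three open connections; the server
# throttled the clearnet connection during seconds 2-3 and 6-7.
CLEARNET_RATE = [100, 100, 20, 20, 100, 100, 20, 20]
TOR_RATE_SAME_USER = [50, 50, 10, 10, 50, 50, 10, 10]   # dips in lockstep
TOR_RATE_OTHER_USER = [50, 10, 50, 10, 50, 10, 50, 10]  # independent pattern


def _t(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def simultaneous_drops(connections, tor_exits, tolerance=timedelta(seconds=2)):
    """Pair each Tor connection with clearnet connections that were open at the
    same time and closed within `tolerance` of it (the disconnect correlation)."""
    tor = [c for c in connections if c[1] in tor_exits]
    clear = [c for c in connections if c[1] not in tor_exits]
    pairs = []
    for _, tor_ip, tor_open, tor_close in tor:
        for _, clear_ip, clear_open, clear_close in clear:
            overlapping = max(_t(tor_open), _t(clear_open)) < min(_t(tor_close), _t(clear_close))
            if overlapping and abs(_t(tor_close) - _t(clear_close)) <= tolerance:
                pairs.append((tor_ip, clear_ip))
    return pairs


def rate_correlation(a, b):
    """Pearson correlation of two equal-length rate series; close to 1.0 means
    the two connections speed up and slow down in unison (the throttling test)."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    sd_a = sum((x - mean_a) ** 2 for x in a) ** 0.5
    sd_b = sum((y - mean_b) ** 2 for y in b) ** 0.5
    return cov / (sd_a * sd_b)


if __name__ == "__main__":
    print("dropped together:", simultaneous_drops(CONNECTIONS, KNOWN_TOR_EXITS))
    print("same user:", round(rate_correlation(CLEARNET_RATE, TOR_RATE_SAME_USER), 3))
    print("other user:", round(rate_correlation(CLEARNET_RATE, TOR_RATE_OTHER_USER), 3))
```

In the constructed data the Tor exit 198.51.100.7 is paired with the clearnet address 203.0.113.5 by the disconnect check alone, and the throttled clearnet connection correlates perfectly with the Tor connection that dips at the same seconds while showing no correlation with the unrelated one.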

License for the section “Do not connect to a server anonymously and non-anonymously at the same time”: [9]

Do not confuse anonymity and pseudonymity


This section explains the difference between anonymity and pseudonymity. Definition of terms is always difficult because consensus of the majority is required.

An anonymous connection is considered to be a connection with the destination server, when this server cannot establish the origin (IP address / location) of this connection or assign an identifier to it [19].

A pseudonymous connection is a connection to the destination server where the server cannot establish the origin (IP address / location) of the connection, but can assign an identifier to it [19].

In an ideal world, you can achieve complete anonymity using the Tor network, the Tor Browser, computer hardware, physical security, the operating system, and so on. For example, in such a utopia, a user can go to a news site, and neither the news site nor the Internet service provider of the site will have a clue whether this user has logged in earlier. [20]

On the other hand, an imperfect scenario is possible if software is used incorrectly, for example when using standard Firefox over the Tor network instead of the hardened Tor Browser. Such an unfortunate Firefox user will still have the original connection (IP address / location) protected from discovery, but identifiers (such as cookies) can be used to turn the connection into a pseudonymous one. For example, the destination server may log that “the user with id 111222333444 watched Video A during Time B on Date C and Video D during Time E on Date F”. This information can be used for profiling, which over time becomes more and more exhaustive. The degree of anonymity is gradually reduced, and in the worst case this can lead to deanonymization.

As soon as a user logs into an account on a website under a username, for example via webmail or a forum, the connection is by definition no longer anonymous but pseudonymous. The origin of the connection (IP address / location) is still hidden, but the connection can be assigned an identifier [19]; in this case, the account name. Identifiers are used to log various things: when the user wrote something, the date and time of login and logout, what the user wrote and to whom, the IP address used (useless if it is a Tor exit node), a stored browser fingerprint, and so on.
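The difference between the two definitions shows in what a destination server can reconstruct from its own log. The Python example below is added here and is not from the Whonix page: over a constructed request log and a constructed set of known Tor exit addresses, requests that carry no identifier remain isolated events that cannot be joined to each other, requests carrying the same cookie value are folded into one profile regardless of which exit address they arrived from, and a single request with that cookie from a non-Tor address attaches a real IP to the whole profile. The cookie value reuses the 111222333444 from the text; everything else is made up.

```python
# Constructed: addresses the server treats as Tor exits.
KNOWN_TOR_EXITS = {"198.51.100.7", "198.51.100.8", "198.51.100.9"}

# Constructed request log as the destination server would record it:
# (timestamp, client ip, identifier cookie or None, requested resource).
REQUESTS = [
    ("2017-05-20 10:00", "198.51.100.7", None,           "/video/A"),
    ("2017-05-21 11:00", "198.51.100.8", None,           "/video/D"),
    ("2017-05-22 09:00", "198.51.100.7", "111222333444", "/video/A"),
    ("2017-05-23 21:00", "198.51.100.9", "111222333444", "/video/D"),
    ("2017-05-24 20:00", "203.0.113.5",  "111222333444", "/video/E"),  # one visit without Tor
]


def build_profiles(requests, tor_exits):
    """Split a request log into unlinkable anonymous hits and per-identifier profiles.

    A profile records the visit history plus the Tor and non-Tor addresses it was
    seen from. The origin of the Tor hits stays hidden, but once an identifier is
    present the history under it is linked, which is pseudonymity, not anonymity.
    """
    anonymous = []
    profiles = {}
    for ts, ip, ident, resource in requests:
        if ident is None:
            anonymous.append((ts, resource))  # no identifier: nothing to join on
            continue
        profile = profiles.setdefault(
            ident, {"history": [], "tor_ips": set(), "clearnet_ips": set()}
        )
        profile["history"].append((ts, resource))
        profile["tor_ips" if ip in tor_exits else "clearnet_ips"].add(ip)
    return anonymous, profiles


def deanonymized(profiles):
    """Identifiers that were ever seen from a non-Tor address: the whole history
    recorded under that identifier is now tied to that address."""
    return {
        ident: sorted(p["clearnet_ips"])
        for ident, p in profiles.items()
        if p["clearnet_ips"]
    }


if __name__ == "__main__":
    anon, profiles = build_profiles(REQUESTS, KNOWN_TOR_EXITS)
    print("anonymous hits (not linkable to each other):", anon)
    for ident, p in profiles.items():
        print("pseudonym", ident, "visited", [r for _, r in p["history"]],
              "via exits", sorted(p["tor_ips"]))
    print("tied to a real address:", deanonymized(profiles))
```

The two identifier-less hits in the constructed log are exactly as unlinkable as the anonymous definition requires, while the three hits carrying the cookie form one profile across three different addresses, and the single clearnet visit retroactively attaches 203.0.113.5 to all of them.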

Maxim Kammerer, developer of Liberté Linux [21], holds fundamentally different views on anonymity and pseudonymity that should not be withheld from the reader: [22]

I have not seen convincing arguments in favor of anonymity as compared to pseudonymity. Enhanced anonymity is what Tor developers do in order to publish new scientific papers and justify funding. Most users only need pseudonymity in which the location is hidden. Having a unique browser does not magically reveal the user's location if that user does not use this browser for non-pseudonymous sessions. Having a good browser header also means little for anonymity, because there are many other ways to reveal more information about the client (for example, through differences in JavaScript execution).

Do not be the first to distribute your link


Resist the temptation to be one of the first to advertise your anonymous project! For example, it is unwise to spread links if the user:

  • Created an anonymous blog or hidden service.
  • Has a Twitter account with a large number of followers.
  • Maintains a large news page on the clearnet or something similar.

The more strongly the identities are separated from each other, the better. Of course, at some point the user may, or even should, be “in the know” about the new project, but that moment must be chosen with extreme caution.

Do not open random files and links


If a user was sent a file of any type or a link to a file (or a random URL / resource) by e-mail or in another way, caution is required regardless of the file format. [23]The sender, mailbox, account or key may be compromised, and the file or link may have been specially prepared to infect the user's system when opened in a standard application.

It is safer not to open the file with the default tool its creator expects you to use. For example, a PDF does not have to be opened in a PDF viewer; if the file is publicly available, a free online PDF viewer service can be used instead. For added security, Qubes-Whonix offers the option to sanitize PDFs, or to open the file or link in a DisposableVM so that it cannot compromise the user's platform.

Do not use (mobile) phone verification


Websites like Google, Facebook and others will ask for a (mobile) phone number as soon as you try to log in via Tor. Unless the user is exceptionally clever or has an alternative, this information should not be provided.

Any phone number will be logged. The SIM card is most likely registered in the user's name. Even if it is not, receiving an SMS gives away the location. Users can try to buy a SIM card anonymously far from their usual home address, but one risk remains: the phone itself. Each time it registers on a cellular network, the provider records the serial number of the SIM card [24] and the serial number of the phone. [25] If the SIM card was bought anonymously but the phone was not, there is no anonymity, because the two serial numbers will be linked together.

If the user really wants to pass verification by mobile phone number, it is recommended to go far from home and obtain a new phone with a new SIM card. After verification, the phone should be switched off, and immediately afterwards both the phone and the SIM card must be destroyed completely, by burning or another ingenious (reliable) method of destruction.

Users can try to find an online service that will receive the verification SMS on their behalf. That would work and provide anonymity. The problem is that this method is unlikely to work with Google and Facebook, because they actively blacklist such verification numbers. Another option is to find someone who will receive the SMS in your place, but this only shifts the risk to another person. [26]

Rationale


The reader may skip this section.

This article runs the risk of stating obvious things. But the question should be asked: “Obvious to anyone?” All of the above may just be common sense for developers, hackers, geeks and other people with technological skills.

But these groups of people tend to lose contact with non-technical users. It is sometimes useful to read usability guides or feedback from people who never appear on mailing lists or forums.

For example:


Notes


1. https://lists.torproject.org/pipermail/tor-dev/2012-April/003472.html
2. Tor Browser must set the SOCKS username for the request based on the referrer
3. The first ones are unlikely to ever delete data, since profiling is the main method of monetizing users with "free" accounts. Profiling is used for targeted advertising and for building up a large database of users that can be sold to a third party for profit.
4. To Toggle, or not to Toggle: The End of Torbutton
5. https://en.wikipedia.org/wiki/Server_log
6. https://en.wikipedia.org/wiki/Deep_packet_inspection
7. https://www.torproject.org/docs/faq.html.en#ChoosePathLength
8. https://www.torproject.org/docs/faq.html.en#ChooseEntryExit
9. This was originally published by adrelanos (proper) in TorifyHOWTO (w). Adrelanos does not assert copyright, so the text can be reused here. It is published under the same license as the DoNot page.
10. Bridges#If_Tor_Use_is_Dangerous_or_Deemed_Suspicious_in_your_Location
11. In particular, Facebook keeps records of everyone who views pages with the Like button from Facebook.
12. https://www.securitee.org/files/trackblock_eurosp2017.pdf
13. The 15 largest third-party services: doubleclick.net, google.com, googlesyndication.com, googleapis.com, gstatic.com, admob.com, googleanalytics.com, googleusercontent.com, flurry.com, adobe.com, chartboost.com, unity3d.com, facebook.com, amazonaws.com and tapjoyads.com.
14. For example, on Twitter, tweet, Follow and embedded-tweet buttons are used to record the history of pages visited in the browser. If a page containing any of these is visited, the browser makes a request to Twitter's servers containing the title of the visited page. A unique cookie allows Twitter to build a history of visited pages, even for people who are not Twitter users (for example, if Tor Browser is not used).
15. https://www.securitee.org/files/trackblock_eurosp2017.pdf
16. For example, advanced adversaries rely on third-party tracking cookies to deanonymize Tor users and identify hacking targets.
17. Because they are known to the recipient.
18. But this information is easy to establish from the records of the Internet provider, which associates Internet accounts with the registered name and address. Alternatively, this information leaks through the real (clearnet) IP address, which was originally used for registration in the service, since registration through Tor is usually blocked.
19. For example, an identifier may be a (flash) cookie with a unique number.
20. Unfortunately, protection from fingerprinting is not yet ideal in any browser, and there are still unclosed bugs. See tbb-linkability and tbb-fingerprinting .
21. http://dee.su/liberte
22. Quote (w)
23. For example: PDF, Word document, bitmaps, audio and video files, etc.
24. IMSI
25. IMEI
26. However, the recipient of the SMS is probably only a few “handshakes” from the end user (at best).

Attribution


Thanks to intrigeri and anonym who sent feedback and suggestions for this page on the Tails-dev mailing list.

Permanent link to wiki version of May 27, 2017
