Identify Tor Users: Can Websites Tell?

TL;DR

Websites can attempt to identify Tor users, but it’s not foolproof and relies on techniques that are constantly evolving. They look for specific headers, inconsistencies in browser data, and use services that maintain lists of known Tor exit nodes. Strong privacy practices (HTTPS Everywhere, NoScript) significantly reduce the chances of detection.

How Websites Try to Identify Tor Users

1. Checking Headers: The most common method involves looking for specific HTTP headers added by Tor Browser.
   • X-Tor-Exit-Node: This header is sometimes present, revealing the IP address of the Tor exit node used.
   • Via: Tor often adds a Via header indicating its presence.

   // Example HTTP request showing potential Tor headers
   GET /index.html HTTP/1.1
   Host: example.com
   X-Tor-Exit-Node: 127.0.0.1
   Vía: 1.1 socks4a 9050
   ...

2. JavaScript Fingerprinting: Websites use JavaScript to gather information about your browser and system, creating a unique ‘fingerprint’. Tor Browser tries to minimise this, but inconsistencies can still be detected.
   • Font Enumeration: Checking which fonts are installed.
   • Canvas Fingerprinting: Drawing hidden images on the canvas element and analysing subtle differences in rendering.
   • WebRTC Leakage: Detecting if WebRTC is enabled (Tor Browser disables it by default, but users can override this).

   JavaScript code examples are complex to show fully here, as they involve numerous libraries and techniques. Browser developer tools (F12) allow you to inspect JavaScript execution.

3. IP Address Blacklists: Websites subscribe to services that maintain lists of known Tor exit node IP addresses.
   • These lists are constantly updated but can be inaccurate due to shared IPs and dynamic nature of the Tor network.
4. Timing Attacks: Analysing the time it takes for data to be transferred. Tor’s routing adds latency, which might be detectable.
   • This is a more advanced technique and requires careful analysis of network traffic.

How to Reduce Your Chances of Being Identified

1. Use HTTPS Everywhere: Ensures all communication with websites is encrypted, preventing eavesdropping on headers.
   • Available as a browser extension for Chrome and Firefox.
2. Disable JavaScript (NoScript): Blocks JavaScript execution by default, preventing fingerprinting attacks.
   • Tor Browser includes NoScript pre-installed. Allow scripts only from trusted websites.
3. Keep Tor Browser Updated: Updates include security patches and privacy enhancements that address new tracking techniques.
4. Avoid Changing Your Tor Circuit Frequently: Frequent circuit changes can make you more identifiable.
   • Tor Browser automatically handles circuit rotation, but excessive manual changes should be avoided.
5. Use Bridges: Obfuscate your connection to the Tor network, making it harder to detect.
   • Useful if your ISP blocks connections to known Tor nodes.
6. Be Aware of WebRTC: Ensure WebRTC is disabled in Tor Browser settings (it should be by default).

Important Considerations

• No Method Is Perfect: Websites can only attempt to identify Tor users; they cannot guarantee 100% accuracy.
• Privacy is a Layered Approach: Combining multiple privacy tools and practices provides the best protection.
• cyber security relies on constant vigilance and adaptation as tracking techniques evolve.