Blog | G5 Cyber Security

Tor Security: NSA Slides & Best Practices

TL;DR

Recent NSA slides reveal techniques to deanonymise Tor users. This guide provides practical steps to improve your security when using Tor, focusing on browser configuration, avoiding common pitfalls, and understanding the risks.

1. Browser Choice & Configuration

  1. Use Tor Browser: It’s pre-configured for privacy and security. Don’t use regular browsers with Tor as a proxy unless you *really* know what you are doing.
  2. Security Level: Set your Tor Browser security level to ‘Safest’. This disables JavaScript on non-HTTPS sites, reducing attack surface. You can find this in the Tor Browser settings (Shield icon) → Privacy & Security → Security Level.
  3. NoScript: If you need JavaScript, use NoScript (built into Tor Browser). Allow scripts only from sites you trust and understand. Be cautious!
  4. HTTPS Everywhere: Ensure HTTPS is enabled for all connections whenever possible. Tor Browser includes this by default. Check the shield icon to confirm a site uses HTTPS.
  5. Browser Plugins: Disable *all* browser plugins (Flash, Java, etc.). They are major security risks and can bypass Tor’s protections. Tor Browser disables these automatically.

2. Avoiding Common Pitfalls

  1. Don’t Torrent over Tor: Torrenting reveals your IP address. Use a VPN specifically for torrenting, *not* Tor.
  2. Avoid Logging In: Logging into accounts (Gmail, Facebook, etc.) ties your activity to your identity. Consider using dedicated, disposable email addresses and avoid linking them to personal information.
  3. Don’t Maximise the Browser Window: Fingerprinting can reveal screen resolution and other details. Keep the Tor Browser window at its default size.
  4. Be Careful with Downloads: Only download files from trusted sources. Scan all downloads with a virus scanner before opening them.
  5. Don’t Change Your Tor Circuit Unnecessarily: Frequent circuit changes can make you more identifiable. Let Tor handle the circuit selection automatically. You can request a new circuit by clicking the onion icon in the address bar and selecting ‘New Identity’. Use this sparingly.

3. Understanding the Risks (Based on NSA Slides)

  1. Timing Attacks: The NSA can correlate timing information to deanonymise users. Using bridges and relays in different geographical locations helps mitigate this risk, but isn’t a complete solution.
  2. Entry/Exit Node Correlation: They monitor entry and exit nodes. This is why using multiple layers of encryption (like HTTPS) is crucial.
  3. Browser Fingerprinting: Even with Tor Browser, advanced fingerprinting techniques can identify you based on browser configuration and behaviour. Avoid customisations that deviate from the default Tor Browser profile.
  4. JavaScript Vulnerabilities: JavaScript remains a significant risk. Disabling it or using NoScript is highly recommended.

4. Advanced Considerations

  1. Bridges: Use bridges if your connection to the Tor network is blocked. You can request bridges from Tor Project.
  2. Obfs4 Bridges: Obfs4 bridges are harder to detect than standard bridges, offering better protection against censorship.
  3. Petrel (Avoid): The NSA’s Petrel tool is designed to exploit vulnerabilities in Tor clients. Using the latest version of Tor Browser protects you from known Petrel exploits.
  4. VPN with Tor: While debated, using a reputable VPN *before* connecting to Tor can hide your initial IP address from your ISP. However, it doesn’t protect against exit node correlation and adds another layer of trust. Choose a no-logs VPN provider carefully.

5. Checking Your Setup

  1. Check Your IP Address: Before using Tor, note your public IP address. After connecting to Tor, verify that your IP address has changed. You can use websites like check.torproject.org.
  2. WebRTC Leak Test: Ensure WebRTC isn’t leaking your real IP address. Tor Browser disables WebRTC by default, but it’s good to check. Use a test like browserleaks.com/webrtc.
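
The WebRTC check from step 2, written out as an added example (not code from the original post or from Tor Project): it parses ICE candidate lines and flags any that carry a literal IP address other than the exit address reported in step 1. The function names, the `torExitIp` parameter and the sample candidates are assumptions made for illustration; the samples are constructed from documentation address ranges.

```javascript
// Added example (not from the original post). ICE candidate line, RFC 8839:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
function parseCandidate(line) {
  const f = line.replace(/^a=/, "").trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

function addressScope(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns";      // obfuscated hostname, no IP exposed
  if (a.includes(":")) {                         // IPv6 literal
    if (a === "::1") return "loopback";
    if (/^fe[89ab]/.test(a)) return "link-local";
    if (/^f[cd]/.test(a)) return "private";     // fc00::/7 unique local
    return "public";
  }
  const o = a.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "unknown";
  if (o[0] === 127) return "loopback";
  if (o[0] === 169 && o[1] === 254) return "link-local";
  if (o[0] === 10 || (o[0] === 192 && o[1] === 168) || (o[0] === 172 && o[1] >= 16 && o[1] <= 31)) return "private";
  return "public";
}

// A literal IP other than the Tor exit is a leak (LAN layout or real endpoint).
function findLeaks(lines, torExitIp) {
  return lines.map(parseCandidate).filter(Boolean)
    .map((c) => ({ ...c, scope: addressScope(c.address) }))
    .filter((c) => c.scope !== "mdns" && c.scope !== "loopback" && c.address !== torExitIp);
}
// Browser side: resolves to null when WebRTC is absent (the result you want in Tor Browser).
function gatherCandidates(iceServers = [], timeoutMs = 3000) {
  if (typeof RTCPeerConnection === "undefined") return Promise.resolve(null);
  return new Promise((resolve) => {
    const pc = new RTCPeerConnection({ iceServers });
    const found = [];
    const done = () => { pc.close(); resolve(found); };
    pc.onicecandidate = (e) => (e.candidate ? found.push(e.candidate.candidate) : done());
    pc.createDataChannel("probe");
    pc.createOffer().then((o) => pc.setLocalDescription(o));
    setTimeout(done, timeoutMs);
  });
}
// Constructed sample candidates (documentation address ranges), not captured data.
const SAMPLE = [
  "candidate:1 1 udp 2113937151 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1677729535 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:3 1 udp 2113939711 3f2a1c9e-0000-4000-8000-aabbccddeeff.local 50000 typ host",
];
```

In a browser console, `gatherCandidates().then((c) => c === null ? "WebRTC unavailable" : findLeaks(c, exitIp))` runs the check live, where `exitIp` is the address you noted from check.torproject.org.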