My #TA3M talk on Tor, Onion Services, and why browser plug-ins and VPNs don’t protect your privacy

This presentation was given at the University of Washington on January 18, 2016 and is publicly available on Google Docs. If I get worthwhile feedback, I will update the presentation. Like the rest of my blog, the presentation and images are CC-BY. I will include the images at the end of this article (pending).

01 of 31, title

TA3M Seattle, January 2016 - 01

This quote is from Edward Snowden, from October 2015, via Micah Lee’s interview from The Intercept.

This talk is for everyone. You don’t need to be an activist, journalist or a lawyer to have to need Tor. Even the most boring, uninteresting person in the world should be defending their rights to privacy and freedom of expression by using Tor.

The aim of this ~30 minute talk (plus Q/A) is to help make understanding of Tor and Onion Services easier. It is not a highly technical talk, but it is technical. I expect that users that wish to gain knowledge of how technical systems work, to take advantage of them, must learn technical material.

The talk discusses how the Tor network works to protect your privacy by juxtaposing plain HTTP, HTTPS, and also mainstream VPN technology. I will be discussing why the advertising industry is an even greater threat than even the NSA (to most people) and why VPNs just can’t cut it. Lastly, I will discuss how Onion services is a paradigm shift from standard client-server communications, how it works to protect your privacy, and why Onion services is an important application for service providers concerned about uptime and security.

02 of 31, sources

TA3M Seattle, January 2016 - 02

Most of the content of my talk is sourced from these two blog posts of mine.

https://yawnbox.com/index.php/2016/01/04/use-tor-browser-or-harden-firefox-for-privacy/

https://yawnbox.com/index.php/2015/10/25/comparing-http-https-vpn-and-tor-with-snail-mail-metaphors/

03 of 31, http / postcard

TA3M Seattle, January 2016 - 03

As you probably know, sending a postcard in the mail allows anyone that handles the postcard to view and retain both the metadata (activity records of who, when, and where) and content. Plain HTTP is no different, except digital content is much easier and cheaper to collect and store.

04 of 31, http / postcard

TA3M Seattle, January 2016 - 04

This clear-text content and metadata is represented here in purple. It is completely defenseless in transit. Anyone connecting to, for example, bbc.co.uk allows anyone between you and the BBC service provider to view, retain, and maybe even change the metadata or content in transit.

05 of 31, https / letter

TA3M Seattle, January 2016 - 05

Sending a letter in the mail has one layer of protection, the envelope, and is analogous to HTTPS. The NSA considers HTTPS encrypted traffic “clear text” because metadata is still clear text, and a lot can be learned about the content of HTTPS encrypted traffic through automated analysis.

06 of 31, https / letter

TA3M Seattle, January 2016 - 06

HTTPS protected content is represented here by a red circle protecting the purple content at the center. Connecting to yandex.ru, even though encrypted with (presumably) high-grade HTTPS, still divulges a great deal of information (metadata) to anyone handling your traffic as it traverses the Internet.

07 of 31, virtual private network… 1-hop proxy

TA3M Seattle, January 2016 - 07

VPNs are largely one-hop proxies. It is possible to set up your own multi-hop VPN proxies, just like you can set up your own private Tor network if you have the time, expertise, and money. But mainstream VPN providers, to keep the time it takes to send your traffic back and forth across the Internet, only use one proxy. In other words, VPN providers, to keep most people happy, focus on speed rather than privacy.

Purchasing a private PO BOX or mailbox from a UPS store is analogous to purchasing VPN service from a provider. You are paying someone to “one-hop” proxy your mail so that the destination of your mail cannot know your real home address.

08 of 31, vpn / postcard

TA3M Seattle, January 2016 - 08

In this example, you are using the Ipredator (ipredator.se) VPN service provider in order to connect to amazon.com. Amazon still does not provide transport security and thus privacy for users of their service when searching for products to buy. Your Amazon-bound Internet traffic has one layer of protection, the orange circle, only up until the VPN service provider. Once your Amazon-bound traffic leaves the VPN provider (the one-and-only one-hop proxy), Amazon searches are as naked as postcards.

If network adversaries observing the Amazon searches somewhere between the VPN provider and Amazon may also be able to determine who is doing the searches based on the content of the Internet traffic, because these Amazon searches are just like sending postcards in the mail. Said adversaries can view, record, and change any of the metadata or content.

09 of 31, vpn / letter

TA3M Seattle, January 2016 - 09

In this example, when connecting with HTTPS to Wikipedia.org and using the Ipredator VPN service, the data (purple) is protected by by a layer of HTTPS (red) and also the VPN (orange). Once the Wikipedia-bound Internet traffic is proxied by Ipredator, it loses the VPN-encrypted (orange) layer, and your traffic’s content is still protected by Wikipedia’s HTTPS-encrypted (red) layer.

10 of 31, vpn circuits

TA3M Seattle, January 2016 - 10

As previously discussed, VPNs are one-hop proxies. The “circuit” that is made between you and the VPN service provider is static — the operator and the IP subnet never changes. The “IP subnet” of the VPN provider determines the IP address that your Internet traffic uses and is constrained by the pool of available IP addresses the VPN provider has available.

The one-hop proxy / circuit design is purposeful in order to maintain minimal latency (the time it takes for your traffic to reach the VPN provider), and to maximize bandwidth (how much you can download or upload per second).

11 of 31, the onion router… 3-hop proxy

TA3M Seattle, January 2016 - 11

Tor is more complex and can generally be described as a three-hop proxy. It would be like purchasing PO BOX services from three different, globally diverse mail proxy service providers, and each of those providers automatically works with each other to relay your mail to maximally protect your home address and maybe even your identity.

When sending mail communications, the first mail proxy knows who you are and also knows who the second mail proxy is. The second mail proxy only knows who the first and third mail proxies are. By the time your mail gets to the third and final mail proxy, your home address is not in any of the metadata that is destined for the recipient. And unless you disclosed your identity in the content of your communications, the recipient cannot know your identity, either.

12 of 31, tor / postcard

TA3M Seattle, January 2016 - 12

1. Tor encrypts your Ebay-destined traffic in three layers before leaving your computer.

2. Green circle: the Tor encrypted traffic from your computer to the Tor guard relay. The guard relay removes this first layer of encryption.

3. Yellow circle: the Tor encrypted traffic from the guard relay to the middle relay. The middle relay removes the second layer of encryption.

4. Orange circle: the Tor encrypted traffic from the middle relay to the exit relay. The exit relay removes the last layer of encryption and sends your traffic on to Ebay. Naked.

Connecting to ebay.com over Tor and searching Ebay does not disclose your IP address or your identity unless you log in to Ebay. Logging in to Ebay would disclose your identity to Ebay and thus may disclose the probability of your physical location if you gave Ebay or PayPal your home address as a shipping destination. If you browse Ebay without logging in but search for things that could allow an adversary to identify who is doing the searches, then you may disclose your identity that way, too.

If network adversaries observing the Ebay searches somewhere between the Tor exit relay and Ebay may also be able to determine who is doing the searches based on the content of the Internet traffic, because these Ebay searches are just like sending postcards in the mail. Said adversaries can view, record, and change any of the metadata or content.

13 of 31, tor / letter

TA3M Seattle, January 2016 - 13

1. Tor encrypts your Twitter-destined traffic in three layers before leaving your computer. Then, because Twitter requires that you use HTTPS to connect to Twitter, the first connection to Twitter establishes HTTPS (red), and then all of your Twitter-bound traffic will be encrypted in four layers of encryption.

2. Green circle: the Tor encrypted traffic from your computer to the Tor guard relay. The guard relay removes this first layer of encryption.

3. Yellow circle: the Tor encrypted traffic from the guard relay to the middle relay. The middle relay removes the second layer of encryption.

4. Orange circle: the Tor encrypted traffic from the middle relay to the exit relay. The exit relay removes the last layer of encryption and sends your traffic on to Twitter. Because of HTTPS, the content of your Twitter-bound traffic is still protected.

Connecting to twitter.com over Tor and searching Twitter does not disclose your IP address or your identity unless you log in to Twitter. Logging in to Twitter would disclose your identity to Twitter. If you browse Twitter without logging in but search for things that could allow an adversary to identify who is doing the searches, then you may disclose your identity that way, too.

Network adversaries observing Twitter searches somewhere between the Tor exit relay and Twitter can not determine who is doing the searches, because these searches are like letters in the mail. Said adversaries can still view and record any of the metadata but not the content.

14 of 31, tor circuits

TA3M Seattle, January 2016 - 14

Unlike VPN circuits, Tor circuits are generated randomly by your local Tor client. Tor circuits are required to have significant international hops in order to minimize the threat of surveillance or attack from a potentially malicious volunteer operator operating multiple relays in different IP subnets. In addition to Tor circuit randomness when starting Tor Browser, circuits are automatically and randomly changed every 10 minutes.

The downsides of using Tor is that, due to the required use of three geographically diverse hops, each of which likely has limited bandwidth, both high-latency and low-bandwidth experiences are high probabilities.

This is more of a positive than a negative, especially versus a typical VPN, but a Tor user must trust a random selection of roughly 2,000 guard relay operators and roughly 1,000 exit relay operators per circuit. Further, the Tor specification requires that relays belonging to the same operator cannot be used within the same circuit, presuming any given volunteer operator is not using different IP subnets.

15 of 31, tor circuits

TA3M Seattle, January 2016 - 15

By now, it should be clear that the number of relay operators is critical to the success of Tor and its users. Similarly, because all Tor traffic generally looks the same, it is similarly critical for the success of the Tor network for there to be a high number of users and services (Onion services).

Most purchasable Internet security services are built using a controlled set of infrastructure. This is a form of centralization. Tor is powerful exclusively because of the decentralized nature of the Tor network and the requirements of the Tor protocol. No other centralized security service can come close to having all of the security and privacy properties as Tor.

16 of 31, ads vs. nsa

TA3M Seattle, January 2016 - 16

We know that there are two active and constant threats to the Internet and thus its users: governments with intelligence agencies that are bent on the presumption that mass surveillance is valuable, and advertising agencies that are bent on collecting as much information about people as possible in order to sell them products. It just so happens that intelligence agencies are leveraging the work of advertising agencies because of their already deep integration into the large majority of the public Internet. Thus, the “biggest threat” to any Internet user is being attacked by advertising agencies.

However, we know that the NSA and FVEY (Five Eyes) focuses on traffic analysis leaving the Tor network, so it is highly probable that the same focus occurs for IP subnets associated with VPN service providers.

https://medium.com/message/the-hypocrisy-of-the-internet-journalist-587d33f6279e

https://www.eff.org/deeplinks/2013/12/nsa-turns-cookies-and-more-surveillance-beacons

17 of 31, vpn behavior

TA3M Seattle, January 2016 - 17

18 of 31, vpn behavior

TA3M Seattle, January 2016 - 18

These are examples of two connections to two random Internet services via a one-hop proxy in Sweden. It should be quite obvious how simple this is and how trivial it would be for a global adversary to track low-latency, one-hop proxy connections.

19 of 31, vpn behavior

TA3M Seattle, January 2016 - 19

VPN services might feel safe. Especially when you pull out your credit card, you expect to get what you think you’re buying. But its largely false if your goal is to defend personal privacy. VPNs are still really powerful for getting around censorship, sometimes. VPNs are also still really powerful for file sharing. But both advertising agencies and intelligence agencies are not slowed by technologies that are trivial to undermine with automatic network and data analysis.

Also important to understand is that when you hire one corporate entity to safeguard your privacy, you create one target for an adversary to legally or technically attack. Nobody can assure that VPN services do not maintain connection logs; we know that they are required to maintain payment logs, and we know that some service providers have handed over connection information while also advertising that they do not store connection information.

20 of 31, tor behavior

TA3M Seattle, January 2016 - 20

21 of 31, tor behavior

TA3M Seattle, January 2016 - 21

These examples of two Tor circuits demonstrates why adding complexity to network connections is valuable, especially compared to standard options (HTTP, HTTPS, or VPN).

22 of 31, tor behavior

TA3M Seattle, January 2016 - 22

I included this slide again to further stress the importance of diversity of the Tor network.

23 of 31, onion services

TA3M Seattle, January 2016 - 23

Common client-server connections entails you making a request to a server, to see if that server is available, and to request digital resources if the server is available. This is done by communicating directly with the server. Onion services do not work this way.

Onion services, like the ProPublica Onion site, is like a permanent Tor user that is constantly connected to the Tor network. You, the client, and ProPublica, the server both inform the Tor network of your hidden identities. The only difference is that you, the client, makes an anonymous request to the Tor network to ask if the ProPublica server is available. The Tor network, automatically and anonymously, connects the two of you through a random rendezvous point inside the Tor network. You never actually talk directly to the ProPublica Onion site, and you both have your own three-hops to protect your IP address. Since none of this traffic ever leaves the Tor network, Onion services are not vulnerable to standard forms of passive Internet surveillance.

24 of 31, onion services

TA3M Seattle, January 2016 - 24

In addition to being free from passive Internet surveillance, Onion services have significant security properties.

It is important for user-focused security to be default, such as high-grade HTTPS. It is also important to empower users by offering a diversity of security properties. It is important to remember that it is impossible for any one organization to fully grasp each personalized threat model for every one of their users.

Aside from the obvious user-focused security benefits of providing Onion services, there are obvious organization-focused security benefits. For example, many Fortune 1000, 500, or 100 companies commonly have website outages because of problems with DNS, BGP, or their CA. Providing Onion services helps mitigate losing access to Web resources because of these failure points.

25 of 31, onion services

TA3M Seattle, January 2016 - 25

The quote on slide 24 is from Roger Dingeldine as stated in his 32C3 talk, “Tor Onion Services: More Useful Than You Think”. It is a very informative talk and covers deeper issues, problems, and opportunities for the future of Onion services.

https://media.ccc.de/v/32c3-7322-tor_onion_services_more_useful_than_you_think

Every “State of the Onion” presentation is worth watching and would be an excellent primer into understanding the nature of Tor and the quality of the people behind it.

https://media.ccc.de/v/32c3-7307-state_of_the_onion

26 of 31, onion services behavior

TA3M Seattle, January 2016 - 26

This example of a client accessing an Onion service demonstrates the complexity and importance of Onion services. Because both the client and the server makes independent Tor circuits, both maintain anonymity while also providing end-to-end encryption.

27 of 31, onion services hosting

TA3M Seattle, January 2016 - 27

If you are interested in learning about or advocating for the use of Onion services, these are some useful resources.

https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices

https://storify.com/AlecMuffett/tor-tips

https://www.facebook.com/notes/alec-muffett/how-to-get-a-company-or-organisation-to-implement-an-onion-site-ie-a-tor-hidden-/10153762090530962

28 of 31, tor browser

TA3M Seattle, January 2016 - 28

If you are brand new to Tor, or generally need assistance with using a personal computer, these step-by-step guides are perfect for Tor Browser installation and basic use.

https://ssd.eff.org/en/module/how-use-tor-windows

https://ssd.eff.org/en/module/how-use-tor-mac-os-x

29 of 31, tor browser

TA3M Seattle, January 2016 - 29

Tor Browser, when juxtaposed to normal Web browsers, has significant advantages when the goal is to minimize identity exposure and the effects of Web tracking. Browser plug-ins cannot accomplish these privacy-focused goals, and many of these problems are identity-divulging browser features that advertising agencies always exploit.

30 of 31, tor applications

TA3M Seattle, January 2016 - 30

This list is a list of Tor related software applications for different platforms. It is not an exhaustive list, and in my talk I briefly described the purpose of each one.

31 of 31, questions?

TA3M Seattle, January 2016 - 31

If you use a version of this presentation, be sure to leave ample time for questions!

GlobaLeaks and SecureDrop: which is right for you?

GlobaLeaks and SecureDrop are both secure and anonymous document submission systems. However, there are important differences between the two that must be understood before choosing either.

TL;DR

Use SecureDrop to best defend legally privileged work, or when utmost security is needed.

Use GlobaLeaks if:

  • You or your organization needs an internal auditing and/or whistleblowing platform, a survey/questionnaire platform, or a file submission platform.
  • You or your organization does not have dedicated technical support to properly manage SecureDrop.
  • You or your organization wants to trial-run a secure and anonymous document submission system to understand the policy and procedural impacts before investing in SecureDrop.
  • You or your organization cannot monetarily afford the SecureDrop infrastructure.

Similarities

  • Both systems are free software.
  • Both are regularly audited by independent software security firms, and the audit results are published.
  • Both use the Tor network to support user anonymity.
  • Both require consistent administration and updates to maintain software security.
  • Both require careful thought about the system’s physical security.
  • Both require careful thought about organizational policy changes and the organizational procedural changes.

Differences

There are many important consequences of their usability decisions. Always perform a careful threat assessment before deploying, and periodically after deployment.

GlobaLeaks

Docs: https://github.com/globaleaks/globaleaks/wiki

GlobaLeaks aims for ease-of-use for both the administrator and users. GlobaLeaks only requires one small Ubuntu 14.04 x86-64 system with root or sudo privileges for installation and system updates. Anyone with basic Linux systems administration can install GlobaLeaks onto, for example, a $200 laptop. Freedom of the Press foundation recommends the Intel NUC for SecureDrop, and that is a good system choice for GlobaLeaks, too.

The administrator needs to be able to install GlobaLeaks onto an Ubuntu system, either Virtual Machine (VM) or computer. After Ubuntu is installed, the GlobaLeaks install script is super simple. Once the install script has completed, the end of the install script will report the Onion site for submissions and administraiton.

GlobaLeaks is incredibly flexible. An administrator could choose to install their GlobaLeaks instance in “the cloud” (someone else’s computer). But there are many security and legal consequences if you have someone else manage the service. The security consequences include the risks associated with hosting sensitive material in a virtual machine that is shared with an unknown amount of unknown people or organizations. Shared virtual hosting environments are notorius, especially if you are trying to keep the location of your Onion service hidden. Additionally, if your work is threatening to any adversary, getting services shutdown or losing access to materials is a higher risk if a 3rd party manages it.

My first encounter with GlobaLeaks was in 2012 when I met one of the core developers at a Tor hackathon. I was so inspired by the project that I wrote the first GlobaLeaks Wikipedia article to help bring attention to the project. Since I’m not a developer, information activism is one of the best things that I can do to support free software and the amazing people that choose to work on free software.

I’ve deployed GlobaLeaks for several small projects. One of the projects needed a secure and anonymous document submission system (non- privileged, professional work), and another needed a secure and anonymous questionnaire to support a privacy-technology workshop.

SecureDrop

Docs: https://securedrop.readthedocs.org/en/latest/

SecureDrop aims to be as secure as possible for both the administrator and users. Administration requires intermediate Linux systems administration expertise. Once SecureDrop has been deployed, administration can only be performed locally and is command line only. Further, it is ideal for there to be an administration team, but not everyone needs to have technical skills. It is very important to understand the different systems needed and the roles they play.

SecureDrop requires, at a minimum, four independent but low-power x86-64 computer systems. The four computer systems are necessary to properly compartmentalize specific SecureDrop properties for ideal security via defense-in-depth.

One of these computer systems is connected to the Internet, the SecureDrop web server. Contrary to the default option in GlobaLeaks, the SecureDrop web server is only accessible via Onion services. A second computer system connects to the web server for the sole purpose of event reporting. This is necessary so that if the web server experiences any issues, a dedicated, compartmentalized system will be alerted of trouble. The other two computer systems needed for SecureDrop should never be networked and are called “air-gapped”. One of the air-gapped computer systems is needed to perform administrative functions; namely, the creation of Tails Linux USB drives. The second air-gapped computer system is solely used for reviewing SecureDrop submissions. Both of the air-gapped computer systems run Tails linux.

My first and only SecureDrop deployment was for the ACLU of Washington, which is really incredible. ACLU-WA was many firsts:

– The first non- journalist organization in the world.
– The first ACLU organization.
– The first legal organization.
– The first organization in the Pacific Northwest.

At ACLU-WA, there was a desire to begin experimenting with secure submission systems as an alternative to existing, common forms of communication like e-mail and HTTPS forms that come with inherent vulnerabilities. This decision was made without a fully developed sense of what the myriad internal policy implications would be. We knew ahead of deployment that a system like SecureDrop would pose certain organizational policy and procedural consequences, but waited until after receiving our first submission to finalize all our administrative practices. Most importantly, we know that existing legal intake methods used by legal organizations pose concrete risks because they all depend on communication systems that are not designed to withstand certain passive surveillance systems.

I was not part of ACLU-WA staff or part of the technical team that installed SecureDrop. My voluntary role at ACLU-WA was to design the landing page, to create our advanced threat modeling page, to advise on website and SecureDrop hardening, and to advise on organizational policy changes.

An open letter for organizations to support Tor onion services

DRAFT 1

There was a time when organizations used to ask the question, why would we want to use the Internet? There were no easy paradigms for business leaders to understand the implications. Early adopters of the Web slowly learned the value and effects of persistent information broadcasting, including reach into new and unexpected audiences. These organizations not only seeded their presence in online communities, but online communities started to shape the motivations and goals of organizations.

Following the early adoption phase, mass adoption took hold and organizations deepened their understanding. It became clear that connecting with people on this extraordinary level is not without risk and that businesses need to incorporate organizational information assurance policies. Since the beginning, encryption has been critically important to protect business interests.

Organizations are still in the process of adapting to new paradigm shifts. We take for granted TCP protocols that make web pages show up, complete, on user’s screens, because we consider that satisfactory. We take for granted the increasing affordability of data storage because we can do more for less. We not only ignore the effects of billion-dollar industries the are built and driven by the collection of personal data, but we support those industries by focusing on usability and profit. At what point do we ask the question, how much do we actually love our users?

In 2013, a significant opportunity opened up that allows organizations that use Information and Communication Technologies to understand the unintended consequences of clear-text content and metadata sharing. As more and more users depend on the services that organizations provide, organizations are learning more and more about how their technology and policy choices affect their users.

We have reached a point that it is no longer ethically acceptable to claim that our services, and thus our users, do not require both default security and also a choice in security technologies. It is no longer ethically acceptable to prioritize the security of our databases over the security and empowerment of our users.

Employing high-grade HTTPS is step one in adapting to the use of open standards and protocols. However, HTTPS reinforces the use of centralized trust authorities that, fundamentally, have deep security problems of their own. Organizations have long had the opportunity to leverage a free and decentralized security technology, and that technology is called Tor onion services.

Tor onion services mitigate many wide-spread security concerns including Certificate Authority attacks, Border Gateway Protocol attacks, and Domain Name System attacks. Adopting Tor onion services also happens to empower our users by giving them greater autonomy and control of their data and information. We can never understand individualized threat models for all our users; it is our responsibility to first admit that we will never understand such a complex landscape, and second we must employ this free and adaptive technology that raises the bar of security best practices.

Signed,

Use Tor Browser, or harden Firefox, for privacy?

Welcome 2016! This is my first post of the new year, and my first post from Germany and from Europe (following an amazing #32C3).

I routinely see people concerned about their personal privacy and computing security as it relates to web tracking. If you are one of these people, thank you for taking the first step toward a world that designs its information systems with privacy and security first. Asking which browser plugins to install is asking the right type of question, but it is not the right question to ask.

From Quinn Norton’s The Hypocrisy of the Internet Journalist:

I could build a dossier on you. You would have a unique identifier, linked to demographically interesting facts about you that I could pull up individually or en masse. Even when you changed your ID or your name, I would still have you, based on traces and behaviors that remained the same — the same computer, the same face, the same writing style, something would give it away and I could relink you. Anonymous data is shockingly easy to de-anonymize. I would still be building a map of you. Correlating with other databases, credit card information (which has been on sale for decades, by the way), public records, voter information, a thousand little databases you never knew you were in, I could create a picture of your life so complete I would know you better than your family does, or perhaps even than you know yourself.

In this context, advertising agencies are no different from the NSA. From NSA Turns Cookies (And More) Into Surveillance Beacons:

[S]py agencies are keen to find any available way to recognize a particular user by their devices’ behavior on the Internet, and that cookies sent with unencrypted web requests are one of the easiest and most straightforward ways of picking out an individual device even as it moves from network to network.

Thinking that you can simply install an app to solve your privacy and security problems is wishful thinking. Have you tested your configuration? Not just once in an ideal scenario, but also when you allow Javascript because you need it?

https://panopticlick.eff.org/

A better question to ask is, what do trackers track?

Can your browser change your public IP address? Can your browser change or lie about your internal IP address? Can your browser change or lie about your browser resolution? Can your browser hide or lie about your screen resolution? Can your browser hide which browser and version you’re using, the browser plugins and versions you’re using, and the browser extensions and versions you’re using? Proably not, nor can plugins.

These are the types of things that Tor Browser fixes when you use Tor Browser correctly. The right answer to “what plugins support my computing security and personal privacy?” is to not install any plugins and to use Tor Browser.

The default installation of Tor Browser is the most anonymous way to browse the web because it holistically addresses most of the hardest problems to solve when it comes of web tracking.

And don’t go and install more plugins into Tor Browser thinking you are safer. Changing the configuration in any way makes it easier to re-identify you. Get to know the “security slider“, it will be your best friend when using Tor Browser. Learn and understand how and why Tor circuits are used.

Fundamentally, when you install a plugin into Firefox or Chrome, you make your fingerprint more unique, because most people don’t add pugins let alone a unuqie combination of them. Most people also don’t change their public IP address, so most tracking mechanisms can trivially track you based on IP and the subnet of your IP address that your ISP likely dynamically assigns you. Most people sign into de-anonymizing services, and linking your session data to de-anonymized data is trivial. Even if you visit your personal web page via Tor Browser, and you continue to access other sites in the same session, it is probable that it is you visiting and thus probable that the other session data is yours.

From Whonix: Things NOT to do

It’s best not to visit your own personal website where either real names or pseudonyms (which have ever been tied to a non-Tor connection/IP) are attached. Because how many people are visiting your personal website? 90% of all Tor users, or just you, or just very few other people? That’s weak anonymity. Once you visit a website your Tor circuit gets dirty. The exit relay knows that someone visited your website and if the site is not that popular, it’s a good guess that ‘someone’ was you. It wouldn’t be hard to assume that further connections originating from that exit relay come from your machine.

This gets down into operational security. Privacy is not just a matter of information security. You must conciously choose to help yourself by installing and using Tor Browser for nearly 100% of your browsing. You must take the responsibility of telling your service providers not to censor Tor users. You must change your habits if you wish to maintain privacy and thus autonomy. If you need Windows for your work, install an afforable Tails Linux or Whonix laptop next to your main workstation. Don’t give up.