Visit your own site in anonymous mode
“I wonder what my site looks like when I'm anonymous?”
[1]
It is better to avoid visiting personal sites to which real names or pseudonyms are attached, especially if they have ever been accessed without Tor, i.e. from a real IP address. Probably very few people visit your personal site via Tor, so the user may be the only unique Tor client that does so.
This behavior leads to an anonymity leak, because once the website has been visited, the whole Tor circuit is "dirty". If the site is unpopular and does not receive much traffic, the Tor exit node can be almost certain that the site's visitor is the site's owner. From this point on, it is reasonable to assume that subsequent connections from this Tor exit node also come from that user's computer.
Source: [2]
Log in to social networking accounts and think that you are anonymous
Do not log into your personal Facebook account or any other social network through Tor. Even if an alias is used instead of a real name, the account is probably associated with friends who know you. As a result, the social network can make a reasonable guess about who the user really is.
No anonymity system is perfect. Online anonymity software can hide IP addresses and locations, but Facebook and similar corporations do not need this information. Social networks already know the user, his friends, the contents of "private" messages between them, and so on. This data is stored at least on the social network's servers, and no software can delete it. Only the social network platforms themselves or hacker groups can remove it.
[3]
Users who log into their Facebook and other accounts only receive location protection, not anonymity.
This is not well understood by some social network users:
[4]
Mike, will I be completely anonymous if I log into my Facebook account? I use Firefox 3.6 with Tor and NoScript on a Windows 7 machine. Thank you.
Never log into the accounts you used without Tor.
Always assume that on every visit the server log records the following:
[5]
- Client IP address / location.
- Date and time of the request.
- Specific addresses (URLs) of the requested pages.
- HTTP status code.
- Number of bytes transferred to the user.
- Browser user agent.
- Referring site (referrer).
Also assume that the Internet Service Provider (ISP) records at least the time spent online and the client's IP address / location. The provider can also record the IP addresses / locations of the sites visited, how much traffic (data) is transferred, and exactly what was sent and received. As long as the traffic is not encrypted, the ISP can see exactly what actions were taken and what information was received and sent.
The following tables give a simplified view of how these logs can look to administrators.

Table: ISP log

| Name     | Time          | IP / location | Traffic |
|----------|---------------|---------------|---------|
| John Doe | 16:00 - 17:00 | 1.1.1.1       | 500 MB  |

Table: Extended ISP log [6]

| Name     | Time          | IP / location | Traffic | Address      | Content                     |
|----------|---------------|---------------|---------|--------------|-----------------------------|
| John Doe | 16:00 - 17:00 | 1.1.1.1       | 1 MB    | google.com   | Search query 1, query 2 ... |
| John Doe | 16:00 - 17:00 | 1.1.1.1       | 490 MB  | youtube.com  | Watched video 1, video 2    |
| John Doe | 16:00 - 17:00 | 1.1.1.1       | 9 MB    | facebook.com | Encrypted traffic           |

Table: Website log

| Name | Time          | IP / location | Traffic | Content                     |
|------|---------------|---------------|---------|-----------------------------|
| -    | 16:00 - 16:10 | 1.1.1.1       | 1 MB    | Search query 1, query 2 ... |

It is clear that the same kind of logging at the website and at the ISP, once combined, makes it easy to reconstruct the user's actions.
Even a single login over a connection not protected by Tor, from the real IP address, ties the account to the user and compromises it. Single mistakes like this are often fatal and have led to the exposure of many "anonymous" users.
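The correlation the tables above describe, carried out in code: an added example for this page, not Whonix or Tor Project code. It joins a constructed ISP accounting log with a constructed website access log in the standard Apache/nginx "combined" format (which goes slightly beyond the simplified tables above), and shows how one login from the real IP address ties an account name to a subscriber, so that later posts made through a Tor exit are attributed to that person too. All names, addresses and log lines are made up; the addresses come from the RFC 5737 documentation ranges.

```python
"""Joining an ISP accounting log with a website access log.

Added example for this page, not Whonix or Tor Project code. All log lines
are constructed: the addresses are RFC 5737 documentation ranges and
'John Doe', 'Jane Roe' and 'anonbunny' are fictitious.
"""
import re
from datetime import datetime, timezone

# Constructed ISP log: subscriber name, session start, session end, public IP.
ISP_LOG = """\
John Doe,2017-05-27T16:00:00,2017-05-27T17:00:00,198.51.100.23
Jane Roe,2017-05-27T15:30:00,2017-05-27T18:00:00,198.51.100.77
"""

# Constructed forum access log in Apache/nginx "combined" format. The third
# field (authuser) holds the account name once the visitor is logged in.
# 203.0.113.9 plays the role of a Tor exit node.
WEB_LOG = """\
198.51.100.23 - - [27/May/2017:16:05:12 +0000] "GET /search?q=query+1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - anonbunny [27/May/2017:16:07:40 +0000] "POST /login HTTP/1.1" 302 0 "https://forum.example/" "Mozilla/5.0"
203.0.113.9 - anonbunny [27/May/2017:21:14:03 +0000] "POST /post HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [27/May/2017:21:15:30 +0000] "GET /thread/42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_isp_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, start, end, ip = line.split(",")
        rows.append({
            "name": name, "ip": ip,
            "start": datetime.fromisoformat(start).replace(tzinfo=timezone.utc),
            "end": datetime.fromisoformat(end).replace(tzinfo=timezone.utc),
        })
    return rows


def parse_web_log(text):
    rows = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["user"] = None if d["user"] == "-" else d["user"]
        rows.append(d)
    return rows


def subscriber_for(isp_rows, ip, ts):
    """Which subscriber held `ip` at time `ts`, according to the ISP log."""
    for r in isp_rows:
        if r["ip"] == ip and r["start"] <= ts <= r["end"]:
            return r["name"]
    return None


def link_accounts(isp_text, web_text):
    """Map each account name to the subscriber who used it from an
    ISP-attributable address. One non-Tor login is enough to make the link."""
    isp, web = parse_isp_log(isp_text), parse_web_log(web_text)
    linked = {}
    for e in web:
        if e["user"]:
            who = subscriber_for(isp, e["ip"], e["ts"])
            if who:
                linked.setdefault(e["user"], who)
    return linked


def attribute_requests(isp_text, web_text):
    """Attribute every request to a person: directly through the ISP log, or
    indirectly through a linked account even when the request arrives from a
    Tor exit the ISP log knows nothing about. Requests from the exit with no
    account stay unattributed: the exit address is shared by many users."""
    isp, web = parse_isp_log(isp_text), parse_web_log(web_text)
    linked = link_accounts(isp_text, web_text)
    return [(subscriber_for(isp, e["ip"], e["ts"]) or linked.get(e["user"]),
             e["ip"], e["req"]) for e in web]


if __name__ == "__main__":
    print(link_accounts(ISP_LOG, WEB_LOG))
    for row in attribute_requests(ISP_LOG, WEB_LOG):
        print(row)
```

Note what the last request shows: a request from the exit address with no account stays unattributed, because an exit is shared by many Tor users at once. The attribution only becomes certain through the account name, which is why a single clearnet login is enough to burn the pseudonym for good.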
Do not log in to online banking or payment systems unless you are aware of the risks.
Logging into an online bank, PayPal, eBay or other important financial accounts registered in the user's real name is not recommended. In financial systems, any use of Tor risks having the account frozen for "suspicious activity" flagged by the fraud prevention system, because criminals sometimes use Tor to commit fraud.
Using Tor with online banking and financial accounts is not anonymous for the reasons given above. It is pseudonymity that only hides the IP address, or a trick to access a site blocked by the provider. The difference between anonymity and pseudonymity is described in the corresponding chapter.
If an account is blocked, in many cases customer support can be contacted to unlock it. Some services even allow the fraud rules for a user's account to be relaxed.
Whonix developer Patrick Schleizer does not object to using Tor to bypass a site block or hide an IP address. But the user must understand that a bank or other payment account can be (temporarily) frozen. Other outcomes are also possible (permanent blocking of the service, deletion of the account, etc.), as stated in the warnings on this page and in the Whonix documentation. If users are aware of the risks and consider it appropriate to use Tor in their specific personal circumstances, they can of course ignore this advice.
Do not alternate Tor with open Wi-Fi
Some users mistakenly think that open Wi-Fi is a faster and safer "alternative to Tor", since the IP address cannot be tied to a real name.
Below we explain why it is better to use open Wi-Fi and Tor, rather than open Wi-Fi or Tor.
Any IP address can be geolocated to the city, district or even street. Even if the user is far from home, open Wi-Fi still gives away a city and an approximate location, since most people do not travel across continents.
The identity of the open Wi-Fi owner and the router's configuration are also unknown variables. The router may log users' MAC addresses together with those users' Internet activity, and that log is available to the router's owner.
Although such logging does not necessarily break the user's anonymity, it narrows the circle of suspects from the entire population of the planet, a continent or a country down to a specific area. This effect greatly degrades anonymity. Users should always give away as little information as possible.
Avoid Tor over Tor scenarios
Note: this is a Whonix-specific problem.
When using a transparent proxy (such as Whonix), it is possible to run Tor both on the client side and on the transparent proxy at the same time, which creates a Tor over Tor scenario.
This happens when Tor is installed inside Whonix-Workstation, or when a Tor Browser is used that has not been configured to use the SocksPort instead of the TransPort. Read more about this in the Tor Browser article.
These setups create uncertainty and are potentially unsafe. In theory, traffic goes through six onion-routing nodes instead of three. But there is no guarantee that the three additional nodes differ from the first three; they may be the same nodes, possibly in reverse or mixed order. According to the Tor Project, this is unsafe:
[7]
We do not encourage the use of paths longer than the standard one: this increases the load on the network without (as far as we can tell) increasing security. Remember that the most effective way to attack Tor is to attack the exit points and ignore the middle of the path. In addition, using a route longer than three nodes may impair anonymity. First, it makes denial of service attacks easier. Secondly, it can act as a user identifier if only a few people do so ("Oh, look, it's that guy who changed the route length again").
Users can manually specify a Tor entry or exit node, [8] but from a security standpoint it is best to leave route selection to Tor. Overriding the Tor entry or exit node can degrade anonymity in ways that are not well understood. Therefore, Tor over Tor configurations are strongly discouraged.
License for the section "Avoid Tor over Tor scenarios": [9]
Do not send sensitive data without end-to-end encryption.
As already explained on the "Warning" page, Tor exit nodes can eavesdrop on communications and mount man-in-the-middle (MITM) attacks, even when HTTPS is used. (In practice the exposure comes from sites still reachable over plain HTTP, from protocol downgrades, and from fraudulently issued certificates; a correctly validated HTTPS session on its own denies the exit the content, but the user cannot verify all of that for every request.) End-to-end encryption is the only way to send sensitive data to the recipient while avoiding the risk of interception and disclosure to hostile third parties.
Do not disclose identifying data online
De-anonymization is possible not only through connections and IP addresses, but also through social means. Here are some recommendations for protecting against social de-anonymization:
- Do not include personal information or personal interests in posts.
- Do not discuss personal information such as place of residence, age, marital status, etc. Over time, even trivial conversations such as discussing the weather can lead to an accurate estimate of the user's location.
- Do not mention gender, tattoos, piercings, physical abilities or disabilities.
- Do not mention a profession, hobby, or participation in activist groups.
- Do not use special keyboard characters that exist only in your language.
- Do not publish information on the regular Internet (clearnet) while anonymous.
- Do not use Twitter, Facebook or other social networks. You will easily be linked to a profile.
- Do not post links to Facebook images. The file name contains your personal ID.
- Do not visit the same site at the same time of day or night. Vary the timing of sessions.
- Remember that IRC, other chats, forums and mailing lists are public places.
- Do not discuss anything personal at all, even over a secure and anonymous connection to a group of strangers. Recipients in a group represent a potential risk ("known unknowns") and can be made to work against the user. A single informant is enough to break up the group.
- Heroes only exist in comic books, and they are actively hunted. There are only young heroes or dead heroes.
If it is necessary to disclose any identification data, consider it as confidential information described in the previous section.
License: from the JonDonym documentation (permission).
Use bridges if the Tor network seems dangerous or suspicious in your area.
This recommendation comes with an important caveat, since bridges are not an ideal solution:
[10]
Bridges are important tools and in many cases work well, but they are not an absolute defense against the technological advances an adversary may use to identify Tor users.
Do not use the same digital identity for a long time.
The longer the same pseudonym is used, the higher the probability of a mistake that reveals the user's identity. Once that has happened, the adversary can study the history and all the activity under that pseudonym. It is prudent to regularly create new digital identities and stop using old ones.
Do not use multiple digital identities at the same time.
Using pseudonyms depending on the context becomes more difficult and error-prone over time. Different digital identities are easy to link if they are used at the same time, because Tor can reuse circuits within the same browsing session, or information can leak from Whonix-Workstation. Whonix cannot magically separate different digital identities depending on the context.
See also the point below.
Do not stay logged in to Twitter, Facebook, Google, etc. for longer than necessary.
Keep the time logged in to Twitter, Facebook, Google and other services with accounts (such as web forums) to the absolute minimum. Log out as soon as you have read or posted what you needed or completed other necessary tasks. After logging out, it is safe to close the Tor Browser, change the Tor circuit using a Tor Controller, wait 10 seconds for the circuit change to take effect, and then restart the Tor Browser. For better security, follow the guidelines for using multiple virtual machines and / or multiple Whonix-Workstations.
This behavior is necessary because many websites embed one or more integration buttons, such as the Facebook Like button or Twitter's Tweet This.
[11] In fact, of the 200,000 most popular sites ranked by Alexa, social widgets for Facebook and Twitter are present on 47% and 24% of them, respectively. Google's third-party web services are embedded on about 97% of sites, mainly Google Analytics, advertising and CDN services (googleapis.com).
[12] [13] If the user stays logged in to the service, these buttons tell the service's owner about the visit to the site.
[14]
Do not underestimate the privacy threat from third-party services:
[15] [16]
Each time a user's browser accesses a third-party service, that third-party server gets the ability to deliver tracking scripts and to tie the originating site to a third-party cookie and the browser fingerprint. Such online behavior tracking lets these services build up user profiles, including sensitive information such as the user's political views and medical history.
Users should also read the chapter above.
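The "change the Tor circuit using a Tor Controller, wait 10 seconds" step above, done by hand over Tor's control port. This is an added example for this page, not Whonix or Tor Browser code, and it uses only the Python standard library. It assumes a ControlPort at 127.0.0.1:9051 with CookieAuthentication enabled and the cookie at /run/tor/control.authcookie (Debian's default); both are assumptions to adjust. On Whonix-Workstation the control port is only reachable through the Gateway's control port filter, and whether SIGNAL NEWNYM is permitted there depends on that filter's configuration. The 10-second figure in the text matches Tor's own behaviour: NEWNYM signals that arrive less than 10 seconds after the previous one are not acted on immediately, so the throttle below tracks the last signal and sleeps as needed.

```python
"""Requesting a fresh Tor circuit ("New Identity") over the Tor control port.

Added example for this page; it is not Whonix or Tor Browser code. It assumes
a ControlPort at 127.0.0.1:9051 with CookieAuthentication enabled and the
cookie at /run/tor/control.authcookie (Debian's default path); both are
assumptions to adjust. Only the standard library is used.
"""
import binascii
import socket
import time

CONTROL_ADDR = ("127.0.0.1", 9051)             # assumption: local ControlPort
COOKIE_PATH = "/run/tor/control.authcookie"   # assumption: cookie location

# Tor rate-limits NEWNYM: a signal arriving less than 10 seconds after the
# previous one is delayed, which is why the text says to wait 10 seconds.
NEWNYM_MIN_INTERVAL = 10.0


def auth_command(cookie=None, password=None):
    """Build the AUTHENTICATE line: cookie bytes go as hex, a password as a
    quoted string with backslashes and quotes escaped."""
    if cookie is not None:
        return "AUTHENTICATE %s\r\n" % binascii.hexlify(cookie).decode("ascii")
    if password is not None:
        esc = password.replace("\\", "\\\\").replace('"', '\\"')
        return 'AUTHENTICATE "%s"\r\n' % esc
    return "AUTHENTICATE\r\n"        # only valid when Tor has no auth configured


def parse_reply(raw):
    """Split a control-port reply into (status, lines). Intermediate lines
    look like '250-...' or '250+...'; the final line has a space after the
    three-digit status ('250 OK', '515 Authentication failed')."""
    lines = raw.decode("utf-8", "replace").splitlines()
    if not lines or len(lines[-1]) < 4 or lines[-1][3] != " ":
        raise ValueError("incomplete control reply: %r" % raw)
    return int(lines[-1][:3]), lines


def _is_final(line):
    return len(line) >= 4 and line[3:4] == b" "


def read_reply(sock):
    """Read from the socket until the final reply line has arrived."""
    buf = b""
    while not (buf.endswith(b"\r\n") and _is_final(buf.splitlines()[-1])):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("control connection closed")
        buf += chunk
    return parse_reply(buf)


class NewnymThrottle:
    """Remembers when NEWNYM was last sent so callers never exceed the limit."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.last = None

    def wait_needed(self):
        if self.last is None:
            return 0.0
        return max(0.0, NEWNYM_MIN_INTERVAL - (self.clock() - self.last))

    def mark(self):
        self.last = self.clock()


def new_identity(throttle, connect=socket.create_connection):
    """Authenticate with the cookie, send SIGNAL NEWNYM, return the status.
    NEWNYM only affects circuits for new connections; it does not clear
    browser state, which is why the text says to close Tor Browser first."""
    time.sleep(throttle.wait_needed())
    with open(COOKIE_PATH, "rb") as f:
        cookie = f.read()
    sock = connect(CONTROL_ADDR)
    try:
        sock.sendall(auth_command(cookie=cookie).encode("ascii"))
        status, lines = read_reply(sock)
        if status != 250:
            raise RuntimeError("authentication failed: %s" % lines[-1])
        sock.sendall(b"SIGNAL NEWNYM\r\n")
        status, lines = read_reply(sock)
        throttle.mark()
        return status
    finally:
        sock.close()


if __name__ == "__main__":
    t = NewnymThrottle()
    print("NEWNYM reply status:", new_identity(t))
    print("seconds to wait before the next NEWNYM:", round(t.wait_needed(), 1))
```

Two things the code makes explicit that the text only implies: NEWNYM gives new connections fresh circuits but leaves existing connections and all browser state (cookies, cache, open tabs) untouched, so closing the Tor Browser first is what actually separates the sessions; and issuing the signal more often than once per 10 seconds gains nothing, because Tor delays the extra signals.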
Do not mix anonymity modes
Do not mix anonymity modes! They are outlined below.
Mode 1: anonymous user; any recipient
- Scenario: anonymous posting on a bulletin board, mailing list, comments, forum, etc.
- Scenario: whistleblowers, activists, bloggers and similar users.
- The user is anonymous.
- The user's real IP address / location is hidden.
- Location hiding: the user's location remains secret.
Mode 2: user knows the recipient; both use Tor
- Scenario: the sender and recipient know each other and both use Tor.
- No third party learns that the communication took place, nor its content.
- The user is not anonymous. [17]
- The user's real IP address / location is hidden.
- Location hiding: the user's location remains secret.
Mode 3: user is not anonymous and uses Tor; any recipient
- Scenario: signing in under the real name to any service such as webmail, Twitter, Facebook and others.
- The user is obviously not anonymous. As soon as the real name is used to log into the account, the website knows the user's identity. Tor cannot provide anonymity in such circumstances.
- The user's real IP address / location is hidden.
- Location hiding: the user's location remains secret. [18]
Mode 4: user is not anonymous; any recipient
- Scenario: normal browsing without Tor.
- The user is not anonymous.
- The user's real IP address / location is disclosed.
- The user's location is revealed.
Conclusion
It is not a good idea to mix modes 1 and 2. For example, if a person uses an IM client or a mail account in mode 1, it is unwise to use the same account in mode 2. The reason is that the user mixes absolute anonymity (mode 1) with selective anonymity (mode 2; because the recipient knows the user).
It is also not a good idea to mix two or more modes in the same Tor session, because they may share the same exit node, which leads to correlation of identities.
It is also likely that other combinations of modes are dangerous and may lead to leakage of personal information or of the user's physical location.
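The circuit-sharing problem named in the conclusion above (and in "Do not use multiple digital identities at the same time") has a mechanical countermeasure at the SOCKS level, shown here as an added example that is not Whonix or Tor code. Tor's SocksPort honours IsolateSOCKSAuth, which is on by default: streams that present different SOCKS5 username/password pairs are never placed on the same circuit. The functions below build the RFC 1928 / RFC 1929 messages by hand with the standard library only, using the identity name as the SOCKS username, so a mode 1 identity and a mode 2 identity in the same session cannot share a circuit. SOCKS_ADDR is an assumption (a local Tor at 127.0.0.1:9050); on Whonix-Workstation it would be a SocksPort on the Gateway.

```python
"""Keeping two identities on different Tor circuits with SOCKS isolation.

Added example for this page, not Whonix or Tor code. Tor's SocksPort honours
IsolateSOCKSAuth (on by default): streams presenting different SOCKS
username/password pairs are never put on the same circuit. The messages below
follow RFC 1928 (SOCKS5) and RFC 1929 (username/password). SOCKS_ADDR is an
assumption: 127.0.0.1:9050 for a local Tor; on Whonix-Workstation it would be
the Gateway's SocksPort instead.
"""
import socket
import struct

SOCKS_ADDR = ("127.0.0.1", 9050)   # assumption: Tor SocksPort


def greeting():
    """VER=5, one method offered: 0x02 username/password. Offering only this
    method forces the credentials (and therefore isolation) to be used."""
    return b"\x05\x01\x02"


def userpass_auth(username, password):
    """RFC 1929 sub-negotiation. Tor does not verify the values; it only uses
    them as an isolation key, so the identity name itself is a fine username."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p


def connect_request(host, port):
    """CONNECT with ATYP=3 (domain name) so Tor resolves the name inside the
    circuit; resolving locally first would leak the lookup to the local DNS."""
    h = host.encode("idna")
    if not (1 <= len(h) <= 255):
        raise ValueError("hostname must be 1..255 bytes")
    if not (0 <= port <= 65535):
        raise ValueError("bad port")
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + struct.pack("!H", port)


def reply_code(data):
    """REP field of a SOCKS5 reply: 0 = succeeded, other values are errors."""
    if len(data) < 2 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply: %r" % data)
    return data[1]


def open_isolated_stream(identity, host, port, connect=socket.create_connection):
    """Open a TCP stream to host:port through Tor on a circuit reserved for
    `identity`. Two calls with different identities get different circuits;
    their exit nodes will usually differ, but Tor does not guarantee that."""
    sock = connect(SOCKS_ADDR)
    try:
        sock.sendall(greeting())
        if sock.recv(2) != b"\x05\x02":
            raise RuntimeError("SOCKS server did not accept username/password auth")
        sock.sendall(userpass_auth(identity, "x"))
        if sock.recv(2)[1:2] != b"\x00":
            raise RuntimeError("SOCKS authentication rejected")
        sock.sendall(connect_request(host, port))
        rep = sock.recv(262)
        if reply_code(rep) != 0:
            raise RuntimeError("CONNECT failed, REP=%d" % rep[1])
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # A mode 1 identity and a mode 2 identity, deliberately kept apart.
    for ident in ("mode1-anon-blog", "mode2-known-contact"):
        s = open_isolated_stream(ident, "check.torproject.org", 443)
        print(ident, "-> stream open via", SOCKS_ADDR)
        s.close()
```

Isolation at the SOCKS layer only separates circuits. It does nothing about cookies, browser fingerprints or the content of what is sent, which is why the text still recommends separate Whonix-Workstations rather than one browser juggling identities.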
License for the section "Do not mix anonymity modes": [9]
Do not change settings if the consequences are unknown.
It is usually safe to change the interface settings of applications that do not connect to the Internet. For example, checkboxes such as "Do not show daily tips again" or "Hide this menu bar" will not affect anonymity.
Before changing any setting of interest, first check the Whonix documentation. If the change is documented and not recommended, try to stick with the default settings. If the change is not documented, carefully consider the proposed action before implementing it.
Changing settings of applications that connect to the Internet (even interface settings) should be studied carefully. For example, removing the menu bar in the Tor Browser to enlarge the page viewing area is not recommended. This changes the detectable screen size, which makes the user's browser fingerprint more unique.
Changing network settings can be tolerated only with great care, and only if the consequences are known precisely. For example, users should avoid any tips about "tuning Firefox". If the settings are considered suboptimal, the changes should be proposed upstream and applied to all users of the Tor Browser in the next release.
Do not use the clearnet and Tor at the same time.
Using a non-Tor browser and the Tor Browser at the same time, you run the risk of confusing them and de-anonymizing yourself in a single slip.
When using the clearnet and Tor at the same time there is also the risk of simultaneous connections to the same server over anonymous and non-anonymous channels. This is not recommended for the reasons stated in the next section. The user can never feel safe visiting the same page at the same time through anonymous and non-anonymous channels, because he sees only the URL, not how many resources are requested in the background. Many different sites are hosted in the same cloud. Services like Google Analytics are present on most sites and therefore see a lot of anonymous and non-anonymous connections.
If this advice is ignored, the user should at least use two different desktops to prevent confusing the browsers.
Do not connect to the same server anonymously and non-anonymously at the same time.
It is strongly recommended not to create Tor and non-Tor connections to the same remote server at the same time. In case of an Internet disconnection (and this will happen sooner or later), all connections are dropped simultaneously. After such an event, the adversary can easily determine which public IP address / location belongs to which Tor connection, which potentially identifies the user directly.
Such a scenario also makes another type of attack possible from the web server. The speed of the Tor and non-Tor connections can be increased or decreased to check for correlation: if both connections speed up or slow down in unison, a relationship between the Tor and non-Tor sessions can be established.
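The disconnection attack described above, from the server operator's side, as an added example for this page (not Whonix code). All the adversary needs is the connection open/close timestamps from the server log and the public list of Tor exit addresses; the script counts, for every (clearnet address, exit address) pair, how often a direct connection and a Tor connection closed within the same two-second window. The connection log and the exit set are constructed for the example, with addresses from the RFC 5737 documentation ranges.

```python
"""Server-side correlation of simultaneous Tor and non-Tor connections.

Added example for this page, not Whonix code. A web server (or anyone reading
its logs) needs nothing more than connection open/close timestamps and the
public list of Tor exit addresses. The connection log and the exit set below
are constructed; addresses are RFC 5737 documentation ranges.
"""
from collections import Counter
from datetime import datetime

# Constructed stand-in for the Tor exit list (the real one is published by the
# Tor Project and every server operator can fetch it).
TOR_EXITS = {"203.0.113.9", "203.0.113.44"}

# Constructed server log: connection id, client address, opened, closed.
# One home user reaches the server directly (198.51.100.23) and via Tor
# (203.0.113.9) at the same time; both sessions drop twice, together, when
# the user's uplink flaps. 198.51.100.77 coincides with an exit once by chance.
CONN_LOG = """\
c1,198.51.100.23,16:00:02,16:31:17
c2,203.0.113.9,16:03:40,16:31:18
c3,198.51.100.23,16:33:00,17:05:44
c4,203.0.113.9,16:33:21,17:05:45
c5,203.0.113.44,16:10:05,16:40:00
c6,198.51.100.77,16:12:00,16:40:01
c7,198.51.100.50,16:20:00,16:55:30
c8,203.0.113.9,16:50:00,16:58:10
"""


def parse_conn_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cid, ip, opened, closed = line.split(",")
        rows.append((cid, ip, datetime.strptime(opened, "%H:%M:%S"),
                     datetime.strptime(closed, "%H:%M:%S")))
    return rows


def coincident_disconnects(log_text, exits, window_s=2.0):
    """Count, for every (clearnet address, exit address) pair, how many times
    a direct connection and a Tor connection closed within `window_s` of each
    other. One coincidence is weak evidence (exits are shared by many users);
    repeated coincidences for the same pair are hard to explain away."""
    rows = parse_conn_log(log_text)
    direct = [r for r in rows if r[1] not in exits]
    via_tor = [r for r in rows if r[1] in exits]
    hits = Counter()
    for _, clear_ip, _, clear_end in direct:
        for _, exit_ip, _, tor_end in via_tor:
            if abs((clear_end - tor_end).total_seconds()) <= window_s:
                hits[(clear_ip, exit_ip)] += 1
    return dict(hits)


def ranked_suspects(log_text, exits, window_s=2.0):
    """Pairs ordered by number of coincident disconnects, strongest first."""
    hits = coincident_disconnects(log_text, exits, window_s)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (clear_ip, exit_ip), n in ranked_suspects(CONN_LOG, TOR_EXITS):
        print("%s <-> %s: %d coincident disconnect(s)" % (clear_ip, exit_ip, n))
```

The point of the ranking is that a single coincidence proves little, since an exit carries many users at once, but the same clearnet address and the same exit dropping together again and again is exactly the signal the text warns about. The throughput-modulation variant works the same way with per-connection byte counts in place of close times; the server does not need to control the network, only to read its own logs.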
License for the section "Do not connect to the same server anonymously and non-anonymously at the same time": [9]
Do not confuse anonymity and pseudonymity
This section explains the difference between anonymity and pseudonymity. Defining terms is always difficult because a majority consensus is required.
An anonymous connection is a connection to a destination server where that server is able neither to establish the origin (IP address / location) of the connection nor to assign an identifier to it [19].
A pseudonymous connection is a connection to a destination server where that server is unable to establish the origin (IP address / location) of the connection, but can assign an identifier to it [19].
In an ideal world, perfect anonymity could be achieved using the Tor network, the Tor Browser, the computer hardware, physical security, the operating system, and so on. For example, in such a utopia a user could visit a news site, and neither the news site nor the site's ISP would have any idea whether this user had visited before.
[20]
On the other hand, a non-ideal scenario arises if the software is used incorrectly, for example by using the standard Firefox browser over the Tor network instead of the hardened Tor Browser. The unlucky Firefox user still protects their original connection (IP address / location) from detection, but identifiers (such as cookies) can be used to turn the connection into a pseudonymous one. For example, the destination server can log that "a user with id 111222333444 watched Video A at Time B on Date C and Video D at Time E on Date F". This information can be used for profiling, which over time becomes more and more comprehensive. The degree of anonymity gradually decreases, and in the worst case this can lead to de-anonymization.
As soon as a user logs into an account on a website under a username, for example on webmail or a forum, the connection is by definition no longer anonymous but pseudonymous. The origin of the connection (IP address / location) is still hidden, but an identifier can be assigned to the connection [19]; in this case, the account name. Identifiers are used to log various things: when the user wrote something, the date and time of login and logout, what the user wrote and to whom, the IP address used (useless if it is a Tor exit node), the stored browser fingerprint, and so on.
Maxim Kammerer, developer of Liberté Linux [21], holds fundamentally different views on anonymity and pseudonymity that should not be withheld from the reader:
[22]
I have not seen a convincing argument for anonymity versus pseudonymity. Expanding anonymity is what Tor developers do in order to publish new scientific papers and justify funding. Most users only need pseudonymity, which is hiding location. Having a unique browser does not magically reveal the user's location if that user does not use this browser for non-pseudonymous sessions. Having a good browser header also means little anonymity, because there are many other ways to reveal more information about a client (for example, through differences in JavaScript execution).
Do not be the first to spread your link.
Resist the temptation to be one of the first to advertise your anonymous project! For example, it is unwise to spread links if the user:
- Created an anonymous blog or hidden service.
- Has a Twitter account with a large number of followers.
- Maintains a large news page on the clearnet or something similar.
The more separate the identities are kept, the better. Of course, at some point the user may or even should be "in the know" about a new project, but that point must be chosen with extreme caution.
Do not open random files and links.
If the user is sent a file of any type or a link to a file (or a random URL / resource) by email or other means, care is required regardless of the file format.
[23] The sender, mailbox, account or key could be compromised, and the file or link could have been specially prepared to infect the user's system when opened in the default application.
It is safer not to open the file with the standard tool its creator expects to be used. For example, a PDF does not have to be opened in a PDF viewer; if the file is publicly available, a free online PDF viewing service can be used instead. For greater security, PDFs can be sanitized in Qubes-Whonix, or the file or link can be opened in a DisposableVM, so that it cannot compromise the user's platform.
Do not use (mobile) phone verification
Websites like Google, Facebook and others will ask for a (mobile) phone number as soon as you try to log in via Tor. Unless the user is exceptionally clever or has an alternative, this information should not be provided.
Any phone number will be logged. The SIM card is most likely registered in the user's name. Even if it is not, receiving the SMS gives away the location. Users can try to buy a SIM card anonymously far from their usual home address, but there is still a risk: the phone itself. Each time it registers on the cellular network, the provider stores the serial number of the SIM card [24] and the serial number of the phone. [25] If the SIM card was bought anonymously but the phone was not, there is no anonymity, because the two serial numbers are linked together.
If the user really wants to pass mobile phone number verification, it is recommended to go far away from home and find a fresh phone with a new SIM card. After verification the phone should be switched off, and immediately afterwards the phone and the SIM card must be completely destroyed, by burning or other inventive (reliable) methods of destruction.
Users can try to find an online service that will receive the SMS on their behalf. This works and provides anonymity. The problem is that with Google and Facebook this method is unlikely to work, because they actively blacklist such verification numbers. Another option is to find someone who will receive the SMS instead of you, but this only shifts the risk onto another person.
[26]
Rationale
The reader may skip this section.
This article risks stating the obvious. But the question should be asked: "Obvious to whom?" All of the above may be mere common sense to developers, hackers, geeks and other technically skilled people.
But these groups tend to lose touch with non-technical users. It is sometimes helpful to read usability guides or feedback from people who never appear on mailing lists or forums.
For example:
Notes
1. ↑ https://lists.torproject.org/pipermail/tor-dev/2012-April/003472.html
2. ↑ Tor Browser should set the SOCKS user name for the request based on the referrer
3. ↑ The former are unlikely to ever delete data, since profiling is the main method of monetizing users with “free” accounts. Profiling is used for targeted advertising and for building up a large user database that can be sold to a third party for profit.
4. ↑ To Toggle, or Not to Toggle: The End of Torbutton
5. ↑ https://en.wikipedia.org/wiki/Server_log
6. ↑ https://en.wikipedia.org/wiki/Deep_packet_inspection
7. ↑ https://www.torproject.org/docs/faq.html.en#ChoosePathLength
8. ↑ https://www.torproject.org/docs/faq.html.en#ChooseEntryExit
9. ↑ This was originally published by adrelanos (proper) in TorifyHOWTO (w). adrelanos does not claim copyright, so the text can be reused here. It is published under the same license as the DoNot page.
10. ↑ Bridges # If_Tor_Use_is_Dangerous_or_Deemed_Suspicious_in_your_Location
11. ↑ In particular, Facebook keeps records of all who view pages with the Like button from Facebook.
12. ↑ https://www.securitee.org/files/trackblock_eurosp2017.pdf
13. ↑ The 15 largest third-party services: doubleclick.net, google.com, googlesyndication.com, googleapis.com, gstatic.com, admob.com, googleanalytics.com, googleusercontent.com, flurry.com, adobe.com, chartboost.com, unity3d.com, facebook.com, amazonaws.com and tapjoyads.com.
14. ↑ For example, Twitter's Tweet and Follow buttons and embedded tweets are used to record the history of pages visited in the browser. If you visit a page containing one of these, the browser makes a request to Twitter's servers containing the title of the visited page. A unique cookie lets Twitter build a history of visited pages, even for people who are not Twitter users (for example, if the Tor Browser is not used).
15. ↑ https://www.securitee.org/files/trackblock_eurosp2017.pdf
16. ↑ For example, advanced adversaries rely on third-party tracking cookies to de-anonymize Tor users and identify targets for hacking.
17. ↑ Since they are known to the recipient.
18. ↑ But this information is easy to establish from the ISP's records, which link Internet accounts to a registered name and address. Alternatively, it leaks through the real (clearnet) IP address originally used to register with the service, since registration via Tor is usually blocked.
19. ↑ For example, the identifier may be a (flash) cookie with a unique number.
20. ↑ Unfortunately, protection against fingerprinting is not yet perfect in any browser, and there are still open bugs. See tbb-linkability and tbb-fingerprinting.
21. ↑ http://dee.su/liberte
22. ↑ Quote (w)
23. ↑ For example: PDF, Word document, bitmaps, audio and video files, etc.
24. ↑ IMSI
25. ↑ IMEI
26. ↑ However, the recipient of the SMS is probably only a few "handshakes" away from the end user (at best).
Attribution
Thanks to intrigeri and anonym for sending feedback and suggestions for this page on the Tails-dev mailing list.
Permanent link to the wiki version of May 27, 2017