20 rules for excellent Tor Browser OPSEC

Although Tor includes a 3-step encrypted connection to keep you anonymous, violating the following rules would make that protection useless and could get you exposed. These are important OPSEC rules to consider when you are using the Tor Browser. Some of the rules below contain multiple points, all of them useful OPSEC.
1. First rule of the Tor Browser is: do not talk about Tor Browser. No one can be trusted with secrets. Not your mother, not your child, not your partner, not your counselor. Everyone talks eventually. Perhaps you know this by now. What isn't said isn't heard. Keep it to yourself. Privacy is power.
2. Second rule is DO. NOT. TALK. ABOUT. TOR BROWSER. I want you to pretend you are the average ignorant person who believes that Firefox Focus and Brave are the best privacy browsers available. Loose lips sink ships. Keep your Tor Browser activities to yourself and keep quiet. Period.
3. Keep your browser, OS and related apps updated to the latest version. Tor Browser, Tails and other privacy applications come with many vulnerabilities. Patches and feature updates solve these vulnerabilities so keep your software updated every single day to prevent compromises.
4. Use a password manager like KeePassXC. Create one master password with over 20 characters or a master passphrase with at least 7 randomly generated words. Use this to unlock KeePassXC. Once it is unlocked you can create and save strong new passwords for each new activity you do.
5. Always use open source, end-to-end encrypted software and services. Trusting proprietary services is never worth it. A Windows or Mac user can never know what information is being sent back to either company. Both of these operating systems could be storing all of your keystrokes.
The alternative operating system that is recommended by almost everyone for Tor Browser is Tails OS. Tails comes with a toolbox of privacy-enhancing applications and forces you to use good OPSEC. Remove the internal hard drives from your computer before booting into Tails. Tails or Jails.
It's also worth noting here that before using Tails you should enter your BIOS and disable WiFi, Bluetooth, webcam and speakers. Always use Ethernet cables when you can; it's safer and it's a faster connection. If you must use WiFi, consider using a disposable USB dongle which has WiFi capabilities.
6. Keep changing identities of your Tor Browser by clicking 'New Identity' in-between activities. When it matters use Tails and restart your computer in-between activities. This resets the circuits which protect your anonymity in case an adversary was using the exit node to track you.
7. Don’t connect to any external device when you are using Tor Browser like WiFi printers or cellular phones or Bluetooth devices. Isolate everything. An exception to this is if you are running a clean install of GrapheneOS on an up to date Pixel phone. It should be safe to tether via USB.
8. Always use Tails OS in order to randomize your MAC address. This is critical if you are using Tor while connected to a public network. Randomizing the MAC address means that no one knows who on that network is using Tor. This is enabled by default in Tails.
9. Why make it obvious to your ISP and AI-guided traffic analysis that you are using Tor? Use an obfs4proxy bridge at all times. You might consider trying a Snowflake bridge as well.
10. Don't lock the screen and walk away. Don’t put your computer on sleep mode. Don't get up and take a shower while your wallet is synchronizing. Get in and out. Leave no trace.
11. Do not install browser extensions or implement any sort of customization. The more extensions, plugins and themes you add the more unique you make your browser fingerprint.
12. Do not browse anything related to what you have searched for on the clearnet. Isolate your activities. This is important because although Tor and Tails keep you as anonymous as possible, you can blow the lid on yourself by revealing who you are from your search patterns.
13. Talk less than you have to. Even on an E2E encrypted chat service. Even with a trusted person. This is because if that guy’s computer is compromised your adversary can see those chats and you could be in trouble for whatever you said. If you think talking details is necessary talk in code.
14. Do not download files from suspicious websites. Even if it is only a .png file, once opened the virus has infected your system. Do not download or open PDF files, which can break your anonymity.
15. Don't reuse your usernames or passwords. KeePassXC can generate and save both usernames and passwords, so you have no excuse for reusing usernames or passwords. Stay within onion sites as much as possible, jumping from onion to onion. When you visit other sites like .com sites it can be risky.
16. Most important rule: manually disable JavaScript and set Tor to the Safest mode under Privacy and Security. Never enable JavaScript. The quest to find services that work in Tor Browser without JavaScript is a worthwhile endeavor. Try the website 'kycnot.me' as a starting point.
If you are interested in going a step beyond this, install DD-WRT on your router and block JavaScript and cookies using the DD-WRT router. It's best to get a newer, more expensive DD-WRT compatible router for this purpose. In fact you should be using DD-WRT at all times. Learn to configure it for security.
17. Don't be dumb. Resist the urge to listen to sites telling you to violate these rules. An example could be a website telling you to download software or enable JavaScript. Websites like these are often used to expose you.
18. Don't admit to using Tor Browser. Zip it! If you are ever approached by an adversary, you ask the questions. Ask them 'Am I under arrest?' If the answer is no, ask them 'Am I being detained?' If the answer is no once again, then you are within your rights to walk away.
19. Guard your electronics. Do you want the men in black to sneak into your house when you aren't home and plant a bug in your router or your computer? I didn't think so. Better get some big dogs and a foolproof surveillance system. Buy a large safe. Do whatever you have to do to stay safe.
20. Always use E2E encrypted email services such as Mailfence and Tutanota. I have had some trouble trying to sign up for these free services when using Tor Browser. Guerrilla Mail and Onionmail.org/Thunderbird work with Tor Browser and without JavaScript but will only allow you to receive emails.
The quest to find a free email service that just works in Tor Browser without JavaScript is ongoing. Another option is to create a website anonymously by paying with crypto. You should get an email associated with this website. You can use this email with the anonymous Thunderbird email application in Tails.
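For rule 4, an added example (not part of the original post) that generates a 7-word master passphrase or a 21-character password and shows how much guessing entropy each gives. `SAMPLE_WORDS` is a constructed 16-word list and the function names are illustrative; a real list needs thousands of entries, for example the 7776 words of a Diceware-style list.

```python
import math
import secrets
import string

# Constructed sample list for the demo only; far too small for real use.
SAMPLE_WORDS = ["anchor", "birch", "copper", "delta", "ember", "fjord",
                "glacier", "harbor", "indigo", "juniper", "kettle",
                "lantern", "meadow", "nickel", "orchid", "pebble"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent, uniform choices from `pool_size` options."""
    if pool_size < 2 or picks < 1:
        raise ValueError("need at least 2 options and 1 pick")
    return picks * math.log2(pool_size)


def picks_needed(pool_size, target_bits):
    """Smallest number of picks that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(pool_size))


def make_passphrase(words, count=7, sep=" "):
    """Pick `count` words with the OS CSPRNG (secrets), not the random module."""
    unique = sorted(set(words))  # duplicates would silently shrink the pool
    if len(unique) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(unique) for _ in range(count))


def make_password(length=21):
    """Random password of `length` characters ("over 20" in rule 4)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print("passphrase:", make_passphrase(SAMPLE_WORDS))
    print("password:  ", make_password())
    # Seven words are only strong when the list is large.
    for size in (len(SAMPLE_WORDS), 7776):
        print(f"7 words from {size:>4}-word list: "
              f"{entropy_bits(size, 7):.1f} bits")
    print(f"21 chars from {len(ALPHABET)} symbols: "
          f"{entropy_bits(len(ALPHABET), 21):.1f} bits")
```

The numbers only hold when every word or character is chosen uniformly at random; words a person picks themselves do not count as random picks.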
Our Onion:
http://owzfedcosfvkk7tucoaubwugb7fwpdjszfpllby5bwihrevzhykdwtid.onion