Know your onions


Tor is a browser you should add to your desktop if you want to surf anonymously. It was originally developed to protect government communications — the US Navy, no less — but can be used to protect anyone against a common form of internet surveillance called “traffic analysis”.

But before we get into that, try it out for yourself.

First off, visit this site, in your regular, day-to-day browser.

You’ll find it returns a surprising amount of data under five different tabs, including your location, operating system name, browser type and version, even your screen resolution. All of this can be used to uniquely fingerprint your browser, but the most telling detail is your IP address.

Now install Tor. It’s free and available for Linux, Mac and Windows. You’ll find full instructions on the site.

With Tor running, click on the Test Tor Network Settings link, or try this one. It’ll return a message saying whether Tor is working (or not!) and what your new IP address is.

If you revisit the first site, you’ll find all your details suggest your browser is now located somewhere else on the planet.

Woot, anonymity!


How it works

Tor uses a process called “onion routing”. (In fact its name was originally an acronym for “The Onion Router”.) The eye-watering bit refers to its layers, nested like the layers of an onion, that distribute your traffic around numerous places on the internet so that your data packets take random pathways through various relays. The result is that no observer at any single point can tell where traffic has come from or where it’s going to.

There’s a full illustrated explanation of the system here.
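
The layering described above, as an added sketch that is not code from Tor or from the original post: the client wraps a message once per relay, and each relay peels one layer and learns only the next hop. The relay names, keys and the SHA-256 keystream are assumptions made up for illustration; the keystream is a toy stand-in, not the cipher Tor uses.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(route, destination, message):
    """Client side: build the onion from the inside out.
    route is [(relay_name, key), ...] in the order traffic travels."""
    next_hop, payload = destination, message
    for name, key in reversed(route):
        layer = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
        payload = keystream_xor(key, layer)
        next_hop = name
    return next_hop, payload  # first relay to contact, fully wrapped onion

def peel(key, blob):
    """Relay side: remove exactly one layer and learn only the next hop."""
    layer = json.loads(keystream_xor(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def simulate(route, destination, message, client="client"):
    """Pass the onion along the circuit, recording what each relay can see."""
    keys = dict(route)
    hop, blob = wrap(route, destination, message)
    views, previous = [], client
    while hop in keys:
        next_hop, inner = peel(keys[hop], blob)
        views.append({"relay": hop, "from": previous, "to": next_hop,
                      "sees_plaintext": inner == message})
        previous, hop, blob = hop, next_hop, inner
    return views, hop, blob

# Constructed sample circuit: names and keys are made up for this example.
ROUTE = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]

if __name__ == "__main__":
    views, dest, delivered = simulate(ROUTE, "example.org", b"GET / HTTP/1.1")
    for view in views:
        print(view)
    print(dest, delivered)
```

No relay's view contains both the client and the destination. The exit relay does see the innermost payload, which is why the HTTPS advice further down matters.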


Bad habits

Of course no system is foolproof — because fools are ingenious — so there are one or two things to watch out for that may compromise your anonymity.

Don’t torrent over Tor
File-sharing applications often ignore proxy servers and invariably send out your real IP address in tracker GET requests. That’s how torrents work, so layering on Tor will give you no protection.

Don’t add other browser plugins
The Tor browser actively blocks plugins like Flash, RealPlayer and Quicktime because they absolutely compromise your anonymity. Other plugins may do likewise. So that means YouTube videos are blocked by default, but YouTube do have an opt-in feature, which you can enable here. It seems to work fine with Tor.

Look out for HTTPS sites
The ‘S’ stands for ‘Secure’ and Tor tries to enforce that end-to-end encryption by using the HTTPS Everywhere plugin. Most major sites support HTTPS, but double-check the URL bar if you’re asked for sensitive information.

Don’t open the documents you download while on Tor
This particularly applies to DOC and PDF files, which can contain internet resources that will be downloaded outside of Tor. That will of course reveal your non-Tor IP address. Here’s what the Tor site has to say on the matter:

If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled.

Browser fingerprinting

Browser fingerprinting is yet another subtle way of spying on users. Every time your browser connects to a website, it offers up some helpful information about itself — like the timezone it’s in, your browser brand and version, plugins installed, screen size, system fonts used, etc.

This can be used to “fingerprint” your browser.

To check yours out, check this link out.

That will take you to Panopticlick, an Electronic Frontier Foundation website to test your browser.

Of the 4.6 million tested so far, my browser was unique:


That adds up to yet another way of tracking users on the web.

As the report detailing the technique says:

Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies, IP addresses and supercookies when we discuss web privacy and user trackability.

… browsers reveal so much version and configuration information that they remain overwhelmingly trackable. There are implications both for privacy policy and technical design.