All About Tor


Agenda

  • Fill in this section
  • With your agenda for the day
  • To help your audience stay focused!

Let's begin

  • Do you use Tor?
  • If not, why not?
  • If yes, do you have any questions, concerns, issues, or doubts about using it?
  • Do you teach others about Tor?

What is Tor?

  • Tor is free software and an open network.
  • Mitigates tracking, surveillance and censorship.
  • Run by a US non-profit and volunteers from all over the world.
  • It's Tor, not TOR.

Why do we need Tor?

  • Government mass and targeted surveillance.
  • The business model of the Internet: big data, advertising, non-consensual tracking.
  • Surveillance threats from family, bosses, bad people on the Internet.

Why do you need Tor?

  • Let's discuss the work you do
  • Adversaries and challenges
  • Mitigations
  • How Tor can help

little-t Tor or core tor

  • Tor the network daemon (a computer program)
  • Presents a SOCKS or HTTP proxy
  • Location and source anonymity, similar to a VPN or regular proxy (but better!)
  • Network of relays in many parts of the world

How Tor relays work

Who can see your activity without Tor or HTTPS?

Who can see your activity with Tor and HTTPS?

Tor Browser

  • little-t tor plus patched Firefox
  • Anyone snooping can't see the websites you visit
  • Websites can't track you or see other sites you visit (cross-tracking)
  • Prevents other privacy violations like fingerprinting or 3rd party cookies
  • Writes nearly nothing to disk
  • No browser history
  • Cross platform: Windows, macOS, Linux and Android

Tor Browser features

Tor Browser

Tor Browser 10

Tor Browser in other languages

  • Go to https://torproject.org
  • Select the language on dropdown menu
  • Or select "Download in another language or platform"

Downloading Tor Browser

Running Tor Browser for the first time

Tor Browser connection screen

Using Tor Browser

  • Default search engine: DuckDuckGo
  • Bundled with NoScript, HTTPS Everywhere
  • You should not add any other extensions or enable any plugins (e.g. Flash)!
  • Best practices
  • Websites won't know anything about you unless you log in and tell them.

Changing your Tor circuit

Clicking on the padlock will show your current Tor circuit (and "New Circuit for this site" option)

Updating Tor Browser

Uninstalling Tor Browser

  • Uninstalling Tor Browser is as easy as moving the folder to the trash! Then, empty the trash.
  • Default Tor Browser folder locations:
      • Windows: desktop
      • macOS: move the Tor Browser application to Trash, and also the TorBrowser-Data folder in ~/Library/Application Support/
      • Linux: home, or look for a name like "tor-browser_en-US"

Troubleshooting Tor Browser

More Tor Browser


Tor settings

  • Tor settings: censorship mitigation options; access to Tor log

Security Level

NoScript

  • It's not advisable to change settings in the NoScript "options" menu.
  • For example, adding sites to the "whitelist" can result in fingerprinting.
  • Instead, only "temporarily trust" blocked objects, or use the security slider (Standard, Safer, Safest).

NoScript example

DuckDuckGo

DuckDuckGo Onion site

Plugins, add-ons, JavaScript

  • Do not add any new add-ons/extensions to Tor Browser, and don't enable any plugins.
  • For example, the Flash plugin can reveal your real location.
  • JavaScript is enabled by default, but is sanitized to preserve anonymity.
  • To prevent possible JavaScript vulnerabilities, use the "safest" setting in the security slider.

Mobile Tor


Things to know about mobile Tor

  • The design of mobile devices makes full privacy impossible.
  • Mobile Tor is best for censorship prevention.
  • Can also provide better privacy for some threat models.
  • We're making it better all the time and better options for mobile devices are coming out soon.

Tor Browser for Android

  • You don't need to install two apps (Orbot and Orfox) anymore.
  • Find it on Google Play.
  • Or Guardian Project repository in F-Droid.
  • Or download the apk.

Onion Browser

  • Tor Browser for iOS
  • Find it in the App Store
  • Lots of fake Tor Browsers for iOS
  • Crashes on sleep

Orbot

Using Orbot

  • Tor proxy for Android
  • Find it on the Play Store or F-Droid
  • Use it to run other apps through Tor (like Twitter)
  • Click start to run
  • You can choose your exit country if you want (some countries don't have exits!)

Using Orbot

  • Toggle "VPN mode" on main screen
  • Then click "Orbot-enabled apps"
  • Then select the apps you want to proxy with Tor

How do I get help using Tor?


Help using Tor

If you find a bug in Tor

Circumventing censorship with Tor


What to do when Tor is blocked?


I downloaded Tor Browser, but it won't connect

  • If this screen takes a long time and does not connect, you may need a bridge or pluggable transport.

When torproject.org is blocked

  • Mirrors
      • https://tor.eff.org/
      • http://tor.calyxinstitute.org/ (if https is blocked)
  • GetTor email: gettor@torproject.org
      • Contact from a Gmail or Riseup account
  • Flash drive with Tor on it from someone you trust
      • Get the EXE, DMG, tar.xz, don't copy the installed folder
  • Downloading Tor Browser from a non-official source is dangerous!

Bridges and pluggable transports

  • Bridges are relays that are not listed publicly
  • Get bridges directly from Tor Browser (moat)
  • Or from the website https://bridges.torproject.org, or send an email to bridges@torproject.org from a Gmail or Riseup.net account
  • Or get a bridge address from a trusted person
  • Pluggable transports can be used like bridges to disguise Tor traffic (also called "built-in bridges")

Request a bridge

Or select a built-in bridge

Built-in bridge

Pluggable transports

  • obfs4: makes Tor traffic look random; works in many situations including China (if not, try meek).
  • meek-azure: makes it look like Microsoft traffic; works in China.
  • snowflake: proxies traffic through temporary proxies using WebRTC. https://snowflake.torproject.org

OONI

  • Open Observatory of Network Interference: https://ooni.torproject.org
  • Country-level reports of specific censorship tools in use on certain websites
  • View their reports: https://explorer.ooni.org/
  • Or use your own OONI Probe to test websites: available in App Store and Google Play.

Sharing content anonymously with Tor


What are Onion Services?

The regular internet allows adversaries to see what you are sharing and with whom, whether you're using Dropbox etc., downloading it from email, or through your browser...

...so Tor devised a sneaky way to hide both the file data and the related metadata!

Onion Services

  • Protection for both the user and the server
  • User learns about xyz.onion
  • Client and service meet at rendezvous point in the Tor cloud
  • End-to-end encrypted without HTTPS
  • Connections never go out to the "vanilla" internet

ProPublica Onion site

OnionShare

  • Secure, private, anonymous file sharing done easy, built on top of the Tor network.
  • Uses onion services to securely send files.
  • Creates an onion service where the file can be downloaded.
  • No need to trust third parties like Dropbox.
  • Download from https://onionshare.org

OnionShare

  • Click "Start sharing" to share files. Or select another option: host a static website, receive files, anonymous chat.
  • Your contacts only need to have Tor Browser installed.

OnionShare

  • Once the file is added, click "start sharing".
  • Tip: To allow downloading more than once, e.g. for your group, uncheck the first box.

OnionShare

  • Copy and share the address with your contacts (e.g. chat room, Signal group).

OnionShare

  • When they finish downloading, you'll see a notification alert in OnionShare's history.

Thank you!


PGP FINGERPRINT

name - email@example.com