Category Archives: Tor Browser

Preserving your privacy on the net is no easy task nowadays with so many security risks and potential prowlers out there.

Tor Browser is a toolset that's designed for anyone who wants to improve their safety and security on the Internet. It can help you anonymize web browsing and publishing, instant messaging, and other applications that use the TCP protocol. For business users, it means that confidential exchanges of information can be kept from prying eyes and for more general users, it means that ISPs, keyloggers and other types of malware can't track your activities easily.

It works by bouncing traffic around a distributed network of servers which it calls "onion routers" (hence the logo). The Tor Browser interface allows you to easily toggle it on and off based on when you need to go online anonymously - there's no need to restart your computer when you've done so. If you want, you can also choose from various proxy tunnels based on a world map which displays exactly where each one is located.

To check it's working, you can use the online Tor detector to see if you're surfing anonymously or not. Connection can take some time depending on how many users are logged onto the network at any one time but usually its very quick. The Tor onion logo turns from yellow to green in your taskbar when a successful connection has been made.

Tor is simple, well organized and effective tool for anyone worried about security or invasions of privacy online.

Follow this link:
Tor Browser Download

Open network of private data tunnels, which preserves anonymity and fights censorship

TOR is a software that is used by people who wish to protect their anonymity while they participate in online activities. The TOR software allows for anonymity by directing online traffic through a series of relays that thwarts any surveillance attempts. By doing so, it becomes very difficult, if not entirely impossible, to trace a TOR user's online activities. The NSA has called TOR the leader in Internet anonymity software, with no other immediate contenders to their throne.

TOR uses several different layers of encryption, TOR is actually an acronym for The Onion Router. TOR enables users to hide their IP address by sending traffic through a series of digital relays. Each relay further increases the level of obscurity until it becomes virtually impossible to trace back the traffic to the actual user. This is all done without the original IP address ever being revealed.

Pros:

Cons:

Developed by AnchorFree, this software application lets people connect to the internet via Virtual Private Network

FREE 10GB VPN: ZPN Connect VPN for WiFi Hotspot

At the time of downloading you accept the EULA and privacy policies stated by Jaleco. The download will be executed through a download manager that belongs to Jaleco. The mentioned download manager doesn't have any relationship with the author. It can be downloaded as well freely from the author's website. Jaleco aims to offer downloads free of viruses and malware.

The download manager is part of our virus and malware filtering system and certifies the file's reliability. Additionally, the download manager offers the optional installation of a toolbar.

View original post here:
Tor Browser - Free Download

Tor Browser Bundle is a web browser based on Firefox ESR (Firefox with extended support), configured to protect users' privacy and anonymity by using Tor and Vidalia, tools that come bundled with it. The bundle also includes 4 Firefox extensions: TorButton, TorLauncher, NoScript and HTTPS-Everywhere.

When launching TorBrowser, it automatically starts the bundled Tor, anonymizing the origin of your traffic and encrypting everything inside the Tor network. Because the traffic between the Tor network and its final destination is not encrypted, Tor Browser ships with HTTPS-Everywhere, an extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation that encrypts your communications with many major websites, making your browsing more secure.

Once you close TorBrowser, the list of visited websites and the cookies are deleted.

Tor Browser Bundle is easy to run on Ubuntu / Linux, but to make it integrate with the menu / Dash and for easier updates (since you must manually download and install newer versions), I've created an Ubuntu PPA so you can easily install and stay up to date with the latest Tor Browser Bundle.

But that's not something you need to worry about, as everything is done in the background so all you have to do is add the PPA, install Tor Browser Bundle and start the browser from the menu / dash, like with any other application.

To add the WebUpd8 Tor Browser Bundle PPA and install the application in Ubuntu / Linux Mint and derivatives, use the following commands in a terminal:

Removing Tor Browser Bundle requires, besides removing the installed package, to also remove the ~/.tor-browser-en folder - that's where the package is installed after you run it from the menu / Dash for the first time. So if you want to remove Tor Browser Bundle, close it and use the following commands:

Read the rest here:
Tor Browser Bundle - Web Upd8: Ubuntu / Linux blog

It is recommended[1], that you use only Tor Browser for browsing the web in Whonix.

Tor Browser[2] is a fork[3] of the Mozilla Firefox[4] web browser, optimized[5] and designed[6] for anonymity, developed by The Tor Project[7]. Given Firefox's popularity, many of you have probably used it before and its user interface is like any other modern web browser.

Here are a few things worth mentioning in the context of Whonix.

When you were to use other browsers than Tor Browser, your IP/DNS would still be protected by Whonix, but you wouldn't profit from Tor Browser's protocol level cleanup. Using other browsers would be pseudonymous rather than anonymous.

Tor Browser in comparison to other browsers is optimized for anonymity, it contains privacy enhancing patches[8] and add-ons[9]. There are no other browsers other than Tor Browser capable of protocol level cleanup. When you use Tor Browser, you will blend in and share the Fingerprint of other Tor Browser users, which is a good thing.

Using HTTPS instead of HTTP encrypts your communication while browsing the web.

All the data exchanged between your browser and the server you are visiting are encrypted. It prevents the Tor exit relay to eavesdrop on your communications.

HTTPS also includes mechanisms to authenticate the server you are communicating with. But those mechanisms can be flawed, as explained on our warning page.

For example, here is how the browser looks like when we try to log in an email account at lavabit.com[10], using their interface[11]:

Notice the small area on the left of the address bar saying "lavabit.com" on a blue background and the address beginning with "https://" (instead of "http://"):

These are the indicators that an encrypted connection using HTTPS[12] is being used.

You should try to only use services providing HTTPS when you are sending or retrieving sensitive information (like passwords), otherwise it's very easy for an eavesdropper to steal whatever information you are sending or to modify the content of a page on its way to your browser.

HTTPS Everywhere[13] is a Firefox extension shipped in Tor Browser and produced as a collaboration between The Tor Project[14] and the Electronic Frontier Foundation[15]. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

To learn more about HTTPS Everywhere you can see:

Tor alone is not enough to protect your anonymity and privacy while browsing the web. All modern web browsers, such as Firefox, support JavaScript[16], Adobe Flash[17], cookies[18] and other features which have been shown to be able to defeat the anonymity [19] provided by the Tor network.

In Tor Browser all such features are handled from inside the browser, because it's a modified version of Firefox Patches[20] and it contains an extension called Torbutton[21]. These do all sorts of things to prevent the above type of attacks. But that comes at a price: since this will disable some functionalities and some sites might not work as intended. Don't worry too much about this, the vast majority of websites works very well.

To learn more about Torbutton you can see:

To learn more about Data Collection Techniques, Fingerprinting you can see:

The New Identity button on Tor Browser isn't perfect yet (NOT a Whonix issue), there are open bugs.[22]

How.

Please understand New Identity and Tor circuits to learn what this actually does and what its limitations are.

Having all JavaScript disabled by default would disable a lot of harmless and possibly useful JavaScript and render unusable many websites. This would scare away lots of potential users "because it just doesn't work". Torbutton disables all potentially dangerous JavaScript. On the other hand, having a big user base is important for good anonymity as this very interesting mail by Roger Dingledine explains.[23]

That's why JavaScript is enabled by default in Tor Browser. We consider this as a necessary compromise between security and usability and as of today we are not aware of any JavaScript that would compromise Whonix anonymity.

For more technical details you can refer to the Torbutton design document.[24] Another related discussion justifying why JavaScript is enabled by default in Tor Browser was on tor-talk, "Tor Browser disabling Javascript anonymity set reduction".[25]

NoScript also comes with Tor Browser and provides many protections, even though JavaScript is enabled by default. You shouldn't mess with NoScript settings in Tor Browser unless you exactly know what you are doing.

For more information you can refer to the NoScript website and features.

It might be better for privacy and anonymity not to maximize the Tor Browser window.

The regular Tor Browser Bundle and Tor Browser in Whonix slightly differ. The environment Tor Browser is running in has been adjusted by Whonix to work behind the Whonix-Gateway. The network and browser fingerprint however, is the same.

Tor Browser's internal update check mechanism is untouched and works fine. Default homepage is currently blank instead of original about:tor. [26]

Short: You don't need to change any proxy settings in Tor Browser.

Long: [27]

For better isolation of different identities. For advanced users. Moved to the Advanced Security Guide.

As of Whonix 11, you will be notified about new Tor Browser versions by whonixcheck - this will be deprecated in Whonix 12 (no more need).

Tor Browser's Internal Updater, built in stock update notification mechanism also works in Whonix. Use it.

Tor Browser Updater (Whonix) does not yet notice upgrades done by the internal updater. This will be fixed in Whonix 12.

The Tor Project configured Tor Browser since version 5.0 to update itself. [28]

Additionally it might also be wise to subscribe to blog of the creators of Tor Browser https://blog.torproject.org for news.

Tor Browser Downloader (Whonix) was previously called Tor Browser Updater (Whonix). It has/will be renamed in Whonix 12 to Tor Browser Downloader (Whonix), because it is incapable of keeping user data, for example bookmarks and passwords. If you would like to keep your user data, use Tor Browser Internal Updater instead.

Here are some (older) Tor Browser Downloader (Whonix) Screenshots.

(Also available as CLI version.)

Tor Browser version check and update (after confirmation) in Whonix can be done with:

Helps to keep you safe.

There is currently no reliable way for a program to securely determine the latest stable version of Tor Browser with reasonable certainty. [29][30] When the version format changes, the automated parser of version information could falsely suggest, a still considered secure, stable version that is not the latest stable version, an alpha, beta or rc (release candidate) version. Rather, you could be the target of a denial of service, indefinite freeze or rollback (downgrade) attack. [31][32]

Therefore the intelligence of the user is utilized as a sanity check. The Download Confirmation Screen enables users to detect such situations and abort.

Version numbers you see under Online versions come from the Tor Browser online RecommendedTBBVersions versions file that is provided by The Tor Project and parsed by Whonix's Tor Browser Updater. All versions listed in that file are considered up to date, i.e. no upgrade required by The Tor Project.

TODO: expand

Helps to keep you safe.

There is currently no reliable way for a program to securely determine if your download of Tor Browser was a target of an indefinite freeze or rollback attack with reasonable certainty. [33][34]

When verifying cryptographic signatures there are multiple important aspects.

By the time you see the Installation Confirmation Screen, the verification of the signature [36] already succeeded, but again the intelligence of the user has to be utilized to make sure there the user is not target of an indefinite freeze or downgrade attack.

Previous Signature Creation Date: When Tor Browser was previously installed by tb-updater, then tb-updater will have stored the creation date of the accompanying signature the signed Tor Browser. The Previous Signature Creation Date field shows you that date.

Last Signature Creation Date: This field shows you the date of the creation of the signature that was just downloaded.

Here is a screenshot:

[37][38]

TODO: Expand.

A future update of Tor Browser by The Tor Project might make Whonix's Tor Browser Updater or Tor Browser running in Whonix-Workstation unusable. In case Tor Browser (Updater) inside Whonix-Workstation breaks, a news with instructions on how to fix the issue will be posted within a few days. If not, the Whonix developers are not aware of the issue.

If the Tor Browser update script is ever broken, you are advised to update manually, see Manually Updating Tor Browser.

Tor Browser's Internal Updater Popup Screenshot:

Tor Browser's Internal Updater Wizard Screenshot:

Here you can see a screenshot of Tor Browser's menu bar that contains Tor Browser's Internal Updater Update Symbol:

Tor Browser's Internal Updater Update Symbol: The following symbol is quite useful. It indicates, that Torbutton has found out, that there is an update.

A screenshot of about:tor, that is as useful as the above symbol:

Tor Browser is not installed by default anymore. If you are interested in the reasons why, see footnote. [39]

Note, accessing 127.0.0.1 using Tor Browser is no longer possible due to a change in Tor Browser by The Tor Project. You could set to transparent torification, but then you would be vulnerable to fingerprinting issues. See Tor Browser, Local Connections for more information and a workaround.

A proxy exception in TBB must be configured to interact with software listening on localhost, for example, YaCy. TBB blocks communication with localhost to mitigate some fingerprinting attacks[40]. Note that this exception means a small trade-off in privacy but is much safer than using another browser [41]. Read on about steps to further minimize the risks.

To add an exception click on:

Proxies have different instructions and will not work with these steps, see Tor Browser Proxy Configuration.

Threat Details

According to this Firefox ticket, JavaScript can be abused to scan internal networks, fingerprint devices, and make malicious commands to those devices if they have a web interface.

Analysis

There are no embedded devices attached to a Whonix internal network, its isolated and untrusted. However malicious JavaScript (JS) will be able to tell an attacker that a service is running on a localhost port. This can reduce your anonymity set.

Malicious misconfiguration of daemons listening on localhost is possible but with limited impact because traffic is still forced through Whonix-Gateway.

Recommendations

Possible extra actions would be to:

Misc

Due to a bug in Tor Browser [42], extra steps are required to use proxies with Tor Browser. Note that these instructions do not apply to accessing local web-interfaces.

1. Install FoxyProxy add-on in Tor Browser

2. Change Tor Browser Settings:

See Browser Plugins.

If you want the browser interface in a different language than English, see Language.

To protect the system and your data from some types of attack against Tor Browser, you could consider to install Whonix's Tor Browser AppArmor profile.

As a consequence, it can only read and write to a limited number of folders. This is why you might face Permission denied errors, for example if you try to download files to the home folder. You can save files from Tor Browser to the ~/Downloads folder that is located in the home folder. If you want to upload files with Tor Browser, copy them to that folder first.

This is an advanced topic.

As reported, setting a custom homepage in Tor Browser settings might not work.

Technical background: [43]

To set a custom homepage, you could try to purge the whonix-welcome-page package. [44] But this is difficult due to technical limitations as explained on the Whonix Debian Packages page.

Alternatively, could modify /usr/lib/whonix-welcome-page/env_var.sh, but these changes would be reverted after upgrade. [45]

Or you could set environment variable TOR_DEFAULT_HOMEPAGE to a custom value. Doing so would be similar setting environment variables as explained in #Transparent Torification - No Proxy - System Default.

This is an advanced topic. You most likely only need it in custom configurations, such as when using a Whonix-Custom-Workstation.

First of all, should it have failed, TorButton should notice, that it could not connect to Tor's ControlPort and should report, that giving a new identity failed. If you don't get such an error popup, it is a good indication, that there are no issues.

After the browser restarted, on the about:tor page, click "Test Tor Network Settings". It will lead to https://check.torproject.org (check.tpo) (or manually visit check.tpo, it doesn't matter.). In most cases (Not all! [46]) you should have a new exit relay. Check.tpo should report different IP.

On Whonix-Gateway, watch Control Port Filter Proxy's log while using TorButton's New Identity feature.

If you see something like this.

Then Control Port Filter Proxy received the request from Tor Browser and got Tor's okay, that it worked.

This is an advanced topic. You most likely only need it in custom configurations, such as when not using Control Port Filter Proxy.

Simulate, what TorButton would do.

1. Close Tor Browser. 2. Get new identity on Whonix-Gateway using arm. 3. Start Tor Browser again. 4. Done.

This is an advanced topic. You most likely only need it for advanced tunneling scenarios.

Go here to see the original:
Tor Browser - Whonix

Description

Onion Browser is a Tor-powered web browser that helps you access the internet with more privacy.

Featured in: The New York Times, The Guardian, Salon, TechCrunch, Gizmodo, Boing Boing, Lifehacker, Macworld, & others.

--------------------

Internet access tunneled over the Tor network: - Websites do not see your real IP address. - ISPs and insecure wireless networks cannot see your browsing. - Access .onion websites: anonymous "hidden service" sites only accessible through Tor. - Can access websites, even behind some types of internet filters and censors. (See DISCLAIMERS below.)

Fight online tracking: use a new IP address and clear your cookies/history/cache in one button.

Block third party cookies or all cookies.

Disable scripts and multimedia content that can be used to track you.

DISCLAIMERS: Web browsing is much slower than through a normal web browser due to relaying through the Tor anonymization network.

Multimedia can bypass Tor and compromise your privacy; video files and video streams are not supported and are blocked by default.

Onion Browser does not function in China, Iran, and other locations that actively block Tor with "deep packet inspection" technology. Internet providers who use such filtering/censorship technology may also prevent Onion Browser from working. If you find that the app does not work, visit the Help/Support page to see what you can do.

Onion Browser is open-source software and relies on other projects including The Tor Project and OpenSSL. Use of Onion Browser is at your own risk; sensitive data does not always belong on a mobile device. More information is always available at onionbrowser.com

Allow pasting in the bridges.torproject.org text blob to set bridges, like the Tor Browser launcher.

Allow scanning QR code from bridges.torproject.org to set bridges.

On first run, allow user to configure bridges before trying to connect to Tor.

Tor updated to 0.2.6.5-rc.

OpenSSL updated to 1.0.2a.

Redesigned "Connecting..." prompt when opening the app.

I've been using Onion Browser for 2+ years, and I can say that it's truly the BEST implementation of Tor on the iPhone, from a security standpoint. It's stable, it works (I'm looking at you, reviewer who claimed it didn't), the features that leak the most information and stray data are turned off (video and audio streaming, among other things), and Mr. Togas promptly updates OB when new versions of Tor are released.

What some are seeing are most likely the messages that indicate that a Tor site has been taken down by it's owner. These are not an indication of the browser not working, these are dead sites.

This is the only TOR client I would trust in my iPhone since it is open source, peer reviewed and been through 3rd party security audits. The reviewers that say this app doesn't work are doing something wrong (I suggest you try bridging) because I have no problem with this app, and you can even run it on top of a trustworthy VPN service to add an additional layer of security if so desired

Been a big fan but core needs to be updated to latest version. Major update promised in March has not materialized.

This is the only TBB though that's been through a security audit with a 3rd party firm. All the others are not as secure as you think.

By nature Tor browser is slow. If it doesn't work, chances are your ISP or network are blocking Tor. Not the browsers fault! Same thing would happen with any other available on the App Store

Continue reading here:
Onion Browser on the App Store on iTunes - Apple

Tor Browser is a web browser based on Mozilla Firefox and configured to protect your anonymity. Given the popularity of Firefox, you might have used it before and its user interface is like any other modern web browser.

Some frequently asked questions about the browser can be found in the FAQ.

Here are a few things worth mentioning in the context of Tails.

Tor Browser in Tails is confined with AppArmor to protect the system and your data from some types of attack against Tor Browser. As a consequence, it can only read and write to a limited number of folders.

This is why you might face Permission denied errors, for example if you try to download files to the Home folder.

You can save files from Tor Browser to the Tor Browser folder that is located in the Home folder. The content of this folder will disappear once you shut down Tails.

If you want to upload files with Tor Browser, copy them to that folder first.

If you have activated the Personal Data persistence feature, then you can also use the Tor Browser folder that is located in the Persistent folder. In that case, the content of this folder is saved and remains available across separate working sessions.

To be able to download files larger than the available RAM, you need to activate the Personal Data persistence feature.

Using HTTPS instead of HTTP encrypts your communication while browsing the web.

All the data exchanged between your browser and the server you are visiting are encrypted. It prevents the Tor exit node to eavesdrop on your communication.

HTTPS also includes mechanisms to authenticate the server you are communicating with. But those mechanisms can be flawed, as explained on our warning page.

For example, here is how the browser looks like when we try to log in an email account at riseup.net, using their webmail interface:

Notice the padlock icon on the left of the address bar saying "mail.riseup.net" and the address beginning with "https://" (instead of "http://"). These are the indicators that an encrypted connection using HTTPS is being used.

You should try to only use services providing HTTPS when you are sending or retrieving sensitive information (like passwords), otherwise its very easy for an eavesdropper to steal whatever information you are sending or to modify the content of a page on its way to your browser.

HTTPS Everywhere is a Firefox extension included in Tor Browser and produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

To learn more about HTTPS Everywhere you can see:

Tor alone is not enough to protect your anonymity and privacy while browsing the web. All modern web browsers, such as Firefox, support JavaScript, Adobe Flash, cookies and other services which have been shown to be able to defeat the anonymity provided by the Tor network.

In Tor Browser all such features are handled from inside the browser by an extension called Torbutton which does all sorts of things to prevent the above type of attacks. But that comes at a price: since this will disable some functionalities and some sites might not work as intended.

In Tails, the circuit view of Tor Browser is disabled because we are not sure whether it would have security implications in the particular context of Tails (see #9365 and #9366). This feature is safe to use outside of Tails.

You can see the Tor circuits in the network map of Vidalia.

Having all JavaScript disabled by default would disable a lot of harmless and possibly useful JavaScript and render unusable many websites.

That's why JavaScript is enabled by default in Tor Browser.

But we rely on Torbutton to disable all potentially dangerous JavaScript.

We consider this as a necessary compromise between security and usability and as of today we are not aware of any JavaScript that would compromise Tails anonymity.

To understand better the behavior of Tor Browser, for example regarding JavaScript and cookies, you can refer to the Tor Browser design document.

You can use the security slider of Torbutton to disable browser features as a trade-off between security and usability. For example, you can use the security slider to disable JavaScript completely.

The security slider is set to low by default. This value provides the default level of protection of Torbutton and the most usable experience.

To change the value of the security slider, click on the button and choose Privacy and Security Settings.

The New Identity feature of Tor Browser:

This feature is not enough to strongly separate contextual identities in the context of Tails as the connections outside of Tor Browser are not restarted.

Shutdown and restart Tails instead.

For more details, see the design and implementation of the Tor Browser.

To allow more control over JavaScript, for example to disable JavaScript completely on some websites, Tor Browser includes the NoScript extension.

By default, NoScript is disabled and some JavaScript is allowed by the Torbutton extension as explained above.

For more information you can refer to the NoScript website and features.

See original here:
Tails - Browsing the web with Tor Browser

Are you a frequent visitor of thedeep web? Is the Tor Network a necessity for youronline anonymity?

You must download the new release for the Tor Browser,Tor Browser 4.5, that was designed with a variety of improvements. The developers at the Tor Project have introduced a number of security, privacy and usability enhancements in theTor Browser 4.5.

On theprivacyfront, theTor Browser 4.5 improves thefirst party isolationfeature that is designed to prevent third party company tracking online activities of the Tor users.

First party isolation provides the property that third party advertisements, like buttons, and mashup content that is included on one site will only know about your activity on that site, and will not be able to match it to your activity while you are on any other site. In other words, with first party isolation, Facebook, Twitter, and Google+ cant track you around the entire web using theirinfamous like buttons. reads a blogpostaboutTor Browser 4.5.

Additionally, the Tor Browser 4.5improves the resolution and locale fingerprinting defenses, developers have disabled thedevice sensor and video statistics APIs.

On the security front, the TorBrowser 4.5 comes with a new Security Slider designed to provide a user-friendly vulnerability surface reduction and allow users to choice the proper security level.

The slider is available from the menu item Privacy and Security Settings.

The Security Slider provides user-friendly vulnerability surface reduction as the security level is increased, browser features that were shown to have a high historical vulnerability count in the iSec Partners hardening study are progressively disabled. continues the post.

Another featurethat enhances the security of the Tor Browser 4.5 is the digital signature of the Windows packages with a hardware token donated by DigiCert CA.

The Tor Browser 4.5 also introduces anew obfs4 obfuscation protocol, which improve resistance for DPI and probing and prevents automated scanning for Tor bridges.

The new Tor Browser 4.5 also cames withDisconnectsearch engine by default, which provides private Google search results without Captchas or bans.

Dont waste time, download the newTor Browser 4.5!

PierluigiPaganini

(Security Affairs Tor Browser 4.5, Deep Web)

See the original post here:
Tor Browser version 4.5 - Security Affairs

An attack against Tor Browser users on Windows machines was discovered this Sunday, and there is speculation that the uncovered malware was used by a law enforcement agency to harvest the IP addresses of users of several hidden services hosted by Freedom Hosting. The malware exploits a serious JavaScript security vulnerability affecting Firefox and other products that share the same code base, including the Tor Browser.

If you are using software based on Firefox major version 21 or earlier, Thunderbird 17.06 or earlier, or SeaMonkey 2.18 or earlier, please update your software immediately. Tor Browser Bundle users who have not updated to the most recent version are also at risk, and so we've provided a screenshot tutorial for how to update the Tor Browser Bundle below.

Tor and the Tor Browser: Security and the Importance of Updating

Tor is a powerful anonymity tool that allows human rights activists, dissidents and whistleblowers to use web services anonymously to avoid harassment, imprisonment and in some cases death. Tor also allows users to circumvent several forms of surveillance and censorship. The Tor Browser is a modified version of Firefox that ships with the Tor Browser Bundle to provide users with an easy way to browse with Tor without any configuration required.

Given the importance of Tor to users around the world, the security of both Tor and the Tor Browser are absolutely critical. This type of attack cannot be narrowly focused on particular Tor or Tor Browser users suspected of breaking the law, and leaves vulnerable the multitude of other users worldwide who depend on these tools for anonymity. In this case, all users of older versions of the Tor Browser Bundle are potentially vulnerable and the issue requires immediate attention.

What Can Users Do?

Tor does not provide automatic security updates. Instead, the Tor Browser currently requires users to manually download and install the update of the Tor Browser Bundle. The Tor Project is working on a fix for this, and this attack highlights the importance of allowing users to auto-update. For now, if you are using an outdated version of the Tor Browser, you should update your Tor Browser Bundle software immediately. Here are detailed instructions for Windows users:

1. Open your current Tor browser, and determine what version of Firefox is running by clicking the "TorBrowser" button:

2. Click on "Help" -> "About TorBrowser" to determine your version. If it below 17.07, then you are vulnerable:

3. Click the TorButton icon and go to "Download Tor Browser Bundle Update":

4. You should be taken to the Tor Browser Bundle homepage, where you click to download the executable file:

5. Download this executable file. Click through the warning about launching the executable file:

6. Once the file is downloaded, extract the application either to the same directory where Tor exists or a new directory for this version:

7. Launch the "Start Tor Browser" executable from the same directory where you extracted the application and check the version to make sure that you're up to date.

If you see Firefox version 17.0.7 or greater, then you're up to date.

This particular attack appears to affect only Windows users who have not updated to the most recent version of the Tor Browser Bundle. Because of this and a variety of other reasons that make it challenging to use Windows securely, Tor advises that "switching away from Windows is probably a good security move." If moving to a different platform is not practical, it is especially important to keep up with software updates. The advisory also recommends that users concerned about their security consider disabling JavaScript and installing the Firefox add-on Request Policy, which allows you to control which origins are loaded from a given website.

Read more:
Tor Browser Attacked, Users Should Update Software Immediately ...

1 of 17

Use to navigate.

(Image Tor Project).

This tutorial was last updated on December 3, 2013.

With increased scrutiny by employers, schools and even governments becoming more commonplace, anonymity while browsing the Web has become a priority. Many users looking for an enhanced sense of privacy are turning to Tor (The Onion Router), a network originally created by the U.S. Navy and now used by countless Web surfers across the globe.

Motives for utilizing Tor, which distributes your incoming and outgoing traffic through a series of virtual tunnels, can range from reporters aiming to keep their correspondence with a secret source private to everyday Internet users wishing to reach websites that have been restricted by their service provider.

While some choose to exploit Tor for nefarious purposes, most Web surfers simply want to stop sites from tracking their every move or determining their geolocation.

The concept of Tor, as well as how to configure your computer to send and receive packets over the network, can prove overwhelming even to some Internet veterans. Enter the Tor Browser Bundle, a software package that can get you up and running on Tor with minimal user intervention. An open-source grouping of Tor combined with the graphical controller Vidalia and a modified version of Mozilla's Firefox browser, Tor Browser Bundle runs on Windows, Mac, Linux, and Android platforms.

This tutorial walks you through the process of obtaining and running Tor Browser Bundle so that your Web communications can once again become your business and yours alone.

Please note that no anonymization method is completely foolproof, and that even Tor users can be susceptible to prying eyes from time to time. It is wise to keep that in mind and always proceed with caution.

Mac users should skip directly to Step 10 at this point.

Go here to see the original:
How to Use Tor Browser for Anonymous Web Browsing

You need to change some of your habits, as some things won't work exactly as you are used to.

Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser. It is pre-configured to protect your privacy and anonymity on the web as long as you're browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.

Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that's how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.

The Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into the Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy.

Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon on that website. To help ensure private encryption to websites, the Tor Browser includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website. Also see EFF's interactive page explaining how Tor and HTTPS relate.

The Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.

Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you're using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!

Be smart and learn more. Understand what Tor does and does not offer. This list of pitfalls isn't complete, and we need your help identifying and documenting all the issues.

See the article here:
TOR Bundle Download - Tor Project: Anonymity Online