DoNot

Things NOT to Do

Visit your Own Website when Anonymous

"I wonder what my site looks like when I'm anonymous?" [1]

It is best to avoid visiting personal websites where either real names or pseudonyms are attached, particularly if they have ever been tied to a non-Tor connection / IP address. Very few people are likely to visit your personal website over Tor, meaning the user may be the only unique Tor client to do so.

This behavior leads to weak anonymity because once the website is visited the Tor circuit is "dirty". If the site is not popular and does not receive much traffic, the Tor exit relay can be fairly certain that the visiting individual is the user. After that point, it can be reasonably assumed that further connections originating from that Tor exit relay also come from the user's machine.

Source: [2]

Login to Social Networks Accounts and Think you are Anonymous

Don't login to personal Facebook or other social network accounts over Tor. Even if a pseudonym is used instead of a real name, the account likely has linked friends who know the account's true owner. As a result, the social network can reasonably guess who the user really is.

No anonymity solution is perfect. Online anonymity software may reliably hide IP addresses and location data, but Facebook and similar corporations do not need this information. Social networks already know: who the user is, associated friends, the content of "private" messages sent and so on. This data is at least stored on social network servers, and no kind of software can delete it. Only social networking platforms and hacking groups could remove it. [3]

Users who log into personal Facebook and other accounts only get location privacy, but not anonymity.

This is not well understood by some social network users: [4]

mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you.

Never Login to Accounts Used without Tor

Always assume that each time a website is visited, logging by the destination server will include: [5]

  • Client IP address / location.
  • Request date and time.
  • Specific webpages requested.
  • HTTP code.
  • Number of bytes served to the user.
  • The user's browser agent.
  • The referring website (referrer).


Also assume that the Internet Service Provider (ISP) will at a minimum log total online time and the client IP address / location. The ISP may also log the IP address / location of visited destinations, how much traffic (data) was generated, and what was sent and retrieved. Unless Internet traffic is encrypted, the ISP will be able to see exactly what activities were performed, and the information sent or received.

The following tables provide a simplified overview of how those logs may appear to administrators.

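Table: ISP Log

| Name     | Time          | IP/location | Traffic |
|----------|---------------|-------------|---------|
| John Doe | 16:00 - 17:00 | 1.1.1.1     | 500 MB  |

Table: Extended ISP Log [6]

| Name     | Time          | IP/location | Traffic | Destination  | Content                              |
|----------|---------------|-------------|---------|--------------|--------------------------------------|
| John Doe | 16:00 - 17:00 | 1.1.1.1     | 1 MB    | google.com   | Searched for thing one, thing two... |
| John Doe | 16:00 - 17:00 | 1.1.1.1     | 490 MB  | youtube.com  | Viewed video 1, video 2, ...         |
| John Doe | 16:00 - 17:00 | 1.1.1.1     | 9 MB    | facebook.com | Encrypted traffic                    |

Table: Website Log

| Name | Time          | IP/location | Traffic | Content                              |
|------|---------------|-------------|---------|--------------------------------------|
| -    | 16:00 - 16:10 | 1.1.1.1     | 1 MB    | Searched for thing one, thing two... |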

It is clear that uniform logging by websites and ISPs enables the user's activities and interests to be easily determined.

An account is compromised and tied to the user if even a single login originates from a non-Tor connection / IP address. Single mistakes are often fatal and have led to the downfall of many "anonymous" users.
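The following added example (not part of the Whonix documentation) shows how the server-side fields listed above appear in a web server's "combined" access log, and how one login from a non-Tor address is enough to tie an account to that address. The log lines, account names and the set of exit addresses are constructed for illustration; the function names are hypothetical.

```python
import re
from collections import defaultdict

# "Combined" access log format: client IP, authenticated user, time,
# request line, HTTP status code, bytes served, referrer, user agent.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log (documentation-range addresses, made-up accounts).
SAMPLE_LOG = """\
198.51.100.7 - nightowl [10/Mar/2024:16:00:01 +0000] "POST /login HTTP/1.1" 302 0 "https://forum.example/login" "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
198.51.100.9 - nightowl [11/Mar/2024:09:12:40 +0000] "GET /inbox HTTP/1.1" 200 18230 "https://forum.example/" "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
203.0.113.25 - nightowl [12/Mar/2024:22:47:03 +0000] "POST /login HTTP/1.1" 302 0 "https://forum.example/login" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"
198.51.100.7 - quietfox [12/Mar/2024:23:05:19 +0000] "GET /thread/42 HTTP/1.1" 200 9211 "-" "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
203.0.113.80 - - [12/Mar/2024:23:06:00 +0000] "GET / HTTP/1.1" 200 4410 "-" "curl/8.5.0"
"""

# Constructed stand-in for the set of Tor exit relay addresses, which any
# server operator can obtain because the exit list is public.
TOR_EXITS = {"198.51.100.7", "198.51.100.9"}


def parse_line(line):
    """Return the logged fields of one combined-format line, or None."""
    m = COMBINED.match(line)
    if m is None:
        return None  # malformed or differently formatted line
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def accounts_tied_to_non_tor(log_text, tor_exits):
    """Map each account to the non-Tor addresses it was ever seen from."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":
            continue  # skip unparsable lines and unauthenticated requests
        seen[rec["user"]].add(rec["ip"])
    return {
        user: sorted(ips - tor_exits)
        for user, ips in seen.items()
        if ips - tor_exits
    }


if __name__ == "__main__":
    for user, ips in accounts_tied_to_non_tor(SAMPLE_LOG, TOR_EXITS).items():
        print(f"{user}: seen from non-Tor address(es) {', '.join(ips)}")
```

In the sample, the account `nightowl` used Tor twice and a direct connection once; the single direct login is what the log retains.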

Do not Login to Banking or Online Payment Accounts

Logging into banking, PayPal, eBay or other important financial accounts registered in the user's name is not recommended. Where money is involved, use of Tor risks the account being suspended due to "suspicious activity" by the fraud prevention system. The reason is hackers sometimes use Tor for committing fraud.

Using Tor with online banking and payment accounts is not anonymous for reasons already outlined. It is pseudonymous and only offers location privacy and a circumvention method in the event access to the site is blocked by the ISP. The difference between anonymity and pseudonymity is covered in a later chapter.

If a user is blocked, in many cases the service's support division can be contacted in order to have the account unblocked. Some services will even allow the fraud protection policy to be relaxed for the user's account.

Whonix developer Patrick Schleizer is not opposed to using Tor for circumvention and/or location privacy. However, the user should appreciate that banking or other online payment accounts risk getting (temporarily) suspended. Other outcomes are also possible (service bans, account deletion and so on) as mentioned in warnings on this page and throughout the Whonix documentation. Users who are aware of the risks and who feel comfortable using Tor in their personal circumstances are of course free to ignore this advice.

Do not Switch Between Tor and Open Wi-Fi

Some users mistakenly think open Wi-Fi is a faster, safe "Tor alternative" since the IP address / location cannot be tied to their real name.

For reasons explained below, it is better to use open Wi-Fi and Tor, but not open Wi-Fi or Tor.

The approximate location of any IP address can be estimated to the city, region or even street level. Even if a user is away from their home address, open Wi-Fi still gives away the city or approximate location since most people do not switch continents.

The person running the open Wi-Fi router and their policies are also unknown variables. They could be keeping logs of the user's MAC address and linking it with the activity being sent in the clear through them.

While logging does not necessarily break user anonymity, it does reduce the circle of suspects from the entire global population, a continent, or the country, down to a specific region. This effect strongly degrades anonymity. Users should always keep as much information as possible to themselves.

Prevent Tor over Tor Scenarios

Note: This is a Whonix-specific issue.

When a transparent proxy is used (like in Whonix), it is possible to start a Tor session from the client as well as from the transparent proxy, creating a "Tor over Tor" scenario.

This happens when installing Tor inside Whonix-Workstation or when using Tor Browser without configuring it to use a SocksPort instead of the TransPort. This is covered in further detail in the Tor Browser entry.

Doing so produces undefined and potentially unsafe behavior. In theory, the user could get six hops instead of three in the Tor network. However, it is not guaranteed that the three additional hops received are different; the user could end up with the same hops, possibly in reverse or mixed order. The Tor Project opinion is that this is unsafe: [7]

We don't want to encourage people to use paths longer than this — it increases load on the network without (as far as we can tell) providing any more security. Remember that the best way to attack Tor is to attack the endpoints and ignore the middle of the path. Also, using paths longer than 3 could harm anonymity, first because it makes "denial of security" attacks easier, and second because it could act as an identifier if only a few people do it ("Oh, there's that person who changed her path length again").

Users can manually choose an entry or exit point in the Tor network, [8] but the best security relies on leaving the route (path) selection to Tor. Overriding the choice of Tor entry and/or Tor exit relays can degrade anonymity in ways that are not well understood. Therefore, Tor over Tor configurations are strongly discouraged.

License of "Prevent Tor over Tor scenarios.": [9]

Do not Send Sensitive Data without End-to-end Encryption

As already explained on the Warning page, Tor exit relays can eavesdrop on communications and man-in-the-middle attacks are possible (even with HTTPS). Using end-to-end encryption is the only way to send sensitive data to a recipient without it being potentially intercepted and disclosed to hostile third parties.

Do not Disclose Identifying Data Online

De-anonymization is not only possible with connections / IP addresses, but also via social threats. Here are some recommendations to avoid de-anonymization suggested by Anonymous:

  • Do not include personal information or interests in nicknames.
  • Do not discuss personal information like location, age, marital status and so on. Over time, discussions about something inane like the weather could lead to an accurate idea of the user's location.
  • Do not mention one's gender, tattoos, piercings, physical capacities or disabilities.
  • Do not mention one's profession, hobbies or involvement in activist groups.
  • Do not use special characters on the keyboard which only exist in your language.
  • Do not post information to the regular internet (clearnet) while anonymous.
  • Do not use Twitter, Facebook and other social network platforms. This is easy to correlate.
  • Do not post links to Facebook images. The image name contains a personal ID.
  • Do not connect to same destination at the same time of the day or night. Try to vary connection times.
  • Remember that IRC, other chats, forums, mailing lists and so on are public arenas.
  • Do not discuss anything personal whatsoever, even when securely and anonymously connecting to a group of strangers. The group recipients are a potential hazardous risk ("known unknowns") and could have been forced to work against the user. It only takes one informant to destroy a group.
  • Heroes only exist in comic books and are actively targeted. There are only young heroes and dead heroes.


If any identifying data must be disclosed, treat it as "sensitive data" as outlined in the previous point.

License: From the JonDonym documentation (Permission).

Do Use Bridges if Tor is Deemed Dangerous or Suspicious in your Location

This recommendation comes with an important caveat, since Bridges are not a perfect solution: [10]

Bridges are important tools that work in many cases but they are not an absolute protection against the technical progress an adversary might make in identifying Tor users.

Do not Maintain Long-term Identities

The longer the same pseudonym is used, the higher the probability that mistakes are made which reveal the user's identity. Once this occurs, an adversary can go back and link all activity related to the pseudonym. As a precaution, regularly create new identities and stop using old ones.

Do not Use Different Online Identities at the Same Time

Managing contextual identities online is increasingly difficult and fraught with mistakes. Different online identities can be easily correlated if used simultaneously, since Tor may reuse circuits in the same browsing session or information could potentially leak from the Whonix-Workstation. Whonix does not magically separate different contextual identities.

Also read the points below.

Do not Login to Twitter, Facebook, Google etc. Longer than Necessary

Restrict the logged in time for Twitter, Facebook, Google and any other account-based services (like web forums) to the absolute minimum required. Immediately log out after reading, posting, blogging and other tasks are complete. Following log out, it is safest to then shut down Tor Browser, change the Tor circuit using a Tor Controller, wait for 10 seconds until the circuit has changed and then restart Tor Browser. For better security follow the recommendations to use multiple VM Snapshots and/or use multiple Whonix-Workstations.

This behavior is necessary because many websites include one or more of the many integration buttons, such as Facebook's "Like" button and Twitter's "Tweet This". [11] In fact, in the top 200,000 Alexa websites, Facebook and Twitter social widgets are included in around 47% and 24% of those, respectively. Google third-party web services are included in around 97% of the same sample, mainly comprising Google Analytics, advertisements and CDN services (googleapis.com). [12] [13] If a user is still logged into a service, those buttons tell the originating service that the website was visited. [14]

The danger of third-party resources to privacy should not be underestimated: [15] [16]

Every time a user’s browser is instructed to fetch a third-party resource, that third-party server is given the ability to deliver tracking scripts and associate the first-party website with the bearer of third-party cookies and browser fingerprints. This tracking of online behavior allows for the construction of increasingly detailed user profiles, including sensitive information such as a user’s political views and medical history.

Users should also read the chapter above.
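To make the third-party exposure concrete, the following added example (not from the Whonix documentation or the cited paper) lists the third-party hosts a browser would contact when rendering a page. The page URL and HTML are constructed, the function names are hypothetical, and "third party" is simplified to mean any host that is neither the page's host nor a subdomain of it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page containing social widgets and Google-hosted resources.
PAGE_URL = "https://blog.example/post/1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://blog.example/post/1">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<script src="//platform.twitter.com/widgets.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="https://cdn.blog.example/header.png" />
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fblog.example%2Fpost%2F1"></iframe>
<a href="https://twitter.com/share">Tweet</a>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches automatically while loading a page."""

    # Tag -> attribute holding a URL that is requested without any click.
    FETCHING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
    # <link> only triggers a fetch for these relation types.
    FETCHED_RELS = {"stylesheet", "icon", "preload"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.FETCHING.get(tag)
        if attr is None:
            return  # e.g. <a href>: only contacted if the user clicks
        a = dict(attrs)
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            if not rels & self.FETCHED_RELS:
                return  # e.g. rel="canonical" is metadata, not a fetch
        if a.get(attr):
            # Resolve relative and protocol-relative URLs against the page.
            self.urls.append(urljoin(self.page_url, a[attr]))


def third_party_hosts(page_url, html):
    """Return the sorted hosts that learn of the visit besides the site itself."""
    first_party = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host is None:
            continue  # data: URIs and similar carry no host
        if host != first_party and not host.endswith("." + first_party):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host in third_party_hosts(PAGE_URL, SAMPLE_HTML):
        print(host)
```

Each host in the result receives a request, along with any cookies it previously set, every time the page is loaded. This is why a session still logged into one of those services links the visit to the account.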

Do not Mix Anonymity Modes

Do not mix modes of anonymity! These are outlined below.

Mode 1: Anonymous User; Any Recipient

  • Scenario: Posting messages anonymously in a message board, mailing list, comment field, forum and so on.
  • Scenario: Whistleblowers, activists, bloggers and similar users.
  • The user is anonymous.
  • The real IP address / location stays hidden.
  • Location privacy: The user's location remains secret.

Mode 2: User Knows Recipient; Both Use Tor

  • Scenario: The sender and recipient know each other and both use Tor.
  • Communication occurs without any third party being aware of this activity or having knowledge that the sender and recipient are communicating with each other.
  • The user is not anonymous. [17]
  • The user's real IP address / location stays hidden.
  • Location privacy: The user's location remains secret.

Mode 3: User Non-anonymous and Using Tor; Any Recipient

  • Scenario: Logging in with a real name into any service like webmail, Twitter, Facebook and others.
  • The user is obviously not anonymous. As soon as the real name is used for the account login, the website knows the user's identity. Tor cannot provide anonymity in these circumstances.
  • The user's real IP address / location stays hidden.
  • Location privacy. The user's location remains a secret. [18]

Mode 4: User Non-anonymous; Any Recipient

  • Scenario: Normal browsing without Tor.
  • The user is not anonymous.
  • The user's real IP address / location is revealed.
  • The user's location is revealed.

Conclusion

It is not wise to combine modes 1 and 2. For example, if the user has an instant messenger or email account and uses that via mode 1, it is inadvisable to use the same account for mode 2. The reason is the user is mixing absolute anonymity (mode 1) with selective anonymity (mode 2; since the recipient knows the user).

It is also unwise to mix two or more modes inside the same Tor session, because they could share the same Tor exit relay, leading to identity correlation.

It is also possible that other mode combinations are dangerous and could lead to the leakage of personal information or the user's physical location.

License

License of "Do not Mix Anonymity Modes": [9]

Do not Change Settings if the Consequences are Unknown

It is usually safe to change user interface settings for applications which do not connect to the internet. For example, checking a box like "Don't show any more daily tips" or "Hide this menu bar" will have no effect on anonymity.

Before changing any settings you are interested in, first read the Whonix documentation. If the change is documented and recommended against, then try to persevere with the defaults. If the change is undocumented, then carefully research the proposed action before proceeding.

Changing settings for applications which connect to the internet (even user interface settings) should be thoroughly reviewed. For example, removing a menu bar or maximizing the screen in Tor Browser is recommended against. The latter is known to modify the detectable screen size, which worsens the user's web fingerprint.

Modification of network settings should only be undertaken with great care, and if the consequences are known. For example, users should avoid all advice pertaining to "Firefox Tuning". If the settings are believed to be sub-optimal, then changes should be proposed upstream so they change for all Tor Browser users with the next release.

Do not Use Clearnet and Tor at the Same Time

Using a non-Tor browser and Tor Browser at the same time runs the risk of confusing them at one point, and de-anonymizing yourself.

Using clearnet and Tor at the same time also risks simultaneous connections to a server that are anonymous and non-anonymous. This is recommended against for the reasons explained in the point below. The user can never be sure when they are visiting the same page anonymously and non-anonymously at the same time, because only the URL is visible, not how many resources are fetched in the background. Many different websites are hosted in the same cloud. Services such as Google Analytics are present on the majority of all websites and therefore see a lot of anonymous and non-anonymous connections.

If this advice is disregarded, then the user should have at least two different desktops to prevent confusing one browser with the other.

Do not Connect to a Server Anonymously and Non-anonymously at the Same Time

Creating Tor and non-Tor connections to the same remote server at the same time is strongly discouraged. In the event the internet connection breaks down (and it will eventually), all the connections will break simultaneously. Following that event, it is easy for an adversary to determine which public IP address / location belongs to which Tor IP address / connection, potentially identifying the user directly.

This scenario also enables another form of attack by web servers. The speed of either the non-Tor or Tor connection can be increased or decreased, to see if there is a correlation. That is, if either connection gets faster or slower in unison, then the relationship between a non-Tor and Tor link can be established.

License of "Do not connect to any server anonymously and non-anonymously at the same time!": [9]

Do not Confuse Anonymity with Pseudonymity

This chapter explains the difference between anonymity and pseudonymity. Defining terms is always a difficult topic because a majority consensus is required.

An anonymous connection is defined as a connection to a destination server, where the destination server has no means to find out the origin (IP address / location) of that connection nor to associate an identifier [19] to it.

A pseudonymous connection is defined as a connection to a destination server, where the destination server has no means to find out the origin (IP address / location) of a connection, but can associate it with an identifier. [19]

In an ideal world, perfection would be achieved by the Tor network, Tor Browser, computer hardware, physical security, the underlying operating system, and so on. For example, in this utopia the user could fetch a news website, and neither the news website nor the website's ISP would have any idea if the user had ever made contact before. [20]

In contrast, the imperfect scenario results when software is used incorrectly, like when stock Firefox is used over the Tor network instead of the "Tor-safe" Tor Browser. The unfortunate Firefox user still protects their original connection (IP address / location) from discovery, but an identifier (like cookies) can be used to make that connection pseudonymous. For example, the destination website could log "user with id 111222333444 viewed Video Title A at Time B on Date C and Video Title D at Time E at Date F.". This information can be used for profiling, which over time becomes more and more comprehensive. The anonymity set is gradually reduced, and in the worst case leads to de-anonymization.

As soon as a user logs into a website with a username for activities like forum posting or webmail, the connection is by definition no longer anonymous, but pseudonymous. The origin of the connection (IP address / location) is still hidden, but the connection can be associated with an identifier [19]; in this case, an account name. Identifiers can be used to keep a log of various things: when a user wrote something, the date and time of login and logout, what a user wrote and to whom, the IP address used (useless if it is a Tor exit relay), the recorded browser fingerprint and so on.

Maxim Kammerer, developer of Liberté Linux [21], has disparate ideas on anonymity and pseudonymity which should not be withheld from the reader: [22]

I have not seen a compelling argument for anonymity, as opposed to pseudonymity. Enlarging anonymity sets is something that Tor developers do in order to publish incremental papers and justify funding. Most users only need to be pseudonymous, where their location is hidden. Having a unique browser does not magically uncover user's location, if that user does not use that browser for non-pseudonymous activities. Having good browser header results on anonymity checkers equally does not mean much, because there are many ways to uncover more client details (e.g., via Javascript oddities).

Do not Spread your Own Link First

Do not be tempted to be one of the first people to advertise your new anonymous project! For example, it is inadvisable to spread links if the user:

  • Created an anonymous blog or hidden service.
  • Has a Twitter account with lots of followers.
  • Runs a big clearnet news page or similar.


The more identities are separated, the better. Of course, at some point the user may or even must be "naturally" aware of the new project, but extreme caution is sensible at this juncture.

Do not Open Random Files or Links

If the user is sent any type of file or a link to the file (or a random internet URL/resource), either by email or another method, caution is recommended regardless of the file format. [23] That sender, mailbox, account, or key could be compromised and the file or link may have been prepared to infect the user's system when opened with a standard application.

It is safer not to open the file with the default tool that is expected by the file's creator. For example, a PDF should not be opened with a PDF viewer, or if the content is public, a free online PDF viewer could be used. Greater security would involve sanitizing the PDF in Qubes-Whonix, or opening the file or link in a DisposableVM so that it cannot compromise the user's platform.

Do not Use (Mobile) Phone Verification

Websites such as Google, Facebook and others will ask for a (mobile) phone number if attempting to login over Tor. Unless the user is really clever or has an alternative, this information should not be provided.

Any phone numbers that are provided will have already been logged. The SIM card is most likely registered in the user's name. Even if this is not true, receiving an SMS gives away the user's location. Users can try to anonymously buy a SIM card far away from their usual home address, but there is still a risk: the phone itself. Each time the phone logs into the mobile network, the provider will log the SIM card serial number [24] and the phone serial number. [25] If the SIM card is bought anonymously, but not the phone, it is not anonymous because these two serials will get linked.

If a user really wants to do mobile verification, then a location far away from home is recommended, along with a fresh phone and a new SIM card. Afterwards, the phone must be turned off, and immediately both the phone and the SIM card should be completely destroyed. This may necessitate burning the items or other inventive (guaranteed) methods of destruction.

Users could try to find an online service that will receive a personal SMS on their behalf. That would work and would be anonymous. The problem is this method probably won't work for Google and Facebook, because they actively blacklist such numbers for verification. Another option is trying to find someone else to receive the SMS for you, but that would only shift the risk to the other person. [26]

Rationale

The reader can skip this section.

This page risks stating things that are obvious. But the question must be asked: "Obvious to whom?". The above points may only be common sense to developers, hackers, geeks and other people with technological skills.

The above-mentioned groups tend to lose contact with non-technical users. It is useful to sometimes read usability papers or the feedback from people who do not post on mailing lists or in forums.

For example:

mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you.

Footnotes

  1. https://lists.torproject.org/pipermail/tor-dev/2012-April/003472.html
  2. Tor Browser should set SOCKS username for a request based on referrer
  3. The former is unlikely to ever delete data, since profiling is the primary method of monetizing users with "free" accounts. Profiling is used for targeted advertising and to generate large user databases that can be on-sold for profit to third parties.
  4. To Toggle, or not to Toggle: The End of Torbutton
  5. https://en.wikipedia.org/wiki/Server_log
  6. https://en.wikipedia.org/wiki/Deep_packet_inspection
  7. https://www.torproject.org/docs/faq.html.en#ChoosePathLength
  8. https://www.torproject.org/docs/faq.html.en#ChooseEntryExit
  9. This was originally posted by adrelanos (proper) to the TorifyHOWTO (w) (license) (w). Adrelanos didn't surrender any copyrights and can therefore re-use it here. It is under the same license as this DoNot page.
  10. bridges#If_Tor_Use_is_Dangerous_or_Deemed_Suspicious_in_your_Location
  11. Notably, Facebook also keeps records on everyone who views a page with a Facebook like button.
  12. https://www.securitee.org/files/trackblock_eurosp2017.pdf
  13. The top 15 third party services are: doubleclick.net, google.com, googlesyndication.com, googleapis.com, gstatic.com, admob.com, googleanalytics.com, googleusercontent.com, flurry.com, adobe.com, chartboost.com, unity3d.com, facebook.com, amazonaws.com and tapjoyads.com
  14. For example, Twitter's Tweet, Follow and embedded tweets are used to record browsing history. When a page is visited containing one or more of these, the browser makes a request to Twitter servers which contains a header informing of the site visited. A unique cookie allows Twitter to build a profile of browsing history, even if the user is not a Twitter user (for example, when Tor Browser is not used).
  15. https://www.securitee.org/files/trackblock_eurosp2017.pdf
  16. For instance, advanced adversaries are known to piggyback on third-party tracking cookies to de-anonymize Tor users and to identify targets for exploitation.
  17. Since they are known by the recipient.
  18. But this information can be easily ascertained via ISP records which link Internet service accounts with a registered name and address. Alternatively, this information is leaked by the real (clearnet) IP address that was originally used to register for the service in the first place, since Tor registration is regularly blocked.
  19. For example, an identifier could be a (Flash) Cookie with a unique number.
  20. Unfortunately, fingerprinting defenses are not yet perfect in any browser and there are still open bugs. See tbb-linkability and tbb-fingerprinting.
  21. http://dee.su/liberte
  22. Quote (w)
  23. For instance: PDF, word processing document, bitmapped images, audio or video files and so on.
  24. IMSI
  25. IMEI
  26. Notwithstanding that the person receiving the SMS is likely only a few degrees of separation from the end-user (at best).

Attribution

Thanks to intrigeri and anonym, who provided feedback and suggestions for this page on the Tails-dev mailing list.


Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)