Tuesday, May 24, 2011

Ditching Tor Browser Bundle & Vidalia or The Right Way To Use Tor

Current versions of the Tor Browser Bundle include additional Firefox privacy bug fixes that are not yet included in mainline Firefox, such as fixes for HTML5 information leaks. Using the Browser Bundle and upgrading immediately when updates come out is currently the recommended way to use Tor.
Vidalia itself has been obsoleted and should no longer be in use.

I leave the tutorial below for historical purposes only.


In this post I will cover how and why to move away from depending on and trusting Vidalia and the Tor Browser Bundle for your security, as well as a number of important common-sense tactics to employ when using Tor. Actually, this post intends to be a semi-complete crash course on Tor safety. While the second half is meant for Linux users, Windows and Mac OS X Tor users should still follow the Firefox setup and plugins section below. In fact, even if you don't use Tor you should already be doing much of this anyway.

For those not in the know, or who have stumbled here by accident: Tor is an incredible application that, if used properly, can provide a high level of anonymity online. It lets you browse websites as well as "Hidden Services" (.onion sites, which are special Tor-only web pages inaccessible to anyone not using Tor) while hiding your identity: your traffic is routed through other nodes around the globe so that it cannot be traced back to your machine.
More info can be found at the Tor homepage: https://www.torproject.org/index.html.en

Now this is all fine and great and we all love Tor, but far too many people are not using it properly and are actually putting themselves in greater danger by using it. Let's get one thing clear: you don't need the Tor Browser Bundle. They provide it because they don't think most people will do all the stuff below on their own (if there are important tweaks I'm missing, please let me know). The problem is that the Tor Browser Bundle lags too far behind in updating Firefox versions, leaving you vulnerable with an outdated Firefox.
First I'll cover the general things everyone should be doing while using Tor, whether on Windows, Linux, or Mac OS X. Even non-Tor users should be doing the things described in the Firefox plugins section for general online security.

Number one, use Firefox. Firefox is simply the only safe browser to use with Tor. The Tor developers themselves have repeatedly stated this, and while they are trying to work with the Chrome developers to improve Chrome's privacy features, it simply isn't up to par yet. Safari, Opera, and IE are out of the question. Don't even think about it.

Ok, now that you are using Firefox, realize that Tor cannot protect you from bad websites, and with all the ads online that means almost every website counts as untrusted, since the ads a site serves can be coming from anywhere. Aside from the usual Ad-Aware, anti-virus, non-admin Windows accounts, etc., you need to be using the NoScript Firefox plugin. This is non-negotiable, as almost all malware uses JavaScript to dump itself onto your system. Really, you should be using this Tor or no Tor.

Next, Tor works by routing your traffic, so ultimately the machine that fetches the web page for you could be anyone's and should be considered untrusted at all times. This means don't log into any sites that are tied to your real-world person. No Facebook, LinkedIn, your normal email accounts, game accounts, whatever: don't do it. The last computer in the route can possibly steal your session even if it's SSL, shovel a forged SSL cert to you and grab your password. Even if they don't, they can see who you are if you do this, because you're visiting your friends' pages, so they can probably figure out who you are based on friend-list comparisons, and since you're on Tor you're probably not the hot blonde veterinarian whose interests include volleyball, Grey's Anatomy, and Lady Gaga. Also, don't search for dumb stuff like "London weather forecast" in unencrypted Google on Tor. Guess what, feds and hackers also run Tor, and now they know you're in London. Be smart.

Ok, now that that's out of the way, we need to lock down Firefox so it doesn't leak any private information. There are good plugins for this, and the ones I recommend are Cookie Monster, BetterPrivacy, RefControl, User Agent Switcher, and FoxyProxy. There used to be Nevercookie Anonymizer, but that doesn't work with Firefox 4. Cookie Monster along with BetterPrivacy should do the same thing.

Of course just installing these Add-Ons isn't enough.  Yes, you need to actually configure them. Starting with:

NoScript: Go through the whitelist and remove it all. You can add sites as you go, although always use "Temporarily Allow" when a site doesn't display properly or you are having odd issues. Also make sure to go to the Embeddings tab and select the check box for "Forbid IFRAME"; some malware likes to use these to dump stuff onto your machine. Make sure Flash, Silverlight, Java, Audio, and Other are selected. The rest of the defaults should suffice as far as I'm aware. Throw me a comment if anyone has any other NoScript hints.
BetterPrivacy: In the BetterPrivacy preferences remove any LSO cookies found and then switch to the Options & Help tab. Make sure "Delete Flash cookies on Firefox Exit" and "Disable Ping Tracking" are selected.
Cookie Monster: Make sure "Block 3rd party cookies" is selected. Block all cookies if you are truly paranoid.
RefControl: Make sure the "Default for sites not listed" is set to "Block".
User Agent Switcher: grab the user agent list here http://techpatterns.com/downloads/firefox/useragentswitcher.xml and import it into User Agent Switcher, overwriting the previous list. Pro-tips: I like to set my UA to Linux -> Console Browsers -> Elinks or Lynx, since I've never in my life heard of malware for those. Also, when you find a website that tries to make you pay to see content that Google results seemed to have a clip of, switch your UA to Google Bot and enjoy the site for free ;)
FoxyProxy: This is covered later, as there are some pretty nifty things to do with it and you need to get your Firefox shields up and operational before you run Tor. (*Edit: I'll post this one tomorrow in a separate post, as it is such a good plugin it deserves a post by itself.*)

Next, in Firefox make sure to go to the Privacy tab and set it to "Permanent Private Browsing Mode." In the Advanced tab, under General, choose "Tell websites I don't want to be tracked."
I also changed my homepage to https://torcheck.xenobite.eu/ which gives me full info about what my browser is leaking and whether Tor is being used or not.

Lastly, go to the Security tab and deselect "Remember passwords for sites." Seriously people, if you don't do this, then any website that manages to get into your browser will potentially get ALL YOUR PASSWORDS. Don't. I put my passwords into a text file on a USB drive and then GPG-encrypt them. Do what you like, but don't store your stuff in the browser: the browser interacts directly with the Internet, so it's the first thing that gets attacked. Bad.

Now that that is all done, double check that in the Tools menu "Clear history" is grayed out (you shouldn't have any more history) and "Start Private Browsing" is selected.

I think that's about it for Firefox adjustments. Now a few things NOT to do while using Tor. Aside from not logging into important accounts, anything Flash and Java and such can leak information about you, not to mention that you shouldn't be streaming stuff like YouTube and Vimeo on Tor. It's a waste of Tor network resources and it'll be slow anyway. And really, if all you do online is YouTube and Facebook, then what the heck do you need Tor for? Plus, Flash is a bug-ridden ownage machine with one of the worst security records out there.
If you're using Flagfox, disable it. Sorry, it's a great plugin; I don't know for certain, but I've heard it leaks DNS queries. It can also be used to track you, since you have to tell it every site you go to.
If you're using the ANT Flash downloader plugin, get rid of it. It's been shown to track its users.
Basically, remove any plugins you don't absolutely need and trust.
Oh yeah, don't use the new Firefox Sync feature or any online bookmark-sync junk. I think that one should be obvious.

Ok, that concludes the OS-independent stuff; from here on I will be talking about further security enhancements for those on Linux. So if you're using Windows or OS X, you're on your own now.

Now comes Vidalia. This part is unfortunate, because although it's a great program, it shares a problem with the Tor Browser Bundle: namely, running Tor as your regular user. If Tor gets compromised or exploited, the exploit will be able to run with your full user account privileges and potentially compromise, steal, or destroy important files and information of yours. Using Vidalia, I believe, increases this risk, because it's just one more program connected to Tor that can be targeted. The basic security tenet of "If you don't need it, don't use it" applies here. So what you want to do instead is run Tor as a special tor user account with limited privileges. Or even better, follow the instructions in my last blog post about chroot jails with jailkit and modify them to run Tor. (That's on my to-do list, and if I run into any special issues I'll post them.) This gives you another layer of security in an increasingly hostile Tor environment.
To run Tor under the tor user, first make sure you have a tor user and group on your machine. Arch Linux was nice enough to create them for me.
Then in the /etc/tor/torrc file make sure this section appears as below:
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line.
RunAsDaemon 1
User tor
Group tor
Now as root, start the tor service in /etc/init.d/tor or /etc/rc.d/tor.
Arch Linux uses rc.d, but I know Ubuntu and Debian use init.d.
I use Arch, so I just enter
/etc/rc.d/tor start 

Doing this for polipo isn't quite so straightforward, but fortunately the Arch Wiki provides a great how-to which should apply to most Linux distributions; any adjustments to the instructions should be pretty minor.
This comes straight from https://wiki.archlinux.org/index.php/Polipo#Run_Polipo_as_designated_user which is made available for distribution under the GNU Free Documentation License 1.2:
Polipo should run as an unprivileged user. Such a user can either be created or reused:

mkdir /var/cache/polipo
groupadd -r polipo
useradd -d /var/cache/polipo -g polipo -r -s /bin/false polipo 
While other daemons start as root and drop privileges as soon as possible, polipo runs as the user that invoked it. If polipo is invoked from /etc/rc.d/polipo, change the invocation line from
/usr/bin/$DAEMON $ARGS >/dev/null 2>&1
to
su -c "/usr/bin/$DAEMON $ARGS" -s /bin/sh polipo >/dev/null 2>&1
It is then also necessary to change ownership and/or permissions of several files and directories written by polipo. *I found that if these files don't exist, they must be created using mkdir or the touch command and then chown polipo:polipo on them, or polipo will fail to start:
  • the log file /var/log/polipo. The Arch Wiki states that a better choice is to create a directory, but for me creating a polipo log directory was giving polipo problems and I just used the regular log file.
  • /var/log/polipo owned by the designated user, and set polipo's log file to /var/log/polipo/polipo.log via the logFile variable in the config file. (I set this to chown polipo:log. Check the other files in the /var/log/ directory to see if they are assigned to a "log" group.)
  • the pid file at /var/run/polipo/polipo.pid and the directory that hosts it
  • the cache directory /var/cache/polipo and all of the contained files
Also, make sure to grab the polipo config for Tor here: https://gitweb.torproject.org/torbrowser.git/blob_plain/HEAD:/build-scripts/config/polipo.conf
Make any changes you need and put it in /etc/polipo/config/polipo.conf
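Here is a small POSIX shell script, an added example of my own rather than anything from the post or the Arch Wiki, that checks the two things this section depends on: that /etc/tor/torrc really carries the active RunAsDaemon, User and Group directives, and that every path polipo writes to exists and belongs to the polipo account. It assumes the account names tor and polipo and the polipo paths listed above; PREFIX is a hypothetical variable that points the filesystem checks at a scratch tree so they can be tried without root.

```shell
#!/bin/sh
# Added example: verify that Tor and polipo are set up to run unprivileged.
# Assumes the accounts are named "tor" and "polipo" and that polipo uses the
# paths from the list above. PREFIX (hypothetical, default empty) prepends a
# scratch directory so the checks can be exercised without touching the
# real system.

# torrc_check FILE: succeed only if FILE contains the active (uncommented)
# directives "RunAsDaemon 1", "User tor" and "Group tor".
torrc_check() {
    f=$1
    for want in 'RunAsDaemon 1' 'User tor' 'Group tor'; do
        # normalise whitespace, drop comment lines, then look for an exact line
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]][[:space:]]*/ /g' "$f" \
            | grep -v '^#' | grep -qx "$want" || return 1
    done
    return 0
}

# ensure_owned USER PATH [file]: create PATH if missing (a directory unless
# the third argument is "file") and chown it to USER. chown needs root on a
# real system; the checks below tell you whether it actually took effect.
ensure_owned() {
    u=$1; p=$2
    if [ ! -e "$p" ]; then
        if [ "${3:-dir}" = file ]; then
            mkdir -p "$(dirname "$p")" && : > "$p"
        else
            mkdir -p "$p"
        fi
    fi
    chown "$u" "$p"
}

# owned_by USER PATH: succeed only if PATH exists and is owned by USER.
# find -prune -user is POSIX, unlike stat's format flags.
owned_by() {
    [ -e "$2" ] && [ -n "$(find "$2" -prune -user "$1" -print 2>/dev/null)" ]
}

# polipo_paths_ok USER: check every path polipo writes to. /var/log/polipo
# may be either the plain log file or the log directory from the list.
polipo_paths_ok() {
    u=$1; rc=0
    for p in /var/log/polipo /var/run/polipo /var/run/polipo/polipo.pid /var/cache/polipo; do
        if owned_by "$u" "${PREFIX:-}$p"; then
            echo "ok                   $p"
        else
            echo "missing/wrong owner: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# daemon_user NAME: print the account(s) a running process called NAME runs
# as; "tor" and "polipo" should show up here, never "root" (Linux procps ps).
daemon_user() {
    ps -o user= -C "$1" 2>/dev/null | sort -u
}
```

After starting both services, `daemon_user tor` and `daemon_user polipo` are the quick confirmation that the privilege drop happened; `polipo_paths_ok polipo` run as root explains the usual "polipo will not start" cases before you dig through its log.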

Ok, so once you've got all this ready and running, all you need to do now is fire up Firefox and change your proxy settings (found in Advanced -> Network -> Connections) to Manual Proxy Configuration, port 8118 for HTTP and HTTPS, nothing for FTP (unless you're going to use that), and leave the SOCKS box empty. I also have localhost in the "No Proxy for" section, but I'm not sure if that is the default or required or what.
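The proxy settings from this step, together with the Privacy and Security tab settings from earlier (permanent private browsing, "Tell websites I don't want to be tracked", no remembered passwords), can be pinned in the profile's user.js so a reset or a stray click cannot quietly undo them. The script below is an added example of my own, not from the post; it assumes polipo is listening on 127.0.0.1 port 8118 and that you pass your Firefox profile directory as the argument.

```shell
#!/bin/sh
# Added example: pin the Firefox settings from the post in user.js and check
# that they are really in effect. Assumes polipo listens on 127.0.0.1:8118.

# write_tor_prefs PROFILE_DIR: append the locked-down prefs to user.js.
# Firefox reads user.js at startup and copies each user_pref into prefs.js,
# so these override whatever the GUI was last set to.
write_tor_prefs() {
    d=$1
    mkdir -p "$d"
    cat >> "$d/user.js" <<'EOF'
// Proxy everything through polipo on 127.0.0.1:8118 (assumed address).
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8118);
user_pref("network.proxy.ftp", "");
user_pref("network.proxy.socks", "");
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
// Permanent private browsing, Do Not Track header, no stored passwords.
user_pref("browser.privatebrowsing.autostart", true);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("signon.rememberSignons", false);
EOF
}

# check_tor_prefs PROFILE_DIR: succeed only if the last setting of each
# critical pref in user.js has the expected value (Firefox applies the last
# occurrence, so a later line that re-enables password saving must fail this).
check_tor_prefs() {
    f=$1/user.js
    [ -f "$f" ] || { echo "no user.js in $1" >&2; return 1; }
    while IFS='|' read -r name value; do
        last=$(grep -F "user_pref(\"$name\"," "$f" | tail -n 1)
        case $last in
            *", $value);"*) ;;
            *) echo "$name: expected $value, got '${last:-nothing}'" >&2; return 1 ;;
        esac
    done <<'EOF'
network.proxy.type|1
network.proxy.http_port|8118
network.proxy.ssl_port|8118
browser.privatebrowsing.autostart|true
privacy.donottrackheader.enabled|true
signon.rememberSignons|false
EOF
    return 0
}
```

Run `check_tor_prefs ~/.mozilla/firefox/<profile>` after every Firefox upgrade; a migration that drops a pref shows up here rather than as leaked traffic on the torcheck page.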
Either way, next post will be on Foxy Proxy where we will take proxy settings to a whole new level!

But before you run off, make sure to go here with Tor and add the list of bad Tor nodes to your torrc to make sure Tor refuses to use them:
These Tor nodes have been shown to be doing dangerous or sketchy things with traffic, such as modifying your SSL traffic in order to steal your passwords and snoop on your information. Not good. Some are believed to be NSA nodes spying on Tor users, some are hackers trying to steal your information, and some just have bad configurations that can put you at risk.
The people behind this site run software to constantly scan and monitor Tor nodes 24/7 to detect malicious or bad Tor nodes and publish them on the site.
Basically what you do is go down to the section "Create ExcludeNodes", select all the options that have a value of 1 or more, then make sure "Fingerprints" is selected, click the "Create ExcludeNodes" button, and paste the entire output into your torrc configuration file.
Restart Tor so it's using the new torrc and you are ready to go.
Make sure to check back every time you use Tor to get the latest updates.
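Before pasting a block list into torrc it is worth validating it: Tor identifies relays by 40-hex-digit fingerprints, and a mangled or truncated entry silently drops that relay from your list instead of erroring out. The script below, an added example of my own and not from the post or the site it refers to, normalises a pasted list into a single ExcludeNodes line and swaps it into torrc with a backup. The fingerprints it is tested with are constructed placeholders, not real relays, and the torrc path is whatever you pass in.

```shell
#!/bin/sh
# Added example: turn a pasted list of relay fingerprints into one clean
# ExcludeNodes line and install it into torrc. Any fingerprints used while
# testing this are constructed placeholders, not real relays.

# normalize_fingerprints < INPUT: accept fingerprints separated by newlines,
# commas or spaces, with or without a leading "$", in either case. Print them
# uppercase, one per line, without duplicates. Anything that is not exactly
# 40 hex digits is reported on stderr and makes the function fail, because
# Tor would otherwise just skip the malformed entry.
normalize_fingerprints() {
    tr ' ,\t\r' '\n\n\n\n' | sed 's/^\$//' | tr 'a-f' 'A-F' | awk '
        $0 == "" { next }
        length($0) != 40 || $0 !~ /^[0-9A-F]+$/ {
            print "rejected: " $0 > "/dev/stderr"; bad = 1; next
        }
        !seen[$0]++ { print }
        END { exit bad }'
}

# exclude_nodes_line < INPUT: print "ExcludeNodes $FP1,$FP2,..." or fail.
exclude_nodes_line() {
    fps=$(normalize_fingerprints) || return 1
    [ -n "$fps" ] || { echo "no fingerprints given" >&2; return 1; }
    printf 'ExcludeNodes %s\n' \
        "$(printf '%s\n' "$fps" | sed 's/^/$/' | tr '\n' ',' | sed 's/,$//')"
}

# install_exclude_nodes FPFILE TORRC: replace any existing ExcludeNodes line
# in TORRC with the one built from FPFILE (appended if there was none). The
# previous torrc is kept as TORRC.bak so a bad paste can be rolled back.
install_exclude_nodes() {
    line=$(exclude_nodes_line < "$1") || return 1
    cp "$2" "$2.bak" || return 1
    {
        grep -v '^[[:space:]]*ExcludeNodes[[:space:]]' "$2.bak" || true
        printf '%s\n' "$line"
    } > "$2"
}

# count_excluded TORRC: number of well-formed fingerprints on the last
# ExcludeNodes line, for a quick sanity check before restarting Tor.
count_excluded() {
    grep '^[[:space:]]*ExcludeNodes[[:space:]]' "$1" | tail -n 1 \
        | sed 's/^[[:space:]]*ExcludeNodes[[:space:]]*//' | tr ',' '\n' \
        | grep -c '^\$[0-9A-F]\{40\}$' || true
}
```

Typical use is `install_exclude_nodes badnodes.txt /etc/tor/torrc` as root, then `count_excluded /etc/tor/torrc` to confirm the number matches what the site gave you before restarting Tor. Note that ExcludeNodes is a preference Tor is allowed to override to keep circuits working; add StrictNodes 1 to torrc if you would rather have a circuit fail than touch a listed relay.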

And that's about all I can think of at the moment, aside from general common sense.
If anyone has anything they think I should add, drop a comment or send an email and I'll check it out and probably put it in.

I will try to always keep this updated as I find new tips or new information.

In the meantime, if it's not already bookmarked, here is the Tor-only "Hidden Wiki".
And when you're there, try to remember your morals...