Tor Browser

From LinuxReviews
Jump to navigationJump to search
Tor.png

The Tor Browser is a web browser bundle distributed by the non-profit Torproject organization which includes a customized version Firefox ESR, some Firefox extensions and a Tor client for accessing the traffic analysis resistant Tor anonymity network. The Tor Browser sends your web traffic through the Tor network so the websites you visit will see a Tor exit nodes IP address instead of your actual IP address.

Features And Usability

Tor Browser 9.0.5.jpg
The Firefox ESR version included in the Tor Browser Bundle has some additional Tor-specific features and Tor-specific configuration.

The Tor Browser is just like the Firefox ESR (the long term support version) with one notable exception: The Tor Browsers sends the web traffic through the traffic-analysis resistant Tor network. This prevents any local or remote adversaries from seeing your network traffic. This is very useful if you are searching for sensitive personal information like medical information. It is also highly useful if you write about or want to research political information in countries such as Norway where they will torture you if you write something critical about the NATO alliance, the local regime or other sensitive subjects.

Tor Tor Browser is not just Firefox configured to use Tor as a socks proxy. There are quite a few Tor-specific patches which enhance security in the Tor Browser version of Firefox ESR. There is also a special configuration page just for Tor.

Using the Tor Browser has two practical problems which are quite annoying. Speed is a immediately noticeable problem, going through the Tor network it is much slower than going to websites directly. It is not so slow that it isn't usable, but it is noticeable. The second huge problem with the Tor Browser is not immediately noticeable yet it is a huge problem: Some websites either do not work or they will only work if you enable JavaScript and repeatedly fill out CAPTCHAs. Sites blocking Tor isn't really something which can be solved, if a website owner decides to block Tor (due to abuse in most cases) then it's blocked and there is nothing to do about it. Sites that are behind Cloudflare tend to not work when you are coming from the Tor network - and there are a lot of sites like that.

The Tor browser uses Duck Duck Go (actually Bing) as its default search engine.

The Tor browser has JavaScript enabled by default even though it comes bundles with NoScript. It seems a bit strange that they would include NoScript with a configuration which makes it run all scripts unless they are manually turned off on a per-site basis. Further, the NoScript icon isn't shown by default. It is possible to right-click the toolbar and choose Customize and drag the NoScript icon to the toolbar to get JavaScript control. Clicking on the NoScript icon and the Options icon (looks like a snake with a red circle and a toolbar) makes it possible to disable execution of scripts as well as media, webgl and so on by default. Installing Ublock Origin to filter out web garbage is advisable if you leave JavaScript enabled by default.

JavaScript is probably allowed by default because it allows more web pages to work, some pages do break if it is disabled. However, there are some privacy risks with JavaScript and WebGL - even if traffic is piped through Tor. It seems like a somewhat odd decision.

Verdict And Conclusion

The Tor Browser is a very powerful privacy tool. Using it has some very clear advantages. However, there are also some clear disadvantages: Websites load slower and some do not work. If you will be happy using it as your primary web browser is therefore a question of how much time and patience you have. If you value your privacy and you have time to use a much slower browser in order to preserve it then the Tor Browser is likely for you.

You should change the on-by-default JavaScript setting and install a web filter like Ublock Origin if you intend to use the Tor Browser as your everyday browser.

Using The Tor Browser With A Local Tor Client

The Tor Browser is distributed as a bundle meant for people who do not know that much about computers. It includes a Tor client which is started automatically Tor client unless you already have a Tor client running which is listening on the same Tor control-port as the Tor Browser. The Tor Browser will stupidly fail to start and refuse to let you change any settings or do anything at all with the default settings if a system-wide Tor client instance is running. However, it can be configured to use a Tor system service.

  1. Stop any local Tor client you have configured.
  2. Start the Tor browser bundle with its ./start-tor-browser script
  3. Go to about:config and type/paste in extensions.torlauncher.start_tor
  4. Set extensions.torlauncher.start_tor to false. This is important as the Tor Browser bundle will refuse to launch the browser so you can change this setting if it can't launch the bundled Tor client
  5. change the setting extensions.torlauncher.control_port to 9051 (it defaults to 9151 which Tor can not use without changing SELinux settings on RHEL/Fedora)
  6. change the setting network.proxy.socks_port from 9150 to 9050
  7. Run tor --hash-password mysecret and get a password hash (mysecret would be your passord)
  8. Edit your /etc/tor/torrc and make sure you have the following settings:
SOCKSPort 9050
SOCKSPolicy accept 127.0.0.1
SOCKSPolicy reject *
ControlPort 9051
HashedControlPassword 16:8EF8CB2FD++

You will have to specify the Tor control port password with a variable called TOR_CONTROL_PASSWD= set in the environment or in the ./start-tor-browser file. The password must be given in double quotes inside single quotes or it won't work. If your password is mysecret you need to start the Tor browser with:

TOR_CONTROL_PASSWD='"mysecret"' ./start-tor-browser

or set

TOR_CONTROL_PASSWD='"mysecret"'

in the start-tor-browser script.

Kemonomimi rabbit.svg
Note: The Tor Browser will, unlike plain Firefox, foolishly refuse to work if it has a working SocksPort (what it needs) if it can not control Tor using a ControlPort.

Links

The Tor Browser bundle can be downloaded from torproject.org/download/.

There is a helpful support page at support.torproject.org.

There is a blog with announcements at blog.torproject.org.

Add your comment
LinuxReviews welcomes all comments. If you do not want to be anonymous, register or log in. It is free.