Goal

Understand how Tor enables anonymous communication, install and configure Tor Browser securely, and learn the essential operational security practices for anonymous browsing.

Prerequisites: Weeks 1-6 (encryption, communications, networking)

This is Part 1 of 2 - Covers Tor fundamentals, installation, and basic OpSec.

Note on Responsible Use: Tor is a powerful privacy tool used by journalists, whistleblowers, activists, and ordinary people worldwide to protect their communications from surveillance. This lesson teaches Tor for legitimate privacy protection. Know your local laws and use these skills ethically.


1. What Is Tor?

Tor (The Onion Router) is a free, open-source network that enables anonymous communication by routing traffic through multiple volunteer-operated servers (relays) to conceal a user’s location and usage from network surveillance and traffic analysis.

Why Tor Exists

Legitimate use cases:

  • Journalists protecting source identities
  • Activists in repressive regimes evading censorship
  • Whistleblowers reporting corruption safely
  • Researchers accessing information without location tracking
  • Ordinary users protecting privacy from ISPs, advertisers, governments
  • Law enforcement conducting undercover investigations
  • Domestic abuse survivors hiding online activity from abusers

How Onion Routing Works

The Three-Hop Circuit:

You → Guard Node → Middle Node → Exit Node → Destination
  1. Guard (Entry) Node - Knows your IP but not your destination
  2. Middle Node - Knows neither source nor destination (relay only)
  3. Exit Node - Knows destination but not your IP

Layered Encryption (like an onion):

  • Your traffic is encrypted in three layers
  • Each relay removes one layer (peels the onion)
  • No single relay knows both source and destination
  • Correlation requires compromising all three nodes
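The layering described above, as an added example (not part of the original lesson): the client wraps a request once per hop and each relay strips only its own layer. The SHAKE-256 XOR keystream is a stand-in for the ciphers Tor actually uses, and the function names and sample request are constructed for illustration.

```python
import hashlib
import secrets


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHAKE-256 keystream (stand-in cipher, not Tor's)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(payload: bytes, hop_keys: list) -> bytes:
    """Client side: apply the exit layer first and the guard layer last."""
    cell = payload
    for key in reversed(hop_keys):
        cell = keystream_xor(key, cell)
    return cell


def relay_path(cell: bytes, hop_keys: list) -> list:
    """Each relay strips its own layer; return what each hop holds afterwards."""
    views = []
    for key in hop_keys:
        cell = keystream_xor(key, cell)
        views.append(cell)
    return views


def demo():
    # One key per hop, in circuit order: guard, middle, exit.
    keys = [secrets.token_bytes(32) for _ in range(3)]
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"  # constructed
    onion = wrap(request, keys)
    guard_view, middle_view, exit_view = relay_path(onion, keys)
    return request, onion, guard_view, middle_view, exit_view


if __name__ == "__main__":
    request, onion, guard_view, middle_view, exit_view = demo()
    for name, view in [("on the wire", onion), ("guard", guard_view),
                       ("middle", middle_view), ("exit", exit_view)]:
        print(f"{name:12} sees destination: {b'example.com' in view}")
```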

2. Installing and Verifying Tor Browser

Download Tor Browser

Official source ONLY:

# Visit torproject.org - DO NOT use third-party mirrors
firefox https://www.torproject.org/download/

For Linux (recommended method):

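# Download the .tar.xz and its .asc signature from the official site into ~/Downloads
cd ~/Downloads

# Extract
tar -xvf tor-browser-linux-x86_64-*.tar.xz

# Move to applications (create the directory first so mv does not fail)
mkdir -p ~/Applications
mv tor-browser ~/Applications/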

# Run Tor Browser
~/Applications/tor-browser/start-tor-browser.desktop

Why verify? A valid signature ensures the download hasn’t been tampered with.

# Import Tor Project signing keys
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org

# Download signature file (from torproject.org downloads page)
# Verify
gpg --verify tor-browser-linux-x86_64-*.tar.xz.asc tor-browser-linux-x86_64-*.tar.xz

Look for: “Good signature from ‘Tor Browser Developers’”
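A "Good signature" line only says that some key in your keyring signed the file, so a scripted check should also pin the signer's fingerprint. The following added example (not from the original lesson or the Tor Project) parses GnuPG's machine-readable status output; EXPECTED_FPR is a placeholder, the sample status lines are constructed, and the function names are hypothetical.

```python
import subprocess

# Placeholder pin: replace with the primary-key fingerprint published by
# the Tor Project. The all-C value below is constructed for the sample.
EXPECTED_FPR = "C" * 40

# Statuses that mean the signature must not be trusted.
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed `gpg --status-fd` output (not captured from a real run).
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG " + "B" * 16 + " Tor Browser Developers (constructed)",
    "[GNUPG:] VALIDSIG " + "B" * 40 + " 2024-01-01 1704067200 0 4 0 1 10 00 "
    + "C" * 40,
])


def check_status(status_text: str, expected_fpr: str) -> bool:
    """Accept only a good signature whose primary key matches the pin."""
    want = expected_fpr.replace(" ", "").upper()
    good = pinned = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in BAD:
            return False
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; the last
            # field is the primary key fingerprint, which is what we pin.
            pinned = fields[-1].upper() == want
    return good and pinned


def verify_download(sig_path: str, file_path: str, expected_fpr: str) -> bool:
    """Run gpg on a detached signature and apply check_status to its output."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and check_status(proc.stdout, expected_fpr)
```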


3. Tor Browser Configuration & Security Levels

First Launch

Connection screen options:

  • Direct connection - Most users (if Tor isn’t blocked)
  • Configure connection - If Tor is censored (uses bridges)

Security Levels

Access: Click shield icon → Settings → Security Level

Standard (Default)

  • All browser and website features enabled
  • Best usability, some fingerprinting risk

Safer

  • JavaScript disabled on non-HTTPS sites
  • Some fonts and symbols disabled
  • Audio/video click-to-play

Safest (Maximum Security)

  • JavaScript disabled on ALL sites
  • All non-text media disabled
  • Minimal fingerprinting surface
  • Many sites will break

Recommendation: Start with Standard, use Safer for sensitive browsing, Safest for high-risk scenarios.


4. Tor OpSec - Critical Do’s and Don’ts

Never Do These Things Over Tor

❌ Login to personal accounts

  • Gmail, Facebook, banking, etc. (defeats anonymity)
  • Logging in links your real identity to the Tor session

❌ Use plugins or extensions

  • Flash, Java, QuickTime can reveal real IP
  • Tor Browser blocks these by default - don’t enable them

❌ Torrent over Tor

  • Torrent clients ignore proxy settings and leak IP
  • Congests the Tor network (unfair to other users)

❌ Resize browser window

  • Unique window sizes create fingerprints
  • Keep default Tor Browser size

❌ Download and open files while online

  • PDFs, docs can phone home with your real IP
  • Download → disconnect from Tor → open file offline

❌ Use Google for searches

  • Google fingerprints and tracks even over Tor
  • Use DuckDuckGo (default in Tor Browser)

Always Do These Things

✅ Keep Tor Browser updated

# Tor Browser auto-checks for updates
# Or manually check: Help → About Tor Browser

✅ Use HTTPS Everywhere

  • Built into Tor Browser
  • Encrypts traffic between exit node and destination

✅ Verify .onion addresses carefully

  • No typos (phishing risk)
  • Bookmark trusted .onion sites

✅ Use NoScript when in Safer/Safest mode

  • Built into Tor Browser
  • Blocks JavaScript selectively

✅ Create separate Tor identities for different activities

  • New Identity button (broom icon) → new circuit
  • Compartmentalize browsing sessions

5. Understanding Tor Circuits

View Current Circuit

Click the lock icon in address bar → Circuit Display

Example:

This Browser → Germany → France → Netherlands → example.com

Each site gets a different circuit for isolation.

Manually Get a New Circuit

For single site:

Click lock icon → New Circuit for this Site

For entire browser (New Identity):

Click broom icon (top right) → New Tor Circuit for this Browser

Warning: New Identity clears cookies, cache, and browsing history. Closes all tabs.

Circuit Failures

If a circuit fails:

  • Tor automatically tries another route
  • Usually resolves in seconds
  • If persistent, one of the relays may be down

6. Accessing .onion Sites (Hidden Services)

What Are .onion Sites?

.onion addresses identify Tor-exclusive sites whose traffic never leaves the Tor network (no exit node required). Both client and server are anonymous.

Advantages:

  • End-to-end encryption within Tor
  • Server location hidden
  • Censorship-resistant (no DNS, no IP)

Example .onion sites:

DuckDuckGo: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion
ProtonMail: https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion
The New York Times: https://ej3kv4ebuugcmuwxctx5ic7zxh73rnxt42soi3tdneu2c2em55thufqd.onion

How to find .onion sites:

  • Torch (Tor search engine)
  • The Hidden Wiki (directory - use caution, verify links)
  • dark.fail (verified .onion mirrors of clearnet sites)

Verifying .onion Addresses

No certificate authorities for .onion

  • Bookmark verified addresses
  • Cross-reference with multiple sources
  • Use Tor Project’s list of known .onion services
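A structural check catches the typo case mentioned under "Verify .onion addresses carefully" and in this section, while a bookmark comparison handles well-formed lookalikes. This added example (not from the original lesson) applies the v3 address format, in which the 56-character label encodes a 32-byte public key, a 2-byte checksum and a version byte; the function names are hypothetical and any key used to build a test address is constructed, not a real service.

```python
import base64
import hashlib
from urllib.parse import urlsplit

VERSION = b"\x03"


def checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 hostname from a 32-byte public key (used for test input)."""
    raw = pubkey + checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def onion_label(url_or_host: str) -> str:
    """Return the 56-character label before .onion, or '' if there is none."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    labels = (host or "").lower().rstrip(".").split(".")
    if len(labels) >= 2 and labels[-1] == "onion" and len(labels[-2]) == 56:
        return labels[-2]
    return ""


def checksum_ok(url_or_host: str) -> bool:
    """True if the address decodes and its embedded checksum matches."""
    label = onion_label(url_or_host)
    try:
        raw = base64.b32decode(label.upper()) if label else b""
    except ValueError:
        return False
    return (len(raw) == 35 and raw[34:] == VERSION
            and raw[32:34] == checksum(raw[:32]))


def classify(url_or_host: str, bookmarks: set) -> str:
    """'malformed' (typo or truncation), 'bookmarked', or 'unverified'."""
    if not checksum_ok(url_or_host):
        return "malformed"
    host = onion_label(url_or_host) + ".onion"
    return "bookmarked" if host in bookmarks else "unverified"
```

An "unverified" result means the address is well formed but is not one you have saved, which is exactly what a lookalike address would produce.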

7. Practical Exercises

Exercise 1: Install and Configure Tor Browser

cd ~/cypherpunk-journal
cat >> week07_tor_setup.md << 'EOF'
# Week 7: Tor Setup Log

## Tor Browser Installation
- Downloaded from: torproject.org
- Verified GPG signature: [Yes/No]
- Version installed: [version]
- Security level: [Standard/Safer/Safest]

## First Circuit Test
- Visited: check.torproject.org
- Result: [Congratulations! You are using Tor.]
- Exit node country: [country]

## .onion Site Test
- Visited DuckDuckGo .onion
- Address used: [onion address]
- Worked: [Yes/No]

## Notes
- Browsing speed: [observations]
- Sites that broke: [list]
- Adjustments made: [list]
EOF

Exercise 2: Test Tor Circuit Changes

  1. Visit https://check.torproject.org - note exit country
  2. Click “New Tor Circuit for this Browser”
  3. Refresh - note new exit country
  4. Repeat 3 times, observe different circuits

Exercise 3: Access .onion Services

Visit these verified .onion sites:

DuckDuckGo: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion
ProtonMail: https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion

Up Next

Week 7b covers advanced Tor topics: VPN combinations, bridges for censorship bypass, running relays, SSH over Tor, and Tor limitations.


Key Takeaways

  • Tor provides anonymity through three-hop circuits - No relay knows both source and destination
  • Always download from torproject.org - Verify GPG signatures for security
  • Security levels trade usability for protection - Standard → Safer → Safest
  • OpSec is critical - Don’t login to personal accounts, don’t resize windows
  • .onion sites are Tor-exclusive - End-to-end encryption within the network
  • New Identity = new circuit + cleared state - Use for compartmentalization