How-To: Tor Browser Bundle

Tor Threat Models, Tor Browser Bundle

My last post covered threat modeling the Tor Network.  While I have a very nuanced opinion of Tor, I do think it is ideal for certain use cases.  Unless contraindicated .  Using Tor is not difficult, but there are some potential pitfalls to be aware of.  This post will cover how to use the Tor Browser Bundle.

Download and Install the Tor Browser

The first step is to download the Tor Browser from https://torproject.org.  Before you install it you should verify the integrity of the file. The Tor Project has an excellent tutorial on how to do this here.  Additionally, I will begin to post checksums for the Tor Browser this month.  After you have verified the file, install it.  If you use a Mac, double-click the .dmg and drag the icon into your applications folder.  A few more steps are required if you use Windows, but setup is not difficult.  Instructions are available here.

Tor Browser Bundle

Begin Browsing with Tor

You are now ready to begin browsing.  Double-click the Tor icon.  Tor will as you to choose between “Connect” and “Configure”.  For the vast majority of use-cases connecting directly is your best option.  The “configure” option gives you the ability to use a bridge or proxy.  Using a bridge or proxy may be necessary if you are in a country or on a network that blocks Tor traffic.  Configuring a bridge or proxy is fairly intuitive, should you need to do so.

Tor Browser Bundle

When you connect to the Tor network, your request is first routed to a directory server.  This server will create your custom “circuit”, the network of three nodes through which your traffic will be routed.  When your connection is established, the Tor browser will open automatically.  You are now ready to browse through the Tor network.  The Tor Browser is a modified version of Firefox.  Browsing with Tor is superficially no different than browsing with Firefox with one or two exceptions.

Using Tor-Specific Features

Clicking the Onion button opens some options not available in Firefox.  It also displays your Tor circuit and allows you to change the following options:

  • New Identity:  This closes all open tabs and discards any browsing data, like cookies.  A new, clean instance of the browser is then opened.  I do not recommend this
  • New Tor Circuit for this Site:  This feature builds a new circuit for the tab that is currently open.
  • Privacy and Security Settings:  See below.
  • Tor Network Settings:  Allows you to configure bridges and/or proxies if needed.
  • Check Tor Browser for Updates:  Always keep your browser up-to-date.  I recommend checking each time you open Tor because updates are frequently released.

Tor Browser BundlePrivacy and Security Settings:  Click this to open an additional dialogue.  The privacy portion has four radio buttons.  Leave all of these checked.  The security dialogue contains a slider and allows you to choose a desired level of security (low, medium-low, medium-high, high). These settings correlate roughly to threat models.  The higher your threat model, the higher a level of security you should choose.  I believe you should always use “high”.  It is less convenient and requires a working knowledge of NoScript, but if you are going to use Tor you should use it to its full potential.  On the other hand, ease-of-use may convince more people to use it overall.

Tor Browser Bundle 4

Potential Problems with Tor

Tor is imperfect for everyday use.  There are reasons it is not incredibly common.  Among them: the Tor Network is slow.  Traffic is routed through multiple servers, usually in multiple countries.  This inevitably slows your traffic.  Additionally, your traffic is slowed at least to the speed of the slowest server in your circuit.  You will also be forced to solve captchas to visit or log in to some websites, and encounter other minor inconveniences. You will also encounter security issues when using the Tor Browser.  I addressed some of these in my last post.  My next post will address one of them specifically: exit node security through HTTPS.

If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.

Leave a Reply