HOW TO : securise Tor Browser - Be anonymous on the INTERNET #1
technology·@juanpierre·
0.000 HBDHOW TO : securise Tor Browser - Be anonymous on the INTERNET #1
<html> <h1><strong> How to securise Tor browser</strong></h1> <p><br></p> <p> <img src="https://upload.wikimedia.org/wikipedia/commons/thumb/1/15/Tor-logo-2011-flat.svg/320px-Tor-logo-2011-flat.svg.png" width="320" height="193"/></p> <p><strong>What is Tor?</strong></p> <blockquote>Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. </blockquote> <p>https://www.torproject.org/</p> <p>Using Tor does not make you totally anonymous, indeed, the fingerprint of your browser can identify you.</p> <blockquote>What's the fingerprint ?</blockquote> <p>An user can be tracked on the internet by his cookies, his MAC address or by his IP address. But it is also possible to follow a user through the footprint of his browser. This fingerprint is calculated from browser-accessible data such as the operating system used, screen resolution, time zone, fonts on your computer,the UAS (User Agent String User Agent String, String containing information about your browser), plugins installed, list of accepted MIME types ...</p> <p>So the more your browser will be different from other Tor users, the more unique you will be, so more easily identifiable. Likewise if you walk down the street with atypical clothes. While if you are dressed like everyone else, you will be fused into the mass and you will be more anonymous </p> <p><img src="http://image.noelshack.com/fichiers/2017/27/1/1499104478-sans-titre.png"/></p> <p><br></p> <p> <strong>1. Ask for web pages in English </strong></p> <p> To avoid appearing different from other browsers it is better to ask for the pages in English.<br> The first time you use it, Torbutton asks you if it should ask for the pages in English.<br> If you did not say yes, I think you can activate this option by clicking the Torbutton icon and then clicking the "Edit details that distinguishes you from other Tor Browser users" The "Security Settings" tab.<br> To check, in a new tab type <strong>about: config</strong><br> Look for the following values:<br> </p> <p><strong>extensions.torbutton.spoof_english</strong> --> Must be set to True<br> <strong>intl.accept_languages</strong> --> Must be on the value en-us, en<br> <strong>general.useragent.locale</strong> --> Must be on en-US value<br> </p> <p><strong>2. NoScript & JavaScript</strong> </p> <p> Enabling NoScript is required.<br> Click on the S at the top left and then on "Forbid Scripts Globally (advised)"<br> </p> <p>Click on the S again, go to "Options", on the "Embedded objects" tab and check all the boxes that correspond to scripts as well as Audio / Video, <IFRAME>, <FRAME>, @ font-face and WebGL.<br> If you do not trust NoScript to block JavaScript open a new tab at: about: config.<br> <img src="http://image.noelshack.com/fichiers/2017/27/1/1499107176-1.png"/></p> <p>Find the value <strong>javascript.enabled </strong>and double-click it to go to false.<br> </p> <p><strong>3. Browser extension</strong></p> <p> On Tor Browser, NEVER install any extensions.<br> Sites can view the list of extensions installed on the browser.<br> This alters its fingerprint and makes it a little more unique.<br> </p> <p><strong>4. </strong> <strong>Downloads </strong></p> <p> Unless you have disabled it, when you upload a file with TorBrowser,<br> You should have a warning with two options:<br> - Open the file<br> - Save file<br> </p> <p>Especially never choose to open a file directly! You would expose your real IP address (not your Tor address) to the site.<br> Never download executable files from the clearnet with TorBrowser unless you are using an HTTPS connection with a valid certificate.<br> </p> <p><strong>5. HTTP Referer</strong> </p> <p> Wikipedia wrote:</p> <blockquote> The <strong>HTTP</strong> <strong>referer</strong> (originally a misspelling of <strong>referrer</strong><a href="https://en.wikipedia.org/wiki/HTTP_referer#cite_note-1">[1]</a>) is an <a href="https://en.wikipedia.org/wiki/List_of_HTTP_header_fields">HTTP header field</a> that identifies the address of the webpage (i.e. the <a href="https://en.wikipedia.org/wiki/Uniform_Resource_Identifier">URI</a> or <a href="https://en.wikipedia.org/wiki/Internationalized_Resource_Identifier">IRI</a>) that linked to the resource being requested. By checking the referrer, the new webpage can see where the request originated. In the most common situation this means that when a user clicks a <a href="https://en.wikipedia.org/wiki/Hyperlink">hyperlink</a> in a <a href="https://en.wikipedia.org/wiki/Web_browser">web browser</a>, the browser sends a request to the server holding the destination webpage. The request includes the referrer field, which indicates the last page the user was on (the one where they clicked the link). Referer <a href="https://en.wikipedia.org/wiki/Server_log">logging</a> is used to allow <a href="https://en.wikipedia.org/wiki/Website">websites</a> and <a href="https://en.wikipedia.org/wiki/Web_server">web servers</a> to identify where people are visiting them from, for promotional or statistical purposes. </blockquote> <p> If you come from a search engine this is not embarrassing. On the other hand if the referer indicates the address of a site of sale of weapon or another site in .onion it exposes it.<br> To do this we return to about: config<br> <strong>network.http.sendRefererHeader</strong> --> Change from 2 to 1. If you set 0, some sites may no longer work.<br> <strong>network.http.referer.spoofSource</strong> --> Pass it to True instead of False<br> The best way to avoid referring is to copy / paste the link.<br> </p> <p><strong>6. Bridges obfs3</strong> </p> <p>If you aren't using a VPN and you think Tor's use is endangering you, you can use <strong>obfs3</strong> <strong>bridges</strong> to connect to the Tor network. This confuses communications and makes it difficult to locate your use of Tor. However, your navigation will be slower.<br> The list of bridges (bridges) obfs3 is not public. On the other hand, there is no<br> An infinite number of nodes and scarcity is possible. Use them only if necessary.<br> If you need it, when starting Tor Browser click on configure.<br> In the questionnaire, click on next until the question "Is your ISP blocking connections to the Tor network?" And indicate yes.<br> After clicking again next, the questionnaire will ask you to select which type of bridges you want to use.<br> Normally, obfs3 is selected by default. If not, select it and click Connect. <br> </p> <p><strong>7. Tracking by ETAG</strong></p> <p> Your browser often saves pages in its cache. This saves bandwidth.<br> On each given page, the server gives the browser an ETAG. It is a sequence of numbers and numbers that will change if the page is changed. Normally used for useful purposes (do not consume too much bandwidth) its use can be diverted by giving a unique ETAG to each browser.<br> The only way to protect yourself is to empty your cache very regularly or to prohibit its use.<br> The best solution is to go regularly to the Tor Button menu and click on "New Identity" (Ctrl + Shift + U) .<br> </p> <p><strong>8. Canvas HTML</strong> </p> <p>A canvas is an image to be generated by your browser<br> Taking into account your hardware like the graphics card and other parameters.<br> This canvas allows to gather a lot of information on your browser and your computer. The result is sometimes unique.<br> To protect themselves from it, it is enough to disable the scripts in NoScript (since it is often JS script).<br> If you leave your Javascript, the Tor browser will notify you if a site tries to generate a canvas. Always choose to block it.<br> Even all scripts disabled Tor browser will display an alert when attempting to extract an HTML canvas.<br> </p> <p><strong>9. Security Slider</strong> </p> <p> The Security Slider allows you to define security levels and reinforce the browser by removing as much as possible the available attack surface.<br> It is accessed by clicking on the Torbutton and then on Privacy and Security Settings.<br> The higher the level, the more the browser will disable possible attack vectors. I advise to put him at the highest.<br> All boxes must also be checked.<br> </p> <p><strong>10. PDFJS Viewer</strong> </p> <p> PDF.js Viewer is the Firefox PDF reader (and therefore Tor Browser). Recently a vulnerability has been discovered that allows access to sensitive files. To prevent<br> It is better to disable it in about: config.<br> <strong>pdfjs.disabled</strong> --> Set it to True.</p> <p><br></p> <p>source : </p> <p>http://neckara.developpez.com/tutoriels/securite/empreintes_navigateurs/</p> <p>FWD</p> </html>