What not to do in Tor

Mutt

1. Do not use personal social network accounts.
  1. I do not recommend logging into your personal Vkontakte account, Facebook or any other social network. Even if you use a fake name, most likely this account is associated with friends who know you. Ultimately, a social network can guess who the user really is.
  2. Any anonymity system has its flaws. Online anonymity software can hide your IP address and your location, but big social networks do not need this information. They already know the user, his friends, the content of messages between them, etc. This data, at best, is stored only on the servers of social networks, and an ordinary user has no software that can delete it.
  3. Users who log into their social network accounts over Tor receive only location hiding, not anonymity.

2. Do not log into accounts that you use without Tor.
You should assume that on each visit, the server log stores the following data:
  • Client IP address / location.
  • Date and time of the request.
  • Specific addresses of the requested pages.
  • HTTP code.
  • The number of bytes transferred to the user.
  • User's browser agent.
  • Referring site (referrer)

Please note that the Internet Service Provider (ISP) will record at least the online time and the client's IP address / location. The provider can also record data such as the IP addresses / location of visited sites, how much data was transmitted, and what exactly was sent and received. Unless the traffic is encrypted, the ISP will be able to see what specific actions were carried out and what information was received and sent. You can compromise your account with even a single login over a connection not secured by Tor, from a real IP address. Such single mistakes lead to sad consequences.

3. Do not log into online banking or payment systems.
Also, I do not recommend going to an online bank or payment systems (Qiwi, YandexMoney, PayPal, etc.), as well as to other financially important accounts registered in your name.
In most payment systems, using Tor entails an account freeze due to "suspicious activity" that is recorded by the fraud prevention system. The reason is that hackers sometimes use Tor for fraudulent activities.

If you still used Tor with an online bank or payment system and your account was blocked, try contacting support, as some services allow weakening the rules for determining fraud for user accounts.

4. Do not send sensitive data without end-to-end encryption.
Tor's most vulnerable point is its exit nodes: they can eavesdrop on communications and carry out man-in-the-middle attacks (i.e. when a third party secretly participates in relaying or changes the way data is transmitted between two users), even if you use HTTPS. Therefore, the only way to transfer sensitive data is to use end-to-end encryption.

5. Do not disclose online data that can be used to identify you.
Here are some rules to help you avoid de-anonymization:
  • Do not include personal information or personal interests in nicknames.
  • Do not discuss personal information such as place of residence, age, marital status, etc. Over time, silly conversations like discussing the weather can lead to an accurate calculation of the user's location.
  • Don't mention gender, tattoos, piercings, physical ability, or disability.
  • Do not mention a profession, hobby, or participation in activist groups.
  • Don't use special characters on your keyboard that only exist in your language.
  • Do not post information on the regular Internet (Clearnet) while anonymous.
  • Don't use Twitter, Facebook, or other social media. It will be easy to associate you with a profile.
  • Don't post links to Facebook images. The file name contains your personal ID.
  • Do not visit the same site at the same time of the day or night. Try to vary your session times.

Remember that IRC, other chat rooms, forums, mailing lists are public places.

Do not discuss anything personal at all, even when connecting securely and anonymously to a group of strangers. Recipients in a group are potential risks (“known unknowns”) and could be made to work against the user. It only takes one informant to destroy the group.

Heroes exist only in comics - and they are actively hunted. There are only young or dead heroes.

6. Do not use the same digital identity for a long time.
The longer you use the same nickname, the more likely you are to stumble and give yourself away. As soon as an attacker has such an opportunity, he will be able to study the history and all activity under this pseudonym. The best solution to this problem is to create new digital identities and stop using old ones.

7. Don't use multiple digital personalities at the same time.
If you use multiple aliases, you increase the likelihood of giving yourself away. Different digital identities can be easily linked if they are used at the same time, as Tor can reuse circuits in the same surfing session, or there could be a potential information leak from Whonix-Workstation.

8. Do not stay logged into social networks and other accounts longer than necessary.
Reduce the time you stay logged into social networks and other account-based services to the absolutely necessary minimum. After logging out of your account, it is safe to change the Tor circuit.
This is necessary because many websites have social media integration buttons. Therefore, if the user remains logged into any service, these buttons tell the owner of the service about the visit to the site.

9. Do not use clearnet and Tor at the same time.
Using a non-Tor browser and Tor Browser at the same time, you run the risk of confusing them one day and de-anonymizing yourself.

When using the clearnet and Tor at the same time, there are also risks of simultaneous connections to the server through anonymous and non-anonymous channels. A user can never feel safe visiting the same page through anonymous and non-anonymous channels at the same time, because he only sees the URL, but not how many resources are being requested in the background. Many different sites are hosted in the same cloud. Services like Google Analytics are featured on most sites and therefore see many anonymous and non-anonymous connections.

If this advice is ignored, then the user should have at least two different desktops to prevent confusion between browsers.

10. Do not connect to the server anonymously and non-anonymously at the same time.
I do not recommend creating both Tor and non-Tor connections to a remote server at the same time. If there is a disconnection with the Internet, then all connections will be disconnected at the same time. In this case, an attacker can easily determine which public IP / location belongs to which Tor IP / connection, potentially directly identifying the user.

11. Learn to distinguish between anonymity and pseudonymity.
An anonymous connection is considered to be a connection to a destination server when that server has no way of establishing the origin (IP address / location) of this connection or assigning an identifier to it.
A pseudonymous connection is a connection to a destination server when that server is unable to establish the origin (IP address / location) of this connection, but can assign an identifier to it.

As soon as you log into your account on the website using your username, the connection automatically loses its anonymity. The origin of the connection (IP address / location) is still hidden, but the connection can be assigned an identifier; in this case, this is the account name. Identifiers are used to log various things: the time when the user wrote something, the date and time of entry and exit, what exactly the user wrote and to whom, the IP address used (useless if it is a Tor exit node), the saved browser fingerprint, and so on.

12. Do not distribute your link first.
Never be the first to advertise your anonymous project!
The more the personalities are separated from each other, the better.

13. Don't open random files and links.
If you have been sent a file of any type or a link to a file, be careful regardless of the file format. The sender, mailbox, account or key could be compromised, and the file or link could be specially prepared to infect the user's system when opened in a standard application.

14. Do not use mobile phone verification.
Many websites ask for a mobile phone number when you use Tor. Do not give out this information under any circumstances unless you have some kind of alternative like a virtual number.

Any phone number will be logged. The SIM card will most likely be tied to the user. Even if not, receiving the SMS will give away the location. You can try to buy a SIM card anonymously, but there is still a risk: the phone itself. If the SIM card is purchased anonymously, but the phone is not, then there will be no anonymity, because the two serial numbers will be linked together.

Therefore, there are two options for solving this problem:
  1. Anonymously buy a SIM card and a phone, go away from home, receive an SMS and immediately turn off the phone.
  2. Use online services to receive SMS messages, but many such services are not suitable for some websites and applications.

Finally, I want to say that the most effective way to stay anonymous is to use multiple means of anonymity together, not just Tor Browser.
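
To illustrate rule 2 (this example is added here and is not part of the original post): the fields listed there are exactly what a web server's "combined" access log records, so a single non-Tor login ties an account's whole history to a real address. The log lines, account names and exit-node set below are constructed, and the sketch assumes the account name appears in the log's authenticated-user field.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: the fields listed under rule 2.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample data: documentation IP ranges, made-up account names.
TOR_EXITS = {"192.0.2.10", "192.0.2.77"}  # stand-in for a public exit-node list
SAMPLE_LOG = """\
192.0.2.10 - nightowl [12/Mar/2024:21:04:11 +0000] "GET /inbox HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
192.0.2.77 - nightowl [13/Mar/2024:22:15:40 +0000] "POST /send HTTP/1.1" 302 312 "https://forum.example/inbox" "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
203.0.113.45 - nightowl [14/Mar/2024:08:01:02 +0000] "GET /inbox HTTP/1.1" 200 5090 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0 Safari/537.36"
192.0.2.10 - greyfox [14/Mar/2024:09:30:00 +0000] "GET /thread/42 HTTP/1.1" 200 20480 "-" "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
"""

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

def exposed_accounts(entries, tor_exits):
    """Map each account to the non-Tor source IPs it was ever seen from."""
    seen = defaultdict(set)
    for e in entries:
        if e["user"] != "-" and e["ip"] not in tor_exits:
            seen[e["user"]].add(e["ip"])
    return dict(seen)

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for user, ips in exposed_accounts(entries, TOR_EXITS).items():
        history = [e for e in entries if e["user"] == user]
        print(f"{user}: {len(history)} requests now attributable to {sorted(ips)}")
```

The account that only ever connected through exit nodes yields no real address, while the one with a single direct login has every earlier Tor session linked to it.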
 