offering specific settings, pre-configured plugins, and security
certified to be as secure as possible out of the box. A regular
warning is not to use random plugins or indeed other browsers
(especially Chrome) over Tor, because you have no idea what
tracking they might have implemented within them. However,
there are two default plugins that we’ll cover shortly, explaining
why they’re so handy.
>> The Tor Browser is basically a locked-down build of
Firefox. By default, it forgets and wipes everything from
session to session, because it’s in what it calls “Permanent
private browsing mode.” If you’re after a more casual browsing
mode, you might want to select “Menu > Options > Privacy
& Security,” and disable “Always use private browsing mode”
under “History.” This forces a restart, and retains cookies and
your browsing history—if you’re after higher anonymity, this is
not recommended.
>> Moving security in the stronger direction, the Shield icon
in the toolbar—or within the “Menu > Options > Privacy &
Security > Security” section—offers three distinct security
levels. It defaults to Standard, which is frankly pretty secure,
but it does still enable JavaScript, which many distrust. The
annoying issue is that most websites require JavaScript to run,
so if it were disabled, Tor would be mostly useless to the average
user—it’s a trade-off between usability and security.
>> T h e n e x t s e c u r i t y l e v e l o f S a f e d o e s i n d e e d t u r n o f f J a v a S c r i p t
for all sites that can’t use the encrypted HTTPS mode, while it
disables audio, video, and WebGL unless you click to allow them.
The highest level disables JavaScript entirely. And don’t even ask
about Flash—you are, aren’t you? Flash is a security nightmare
at the best of times, so Tor just won’t go there. In general, the
advice not to run third-party plugins is down to the fact that you
have no real idea what data they could transmit back to base.
However, Tor does use two well known plugins.
>> To help secure your connections, Tor makes use of two
widely used browser plugins: HTTPS Everywhere and NoScript.
HTTPS is a version of the standard HTTP plain-text protocol
that’s been encrypted. This instantly means no one can read
the data traveling between your PC and the destination server.
However, it’s not always enabled by default, hence the use of the
plugin to do just that—however, it can’t enable HTTPS on sites
that don’t support it at all. The NoScript plugin offers per-site
control over almost every aspect of the code run by that website.
Tor makes use of this to restrict or disable code that could leak
data about yourself.4
IDENTITIES AND CIRCUITS
When you first connect to the Tor network, this is called
your initial “Identity”—basically, all data is sent to the
same entry node for a set period of time (usually two or three
months), before you’re automatically cycled to another. Theseries of encrypted server hops after this, and the exit
node, is called the circuit. When connected to a website,
click the “i” icon at the start of the URL address bar to
see the established Tor circuit, along with an option to
reset this [Image B].
>> Tor offers two ways to reset the circuit or the
Identity. The basic option is the Tor circuit—this most
often crops up when an exit node IP has been banned by
a service. Choosing a new circuit provides you with a new
exit node. It causes the currently active tab or window to
be reloaded over a new Tor circuit. Other open tabs and
windows from the same website will use the new circuit
as well once they are reloaded.
>> Selecting a “New Identity” takes this a step further.
Alongside requesting a new entry node, it closes all your
open tabs and windows, clears all private information,
such as cookies and browsing history, and uses new
Tor circuits for all connections. It’s like restarting the
browser as well as your router.5
WEIRD BROWSING
We should highlight some of the more common
issues you can run into when browsing the web
from the view of a Tor exit node. Exit node IPs get flagged
up for all manner of nefarious reasons, so if a site or
service sees you’re coming from an exit-node IP, it’ll
likely trigger a red flag and additional security checks on
you, which you wouldn’t experience browsing normally.
>> One common annoyance is repeated captcha
challenges. Where you might be used to getting one
normally, expect multiple challenges before you’re
allowed access to a service or website. Also, some
websites turn up in foreign languages—again, this is
down to whatever location your Tor exit node is locatedC©^TO
RFLOWWhile we might have talked about using
“portable” versions of Tor in terms
of releases you can take with you on
a USB drive that will run on any PC,
what about mobile devices? The double
good news is that, over recent years,
the Tor Project has come on in leaps
and bounds with regard to Android and
iOS apps. Previously, it took a similar
multi-tool approach to mobile as itdid for PCs, but thankfully, it’s all now
wrapped up in a single easily installed
package called the Tor Browser—
ignore Orbot, that’s the old release.
Just download the Tor Browser
and it works the same on your cell
phone or tablet as it does on your PC.
It’s available via the standard Google
Play Store or direct as an APK from
the Tor Project itself at https://www.torproject.org/download/#android
(you need to know whether your device
is a 64-bit or 32-bit Arm device).
Due to Apple policies, the Tor
Project on iOS has had a bumpy time,
but it’s available as the Onion Browser,
which works a treat, and is right up to
date. You can grab it from https://apps.
apple.com/us/app/onion-browser/
id519296448.GOING ON TOR
62 MAXIMUMPC MAR 2020 maximumpc.com
R&D