levels.It defaultstoStandard,whichisalreadyprettysecure,but
doesstillenableJavaScript,whichmanydistrust.Theannoying
issueisthatmostwebsitesrequireJavaScripttorun,soif it were
disabled,Torwouldbemostlyuselesstotheaverageuser– it’sa
trade-offbetweenusabilityandsecurity.
ThenextsecuritylevelofSafeturnsoffJavaScriptforallsites
thatcan’tusetheencryptedHTTPSmode,whileit disablesaudio,
video,andWebGLunlessyouclicktoallowthem.Thehighest
leveldisablesJavaScriptentirely.AndasforFlash –asecurity
nightmareatthebestoftimes– Torjustwon’tgothere.Ingeneral,
theadvicenottorunthird-partypluginsisdowntothefactthat
youhavenorealideawhatdatatheycouldtransmitbacktobase.
Tohelpsecureyourconnections,Tormakesuseoftwowidely
usedbrowserplugins:HTTPSEverywhereandNoScript.HTTPS
is a version of the standard HTTP plain-text protocol that’s
beenencrypted.Thisinstantlymeansnoonecanreadthedata
travellingbetweenyourPCandthedestinationserver.However,
it’snotalwaysenabledbydefault,hencetheuseofthepluginto
dojustthat– however,it can’tenableHTTPSonsitesthatdon’t
supportit.TheNoScriptpluginoffersper-sitecontroloveralmost
everyaspectofthecoderunbythatwebsite.Tormakesuseofthis
torestrictordisablecodethatcouldleakdata.
Identitiesandcircuits
Whenyou firstconnecttotheTornetwork,thisiscalledyour
initialIdentity– basically,alldataissenttothesameentrynode
forasetperiodof time(usuallytwoorthreemonths), before
you’reautomaticallycycledtoanother.Theseriesofencrypted
serverhopsafterthis,andthe exitnode,iscalledthecircuit.
Whenconnectedtoa website,clickthe‘i’iconatthestartofthe
URLaddressbartoseetheestablishedTorcircuit,alongwithan
optiontoresetthis[ImageB].
TorofferstwowaystoresetthecircuitortheIdentity.Thebasic
optionistheTorcircuit– thismostoftencropsupwhenanexit
nodeIPhasbeenbannedbya service.Choosinga newcircuit
providesyouwitha newexitnode.It causesthecurrentlyactive
taborwindowtobereloadedovera newTorcircuit.Otheropen
tabsandwindowsfromthesamewebsitewillusethenewcircuit
aswelloncetheyarereloaded.
Selectinga NewIdentitytakesthisa stepfurther.Alongside
requestinga newentrynode,itclosesallyouropentabsand
windows, clears allprivate information, such as cookies and
browsinghistory,andusesnewTorcircuitsforallconnections.It’s
likerestartingthebrowseraswellasyourrouter.
Weirdbrowsing
Weshouldhighlightsomeofthemorecommonissuesyoucan
runintowhenbrowsingthewebfromtheviewofa Torexitnode.
ExitnodeIPsgetflaggedupforallmannerofnefariousreasons,
soif a siteorserviceseesyou’recomingfromanexit-nodeIP,it’ll
likelytriggera redflagandadditionalsecuritychecksonyou,
whichyouwouldn’texperiencebrowsingnormally.
One common annoyance is repeated captcha challenges.
Where you might be used to getting one normally, expect
multiple challenges beforeyou’reallowed accesstoa service
orwebsite.Also,somewebsites turnupinforeignlanguages
- again,thisisdowntowhateverlocationyourTorexit
nodeislocatedin.Mostsitesbaseyourlocationonthis
IP,thenserveuptheirsiteorserviceinthatlanguage.
Youjusthavetoswitchthesite’slanguagepreferences.
YoumightgetmessagesthatyourIPis blocked,orthat
youraccountorsystemmayhavebeencompromised.
Again,thisisdowntounscrupuloustypesabusingthe
Torsystemandgivingexit-nodeIPsa badname.Typically,
theNewIdentityoptioncansolvetheseissues.
Runningnodes
Wementionedvarioustypesofnodes,whichisa fancy
namefora serverorPCrunningTorina specialmode.
By default, you run Tor inclient mode – you’reonly
accessingtheTornetwork,ratherthanhelpingtorunit.
Thenetworkitselfis madeupofthreenodetypes:entry,
relay,andexit.Themostwidespreadarerelaynodes,the
intermediarynodesthatpassencryptedonionpackages
withintheTornetwork[ImageC]– technically,whenyou
installtheTorBrowser,youhaveeverythingrequiredto
runone,butwe’renotgoingtocoverthis.Anentrynode
is simplya relaynodethat’sprovedtobereliableenough
fortheclassificationupgrade.
Anexitnodeis whereTortrafficre-entersthestandard
internetandissentontoitsdestination.If youwanted,
youcouldrunanexitnode,butthisis notrecommended.
Duetothenatureofthetraffic,exitnodescandrawthe
ireofnotonlyyourISP,butalsolocallawenforcement.
TheTorProjectadvisesyoutoinformbothyourISPand
localauthoritiesthatyou’rerunninganexitnodetoavoid
suchissues.So,it’snotsomethingyoushoulddoona
whim,orwithcompanyservers.Thedeep,darkweb
Torimplementsa networkwithintheinternetnetwork,
and just like the internet, the Tor network can and
does have its own network of anonymous websites
that get called various things, such asthe darkweb
or deep web, alongwith Tor Hidden Services. ThereC© TORFLOWWhile we might have talked about using
‘portable’ versions of Tor in terms of
releases you can take with you on a USB
drive that will run on any PC, what about
mobile devices? The double good news is
that, over recent years, the Tor Project has
come on in leaps and bounds with regard to
Android and iOS apps. Previously, it took a
similar multi-tool approach to mobile as it didfor PCs, but thankfully, it’s all now wrapped
up in a single easily installed package called
the Tor Browser – ignore Orbot, that’s the
old release.
Just download the Tor Browser and it
works the same on your smartphone or
tablet as it does on your PC. It’s available
via the standard Google Play Store or direct
as an APK from the Tor Project itself athttps://www.torproject.org/
download/#android (you need to know if
your device has a 64- or 32bit Arm CPU).
Due to Apple policies, the Tor Project on
iOS has had a bumpy time, but it’s available
as the Onion Browser, which works a treat,
and is right up to date. You can grab it from
https://apps.apple.com/us/app/onion-
browser/id519296448.GOING ON TOR
46 |^ |^ April 2020