13 December 2011
Tor Operations Security
Date: Tue, 13 Dec 2011 18:39:22 -0500
Subject: [tor-talk] Tor OPSEC - Operational Security - Great Resource of
What began as a simple reply to a Tor user on the subject of downloading
PDF files through Tor, turned into a wealth of information on Tor OPSEC.
I am adding this post to the list because others might find it as useful
as I have. Cheers.
Origin of discussion:
"First, I want to use TOR to download .pdf files"
First, how have you setup Tor? (it's not TOR btw, it's Tor)
Have you installed the Tor Browser Bundle? (TBB) It contains a (limited)
preconfigured Tor environment (you need to reconfigure the included Noscript
properly as by default it is set to allow everything, which is bad) and includes
Vidalia, a Tor GUI front-end. If you have, you can right click on most .PDF
file download links and select your local destination for the PDF to download
to and it runs through Tor without leaping outside of the Tor client. Some
PDF file downloads are caught by Tor button for unknown reasons, it thinks
you're trying to load it directly and not download it when you're trying
to download it. This may be a bug which appears at random. TBB's preconfigued
Tor environment does not modify files like wgetrc (more on this later) or
other application's files outside of the applications it provides.
My preferred method of handing PDF files when using Tor is to load them remotely
via this free web service:
I don't see that website as having any ads, but I block ads anyway, nor are
there any posts begging for money, nor do they push an application to download
in order to view the PDFs. It's the most simplistic layout I've seen for
loading PDFs remotely and safely so they don't touch your system (your web
cache should be disabled and is disabled if you use TBB, your swap and home
partitions, if not your whole system should be encrypted). But does the admin
track PDFs and IPs? Simple, always use Tor with that site with nothing
It should be noted the moment you begin using your real name and playing
about on Facebook with your friends or acquaintances via Tor, you've lost
the plot. Do not mingle your personal Internet use with your Tor Internet
use. Do not use Tor while at the same time accessing your personal e-mail
outside of Tor (you shouldn't load it inside Tor, for that matter, either).
Don't boast through Tor to one of your chums that you're using Tor.
The PDF files (at view.samurajdata.se) are transformed into single paged
graphics which you may navigate through easily. 99% of the time it works,
some PDFs it chooses not to load and spits out an error. It doesn't
who runs the site or their privacy and data retention habits, but I recommend
it above all other sites offering to convert PDFs on-line. I have not tested
uploading local PDF files to that service so I cannot suggest others do so,
I don't know whether or not there would be any privacy leaks in doing so,
so just copy/paste urls into that service.
In using that free PDF converter website, I can preview the document to determine
beforehand whether it is worth the time, space, and effort in manually
downloading the PDF and storing it for future access. Should you access PDF
files on your system, I would recommend burning them to a CD or DVD, a read
only medium, and accessing them from a non-networked environment such as
a Linux LiveCD with the network cable unplugged, using an open source PDF
reader, never use the proprietary PDF reader from Adobe, unless you're reading
off-line from read only media, in addition to pulling the network cable prior
to booting from a fresh and verified LiveCD and pulling the cable and power
plugs from any hard drives (before you turn your system ON), to eliminate
any possible contamination. Remember, you're downloading PDF files through
Tor, and unless you verify each file through checksum verification (like
MD5 or GPG) there's a chance they could've been trojaned by a rogue exit
node, or contain phoning home instructions or any other type of malicious
"feature". No amount of open or closed source virus/trojan scanners can convince
me a file is entirely free of malware.
If you're booting from a LiveCD to use Tor, I heavily recommend pulling the
plug/power cord from any hard drives just in case, before you start your
LiveCD session and before you've powered the system ON, so no data is
transferred/shared through the use of the LiveCD sessions. I strongly recommend
against using a preconfigured Tor LiveCD, not limited to but including the
recent, "Tails LiveCD". You have no method to inform you on whether or not
the binaries have been modified to whatever end. While not pointing the finger
at any one such project, I can imagine the temptation would be great for
a malicious user or project team to poison the well, so to speak, with
compromised binaries naive users would trust their security/privacy to.
If you're running a system with sufficient memory, you should be able to
download a Linux LiveCD of your choosing, verify it with MD5 or GPG, verify
it with the bootable option to, "Verify This CD", extract the previously
downloaded TBB into the home directory, disable all extra network services,
configure a few files like hosts.deny and others as well as changing the
password on the LiveCD user account. Since the LiveCD user runs with elevated
privileges, you should consider creating your own LiveCD for TBB use, stripping
it down to only the basics to minimize bugs in some packages in the repositories
which could compromise your Tor operational security/privacy.
There are free tools like remastersys which allow you to put together a LiveCD
with packages of your choosing. You may configure a proper limited user account
beforehand and use this with TBB from your customized LiveCD. I'm not
recommending remastersys or any other LiveCD creation tool as I have not
audited their source
code nor do I blindly trust binaries, but it's an option.
It would be wise to consider all binary transfers via Tor as potentially
trojaned by a rogue exit node, modifications to data by a rogue exit node
AND sniffing of plain text traffic occurs and is well documented. Some good
preventative methods for browsing in Tor:
1. https://www.ixquick.com/ offers
encrypted searches AND proxying of web content, you may surf in Tor
through Ixquick's web proxy for excellent SSL protection.
2. https://ssl.scroogle.org/ offers
encrypted searches but offers no secure web proxy. Using Scroogle or Ixquick
over Google or Yahoo among others is encouraged as you don't hit a brick
wall with an error message (Yahoo) or a message saying you have to verify
you're a human (Google). By default Torbutton will redirect you to one of
more search results than the first page presented to you, so I suggest Scroogle
for web searches and Ixquick's free SSL web proxy for browsing. Do not, under
configured properly. There are many ways to decloak and otherwise poison
Flash: Don't install the plugin, don't try alternatives, they won't be torrified.
Some have claimed, on Tor's or-talk mailing list discussions, to have enabled
YouTube's HTML5 option and, without the use of a Flash plugin, enabling
the content to be shot through Tor but I haven't tried it. There are
methods of downloading flash videos through Tor, such as through a third
party website or by using clive or youtube-dl, both are listed in the Ubuntu
repositories but each must be configured to use a proxy with Tor like Polipo
Second, if you haven't installed Tor via the TBB, you've opted to install
and configure Tor with a proxy like Polipo or Privoxy. If this is so, it's
easier to download PDFs as you don't need to accomplish this through the
browser, instead you modify your /etc/wgetrc file with a proxy configuration
matching the proxy port you're using with Tor.
$cat /etc/wgetrc | grep proxy
(default wgetrc displays as follows):
#If you do not want to use proxy at all, set this to off.
#use_proxy = on
sudo nano /etc/wgetrc
gksudo gedit /etc/wgetrc
You would specify the proxy as http://127.0.0.1:proxy port number here
If you're using a proxy port of 12345, for example, it would be
I don't know what port Polipo and Privoxy use, but use whatever value they
With wgetrc configured properly and proxy lines uncommented, you can test
it by using wget in a Terminal to manually download the PDF files, copy/paste
the url into the Terminal following the wget command, and I recommend using
the -c option in case the download fails somewhere during your download:
This would download the TBB for Linux (current as of 12/12/2011). While on
the subject, please verify every Tor package you download using GPG, instructions
are on their site, as well as instructions to torrify your gpg key fetching
if you don't wish to grab gpg keys in the clear.
I haven't tested wget while using the TBB, I don't know what would be required
here, installing Polipo or Privoxy and appending the proper local address
with port within Vidalia and giving it a go or by some other method. All
this rests on the belief you're downloading legal PDFs.
"or .torrent files"
I can't help you with that and it's considered bad etiquette to run torrent
traffic through Tor.
"An external application is needed to handle:
NOTE: External applications are NOT Tor safe by default and can unmask you!
If this file is untrusted, you should either save it to view while offline
or in a VM, or consider using a transparent Tor proxy like Tails LiveCD or
"Am I OK? Can I proceed safely and anonymously?"
No, not when it pops up with that warning. Don't click on the PDF url, right
click on the url and save it locally and the transfer will traverse through
the Tor network. As above, I mentioned Tor button randomly pops up with this
warning even though I've right clicked on the PDF url, probably a bug but
it thinks you're trying to view it
directly. You should see that Tor button warning most of the time for when
you're trying to access non-torrifyed content directly. Always click CANCEL
when this warning appears.
My best suggestion would be to use wget with a properly modified wgetrc file,
this likely means you'll have to download and configure Polipo or Privoxy.
If you're using the TBB, you're on your own, I haven't explored it.
"Also, I want to use a web-based email service via TOR so as to have anonymous
email capabilities. Gmail worked for a while, but just asked me what city
I usually log in from, cause it thought my account was hijacked. Know any
web-based email providers that will work with TOR?"
There are several options, you may google for a result or post to Tor's or-talk
mailing list, see the Documentation page on Tor's official website for
instructions on signing up and posting to the public
list, which consists of Tor developers and users. I cannot advise you here
as some TOS for free web-mail
may stipulate you may not mask your origin of transit with their services,
which is just what one would be doing by using their service. G-mail is not
recommended, you want to look for a web service which maintains a constant
SSL connection from the beginning to the end of your session. In addition,
the privacy busting potentials.
"Hushmail might work with Tor pretty well"
Does Hushmail not require Java installed to function? Java is a big no no
when using Tor, for many reasons not limited to rogue exit nodes manipulating
your traffic to unmask or otherwise poison your Tor session and possibly
exploit the java user's system. In the ideal Tor setup, no plugins should
be installed, this is where the TBB for Linux works well, it has no plugins
by default, it does have some extensions, such as Tor button, Noscript, and
eff.org's HTTP-Everywhere, but no plugins. Hushmail also has a checkered
history, in my opinion,
concerning privacy and I don't approve of their methods of encryption or
use of Java.
Wait a second... Well l00ky what we have here:
"Hushmail Turns Data Over to Government"
Furthermore, you shouldn't install other extensions unless you are certain
they work well with Tor, they could leak, Tor's website offers a page suggesting
which plugins work well. I would stick with the three TBB contains, and configure
them correctly as I mentioned earlier, Noscript is setup by default to allow
everything by default which is bad. To verify no plugins (don't confuse with
extensions) are installed, type about:plugins in your
browser's address bar. No plugins should be listed. I find TBB useful as
I can use it for Tor only, and use another browser outside of the TBB directory,
installed from Ubuntu's repositories, for non-Tor use, why mix the two in
one browser? It's complicated and messy. And, unless I'm mistaken, TBB's
version of Firefox (Aurora) has been tweaked by the Tor developers to address
certain issues vanilla Firefox would otherwise contain.
The preferred method of removing the possibility of any Tor leakage is to
change my network settings during Tor use to list no DNS servers. If, by
error, you launch an application outside of Tor, there are no DNS servers
to catch the application's requests, they are stonewalled and will turn up
an error. Despite what some may tell you, Tor functions well with no DNS
servers listed. After you modify your network settings with DNS servers removed,
check your resolv.conf file, it should look like this:
#Generated by NetworkManager
With no DNS servers listed.
You may also opt to block DNS during your Tor session with ufw by blocking
all communication with port 53. You may also choose to, as in my thread within
the Security section here details, block all ports except those you need
and configure Vidalia or your torrc file if not using Vidalia, to use only
port 80 and 443 for its operation.
Lastly, get to know and love using Tor bridges:
Why tell everyone on your network you're using Tor? Tor use may stand out
in other ways, but by using bridges, you're obscuring your use of Tor, instead
of telling everyone on your network you're connecting to known Tor nodes.
It's simple to determine you're using bridges, but it's more difficult than
using the standard method of Tor connectivity.
Has your network provider setup a honey-pot virtual Tor network and you're
connecting to it rather than the genuine Tor network? How would you know?
Again, this is where using bridges is the preferred method for Tor access.
Clear documentation of using bridges is on Tor's official site, but made
easier by using Vidalia and accessing the Tor bridges page, and copy/pasting
the Tor bridges into Vidalia's GUI section under Vidalia's Settings, Network,
and box tic for "My ISP blocks connections to the Tor network". If you have
a legit connection to the Tor network without using bridges, how may you
know whether or not your network provider is limiting the nodes you're able
to access and hasn't blacklisted many in order to better monitor your Tor
The subject of a network provider setting up a fake Tor network has been
documented and if memory serves me has appeared in at least one
If in doubt during any Tor use, Wireshark may be used to verify traffic is
contained within the Tor network, it's in the Ubuntu repositories.
I've waddled outside your request with more information than the OP requested,
but it's useful information for all. (and to all a good night!)
Bonus material: from a verified trusted and true LiveCD, run rkhunter and
chkrootkit against your hard disk drives, extra points for using a tool such
as hexdump or objdump to check binaries and space on the hard drive for any
potential virus or trojaned software/sectors. Trojans targeting the system's
BIOS are becoming more common, standard practice for any new system you obtain
is to set the BIOS write protect within the BIOS options and question whether
bundled system update programs which may want to update your BIOS is really
required, and source verified (has your DNS been poisoned? A new project
called DNSCrypt has been floating around in recent tech news as a potential
solution to these attacks).
Extra credit: Employ TEMPEST shielding techniques, never use a program which
claims to keep your computer passwords safe or simply holding them for you,
they are vulnerable to TEMPEST based attacks (and keeping them on any r/w
medium is stupid on so many levels). Use a Frequency Counter and test for
through-the-air leakage. Never use Tor on a Windows based system! Not even
within a VM. If you trust it, it's closed source:
install Wine and run a freeware program called, "Zero Emission Pad" to
modify/read your text documents in, as it claims (strong emphasis on claims)
to prevent TEMPEST attacks. It's a Windows only freeware program which I
haven't vetted for possible leaks but it is interesting, google for it and
you'll eventually find it. At least one software vendor in the U.S. offers
a proprietary and commercial application which does the same job, but I have
no trust in commercially developed, closed source software, which is a reason
why trusting GPG over PGP is a great idea.
Related OPSEC reading:
TEMPEST (or, "Hey! Who owns that van/RV/delivery truck outside? It never
TEMPEST ; Stealing Data Via Electrical Outlet
TEMPEST ; Compromising Wired Keyboards:
TEMPEST-for-eliza - demonstrate electromagnetic emissions from computer systems
(it's in the Ubuntu repositories, verify the tech threat for yourself)
Frequency counter devices:
DNSCrypt (not usable at this time AFAIK):
AX25 (is someone being sneaky and controlling your computer remotely through
the air?) (the dirty hidden secret of AX25 and packet radio, or how your
computer is capable of much more than you think, are we all rooted remotely?)
(note: has nothing to do with Wifi)
Package Manager Security:
Packet Filtering Firewalls:
Detecting Packet Injection:
Encryption: (TBB from within an encrypted Truecrypt container within an encrypted
Ubuntu install? woot!)
Tor OPSEC And General Articles:
IMPORTANT, ALWAYS VERIFY SIGNATURES!:
Writeprint (thought your words were anonymous via Tor, right? WRONG!):
Why, what a BEAUTIFUL scarf I received for the Holidays! Wait, what!?
Why are my windows constantly vibrating? What the... !!! "You'll shoot your
eye out, kid!"
Tinfoil hat reading / remote system compromise through the air on a grand
scale! (omg CONSPIRACY?
Or, I forgot to take my pills?)
To conclude, Google for:
- powerline vulns (or, "Hey, my key-presses can be picked up via
- additional through-the-air attacks (or, "What!? Someone in the other room
or building can pick up my key presses?)
- temperature vulns (or, "Hey, my cpu can be compromised by temperature attacks?
Wait a minute, why WAS that cute red head spending so much time looking inside
my computer when I had it open and asked me to go into the kitchen to make
an elaborate meal? How miniature modifications to hardware can escape your
sight!) Don't forget Timing and Side Channel attacks!
Walking in a winter wonderland....
"Behold, I give unto you power to tread on serpents and scorpions,
and over all the power of the enemy" - Luke 10:19
I forgot to add:
uget easy-to-use download manager written in GTK+2
uget is in the Ubuntu repositories and claims to support proxies, via:
from the man file:
--proxy-type=N set proxy type to N. (0=Don't use)
--proxy-host=HOST set proxy host to HOST.
--proxy-port=PORT set proxy port to PORT.
--proxy-user=USER set USER as proxy username.
--proxy-password=PASS set PASS as proxy password.
I haven't tried uget's proxy support, try it and tell us if it worked for
tor-talk mailing list