Privacy @lemmy.ml fishonthenet @lemmy.ml 3 yr. ago

About to use Tor. Any security tips?

matt.traudt.xyz About to use Tor. Any security tips? – pastly@home

Tech, Pets, and Vettes

a great post that was published a few years ago on Matt Traudt's blog with some tips for people using Tor and the Tor Browser.

it also addresses common misconceptions like disabling JS and using fingerprinting tests, which unfortunately I see floating around every other day on the internet.

5 comments

@k_o_t@lemmy.ml @TheAnonymouseJoker@lemmy.ml can we get this thread pinned? i didn't read it all but it looks like decent advice and the question about what's tor and how to use it best comes up frequently
- There's generally nothing wrong with logging in to "real" accounts over Tor.
  
  Tor Browser intelligently isolates your traffic so logging in to your "real" Facebook while doing secret stuff on a different website is not correlate-able via traffic patterns.
  
  It also isolates local state (like cookies) so it won't leak that way.
  
  I found this problematic. He is encouraging the use of PII accounts over Tor, which is a very risky thing to do for someone not familiar with how to make and stick to an OPSEC.
  
  A lot of his advice is actually what I practice and preach, but this and the JavaScript one makes me feel less confident here. Preferring JavaScript stay disabled is a better choice, the next best is only allowing JavaScript when needed momentarily. This is why TailsOS which ships with a uBlock Origin Tor Browser is more helpful.
  
  I will start by saying that the author of the article was a tor researcher and dev so this gives some context on the content and me posting this.
  
  which is a very risky thing to do for someone not familiar
  
  may I ask why? I generally agree with the sentiment of the article but I don't have a very strong opinion on this and maybe I'm missing something.
  
  PS I don't think the usual "I will end up in a list of people who use Tor" argument is a valid one.
  
  Preferring JavaScript stay disabled is a better choice, the next best is only allowing JavaScript when needed momentarily.
  
  I disagree with this, it's simply overkill for 99% of the people with arguably no benefit at all. what's there to gain?